Is cyber security going anywhere?

It seems to be the new gold rush – everyone wants to get into cyber security. It isn’t surprising given the salary differential between IT operations staff and IT security staff. There are new education options popping up, all with a hefty price tag. I have a friend who printed a business card, registered for a course and got a gig working in IT security for more money than he could get in IT operations.

While I accept that there is a specific skill set for IT security, I am cynical as to how it is approached in industry. I can understand why the considerable investment in cyber security is not reducing the problem!

So let me give you my perspective on how cyber security influences senior management. The first thing to say is that it does have a place on the agenda of boards and senior executives and this is a good thing. Typically it will take more time than questions about how IT is improving productivity or how technology changes are influencing the current business model, and this is a bad thing.

The initial triggers have come from either a security breach, news of breaches in similar organisations or the regulatory changes being introduced (such as mandatory reporting of certain breaches). A consultant might brief the board and executive and tell them that there is a significant risk that is not being effectively managed. The potential for dire consequences will be spelled out followed by a proposal for an expensive consulting engagement to determine current state and propose rectifications.

The board may feel relieved that they have dodged a bullet and fulfilled their duty by getting in expensive “experts”. Fast forward a couple of years and the whole cycle will repeat. There is little evidence that things are getting better despite the resources devoted to cyber security – an overhead that doesn’t by itself deliver business value.

The trouble is that the experts are expert in the wrong things. They might know about firewall policies, denial-of-service attacks and (maybe) IT management frameworks. All of these are needed, but none is sufficient. What you really need to know is how your business manages its data.

The truth is that modern businesses manage data everywhere in their operations. There are staff with laptops, tablets and devices throughout the business collecting, processing, sharing and deleting data. Any security system that considers the data without understanding the business processes that act on it is doomed to failure (read ISO 27001, which starts by asking you to define the scope and context of the organisation before it asks about controls).

If senior managers want to manage the cyber security risk they need to put more effort into understanding how their business really works. There is precedent for this; most organisations put significant effort into understanding their financial data. The accountants and book-keepers who delve into financial transactions generally have a good understanding of data around money. Imagine putting the same resources as are applied to finance into all the other data sources in the organisation: asset, customer, people, health and safety, environment, social, suppliers and so on.

Fortunately there is a way around this. Many business areas do have a good understanding of their business processes, their skills and their technologies. Rarely, however, is a consistent view available to the executive.

The answer to managing your cyber security risk is therefore to manage your business better – on a holistic level rather than a financial or compliance approach. Putting in place consistent approaches to documenting and monitoring business activities is a good start. Many departments will be undertaking business analysis work within their current scope, so we are not talking about a brand new expenditure line.

Do good business analysis, broadly and consistently throughout the organisation. Collect and leverage the information through some (uncomplicated) architecture. Insist that the effort improves business performance. These are the key tenets for success. With this in place your cyber security consultants can add value and advise on solutions that don’t break the bank.

Not going anywhere fast

Gregory House for CIO?

The right approach?

Being in a household full of teenage kids, it is hard to find TV programs that everyone wants to watch. One series that we all agree is intriguing and entertaining is House – the story of a brilliant doctor saving his patient’s lives through his intellect. Along the way he struggles with drug addiction, dysfunctional personal relationships and, most intriguingly, managing a high performing team.

I see all sorts of similarities between this evidently contrived medical environment and my experiences as CIO trying to get the best out of my team for their own sakes and to deliver to the organization.

So how does Dr House stack up against my principles of what makes a good leader and especially a good CIO?

  1. Integrity. For me this trait stands above all others in importance (as it does for any executive). On the face of it, House lacks integrity: he lies consistently, is always taking money off Wilson and almost always avoids answering questions. Behind this somewhat dispiriting façade, you know that House holds certain values with incredibly high integrity. He puts his patients ahead of his career or image. He is open and honest about the life that he leads, even if it doesn’t fit society’s norms; and he bases his decisions on fact and not prejudice.
  2. Strategic thinking – CIOs need strategic bones in their bodies (see The Reluctant CIO!) and this takes a certain thought process. They have to be comfortable “in the fug”, not having the full picture but still being confident enough to move in one direction. This is House’s life: a patient presents with lots of data, but insufficient information to diagnose. He has to weigh up the risks of each test or treatment against the risk of inaction (usually the patient will die). He never just sits and holds his head; he always picks a path and follows it.
  3. Domain expertise – This is a tricky area for CIOs; they need domain expertise but it needs to be in the right area. They should not be experts in configuring routers or writing code. They do need to be great at managing risk, optimizing architecture, process management and governance functions. House is the ultimate domain expert in managing risk. He doesn’t know the diagnosis any more than his team (until the last 5 minutes), but he can weigh up the risks of various options and tells the team to “Go!”
  4. Communications – A core requirement of a CIO is to communicate the opportunities, challenges, risks and achievements of information technology. In this area you would have to say that House fails dismally, at least at face value. He interacts rudely with his patients (he would rather not talk to them) and prefers to hang out in the morgue or with coma guy. To counteract this perspective, we know that House is the best asset of the hospital, so somehow the word has got out. Maybe he really does know how to communicate – just in unconventional ways.
  5. Relationship building – I have always thought that the relationship web that a CIO weaves is his or her biggest asset. The CIO must work up, down and across developing trust and enthusiasm. House has a strange set of relationships with Cuddy (up), his team (down) and Wilson (across). The recurring challenge with his team is to let them make their own decisions (and mistakes) but not let them kill the patient (which sometimes happens). This is like any CIO challenge – let the Operations Manager manage operations, but know when you have to step in to save a disaster.

So how would you like to be in House’s team? A mixed blessing, I think!

How much should we spend on IT?

Budget evolution

Times are tough, as everyone playing in the consulting game would know. The March quarter Westpac pulse survey shows business is generally getting more optimistic, but this has not translated into increased sales and revenue. Organizations have streamlined and cut back on costs over the last 3 years and the IT department has participated generously in this (with another 10% cut in overall expenditure last year).

Is it still reasonable for executives to ask whether there are further cost savings available? The answer is of course yes and no. To illustrate, I have taken a graph published by MIT’s CISR, a fantastic resource for IT research. The graph plots IT spend against technology maturity, where maturity is measured by the effectiveness of the enterprise architecture.

The baseline is 100% for an IT Department in an immature organization. This is typified by different services being offered to different parts of the business and dispersed infrastructure. If you are in this position you are definitely spending too much on IT.

A solid effort on standardizing hardware and software, consolidating infrastructure and improving procurement will deliver a 15% saving. The next 10% comes from standardizing and simplifying business processes onto core enterprise systems.

The surprising outcome is where businesses go next. Once the IT monster has been tamed inside the IT department and the business, organizations become more comfortable about investing in IT. They actually increase their IT spend as it delivers real business value and the IT budget ends up 20% higher than when they started.

So where do you think your organization is on the maturity curve?

Just do these 5 things!

Recipe for success

I am passionate about making organizations work better through technology. We could vastly improve business performance and prevent wanton destruction of wealth. With the resources freed up we can tackle poverty, the environment and global inequity – or am I getting carried away?

The agenda is clear and many would agree that the solutions are clear – but not simple. Every organization should be doing the following 5 things:

1. Corporate governance of IT. Technology is not a separate thing from the business; it needs to be managed by management and not by the IT department. There are best practices (COBIT 5, ISO/IEC 38500) but the real implementation challenge is that many senior managers do not have the skills and knowledge to make the right decisions about the technology in their business.

Implement a corporate governance of IT best practice and develop your senior staff to be excellent in its application

2. Enterprise architecture. This must not be confined to the IT department; it must become a central component of all business initiatives. Enterprise architecture is very difficult to do well despite the best practices (TOGAF, FEAF, etc.).

Invest in an enterprise architecture and use it broadly for business decision making

3. Continuous improvement. If you have ever taken delivery of a new enterprise IT system, it probably resembled a bath tub and not the speed boat that you expected. It takes time to update practices, fix bugs and improve processes. This should never stop, even when you realize that the system has grown into the beautiful sleek machine that you were expecting.

Formalize continuous improvement in all areas of the business, maybe through Six Sigma and an Improvement Register

4. Service management. It is now almost universally accepted that the only way to run IT in complex organizations is through a service management approach (ITIL, ISO/IEC 20000, etc.). In my view this approach should be extended to other internal service departments such as HR and finance.

Commit to a service management maturity level of 3 or above

5. Execution methods. Execution of technology projects is notoriously tricky, with 70% not delivering to expectations. Those that do deliver use proven methodologies run by high quality people. Project management, business process management, software development lifecycle, security, and information lifecycle are 5 key areas to look at.

Develop and nurture excellence in execution to deliver 90% on time, on budget initiatives

All organizations can benefit from the above approach, but the government sector is probably most in need. Citizens who see their hard earned tax payments go up in smoke through the likes of the Queensland Government Health Payroll debacle should be insisting on a plan from politicians. This was a $6M technology project that cost $1.2Bn (or $1000 from my family).

Commit to the above 5 steps and not only will IT disasters be less likely, we should also get IT-enabled and connected governments. From this we can expect transparent government, a citizen-centric approach, better social inclusion and reduced cost.

This would be a good start on the quest for a better world!

So how can we make this happen?