Is cyber security going anywhere?

Not going anywhere fast

It seems to be the new gold rush – everyone wants to get into cyber security. It isn’t surprising given the salary differential between IT operations staff and IT security staff. There are new education options popping up, all with a hefty price tag. I have a friend who printed a business card, registered for a course and got a gig working in IT security for more money than he could get in IT operations.

While I accept that there is a specific skill set for IT security, I am cynical as to how it is approached in industry. I can understand why the considerable investment in cyber security is not reducing the problem!

So let me give you my perspective on how cyber security influences senior management. The first thing to say is that it does have a place on the agenda of boards and senior executives and this is a good thing. Typically it will take more time than questions about how IT is improving productivity or how technology changes are influencing the current business model, and this is a bad thing.

The initial triggers have come from either a security breach, news of breaches in similar organisations or the regulatory changes being introduced (such as mandatory reporting of certain breaches). A consultant might brief the board and executive and tell them that there is a significant risk that is not being effectively managed. The potential for dire consequences will be spelled out followed by a proposal for an expensive consulting engagement to determine current state and propose rectifications.

The board may feel relieved that they have dodged a bullet and fulfilled their duty by getting in expensive “experts”. Fast forward a couple of years and the whole cycle will repeat. There is little evidence that things are getting better despite the resources devoted to cyber security – an overhead that doesn’t by itself deliver business value.

The trouble is that the experts are expert in the wrong things. They might know about firewall policies, denial of service attacks and (maybe) IT management frameworks. All these are needed, but not sufficient. What you really need to know is how your business manages its data.

The truth is that modern businesses manage data everywhere in their operations. There are staff with laptops, tablets and devices throughout the business collecting, processing, sharing and deleting data. Any system that considers the data without understanding the business processes that act on it is doomed to failure (read ISO 27001).

If senior managers want to manage the cyber security risk they need to put more effort into understanding how their business really works. There is precedent for this; most organisations have a significant effort on understanding their financial data. The accountants and bookkeepers who delve into financial transactions generally have a good understanding of data around money. Imagine putting the same resources as are applied to finance into all the other data sources in the organisation – asset, customer, people, health and safety, environment, social, suppliers etc.

Fortunately there is a way around this. Many business areas do have a good understanding of their business processes, their skills and their technologies. Rarely, however, is a consistent view available to the executive.

The answer to managing your cyber security risk is therefore to manage your business better – on a holistic level rather than a financial or compliance approach. Putting in place consistent approaches to documenting and monitoring business activities is a good start. Many departments will be undertaking business analysis work within their current scope, so we are not talking about a brand new expenditure line.

Do good business analysis, broadly and consistently throughout the organisation. Collect and leverage the information through some (uncomplicated) architecture. Insist that the effort improves business performance. These are the key tenets for success. With this in place your cyber security consultants can add value and advise on solutions that don’t break the bank.

Gregory House for CIO?

The right approach?

In a household full of teenage kids, it is hard to find TV programs that everyone wants to watch. One series that we all agree is intriguing and entertaining is House – the story of a brilliant doctor saving his patients’ lives through his intellect. Along the way he struggles with drug addiction, dysfunctional personal relationships and, most intriguingly, managing a high performing team.

I see all sorts of similarities between this evidently contrived medical environment and my experiences as CIO trying to get the best out of my team for their own sakes and to deliver to the organization.

So how does Dr House stack up against my principles of what makes a good leader and especially a good CIO?

  1. Integrity. For me this trait stands above all others in importance (as it does for any executive). On the face of it, House lacks integrity – he lies consistently, is always taking money off Wilson and almost always avoids answering questions. Behind this somewhat dispiriting façade, you know that House holds certain values with incredibly high integrity. He puts his patients first in front of his career or image. He is open and honest about the life that he leads, even if it doesn’t fit society’s norms; and he bases his decisions on fact and not prejudice.
  2. Strategic thinking – CIOs need strategic bones in their bodies (see The Reluctant CIO!) and this takes a certain thought process. They have to be comfortable “in the fug”, not having the full picture but still being confident enough to move in one direction. This is House’s life: a patient presents with lots of data, but insufficient information to diagnose. He has to weigh up the risks of each test or treatment against the risk of inaction (usually the patient will die). He never just sits and holds his head; he always picks a path and follows it.
  3. Domain expertise – This is a tricky area for CIOs; they need domain expertise but it needs to be in the right area. They should not be experts in configuring routers or writing code. They do need to be great at managing risk, optimizing architecture, process management and governance functions. House is the ultimate domain expert in managing risk. He doesn’t know the diagnosis any more than his team (until the last 5 minutes), but he can weigh up the risks of various options and tells the team to “Go!”
  4. Communications – A core requirement of a CIO is to communicate the opportunities, challenges, risks and achievements of information technology. In this area you would have to say that House fails dismally, at least at face value. He interacts rudely with his patients (he would rather not talk to them) and prefers to hang out in the morgue or with coma guy. To counteract this perspective, we know that House is the best asset of the hospital, so somehow the word has got out. Maybe he really does know how to communicate – just in unconventional ways.
  5. Relationship building – I have always thought that the relationship web that a CIO weaves is his or her biggest asset. The CIO must work up, down and across developing trust and enthusiasm. House has a strange set of relationships with Cuddy (up), his team (down) and Wilson (across). The recurring challenge with his team is to let them make their own decisions (and mistakes) but not let them kill the patient (which sometimes happens). This is like any CIO challenge – let the Operations Manager manage operations, but know when you have to step in to save a disaster.

So how would you like to be in House’s team? A mixed blessing I think!

The wrong trousers

stylish?

You may have seen the Wallace and Gromit animation “The Wrong Trousers”. It is foolish and funny, but many business leaders feel like their IT systems are the wrong trousers. The technology that is supposed to enable their business is not sufficiently flexible, is not user friendly, takes too long to change and costs too much. So how did we end up here and what do we do about it?

The core reason for this poor fit is misalignment. The business wants one thing and the IT systems deliver something else. It is likely that when the systems were purchased they did not properly incorporate the business requirements. Then as the business has changed over time, there has not been an effective feedback loop that modified the systems. Other systems may have been added, with dependencies that make any changes very complex. Once this misalignment becomes severe, the system is often replaced rather than modified.

So how do we stop Groundhog Day when we decide on a replacement? Here are a few tips:

1. Business change. Any technology project must be seen as a business change project. The real costs of change will almost always be much higher than the cost of the technology.

2. Business process approach. Identify the business processes early on. They will provide clarity for the business case and are critical in selecting the solution.

3. Service management. Ensure that one of the outcomes is a set of IT services. These should have defined performance, cost and governance for future changes.

4. Value delivery. Drive change in the business to deliver on the business case benefits. Make this value visible and the CEO may be less likely to chop the IT budget next year.

The core of this advice is that any IT investment must be strategic and not tactical. I have heard business managers railing against the strategic approach – “We just need to do this…” or “Doesn’t such and such a system do what we need?”. It is tough for CIOs to stand up to this and propose a more comprehensive (and more expensive) approach.

I recall a time when a mining executive wanted specific software to manage stocks of tyres. He pushed for an accelerated project to install the software on the basis that it would deliver significant savings. The lightweight business case stacked up with a low IT investment and a high return.

I insisted that we did a more thorough business analysis. We mapped the business processes and compared the features required against those available on the market. At this level of detail, it was evident that the projected return on investment would not be delivered by the systems available. We could create a better outcome with spreadsheets.

We saved some costs from cancelling the project early, but more importantly we did not hobble the business with a system that was not adapted to their needs. Of course no-one thanked me for this.

So if your organization is wearing the wrong trousers, will you tackle your next technology investment any differently?

Is technology too expensive?

Leap of faith

Successful business leaders ensure that the scarce resources available to them are best used. They focus on all aspects of spending and ask is it absolutely necessary? Is there a cheaper way of doing this? Can we squeeze out more for the same cost?

Given the challenges of the last few years, most of the low hanging fruit has already been harvested. The competitive pressure has not come off and CEOs are looking to balance an increased demand for services with a reduced ability to attract income. There are 3 main options to achieve this:

1. Transformational change. Radically changing the operating model through acquisition, amalgamation or strategic repositioning is an option. James Carlopio from the World Future Society suggests that these efforts fail 50-80% of the time.

2. Intermediation. This is where the relationships between suppliers and consumers are modified, and may be as simple as consolidating suppliers to achieve discounts. This strategy can sometimes be effected with little of the risk associated with business change.

3. Incremental. Typically this involves turning the handle on business processes to make them more effective, reducing cost and improving quality. Technology is likely to be a core component and the biggest risks are around organizational change.

As a CIO I have been involved in a number of successful incremental change projects. One example was the introduction of a logistics management application in a large not-for-profit organization.

The new application had many technology challenges causing delays and frustration amongst the users. The business processes were standardized and simplified, which made some users feel disempowered. Fortunately there was a clear vision from senior management on what they wanted to achieve. The turning point came when a major disaster struck, requiring a highly complex logistics operation.

The simplified processes improved productivity of staff who were working 18 hours per day. The online nature of the application meant that geographically dispersed stakeholders collaborated effectively. The biggest impact came from being able to analyse the supply chain and optimize ordering, reducing delivery time by a factor of 6 and costs by 80%.

Of course for every success story, there are litanies of disasters where IT investments have soaked up huge amounts of money. I have a few tips for making sure that you get value if you are investing scarce resources:

1. Create a business case. This clearly states the expectations behind business drivers, strategic outcomes, options, scope, benefits, costs, risks and timeframe. If the costs and risks outweigh the benefits, cancel the initiative early.

2. Assign accountability. You need to have individuals who are fully accountable for the business case and in particular the delivery of business benefits. The expectations should be clearly stated in the individual’s personal performance objectives.

3. Excellence in delivery. Running IT projects is risky. The consensus from a number of surveys on IT projects is that just 1 in 5 are fully successful. A solid project methodology, experienced project managers and executive support focused on delivering the promised benefits will increase your chance of success.

4. Connect initiatives. Running a series of disconnected IT initiatives will lead to lower agility and higher costs in the long run. Plan your IT like you would plan a city to make sure that your roads connect and you don’t build an abattoir in a residential area.

How confident are you about investing in organizational change?

Congratulations CEO, you did something great!

First place
Getting the top prize

CEOs are there to create outcomes for their stakeholders – the shareholders, staff, community or government. In many cases this is a thankless task, so how would it feel to get a letter 10 years from now congratulating you on some of the important calls you have made that put the business in a strong position? I put my mind to what those big decisions would be, and the answers might surprise you:

1. Well done for identifying that all your key people will need to be excellent in managing technology! You recognized that your technology is a key driver of business improvement. The solutions were not going to come exclusively from the IT Department, but you had to avoid the chaos of business units all purchasing their own disconnected systems.

You created development opportunities for staff to understand the relationship between the business and technology. This meant formal education in the tools of technology (enterprise architecture, business cases, service management etc), as well as on the job engagement with technology procurement, implementation and operations. Your senior managers became expert in understanding the risks and opportunities from various approaches to technology.

You have adapted your succession planning to incorporate technology competence as a key differentiator. Managing technology is a serious stream of business, as important as financial competence or technical expertise. The language of business has adapted to incorporate concepts that many of your business leaders were uninterested in 10 years ago.

2. Your approach to business process management was revolutionary and may have been a game changer. You understood that there is both value and opportunity in your company’s processes. Inside your organization, you focused on awareness and incremental improvements, using full scale process re-engineering only when the benefit clearly outweighed the risk. Your key metrics were achieved through great people running great processes on the right technology platforms.

The real difference that you made was to not stop at the edge of your business. You understood your customer’s business (and life) processes. You drove your organization to seamlessly become part of your customer’s processes. This was a challenge because of the complexity of such integrations, but it created a stickiness in your customers – you were no longer a supplier, you became part of their value chain.

3. Relationships. There it is, all in that one little word: you moved relationships to the forefront of strategic thinking. You created a relationship architecture that provided clarity and direction. You reset your relationships with suppliers to provide transparency and shared success. You invested in relationships with your peers and competitors, and most importantly you encapsulated the relationship with your customers as a key value set in your organization.

You acquired and organized information to provide insights into your stakeholders. Every touch point with stakeholders was fully informed and provided them with value. All this required investment, but with savings from business process improvements and reliable internal data this was manageable. There is further to go in this area, but the lack of skilled resources has curtailed your aspirations.

My heartfelt thanks from your imaginary friend…

We hear stories of the CEO who has creatively transformed the business, like Steve Jobs. The reality is that many transformations fail and most successful business strategies are around incremental improvements and intermediation. All of the above approaches can be tackled as increments, through pilots and gradually acquired competencies. You have after all got 10 years to achieve it!

Have you identified the long term initiatives that are going to differentiate your company? How long is your list and does it have anything in common with mine?