IT budgets today typically include a large amount of application costs. Acquisitions, changes in business strategies, business growth and new demand for IT services have contributed to significant growth in application portfolios. Support needs to grow with the portfolio as new solutions are added and the overall complexity and risks increase.
This situation leads to two key challenges for IT and the Business:
Rising costs – while most organizations believe they are spending on highest valued opportunities, this is rarely the case. As the portfolio increases, spending gets spread across too many priorities and very few understand the true costs of each application. In addition, complex infrastructure supporting applications is often shared across multiple solutions, which further complicates the true costs.
Outdated Applications – companies rarely initiate programs to simplify or retire applications. Why? It is hard work and usually means that one organization may have to give something up for the company's greater good. However, just like life itself, applications have a life cycle or beginning and end. A burning platform can arise as vendors discontinue support for applications, hardware becomes obsolete, and organizations lose specialized resources that maintain these applications.
It is imperative that organizations adopt an Application Portfolio Management (APM) process to align their portfolio with business, strategic and technology priorities.
One of the best places to start an APM program is to conduct an application rationalization project. This project focuses on building or enhancing an existing inventory of applications, but more importantly it establishes a framework for classifying business value and understanding application assets.
During this process, applications are scored and ranked along with an initial set of issues and opportunities. The ranking provides input to a strategic roadmap of which applications to invest, promote, retire, or enhance in some form (migrate, renovate, etc.) in an effort to reduce complexity and focus resources on new capabilities.
An application portfolio rationalization forms the basis of an organization's application strategy and governance process that can drive business and IT improvement for years to come.
Despite security concerns, the mass migration of IT services to the cloud will be an inevitable macro-trend. The value proposition is just too compelling: cloud computing is evolving into a utility. (See WGroup strategy brief “Cloud Computing: A Practical Guide to Utilize Cloud in the Era of Asset-Light IT.”)
If anything, the recent Edward Snowden saga only goes to show that regardless of tools, technology, policies and procedures, your security measures can only be as good as the people you employ to follow or enforce them.
So what message does that translate into for enterprises already worrying about security in the cloud? Observations:
Private clouds are not necessarily more secure than public clouds (e.g., Amazon). Private clouds are only as secure as the people and processes supporting them.
A common approach to improving security is to virtualize security controls, but that in turn adds another layer of abstraction to a key component of the overall cloud environment. More abstraction means less visibility. Thus the underlying trust relationship with the provider is key.
Now that cloud providers have become responsible for much of the security apparatus, the cloud customers should take it upon themselves to check the qualifications of the cloud providers’ security personnel – their architects, coders, operators and policy makers. The practice of “trust but verify” should apply to the vendor’s people as well as their processes and technologies.
A key subset of the vendor’s personnel demanding scrutiny for security reasons consists of those with administrative access to the customer’s assets. Cloud has introduced this new tier of privileged users whose oversight and even hiring should be monitored as if they were in-house personnel.
Another common approach to enhancing security is to ask the cloud provider to contribute more to security monitoring processes and make SIEM (Security Information and Event Management) data more available. But that still means the customer should inquire about the provider’s handling of the logging and execution of their monitoring processes.
At the very front end of the provisioning process, risk prevention means careful screening of workloads before deciding whether they are appropriate for migration to the cloud (mission-critical or sensitive data workloads demand more isolation). But isolation can never substitute for people’s compliance. So it still boils down to the people.
Finally, self-provisioning means governance and training are critical before the end users are empowered and set loose to decide for themselves or to gain access to the cloud.
While technology is a very important component, managing the people component is just as, if not more, vital to security.
Organizations that encounter change due to the loss of an IT leader are often left in a state of flux. An Interim CIO can be an opportunity to quickly fill the role with someone experienced in the business with a playbook for remediating challenges. It is important during this period of time that organizations assess the root cause of the departure and work to correct any internal issues.
Choosing to bring an Interim CIO into a newly vacated position is a move that more organizations are making to ‘prepare the ground’ for the next permanent leader. The Interim CIO enters the organization without the baggage of history and can provide an independent assessment of the situation. They offer senior management an unbiased view of the situation and call attention to new ways for IT to add value.
Typically the Interim CIO will:
Function as the Operational CIO – Keep the IT organization running and ensure resources are fully utilized while working to prevent staff flight and ensure business continuity.
Conduct a Robust Set of IT Assessments – Provide independent audit, assessment, and benchmarking in many areas of IT including strategy, business alignment, organizational model, sourcing utilization, application portfolio, cloud utilization, service levels, planned projects, and spend levels.
Build an IT Strategic Plan – Tackle the critical problem areas and take politically inexpedient positions where necessary to ensure IT supports the short and long-term business objectives. Lay the groundwork for a long-term manager, make hard personnel decisions, develop a detailed implementation roadmap, and establish professional management practices, policies and processes.
Help Hire a Permanent CIO – Fine-tune the perspectives and requirements for the next long-term leader. The Interim CIO provides a clear view of the capabilities, experience, and culture/personality requirements for a successful permanent CIO. The Interim CIO will develop a profile in connection with top management, and play a significant role in the interview process to ensure a successful placement.
To be successful, the Interim CIO needs to be a deeply experienced executive with both IT and consulting skills to work in complex and sometimes difficult cultural environments. The critical outcome from an interim CIO assignment is the alignment of senior management’s understanding of the proper role for IT in the organization, and their commitment to ongoing collaboration with the future IT leader.
IT leaders are constantly challenged to leverage all elements of technology, resources, and funding to maintain IT’s alignment to changing business requirements. To deliver value to the business, many organizations develop detailed strategic plans and roadmaps designed to guide the IT department toward a desired future state.
IT strategic plans are vital for every IT organization, but even the best engineered strategies are at risk of irrelevance if they don’t adapt as technology platforms, service delivery models, and “best practices” continue to evolve at an accelerating rate.
Opportunities for strategy adjustment can manifest themselves in many ways. At one end of the spectrum are major, unexpected issues that can cause significant business harm if not managed correctly including outages, radical business direction shifts, new regulations, or economic factors. On the other end of the spectrum are new technologies and processes that can create immense value if adopted, but in many cases the IT organization may not even know that they exist. In the middle are regular course of business optimizations that must be managed to ensure continuity including end of life technology, contract renewals, and personnel turnover.
To provide awareness of these issues and opportunities, and to maintain relevancy and progress against the IT strategic plan, leading IT managers should regularly conduct IT assessments or IT audits. Tailored to the specific needs of your organization and industry, the IT assessment should evaluate trends, performance, issues, costs, new models, and peer alignment across the following areas:
Emerging technology – e.g., Cloud, Big Data
IT security and vulnerability
Disaster recovery and business continuity
Application portfolio, architecture, security, risk, and controls
Skills and IT organizational model
Alignment to business strategy
IT Service management
Contracts and SLA performance
Costs, budgets, and spend levels
In some cases, these assessments can be conducted with internal resources during bi-annual or annual IT department health checks and IT strategy revisions. Sometimes, it’s critical to get an outside-in perspective on existing IT strategy and capabilities to inject new ideas and challenge the status quo. Organizations constantly need to re-invent themselves; otherwise existing processes may become ossified and an impediment to innovation.
In cases where there are such larger concerns, it is essential to engage an experienced advisor to conduct the assessment to provide an objective, third-party perspective and a formal fact-based comparison to leading models and current best practices.