Audit

Solution Search:
Oracle Audit Vault Trust-but-Verify by Oracle Corporation
Oracle Audit Vault provides a powerful audit solution that helps simplify compliance reporting, detect threats with early...
Configuration Audit and Control: 10 Critical Factors to CCM Success by Tripwire, Inc.
compliance, the need for audit data to prove conformity has also become a necessity. Configuration audit and control provides a single,...
10 Essential Steps to Oracle & MS-SQL Security & Compliance by Guardium
Download an essential chapter from "Implementing Database Security and Auditing" (Elsevier Digital Press), authored by...
Selecting a Security Plan That Meets Industry Regulations by Bsafe Information Systems
If you don't have a plan to achieve compliance with Sarbanes-Oxley, PCI, the Canadian Bill 198, HIPAA, Basel II, and other...
The Inside Story on Compliance – Confessions of a QSA by Imprivata, Inc.
Check out this webcast and learn more about PCI DSS best practices and get expert tips for surviving compliance audits...
Building Trust by Operationalizing Security and Compliance by Tripwire, Inc.
system environments ensuring audit requirements are met. "Trust Vesta" is the credo for a fast-growing company that manages risk and process payments...
10 Things IT Should Be Doing (but isn't) by Varonis
Until organizations start to shift the responsibility to business data owners, it is IT that has to enforce rules for...
Managing Assets with Numara® Track-It! (including Bar Code) by Numara Software
management process issues through audit, auto-discovery and process tracking. Asset Management is a hot topic these days as more and more vendors move to conduct...
Data Discovery and Risk in the Datacenter by Tizor
Learn how database activity monitoring (DAM) solutions mitigate data risk by discovering critical data in the data...
PCI: Staying Compliant in an Insecure World by Tripwire, Inc.
webcast to learn how configuration audit and control can help your company meet compliance requirements and get tips for increasing the security of point of...
IT Service Firm Decreased Its Auditing Time Deploying with Microsoft Dynamics SL by Microsoft Dynamics
necessary to gain Defense Contract Audit Agency compliance. Read how InScope Solutions decreased its auditing time and gained $10 million in revenue growth...
Optimizing Infrastructure Control by Tripwire, Inc.
This paper describes how an investment in configuration assessment and change auditing solutions can lower the...
The Hidden Costs of Compliance: Employee Morale by Oversight Systems
efforts. Consultants. Rising audit fees. Dozens of new internal auditors. Executive meetings. Revenue-generating projects put on hold. The tangible...
Visiprise Process Planning Solution by Visiprise
Visiprise Computer-Aided Process Planning (Visiprise CAPP), part of the Visiprise Process Planning solution, defines...
ROC Rhapsody™ by ROC Software
ROC Software provides a top solution that masters both print and digital output management: ROC Rhapsody™ Document...
Datanomic Data Migration and System Integration by Datanomic
conducting a complete profile and audit of all source data within scope at an early stage. Datanomic's dn:Director enables users to run all candidate data...
Warner Bros. Case Study by Aprimo, Inc.
Warner Bros. implemented Aprimo's Marketing Resource Management solution, which helped them to combine Aprimo...
Numara® FootPrints Change Management: Solutions for Automating and Managing Change by Numara Software
and to hear examples of creating audit trails for Sarbanes-Oxley compliance with respect to IT changes. Change Management is a process developed to ensure...
CA Mainframe Security Compliance by CA
against regulatory, staffing and audit pressures that security management shortcomings bring to the table. Recent corporate financial scandals, data...
Help Address All 12 Payment Card Industry Requirements with IBM Solutions for Compliance by Logicalis
IBM solutions are carefully designed to support PCI compliance efforts and other security needs by providing...
Manage Litigation Complexity: How Corporate IT Can Help Legal Reduce the Costs & Risks of eDiscovery by Google
rules-based workflow, audit capabilities, and reviewer-level performance analytics that enable your general counsel to effectively...
Get the Varonis View. Sign-up for the 30-Day Free Trial by Varonis
Sign up for the Varonis View free 30 day trial so you can visualize the entire data access control environment and...
Preventing Data Loss: 10 Key Imperatives by Varonis
means to see, control and audit all aspects of unstructured data access. With 80 - 90% of data being stored on file servers, and the accessibility to...
Securing the Common Point of Failure in IT Risk Controls by Cyber-Ark Software
and the potential security and audit failure points that threaten organizations worldwide. The rise of identity and access management has...
Related Interviews
By Linda Tucci, Senior News Writer
What is the biggest challenge in getting a job as a first-time CIO? Is it out-competing others who look similar on paper?

I think there is a tremendous amount of competition. Most of the CIO positions out there are usually going through some type of an executive recruiting network. The recruiters I talked to don't usually pull up a set of criteria in a database online. One recruiter I talked to doesn't even recommend candidates putting information into an executive recruiting online database, because most executive recruiters aren't going to use it. They're going to look to the contacts and network of sitting CIOs or deputy CIOs to ask if there is someone on their staff or someone they know.
You became CIO of the World Wildlife Fund at age 37. What helped you most to get that job?

I was recruited for it. I did not approach an executive recruiter for that position; they approached me, at the recommendation of another sitting CIO. I had established my credentials in the private and for-profit sector. I had gotten experience with a variety of technologies at some pretty tier-one organizations: it was Sallie Mae on the financial services side, and PricewaterhouseCoopers on the consulting side. I had gotten all my tickets punched. I got my technical MBA at Johns Hopkins University. I actually took it a step farther. A year after I obtained my graduate degree I started teaching as an adjunct faculty at Johns Hopkins -- intentionally.
As a way to increase your network?

Increase my network, increase my exposure. As an adjunct faculty I was giving back to the IT community and the educational community, but at the same time I was greasing the skids for easier access to publications. When someone was looking at my bio and saw I was a director of this, a tech MBA and teach at a graduate level, when I submitted articles I believe they had a little more merit behind them.
What's the biggest mistake you made in plotting your career?

I'm not sure that I made any.
None?

I really don't think that I have. I've gotten consulting experience, I've gotten for-profit experience, I've gotten Big Five experience, I got my tech MBA, I've got publishing experience, I've got my graduate adjunct faculty. The only thing that I would -- I don't know if this is really a mistake. I was about to say, started my graduate work earlier. But Hopkins wouldn't really let me enroll in the program until I had a specific number of years of business experience.
Fifty percent of your experience is in consulting, and you strongly recommend that aspiring CIOs work as consultants. Why?

You've got to get both sides of the fence if you want to be a viable CIO. You have to understand the consulting proposition. You have to know also how to manage consultants and vendors.

Being a consultant makes you a little bit humble. There are many instances where you have to sidestep and put the brakes on what you may know technically or business wise. You may have to deal with a client or a customer that is not that smart or that doesn't know as much as you do, and you've got to figure out creative and diplomatic ways to get that customer on board or eliminate any roadblocks that the customer may be putting up. In the organizations that use consultants regularly, some of the internal employees are a little bit jaded. They're thinking, 'Why did we have to go to the outside, when we could have probably done this on the inside.' Serving in a consulting role gives you far more experience than flat-out IT experience.
Define for us what you call in your book "the IT glasshouse."

I define the glasshouse as the central IT management infrastructure of the past where all decisions, all the systems and all the policies were pretty much made within the IT shop. If you had to classify it as a government, it would be an IT monarchy. Today, I don't believe that works. I am not a fan of 100% decentralized IT, where managers and staff are completely decentralized and put into business units. I am not saying do a 180-degree from the old model. But I do think that today's CIOs need to work more with the business units and customers of their organizations and form better relations to share the risks, responsibilities and project sponsorship, as opposed to assuming the responsibility in IT or forcing a system on a business unit.
There is a lot of talk about letting your business units take responsibility for the technology they use. But how do you do that? Do you get it in writing?

I do. But I don't let them take responsibility for the technology. I let them take responsibility for the business process that drives the solution. So when we are looking at doing a requirement analysis for trying to solve some problem or drive some goal, whether it is increasing revenue or something else, when we put budgeted dollars toward the project, we use an organizational structure that integrates with the project manager in the business unit itself. I bolt on an IT lead and have at least one business VP take accountability as co-executive sponsors. At the end of the day if I don't get signature from a business unit sponsor for a business unit application, I will not press forward. I make the calls for infrastructure, for security, all those good things. That is my job. But if we are looking for a CRM system, for example, to help drive donor management, the CIO should not own that system. It should be owned by the business unit that is responsible for the revenue.

I have a simple phrase: IT drives technology decisions. The business units drive application business technology.
I thought it was refreshing to read in your book that a CIO should have a solid grounding in technology, because so much of what you hear now is that this position is being taken over by businesspeople.

I just met one the other day. A new CIO from the business unit, and I think he's scared. Think about it. I take the inverse view that businesspeople can do the job. I think it is way off, and I am not shy in stating that. Look, this is a profession that in my case includes 20 years of work experience at some of the best companies in America. I have gotten a top-tier education. If you combine all that together, I am somewhere in the 28-year range of progressive IT skills and experience, managing technology and applying it to business. Now, would you hire someone who came up that track, who had all that experience in IT, to head up your financial organization? I wouldn't.
The flip side is why is it hard for technical people to speak in business terms?

Given the amount of time they work on the technology side versus the amount of time they spend in the business unit side, it is so easy to lapse back into all of the different acronyms and the lingo the technology people use. I'll be honest. I have to force myself to be conscious of the fact that when I am speaking to a nontechnical audience to not be too technical. I have to force myself, today, and I am a sitting CIO with a new book out giving guidance to others on how to follow in my footsteps. It's hard.
Does it have anything to do with the notion that the kind of people attracted to technology are very concrete in their thinking; they simply think in a different way from businesspeople?

Working in the technology area takes an analytical, top-down, logical, process-oriented person. That said, I think at some point in their career they have to force themselves to branch off and submerse themselves in an environment, like an MBA, which makes them recognize the other side of the fence and to think like a business person. The technology field attracts far more the introvert than the extrovert. I probably started out as a pretty strong-typed introvert and became a forced extrovert as a result of going up the ladder.
When did you turn outward?

When I realized that it was absolutely one of the most important skills needed for an IT executive to have excellent communication skills.
How long did it take you to hone your presentation skills?

Oh gosh. I'll give you the answer in the form of advice given to me from one of my mentors. I asked how long it would be before I was completely comfortable giving presentations to an audience I had never met before. The answer was, once you've done your first 100 or so, you'll get the hang of it.
Your book's title is Straight to the Top, and top for you is CIO. Do you ever think there is somewhere else to go once you're a CIO?

Absolutely. I think it is the next-generation track to chief operating officer, and potentially a CEO of a technology company. I can tell that my career aspirations include one or two of these tracks.
You devoted an entire chapter to golf. I found that a bit shocking.

It wasn't the whole chapter. Half of it was about the vendor management function. I talk about the importance of relying on vendors, having a vendor management strategy, in my case reducing the overall number of vendors, and distinguishing between commodity-based vendors and strategic vendors. I consider Dell a commodity-based vendor. I buy stuff from them and put it in. A strategic vendor will actually help me go from Point A to Point B. It might be a CRM vendor. It might be a consulting vendor. And I talk about that whole process of how do you manage and scorecard your vendor and different approaches for doing that. And I ask other CIOs how they do it. So you'll see stuff about outsourcing.

Then, halfway through Chapter 8 is when I start talking about integrating sports to build your relationships and to grow your network and build stronger relationships with your vendors.
But why go out with them at all, especially given the sensitivity about conflict of interest these days?

Well, let me ask you, define conflict of interest.
There are some companies that say don't even go out for a cup of coffee with your vendors, because you don't need to be friends with them or beholden.

That would be the federal government. And you know what? I understand why they do it. But I don't think that a cup of coffee is going to materially make a difference in the decision to purchase goods or services. I think the federal government has just decided to take that track. But I take the issue beyond the level of the CIO. How many CEOs do you know who go out and have dinner with some of their partners and vendors and colleagues? And how many CEOs and presidents do you see on the golf course? I can tell you I played golf in a tournament and John Thompson was there. He is not a CIO. He is the CEO for Symantec.

It doesn't have to be about who pays for what, as I clarified in my book. My guidance to people is, check what your policies are. If there is a no-pay policy, fine, pay for yourself. There are some clear benefits of getting out of the office and spending some time with people, getting to know them. And at the end of the day, because I have a better relationship both professionally and through sports, I have several vendors who I can pick up the phone and say, 'Listen Tom, I need this done, you need to help me out with this.' Now granted, they should be able to do that regardless, as a vendor. But it doesn't work that way. And if you look at the quotes from the vendors in the book, people tend to reciprocate, form partnerships and get more stuff done, cut through the [bull], when they have a better relationship. And I have found that a 30-minute meeting in my office doesn't get me a better relationship with a strategic vendor.
Another piece of advice you give is that a CIO has to think like a chief financial officer. Why?

If you don't start thinking like a CFO, you're going to be reporting to one.
What is so bad about reporting to the CFO?

Because historically, CIOs who report to CFOs are doing so because the CFO is not comfortable with their financial management skills, or the CIOs need to be reined in on their cost controls. The other research that I found is that CIOs who reported in to the CFO spent overall less percent of the company's revenue than those that didn't. A CFO's job is internal controls, audit, cost containment, financial management and reporting. I don't think that is the best creative place to put a potential innovator and catalyst, such as the CIO, who interfaces with just about everybody. There is no other executive that touches every other point of the organization.

Gregory Smith, author of "Straight to the Top: Becoming a World-Class CIO" and CIO of the World Wildlife Fund, talks about his carefully plotted route to the executive ranks and offers some tips for aspiring CIOs.
By Ed Parry, News Editor
What are some of the toughest SOX challenges for CIOs?

CIOs were brought to the table late. SOX was viewed to be a financial accounting project. In many cases, CIOs thought it was another Y2k initiative, and they didn't have to worry about it after Jan. 1. I think SOX is more like Y2k every day. This is a permanent issue, and most organizations aren't set up to deal with that. One of the toughest questions is 'what do you do from a compliance standpoint next year and thereafter?'

Also, some accounting firms are asking for evidence of controls from the time systems were implemented. Nobody kept that documentation, so it's really hard to reconstruct. That makes it especially difficult in some environments where IT systems are customized or modified -- where there's a lot of knowledge in individuals' heads that's not committed to paper. There's not a lot of quality assurance in IT that ensures evidence is committed to paper -- that's almost a new priority.

It's also vague and open to interpretation by accounting firms and individuals serving that account. Different firms have different expectations. A lot of this is judgment.
What does the CIO need to be doing?

I think depending on the size of the company that the CIO has to get involved from a project management standpoint and know the quality and integrity of the systems that are already deployed. Compliance is not as important as other things [to many firms] and may not be in their budget and was not a business objective at the beginning of year. It's a pain!

The CFO and the audit committee are usually the two who have to understand SOX. But you need a culture where the CIO also understands it. The CIO doesn't have to certify, but I'd want CIOs to certify. Why wouldn't I want my colleague to sign before I sign a public document? That's already happening in larger companies, although you'll never see it in writing publicly. It's done internally though -- it's called accountability.
As an auditor, what are you looking for when you enter the IT department?

IT controls of particular importance are related to physical and access security systems, development and change, and operations backups production. I look for governance -- how the IT function is managed. The more systems you have and the more people in the building running and maintaining them, the more likelihood of slip ups.

The bar is very high for passing and very low for stumbling. IT controls are considered pervasive -- poor controls could undermine the integrity of financial systems and processes. It requires more to prove everything's running soundly in an IT environment.

CIOs are fearful that if they get adverse opinions from auditors, it will be in operations backups and security over the network and database. You can have a great accounts payable, but if it runs on a computer that people can break into, management has to prove that if a break-in did happen, something was done before anything bad happened. You have to prove you can detect and fix wrongdoing quickly.
What red flags are you looking for?

Is IT organized to show evidence of supervision, governance and segregation of duties? When you can't find that, and you don't know who reports to whom, that's disconcerting. If a CIO doesn't have a business focus and is a techie who ended up as CIO as the result of turnover, their ability to adapt to controls becomes a stretch.

Also, if there's a lot of systems in a lot of locations that don't talk to each other -- especially if they're old systems -- that's a problem. The absence of documented policies and procedures – no paperwork or protocol – that's a problem too.

That's what we look at when we're scoping this out. If we don't have it, we've got an uphill battle. If there's a level of disinterest on finance or IT, then the chance of success goes down.
What are some common mistakes you see IT making in regards to SOX compliance?

We've found companies with a general ledger system, and more people than necessary have access to it and can change records. We're also seeing contractors and other third parties with too much physical access to computers. You can't have too many people in the computer area who don't belong there. We've also seen companies with backup facilities that don't kick in.
November 15 is creeping closer and closer. What would you say to CIOs who won't make the deadline?

There's a firm I'm aware of that has so much to do, that a good portion of their business won't be compliant. They're trying a bunch of things concurrently -- some documentation, some testing. They could end up spending a lot of money and will have nothing to show for it.

Do some testing so you know controls are sound going into next year as opposed to just saying 'some things work, and some don't -- we don't know which ones.' Either way, you'll have weaknesses. But you don't want the weakness to be governance. You don't want to say that management didn't care. Everything else will be tainted.
So some compliance is better than none?

Absolutely. How many firms will get done fast enough so there's enough time to get new or remediated controls in place that are testable? No comment. There are estimates all over the place, but no one really knows.
A lot of CIOs say there's no precedent for SOX, so they're still unclear as to what to do. Is that a valid argument?

But you could argue no one went through Y2k either, and we survived it. But Y2k was always an IT event. People thought this was an accounting problem. Last winter, I was giving a speech to big company CIOs talking about their getting involved in Sarbanes. I got a lot of blank expressions. When I asked how many were involved in SOX planning and understood what needed to be done on the IT side, one out of about 100 raised their hands. I was shocked.
We've heard CIOs voice their concerns and fears about Sarbanes-Oxley compliance, but what's going through the minds of auditors as they prepare to invade the IT department? Lawrence Baye, a management advisory services principal with Grant Thornton LLP and a SOX expert, talks about some common mistakes CIOs are making and what situations send the red flags flying on an auditor's checklist.

By Ed Parry, News Editor
It sounds like you almost have a blank check to get IT up and going.

[The check] is not completely blank, but I have a tremendous amount of support, both intellectually and financially. During my interview with the CEO and CFO, I was impressed with two things concerning the IT arena. One, they both understood how important IT is to the success of the business. Two, they both expressed a desire to [have] high standards internally and for our customers and to position ourselves in a way that would carry us into the future. I put a presentation [for two new servers] before our tech committee, including the CEO and CFO. I presented my research and explained why we needed them, how much they cost, and how they would benefit the company. Cost to them wasn't a factor -- they wanted to know if it made business sense. The cost was reasonable, the business plan was there, the ROI was there for them to see. It got to the point where they said, 'We've seen enough; go buy them.'
It's obviously a position other CIOs would envy, but are there any pitfalls that go with it?

Yes, resisting the temptation to say 'ooh' and 'aah' and buy the most expensive equipment, software and services on the market. There's a lot of responsibility to do things right. You have to do your due diligence before you make a purchase ... to make sure it's in the company's best interest. Sure, you can say, 'Here's the chance to build the infrastructure I always wanted to build,' but it's not always best for the company. You just don't build a dream IT environment when it's not necessary.
What kind of relationship do you have with the CEO and CFO?

I have an excellent relationship with both of them and all of the other bank officers. When I interviewed with the CEO, CFO and senior vice president, the thing that really got my attention was how well they related to each other. Later, I could tell how well all the bank officers related to each other and that they had respect for each others' expertise. No one said, 'My area's more important than yours.' No one was trying to climb the corporate ladder. The CEO and CFO are true believers in the value of the IT department. We had a meeting this morning about expanding IT's role within [the] company. The CFO is fairly well-educated in IT, as far as terminology goes and some of the technological capabilities out there. He'd be quick to notice if I came in blowing smoke and were trying to build an empire.
Have you found yourself spending more time in the executive suite than you did in previous jobs? How extensive is your involvement in the making of business decisions?

The company wanted someone at a higher level who could bring techies and businesspeople together and take it forward. My involvement at this company is much higher than other places I have been. I attend all officers' meetings. Any time a business decision is being considered that even has the appearance that it might impact IT ... I am contacted, and either I attend or I send one of my staff to participate. [Making the transition into the executive suite] has not been difficult. The hardest thing is not being down in [the] trenches. Your technical skills and knowledge tend to get behind the times because you're in meetings and planning. I have a high level of confidence in my staff. They understand that I trust them and rely on them to give me technically accurate information when I request it. By getting them involved, I find that they participate more willingly and come up with ideas. Example: I was looking for a particular application [and] everything was much more than I needed. A young lady [on the IT staff] walked in and said that she could write the program -- there was no need to go buy something that's more confusing than helpful. So she's working on it.
How would you characterize your relationship with the business unit? Can you speak each other's language? Is there a mechanism in place that facilitates communication?

My relationship with the business units is very good. Since I am the company's first CIO, some adjustments have been made. Some processes are in place now that they didn't have before. One thing I think has helped this relationship is the way I approached my responsibilities when I first arrived. I didn't get here and say, 'I am going to fix everything, and here's what I am going to do.' What I've done is sit down with other officers in the business units, asked questions about goals for the year and what problems they've had in the past. I actually listen when they talk. That's opened doors of communication that weren't there previously. I'm asking them questions, asking what they need. They hadn't had that before -- [an IT leader] keeping in mind that communication is two-way, not me dictating to them what was going to happen. By working with officers, I get their buy-in; they feel they're part of the decision making. Ultimately, I am responsible for the final decision on what to purchase and how to implement, but it's a lot easier when I have their buy-in and participation. It sounds over-used, but teamwork is a big part of the success I have experienced here.
What kinds of technologies are you working with? Any particular success stories or headaches?

We are looking at biometrics. I want to take a look at that and see if it has a fit in my environment and if it would be of viable use for our customers. They look to us for guidance. Some don't have an IT staff at all and look to us. I don't want to recommend anything to them until I have used it, or at least played with it. We're almost done with a huge (for us) product conversion. More than 200 customers are going from dialing up our modems to a Web-based form of communication. ... The transition has been both a headache and a success. The headaches [lie in dealing with] the sheer quantity ... of customers -- more than 200 -- within a short period of time, while dealing with a second conversion at the same time in a different area and doing this with both the Thanksgiving and Christmas holidays in the mix. The success part of this has been the relatively smooth rollout so far, which I attribute to the hard work, knowledge and dedication of my staff, keeping in mind that they also work the help desk for both the outgoing product and the incoming product, while assisting our customers through the actual conversion itself.
Is there a technology you're especially interested in for the future? Linux? RFID?

I come from a mixed background when it comes to operating systems, but my most recent -- and favorite -- is in the Unix arena (HP and Solaris, primarily). I started asking questions about Linux when I got here. I am looking for where Linux might play a role in our infrastructure and might fit better than what we currently have. But I am not an advocate of change for change's sake.
How are you dealing with the looming Sarbanes-Oxley deadline? How are you handling compliance issues in general -- is the onus on IT to make sure all is well?

I work very closely with our compliance officer to ensure that we are implementing processes and procedures that are in compliance with not only Sarbanes-Oxley, but with all regulations -- GLB [Gramm-Leach-Bliley], FFIEC [Federal Financial Institutions Examination Council]. We have audits every year and, before I came on board, our holding company brought in an auditor. I work with her as well. She does internal audits; I assist her in gathering IT's part of audits. We have to be familiar with federal regulations. So when they come in and do their external audits, we make sure our systems and network meet regulations and that processes and procedures are correct. We had an audit right before I arrived -- and got their highest rating. So the bottom line is that I am involved and fully integrated into our compliance requirements. But the onus is not on a single entity, but is basically a company-wide concern.
Do you outsource any functions? Do you plan to do more or less outsourcing?

I do outsource a couple of our applications, more of a hosting-type of outsourcing than in personnel. My staff still oversees, manages accounts, and provides the help desk functions for the application. We've basically taken it and placed it on someone else's server here in the U.S. I don't anticipate outsourcing any of my personnel functions.
Talk about your background and how the CIO position has changed over the years.

I've spent more than 31 years in the IT industry, dating back to 1972. I served in the U.S. Navy for 22 years, which is where I got started in the industry, and worked on a multitude of platforms (Univac, IBM, Honeywell, Sun, HP, PCs) and worked in a variety of positions (operator, programmer, system administrator, supervisor, manager and now CIO). I believe the CIO has moved from a strictly technical type of person/position to a more strategic business partner with the other business units of a company. The CIOs who have the most problems, in my opinion, are those who either aren't allowed to participate in business discussions and strategy meetings, or they try and tell the business units 'the what and how' of IT services that are available, instead of trying to work with and understand the other business units. I've seen both situations, which is why I feel privileged to work with the executives and other bank officers that I do.

Two things make life tough on a CIO, besides budgets. First, technology itself and how quickly it changes. I call it the 'trying to keep up' syndrome. Second, the technical understanding of users in today's world. 'Educated amateurs' are always offering advice or questioning decisions being made by the IT department. People who say 'I have a PC at home; this is what I do. How come we don't do this here?' It makes life miserable. I've seen it not here, but in other places.


Six months ago, Midwest Independent Bank (MIB) didn't even have a CIO. The Jefferson City, Mo.-based company is a banker's bank, which means it's owned by and only does business with independent community banks. MIB provides services to more than 450 retail or "people" banks in Missouri, Iowa and Nebraska -- so it's a good-sized business to have no CIO. But a recent change in executive leadership brought a greater emphasis on IT. Enter Ron Dinwiddie in July 2003. A 31-year IT veteran, this is his first CIO job. In this profile, he tells SearchCIO.com how the transition has gone so far.