|
|
By Sarah Lourie, Assistant Site Editor
Tell me about the IT Leadership Academy. How did it start? The IT Leadership Academy is a program that was an initiative of a network of IT professionals, CIOs and CTOs of companies around country. We decided to put it together and house it in one place. We found a sponsor, which happens to be a college in Florida [Florida Community College]. We've been able to incorporate this professional network and the vendors in the field to work on developing the next generation of IT leaders. This isn't necessarily the ones who have just started out either. These are folks who are second and third level, preparing to be CIOs, CTOs, associate CIOs and directors of larger enterprises. How do you try to get new business partners? If you look in the IT news, you will read about major technology implementations that people spent millions on and failed. Vendors are better served by having better leaders making better decisions and doing better implementations of their solutions. The vendors, the IT practitioners and the business leaders are all in this together, so we had a common goal to start with. That's an easy pitch to make. The second part is that companies already spend a tremendous amount of money trying to get people to buy their stuff. We decided that for a small percentage of that amount of money, we could create a lasting network and relationship model where people feel comfortable. It's not very hard to get folks who are already spending money to achieve a desired end, to spend it a little wiser.
What do you think is the biggest challenge facing CIOs today?
I think the biggest single challenge facing CIOs today is the overall complexity of the environment. I don't mean the technical complexity; I mean the business, financial and political complexity. For a long time, IT folks have been involved in very complex system implementations, but they seem to forget that it's really all about the carbonware -- it's about the people, the politics and the relationships. Until you have a trust relationship with the other C-level executives in an organization, it's very difficult to have the opportunity to do difficult projects.
How does the academy address that issue?
It helps an individual IT leader's professional network to help them make difficult decisions. This built-in network includes people that have been successful in the variety of areas and can help navigate a little bit. It also helps them develop individual strategies for how to approach different problems, not just from a technical context, or a project management or leadership context, but from a political context as well. A big part of the ITLA is to actually put long term, successful CIOs, CEOs and CFOs in a room with these nascent IT leaders so they talk about the issues or problems from multiple perspectives.
What qualities do you think make up a good CIO?
I don't think where you started your career is as critical as the mindset that you approach problem solving with. If you understand your organization and if you understand your business, those are the two most important things. The technology landscape changes so much, that to succeed, it takes people who are confident and intelligent enough to be able to work in different tool sets and to be able to solve problems. CIOs need to be able to do that in a creative way, but they also need to be able to do that in very pragmatic ways.
Do you have a formal governance initiative?
We do, but our governance is a little different because we're a college. Basically we have a college wide committee structure. Our governance structure isn't as formalized as you might have in some kinds of businesses. We have faculty who chair our college wide technology committee and then we have subcommittees that all work on specific governance issues. In terms of the management of priorities, ultimately those are decisions that are made in my office. I have to allocate the resources and adjust on the fly if we have budget considerations.
How else does being the CIO of a college differ from being the CIO of a company?
Although I don't have a profit motive, that's a double-edged sword. The one side of it is that you can do things because you opt to do them, not because they will make money, but on the other side, we are very driven by ROI. We do run on a business model, and it's very difficult to make a business case when you don't have a profit motive. I cannot go out there and explain that the improved value is explained by an increased revenue share. I can in some cases, because we're going to add new programs or add new people. But on the other side, it's very hard to assign a value ROI to for a registration system that is easier for students to use. We have to use other tools and other means that were developed for other things. Sometimes you just have to say, "You know what? We can't calculate ROI in a purely financial way. " What we can say is, "we will improve our customer service and it's going to cost this amount."
Has the curriculum at Florida Community College changed since outsourcing has become an issue?
The curriculum hasn't changed a whole lot just because of that, but in the past few years, we've eliminated close to 200 programs, and we've added slightly more than that because we have a very strong organizational commitment to relevance. As our curriculum is refined over time, it typically reflects current business trends and issues. We try to remain relevant to what's going on in the business world.
Do you worry about a decline in interest amongst students wanting to make a career out of IT?
Yes. I worry a little bit when I see our registrations go down. On the professional side, I worry about it a different way. I'm more concerned with the general overall competency in math and science. The most difficult problems require the kinds of thinking and discipline that it takes to become good at math and science. What I find now, is that although they're not IT specific anymore, the same kinds of master problem-solving skills that it takes to become a really good systems developer are necessary to become successful in other areas of the business as well.
As the CIO of Florida Community College in Jacksonville, and the dean of its IT Leadership Academy, Rob Rennie has his work cut out for him. He recently spoke to SearchCIO.com to share how he successfully works with business partners - and how he aligns the constant changing IT industry with his curriculum.
By Ed Parry, News Editor
What' are some of the toughest SOX challenges for CIOs? CIOs were brought to the table late. SOX was viewed to be a financial accounting project. In many cases, CIOs thought it was another Y2k initiative, and they didn't have to worry about it after Jan. 1. I think SOX is more like Y2k every day This is a permanent issue, and most organizations aren't set up to deal with that. One of the toughest questions is 'what do you do from a compliance standpoint next year and thereafter?'
Also, some accounting firms are asking for evidence of controls from the time systems were implemented. Nobody kept that documentation, so it's really hard to reconstruct. That makes it especially difficult in some environments where IT systems are customized or modified -- where there's a lot of knowledge in individuals' heads that's not committed to paper. There's not a lot of quality assurance in IT that ensures evidence is committed to paper -- that's almost a new priority.
It's also vague and open to interpretation by accounting firms and individuals serving that account. Different firms have different expectations. A lot of this is judgment.
What does the CIO need to be doing?
I think depending on the size of the company that the CIO has to get involved from a project management standpoint and know the quality and integrity of the systems that are already deployed. Compliance is not as important as other things [to many firms] and may not be in their budget and was not a business objective at the beginning of year. It's a pain!
The CFO and the audit committee are usually the two who have to understand SOX. But you need a culture where the CIO also understands it. The CIO doesn't have to certify, but I'd want CIOs to certify. Why wouldn't I want my colleague to sign before I sign a public document? That's already happening in larger companies, although you'll never see it in writing publicly. It's done internally though -- it's called accountability.
As an auditor, what are you looking for when you enter the IT department?
IT controls of particular importance are related to physical and access security systems, development and change, and operations backups production. I look for governance -- how the IT function is managed. The more systems you have and the more people in the building running and maintaining them, the more likelihood of slip ups. The bar is very high for passing and very low for stumbling. IT controls are considered pervasive -- poor controls could undermine the integrity of financial systems and processes. It requires more to prove everything's running soundly in an IT environment. CIOs are fearful that if they get adverse opinions from auditors, it will be in operations backups and security over the network and database. You can have a great accounts payable, but if it runs on a computer that people can break into, management has to prove that if a break-in did happen, something was done before anything bad happened. You have to prove you can detect and fix wrongdoing quickly.
What red flags are you looking for?
Is IT organized to show evidence of supervision, governance and segregation of duties? When you can't find that, and you don't know who reports to whom, that's disconcerting. If a CIO doesn't have a business focus and is a techie who ended up as CIO as the result of turnover, their ability to adapt to controls becomes a stretch. Also, if there's a lot of systems in a lot of locations that don't talk to each other -- especially if they're old systems -- that's a problem. The absence of documented policies and procedures – no paperwork or protocol – that's a problem too. That's what we look at when we're scoping this out. If we don't have it, we've got an uphill battle. If there's a level of disinterest on finance or IT, then the chance of success goes down.
What are some common mistakes you see IT making in regards to SOX compliance?
We've found companies with a general ledger system, and more people than necessary have access to it and can change records. We're also seeing contractors and other third parties with too much physical access to computers. You can't have too many people in the computer area who don't belong there. We've also seen companies with backup facilities that don't kick in.
November 15 is creeping closer and closer? What would you say to CIOs who won't make the deadline?
There's a firm I'm aware of that has so much to do, that a good portion of their business won't be compliant. They're trying a bunch of things concurrently -- some documentation, some testing. They could end up spending a lot of money and will have nothing to show for it. Do some testing so you know controls are sound going into next year as opposed to just saying 'some things work, and some don't -- we don't know which ones.' Either way, you'll have weaknnesses. But you don't want the weakness to be governance. You don't want to say that management didn't care. Everything else will be tainted.
So some compliance is better than none?
Absolutely. How many firms will get done fast enough so there's enough time to get new or remediated controls in place that are testable? No comment. There are estimates all over the place, but no one really knows.
A lot of CIOs say there's no precedent for SOX, so they're still unclear as to what to do. Is that a valid argument?
But you could argue no one went through Y2k either, and we survived it. But Y2k was always an IT event. People thought this was an accounting problem. Last winter, I was giving a speech to big company CIOs talking about their getting involved in Sarbanes. I got a lot of blank expressions. When I asked how many were involved in SOX planning and understood what needed to be done on the IT side, one out of about 100 raised their hands. I was shocked.
We've heard CIOs voice their concerns and fears about Sarbanes-Oxley compliance, but what's going through the minds of auditors as they prepare to invade the IT department? Lawrence Baye, a management advisory services principal with Grant Thornton LLP and a SOX expert, talks about some common mistakes CIOs are making and what situations send the red flags flying on an auditor's checklist.
By Dana McCurley, Associate Editor
How do you inspire customer loyalty in such a highly competitive market? It's an evolving area. We started by doing analysis to understand their different needs. From there, we're beginning to develop programs that will meet more specific needs. It's in development. How do you use IT to help CRM? Historically, the CRM strategy was all about getting members to renew and it was around reminders and renewal offers. All that was technology driven. We're now going to be moving into a more complex approach where we have content for members, specific offers for current members. What are your IT governance principles? I think it's important that IT governance be part of corporate governance. IT governance is critical in order for IT to be a sane place to work. Historically, in organizations without a governance structure, no one has any idea what others are working on. That lack of direction makes it hard to know where decisions are made. It's all about a process to prioritize and about being very clear about what IT will spend its energy on. Do you have a governance committee? We have a tech steering committee to evaluate all new major projects. If incremental resources are necessary, they may recommend to the top management committee whether to make the resources available. The group includes the CFO, the chief marketing officer, the controller, the head of operations, the head of CRM, our senior VP of shared services and myself. How do you manage such a widespread network of locations? We have franchises in Asia, Mexico and the Bahamas, but they have their own IT systems. My responsibility is for the more than 400 clubs in the U.S. and Canada. We have chosen a fairly centralized approach. All our data is processed centrally and presented to the field using a thin client and Citrix, so we don't have to worry about software delivery. Almost all of our IT technical staff is centralized. We do use outside providers to help with breaks and fixes for individual clubs.
Do you see any new technologies that will offer Bally a lasting advantage?
I think that our future is studying our members and the way they use technology and figuring out how to connect with them the way they use it. Our demographics are fairly young -- 18 to 35. These are heavy technology users, and we need to figure out how to connect with them using the technologies they prefer. That's our challenge: how to stay on top of where those consumer technologies are going.
Are you trying to become more personalized?
We want to get to [the point where] members tell us how they want to communicate with us -- whether by the Web or by telephone or whatever. Read part 2 of this CIO Conversation
With hundreds of locations across the world and positioned in a youth-targeted and aggressive market, how does Bally Total Fitness CIO Gail Holmberg run geographically dispersed systems? And what is her strategy to connect to this plugged-in generation? We sat down with Gail and tried to get inside her IT department.
services in a vacuum. SOA governance is the way to build in the processes and checks and balances to ensure your company does SOA right, and doesn't end up with a...
IT restructuring includes focus on governance For its part, Gartner is seeing organizations change their cost structures and use IT differently. In particular, some...
|
