Outsourcing

Was there debate within PeopleSoft that it might be a bit shortsighted not to give steady-as-you-go maintenance?

Other than from me? You had development lining up on the side of, 'Absolutely hold to these support polices.' The consulting group wants to sell upgrade services. The development organization only wants to support a limited number of product lines, and there are practical reasons for that. They can't technically support 10 lines forever. In general, they were just incensed it accreted life to releases that they wanted to see retired.
Isn't this a problem for all software?

Everyone has to carry forward their baggage, and a backwards compatibility. Very rarely do you come out with a brand new release that has no connection, in technology, to what you had before, because then you open up the whole competitive realm. 'Well, hell, if your new product isn't really an upgrade, it's a migration, then I might as well look at everybody's else's if I am going to move to a migration.'
How have companies managed this problem before your software maintenance businesses existed?

They thought they could basically use the stick to beat customers forward by threatening them. You've seen that with Oracle. Siebel is the same way -- basically, if you don't upgrade, we're going to pull your support, you'll rue the day, you'll get nothing from us, and we'll still charge you the full amount.
What are the reasons your customers opt for third-party software maintenance?

They do it for different reasons. The small customers were making the move, because it was right after the dot-com meltdown. Prior to that, people were very optimistic, thinking they would be growing 10 times their size. They went in and bought PeopleSoft; it was the Rolls-Royce of HR systems and finance. So now they're stuck with the Rolls-Royce. They love it; they don't want to get rid of it. But they can't afford to keep it. So, a lot of those people, by switching to third-party maintenance, actually were able to keep the software they loved at price points they could afford.
Why did you leave TomorrowNow after the acquisition by SAP?

I left three months after the SAP acquisition; as an entrepreneur I needed to be on to my next thing. I actually was going to go build a software company, but after looking at it, I couldn't stay away from the maintenance stream. When you've got a 90% profit margin, it's just too hard to resist. And TomorrowNow didn't even take 1% of the market. As soon as Oracle announced its acquisition of Siebel, I decided to launch Rimini Street and offer the first third-party alternative into Siebel space.
Oracle must love you, especially given its suit against SAP -- targeted at TomorrowNow.

Oh yeah. I announced Rimini Street at OracleWorld 2005 and I think the words were, 'He's back.' As soon as my noncompetes expired with PeopleSoft and J.D. Edwards products, we introduced those at Rimini Street, too. So now you have two companies -- the captured, SAP-TomorrowNow and our independent Rimini Street -- and we are the only two really credible companies in the industry.
The Oracle lawsuit against TomorrowNow is notable for its strong language -- "corporate theft on a grand scale." Some analysts said that one of the aims of the lawsuit was to scare companies off using third-party maintenance.

Just to give you that color from the lawsuit -- it hasn't deterred the business. The lawsuit actually opened up business -- because some people didn't even know there was a choice. A lot of people read the lawsuit and said, 'My God, Merck and Honeywell, and all these large companies using third-party support.' And instead of saying, 'Wow, look what happened here!' The issue really is, 'Holy gee, am I the only guy paying full price?'
What about maintenance of SAP software at Rimini?

I have a noncompete that expires in January. Let's just say, we're looking with interest at the SAP market. With 30,000 customers, who wouldn't be? They recognize what is good for the goose is good for the gander. You can't complain and say you want Oracle to open up and allow third parties more access and think that is not going to boomerang back on you. They know this is about open access.
AMR analyst Jim Shepherd makes the argument that because everything is changing -- the software platform, the underlying components, your company's business -- that the software needs to be continuously updated.

That's not what we're hearing from clients. They have incredibly stable platforms that they feel like they can run their business on for 10 years. And, in fact, if you look at the recent enhancements from the PeopleSoft product line, it is akin to heated and cooling cup holders -- they're really cool, but it doesn't help me pay my employee any faster.
Who do you go to when you make your pitch? The CEO, the CIO -- who is most receptive to your message?

It's gotta be the CIO and the CFO. The reason is, this is a lot like outsourcing. You're not going to go pitch the IT team how great it is to send your jobs to Infosys. When we come in, how much excitement is there to tell a team, 'Hey, we've got some great news for you -- you guys are going to drive the same car for the next five to seven years instead of that new one you were hoping to play with.' A lot of IT folks do want the excitement of getting new tools and new technology to play with -- and that is part of the fun of it.

Our decision is very much a cost-driven decision, so it is very often the CFO or the CIO who says, 'I'm the guy who has to go before the board and justify we need to spend $2 million on an upgrade when we did it just three years ago, and I can't put down on paper how that money is going to be returned to us in benefits.'

What about people who have just upgraded to the newest version of software -- are they off-limits?

We used to work primarily with more retired or retiring-level versions of the software. Today, 30% to 40% of our business is on the latest versions of the software, so it is people who literally go and do the next upgrade and say, 'You know what, we are done for the next decade. And all that money we bank over the next decade? We will then do a capital expense because a whole new version of software is coming.' In 2015, '17, as late as 2018, you'll see a mature Fusion product against a mature NetWeaver product from SAP, hell Microsoft will probably be offering a full enterprise-level product at the rate they are investing. Rather than play the upgrade game every two or three years that doesn't necessarily yield results but ties up the entire IT team, costs a fortune, instead we're going to make a generational change.
How long should a company hold on to a software product?

We have more customers than ever looking for five- and 10-year guarantees for support. No one makes this change for a six-month change; it is not worth it.

Let us know what you think about the story; email: Linda Tucci, Senior News Writer

It doesn't take much to get Seth Ravin badmouthing big software companies. Ravin co-founded TomorrowNow, which he sold to SAP, and eventually went on to found Rimini Street Inc., an independent provider of enterprise software support services for Siebel Systems Inc., PeopleSoft Inc. and J.D. Edwards & Co. licensees. The companies share the same aim: make software last longer. Ravin's idea of software maintenance evolved from his work at PeopleSoft in the late 1990s. He was in charge of getting 4,000-plus customers through Y2K. The board authorized Ravin to quietly sell customers a Y2K package of support -- on top of their regular maintenance support -- so they could stay on their older releases.

Indeed, as word of the special program spread, enthusiasm reached fever pitch. By 1999, Ravin had customers left and right willing to pay him more than regular maintenance fees, so they wouldn't have to upgrade. Not long after, he left PeopleSoft to join former colleague Andrew Nelson, who had a little consulting business, TomorrowNow.

What is the biggest challenge in getting a job as a first-time CIO? Is it out-competing others who look similar on paper?

I think there is a tremendous amount of competition. Most of the CIO positions out there are usually going through some type of an executive recruiting network. The recruiters I talked to don't usually pull up a set of criteria in a database online. One recruiter I talked to doesn't even recommend candidates putting information into an executive recruiting online database, because most executive recruiters aren't going to use it. They're going to look to the contacts and network of sitting CIOs or deputy CIOs to ask if there is someone on their staff or someone they know.
You became CIO of the World Wildlife Fund at age 37. What helped you most to get that job?

I was recruited for it. I did not approach an executive recruiter for that position; they approached me, at the recommendation of another sitting CIO. I had established my credentials in the private and for-profit sector. I had gotten experience with a variety of technologies at some pretty tier-one organizations: it was Sallie Mae on the financial services side, and PricewaterhouseCoopers on the consulting side. I had gotten all my tickets punched. I got my technical MBA at Johns Hopkins University. I actually took it a step farther. A year after I obtained by graduate degree I started teaching as an adjunct faculty at Johns Hopkins -- intentionally.
As a way to increase your network?

Increase my network, increase my exposure. As an adjunct faculty I was giving back to the IT community and the educational community, but at the same time I was greasing the skids for easier access to publications. When someone was looking at my bio and saw I was a director of this, a tech MBA and teach at a graduate level, when I submitted articles I believe they had a little more merit behind them.
What's the biggest mistake you made in plotting your career?

I'm not sure that I made any.
None?

I really don't think that I have. I've gotten consulting experience, I've gotten for-profit experience, I've gotten Big Five experience, I got my tech MBA, I've got publishing experience, I've got my graduate adjunct faculty. The only thing that I would -- I don't know if this is really a mistake. I was about to say, started my graduate work earlier. But Hopkins wouldn't really let me enroll in the program until I had a specific number of years of business experience.
Fifty percent of your experience is in consulting, and you strongly recommend that aspiring CIOs work as consultants. Why?

You've got to get both sides of the fence if you want to be a viable CIO. You have to understand the consulting proposition. You have to know also how to manage consultants and vendors.

Being a consultant makes you a little bit humble. There are many instances where you have to sidestep and put the brakes on what you may know technically or business wise. You may have to deal with a client or a customer that is not that smart or that doesn't know as much as you do, and you've got to figure out creative and diplomatic ways to get that customer on board or eliminate any roadblocks that the customer may be putting up. In the organizations that use consultants regularly, some of the internal employees are a little bit jaded. They're thinking, 'Why did we have to go to the outside, when we could have probably done this on the inside.' Serving in a consulting role gives you far more experience than flat-out IT experience.
Define for us what you call in your book "the IT glasshouse."

I define the glasshouse as the central IT management infrastructure of the past where all decisions, all the systems and all the policies were pretty much made within the IT shop. If you had to classify it as a government, it would be an IT monarchy. Today, I don't believe that works. I am not a fan of 100% decentralized IT, where managers and staff are completely decentralized and put into business units. I am not saying do a 180-degree from the old model. But I do think that today's CIOs need to work more with the business units and customers of their organizations and form better relations to share the risks, responsibilities and project sponsorship, as opposed to assuming the responsibility in IT or forcing a system on a business unit.
There is a lot of talk about letting your business units take responsibility for the technology they use. But how do you do that? Do you get it in writing?

I do. But I don't let them take responsibility for the technology. I let them take responsibility for the business process that drives the solution. So when we are looking at doing a requirement analysis for trying to solve some problem or drive some goal, whether it is increasing revenue or something else, when we put budgeted dollars toward the project, we use an organizational structure that integrates with the project manager in the business unit itself. I bolt on an IT lead and have at least one business VP take accountability as co-executive sponsors. At the end of the day if I don't get signature from a business unit sponsor for a business unit application, I will not press forward. I make the calls for infrastructure, for security, all those good things. That is my job. But if we are looking for a CRM system, for example, to help drive donor management, the CIO should not own that system. IT should be owned by the business unit that is responsible for the revenue.

I have a simple phrase: IT drives technology decisions. The business units drive application business technology.
I thought it was refreshing to read in your book that a CIO should have a solid grounding in technology, because so much of what you hear now is that this position is being taken over by businesspeople.

I just met one the other day. A new CIO from the business unit, and I think he's scared. Think about it. I take the inverse view that businesspeople can do the job. I think it is way off, and I am not shy in stating that. Look, this is a profession that in my case includes 20 years of work experience at some of the best companies in America. I have gotten a top-tier education. If you combine all that together, I am somewhere in the 28-year range of progressive IT skills and experience, managing technology and applying it to business. Now, would you hire someone who came up that track, who had all that experience in IT, to head up your financial organization? I wouldn't.
The flip side is why is it hard for technical people to speak in business terms?

Given the amount of time they work on the technology side versus the amount of time they spend in the business unit side, it is so easy to lapse back into all of the different acronyms and the lingo the technology people use. I'll be honest. I have to force myself to be conscious of the fact that when I am speaking to a nontechnical audience to not be too technical. I have to force myself, today, and I am a sitting CIO with a new book out giving guidance to others on how to follow in my footsteps. It's hard.
Does it have anything to do with the notion that the kind of people attracted to technology are very concrete in their thinking; they simply think in a different way from businesspeople?

Working in the technology area takes an analytical, top-down, logical, process-oriented person. That said, I think at some point in their career they have to force themselves to branch off and submerse themselves in an environment, like an MBA, which makes them recognize the other side of the fence and to think like a business person. The technology field attracts far more the introvert than the extrovert. I probably started out as a pretty strong-typed introvert and became a forced extrovert as a result of going up the ladder.
When did you turn outward?

When I realized that it was absolutely one of the most important skills needed for an IT executive to have excellent communication skills.
How long did it take you to hone your presentation skills?

Oh gosh. I'll give you the answer in the form of advice given to me from one of my mentors. I asked how long it would be before I was completely comfortable giving presentations to an audience I had never met before. The answer was, once you've done your first 100 or so, you'll get the hang of it.
Your book's title is Straight to the Top, and top for you is CIO. Do you ever think there is somewhere else to go once you're a CIO?

Absolutely. I think it is the next-generation track to chief operating officer, and potentially a CEO of a technology company. I can tell that my career aspirations include one or two of these tracks.
You devoted an entire chapter to golf. I found that a bit shocking.

It wasn't the whole chapter. Half of it was about the vendor management function. I talk about the importance of relying on vendors, having a vendor management strategy, in my case reducing the overall number of vendors, and distinguishing between commodity-based vendors and strategic vendors. I consider Dell a commodity-based vendor. I buy stuff from them and put it in. A strategic vendor will actually help me go from Point A to Point B. It might be a CRM vendor. It might be a consulting vendor. And I talk about that whole process of how do you manage and scorecard your vendor and different approaches for doing that. And I ask other CIOs how they do it. So you'll see stuff about outsourcing.

Then, halfway through Chapter 8 is when I start talking about integrating sports to build your relationships and to grow your network and build stronger relationships with your vendors.
But why go out with them at all, especially given the sensitivity about conflict of interest these days?

Well, let me ask you, define conflict of interest.
There are some companies that say don't even go out for a cup of coffee with your vendors, because you don't need to be friends with them or beholden.

That would be the federal government. And you know what? I understand why they do it. But I don't think that a cup of coffee is going to materially make a difference in the decision to purchase goods or services. I think the federal government has just decided to take that track. But I take the issue beyond the level of the CIO. How many CEOs do you know who go out and have dinner with some of their partners and vendors and colleagues? And how many CEOs and presidents do you see on the golf course? I can tell you I played golf in a tournament and John Thompson was there. He is not a CIO. He is the CEO for Symantec.

It doesn't have to be about who pays for what, as I clarified in my book. My guidance to people is, check what your policies are. If there is a no-pay policy, fine, pay for yourself. There are some clear benefits of getting out of the office and spending some time with people, getting to know them. And at the end of the day, because I have a better relationship both professionally and through sports, I have several vendors who I can pick up the phone and say, 'Listen Tom, I need this done, you need to help me out with this.' Now granted, they should be able to do that regardless, as a vendor. But it doesn't work that way. And if you look at the quotes from the vendors in the book, people tend to reciprocate, form partnerships and get more stuff done, cut through the [bull], when they have a better relationship. And I have found that a 30-minute meeting in my office doesn't get me a better relationship with a strategic vendor.
Another piece of advice you give is that a CIO has to think like a chief financial officer. Why?

If you don't start thinking like a CFO, you're going to be reporting to one.
What is so bad about reporting to the CFO?

Because historically, CIOs who report to CFOs are doing so because the CFO is not comfortable with their financial management skills, or the CIOs need to be reined in on their cost controls. The other research that I found is that CIOs who reported in to the CFO spent overall less percent of the company's revenue than those that didn't. A CFO's job is internal controls, audit, cost containment, financial management and reporting. I don't think that is the best creative place to put a potential innovator and catalyst, such as the CIO, who interfaces with just about everybody. There is no other executive that touches every other point of the organization.

Let us know what you think about the story; email: Linda Tucci, Senior News Writer

Gregory Smith, author of "Straight to the Top: Becoming a World-Class CIO" and CIO of the World Wildlife Fund, talks about his carefully plotted route to the executive ranks and offers some tips for aspiring CIOs.

Who do you report to?

The COO [chief operating officer]. We don't have a dedicated CIO role right now; our CTO is largely performing that function. However, my boss is a former CIO. The CTO and I report to the COO.
What percentage of your job is spent working on compliance regulations?

In 2004, I spent approximately 40% of my time on compliance. Things really fired up in 2004. When I came on board, compliance activities had been building for at least the last 12 months. I was originally hired NOT to do compliance directly. I was to handle the security aspects of compliance only. Then last fall, my boss asked for me to become corporate compliance officer, in addition to my role as CSO. So now I'm involved with other compliance issues. There was no single, executive-level focal point before I took it over. Prior to that, each business unit would identify their issues and address compliance at their own levels.
Do you have any other staff dedicated to compliance?

I have one full-time coordinator and two part-time coordinators working on compliance. We also involve the appropriate business people. The full-time coordinator is a temporary position, ending later this year (2005). Then we'll be relying upon the part-time positions to provide program coordination and help the individual contributors when they have problems. The full-time temporary person was needed initially to get the program on its feet.
What compliance regulations have you had to comply with in the past year? Which were the most challenging?

In 2004, our emphasis was on two areas. First with Visa. Visa has a cardholder information security program. We had to demonstrate compliance with that. Most people might not consider Visa compliance as a big deal compared with SOX [Sarbanes-Oxley] or GLBA [Gramm-Leach-Bliley Act] -- but it was important to our organization. There were real consequences if we didn't meet their test -- they could revoke our right to process Visa transactions. Visa has to approve anyone that wants to process transactions. This security program is a big strategic initiative for them. It also includes a lot of risk for us -- considering we could lose a huge revenue stream.

The other big regulation challenge in 2004 was getting our SAS 70 Type 2 compliance report. We needed to get this report for our customers -- all financial institutions. SAS 70 is a third-party attestation, a common instrument used when two parties work closely together and they want to make sure the other is doing what they're contractually obligated to do. When a bank outsources work to a vendor, examining the SAS 70 report is typically part of the financial institution's risk management program. The banks will look for certain controls in the vendor's organization.

It's an annual event for us; 2004 was our first one. Industry-wide, the increased emphasis on SAS 70, which has been around for quite some time now, has developed as a direct result of increased regulatory pressure on financial institutions. Financial institutions need to demonstrate good risk management practices when they are working with particular vendors or service providers. It's a reality for any financial institution because almost all of them outsource some aspect of their IT or tech operations, thus placing customer date at risk.
You're not a publicly traded company, so you didn't have to meet the SOX deadline. But do you have to meet any of the guidelines indirectly since you work with mostly publicly traded companies?

We have decided to adopt various aspects of the SOX requirements. We think it's just a matter of good business practice. We're currently analyzing now which practices we should adopt and how and when to do it. Most business leaders would probably tell you that if you're a company today that's not subject to SOX or other major regulations, it's just a matter of time before you will be. Eventually, I believe the government will extend these requirements to nonpublic institutions.
All of your customers are financial institutions. Is there even more pressure from them for you to be 100% compliant at all time?

Yes. Since we only serve financial institutions, we are getting increased pressure. I believe there are two specific reasons. First, the auditors themselves are getting more sophisticated on how they evaluate financial institutions. Secondly, the regulations are getting much more strict. As most people know, it's a common practice among financial institutions to outsource some or all of their IT to TSPs [technology service providers]. The regulators have guidelines that tell financial institutions how they should manage TSPs. One specific requirement is that financial institutions can not outsource risk management.

Banks in the past have tended to implicitly outsource risk management along with the systems. Regulators are now demanding that financial institutions prove they are actively conducting risk management on any technology outsourcing contracts. One thing we try to do is recognize what the burden is on the customer. From the auditors -- we try to deliver our services in a way that they meet that burden of proof. We see a lot of the compliance work we do on behalf of our customers as a way to differentiate ourselves in the market.
Do you send any work offshore? If so, is compliance an issue when working with an offshore customer or partner?

We don't send work offshore. We have customers who do that, though. We try to work with our customers on how to manage their risk with offshore partners. For example, we perform a certain amount of systems monitoring and forward anything we find to our customers. I'll give you a specific problem for which there is no easy answer: We bond all of our staff which requires a certain amount of background checking, which is fairly straightforward in the U.S. When a customer of ours is doing business with an offshore partner, our customer typically will want to perform similar background checks. However, it's not always clear how to do that with people overseas. It's usually an issue of how do you find a level of scrutiny that's equivalent to a check you've done with a U.S. worker. But, how does that work in India or wherever your offshore partner happens to be? What's considered to be equivalent?
Have you been audited for any compliance regulations? If so, did they uncover any issues?

Yes, we largely have had customers auditing us. In 2004, we had no less than 10 external audits. We also had six internal audits.

Issues have come up, but nothing I consider to be serious. One example is we had some faulty maintenance performed on an exterior door to our building. When the auditor was checking our physical perimeter, they found the door didn't close completely all the time. Even though that door provided no direct access to a protected area, the incident was noted in the report and we did a follow-up with the maintenance group to explain how important this issue was.

Some of our time and effort working with external auditors is spent working with auditors to help them interpret the regulations for our specific context. These regulations are very complex themselves. Issues brought up by the auditors are often matters of interpretation. We sometimes have to point out to the auditors that there isn't an issue and why -- typically because we have a different control or other compensating controls. But in the end, if the auditor is insistent, we will usually accept the issue and make the necessary changes for the customers. However, there have never been any real show stoppers.
Does the business side fully support any efforts and spending for compliance? Do they realize the value and importance of these initiatives?

Yes, for us it's very obvious. There's a clear connection between compliance and business success. We have no problems with having the business recognize the value of compliance. However, because there is so much compliance that needs to be done, the business often has a difficult time prioritizing what needs to get done.
I read that you have an off-site business continuity and disaster recovery site in Colorado. I assume DR/BC [Disaster Recovery/Business Continuance] plans are essential to the success of compliance regulations. Is that correct? Did you have this site set up before many of the regulations and auditors starting coming out?

There are several compliance initiatives that officially told us we had to have this; VISA CISP, for example. Even so, the reason we have DR/BC is that the business recognizes that the money spent today to ensure business continuity will pay off. You're talking about companies [our customers] that if they're not able to process transactions, the revenue loss for them could be astounding, much more than they are paying for the DR/BC plans. Therefore, the first priority is how to prevent loss of revenue. I think compliance issues are also addressed in there, but ensuring continuous revenue is our No. 1 goal here.
Do new customers ask about your compliance plans or situation? Is it as important to them?

We make sure our compliance goals are included in our initial marketing pitches -- we state we're very in-tuned with their compliance needs. In some cases we're more aware of their compliance regulations than they are. On their side, there's an initial line of questions about whether we're compliant -- basically to make sure we're credible. Most of the customer's effort then moves to making sure we can deliver on their technological goals and that we come in at a good price point. Once they know we're viable -- they'll do more due diligence on us. My point is that they're interested in our compliance efforts, but it's not their No. 1 priority. They want to make sure we can deliver the service first.
Kip Boyle was hired as chief security officer of Pemco Corp. in October 2003. Compliance was not originally part of the job. But as compliance activities grew and became more important at his organization, Boyle was asked to take on the role of corporate compliance officer -- in addition to his current role -- and oversee the company's compliance efforts. In this exclusive interview with SearchCIO.com, he discusses his most challenging compliance issues and how to deal with both internal and external audits.

first 12 months.

Hire an experienced outsourcing consultant and take advantage of new offshoring opportunities.

Extend the lifecycles of desktop and laptop...

value environments, consider outsourcing.

For business-critical environments, focus deployment on where the best value will be achieved at low-to-moderate risk...