Security

In today's economic scenario, how can CIOs get the best value out of shrinking IT budgets?


Although it may sound harsh, I would say that the CIO should stop spending. He should evaluate his existing assets, and then decide what he can deliver using those assets. For example, assume that you have 20 servers, 25 databases, 30 applications and a staff of 25 programmers. Can you deliver the value that business requires with this staff without hardware investments?

Yes. This can be achieved with reengineering, re-staffing and staff rotation.

A CIO should also resist the tendency of unnecessary upgrades or migrations. Don't get carried away by what vendors suggest. For example, suppose I have a budget of Rs 5 crore. That budget should be used for extracting new value out of existing software. Instead, for most CIOs who have an ERP implemented, the effort is to go to the next version just for a couple of new features. In my opinion, you can implement add-ons which extract those values from the old system. If you have good programmers, this can be achieved. If business requirements absolutely demand a new version, definitely go in for it. Otherwise, the old system can be tweaked to get incremental functionality.

Be a bit more conservative on infrastructure investments, and try to use outsourcing as much as possible. If everything is in-house, you are not able to make 100% use of this investment. For example, most hardware runs on 25-30% of capacity, whereas 70-75% capacity goes waste. With outsourcing in place, you pay as per your usage. So you save on capital investments and running costs.

Can you give us some examples of the aspects that can be looked at for outsourcing?


Start from data center. You can look at managed services. Sometimes, if it's not a large operation, you can sign up for Software as a Service.

Common concern here is of security going out of your control. Always understand that it's a matter of governance. If proper governance is not in place for your IT setup, this can happen even in a new organization. So outsourcing is not necessarily the culprit.

Should you renegotiate existing contracts?


There's no harm in trying. In my opinion, you have to create competition between your existing vendor and a competing new vendor. If you negotiate directly, he won't listen. So bring in a new vendor who quotes lower. This will make things easier.

How do you handle re-staffing and re-skilling?


Companies which believe in managing a large number of IT projects through their in-house staff definitely need to look at re-skilling. For example, I use a technique where I assign three technologies to a group, which has three to four people. One becomes the leader by virtue of his experience and role. The other two are the followers. After six months, I remove the first person and assign him to look after another area. The second person now assumes charge of the group. It's not like if someone is a Basis expert in SAP, he will retire as a Basis expert. I move them after three years.

Second is that I always create new challenges for my staff by putting them in charge of a new technology every year. So they gain new skill sets. Always ensure that they have an enjoyable experience. You have to see that they should find a career in the technology.

With IT budgets coming down, staff training has also come down. How do you cope with that?


Learning new skill sets does not happen with two weeks of classroom training. It should be on-the-job training.

For example, we had undertaken migration from Microsoft SharePoint Portal 2003 to Microsoft SharePoint Server 2007. The challenge was to migrate Hummingbird IDMS to SharePoint Server 2007. Now the staff member was not conversant with SharePoint Server 2007, but she mastered it and completed the migration in three months.

Now, I had the budgets for outsourcing, but the objective was to create a challenging opportunity for a team member. Today we are able to roll out the technology in other parts of our business. We'll also be saving at least Rs 50 lakh.

What about using cloud computing's touted benefits?


Yes, cloud computing will work, but not the way that vendors portray. Software as a Service will definitely work. Corporates can use cloud computing for their own group companies. For example, we have two associated refineries. Why should they invest in infrastructure that we already have?

So our sister concerns use part of my ERP -- the catalog management system. We've asked them not to buy any software and hardware. Our manpower manages their system, and we charge them a very nominal fee. Such efforts substantially reduce hardware and software costs.

How can a CIO deal with reduced IT budgets? M D Agrawal, the deputy general manager of IS (refinery) at Bharat Petroleum Corporation Ltd., shares tips.

What is the biggest challenge in getting a job as a first-time CIO? Is it out-competing others who look similar on paper?

I think there is a tremendous amount of competition. Most of the CIO positions out there are usually going through some type of an executive recruiting network. The recruiters I talked to don't usually pull up a set of criteria in a database online. One recruiter I talked to doesn't even recommend candidates putting information into an executive recruiting online database, because most executive recruiters aren't going to use it. They're going to look to the contacts and network of sitting CIOs or deputy CIOs to ask if there is someone on their staff or someone they know.
You became CIO of the World Wildlife Fund at age 37. What helped you most to get that job?

I was recruited for it. I did not approach an executive recruiter for that position; they approached me, at the recommendation of another sitting CIO. I had established my credentials in the private and for-profit sector. I had gotten experience with a variety of technologies at some pretty tier-one organizations: it was Sallie Mae on the financial services side, and PricewaterhouseCoopers on the consulting side. I had gotten all my tickets punched. I got my technical MBA at Johns Hopkins University. I actually took it a step farther. A year after I obtained by graduate degree I started teaching as an adjunct faculty at Johns Hopkins -- intentionally.
As a way to increase your network?

Increase my network, increase my exposure. As an adjunct faculty I was giving back to the IT community and the educational community, but at the same time I was greasing the skids for easier access to publications. When someone was looking at my bio and saw I was a director of this, a tech MBA and teach at a graduate level, when I submitted articles I believe they had a little more merit behind them.
What's the biggest mistake you made in plotting your career?

I'm not sure that I made any.
None?

I really don't think that I have. I've gotten consulting experience, I've gotten for-profit experience, I've gotten Big Five experience, I got my tech MBA, I've got publishing experience, I've got my graduate adjunct faculty. The only thing that I would -- I don't know if this is really a mistake. I was about to say, started my graduate work earlier. But Hopkins wouldn't really let me enroll in the program until I had a specific number of years of business experience.
Fifty percent of your experience is in consulting, and you strongly recommend that aspiring CIOs work as consultants. Why?

You've got to get both sides of the fence if you want to be a viable CIO. You have to understand the consulting proposition. You have to know also how to manage consultants and vendors.

Being a consultant makes you a little bit humble. There are many instances where you have to sidestep and put the brakes on what you may know technically or business wise. You may have to deal with a client or a customer that is not that smart or that doesn't know as much as you do, and you've got to figure out creative and diplomatic ways to get that customer on board or eliminate any roadblocks that the customer may be putting up. In the organizations that use consultants regularly, some of the internal employees are a little bit jaded. They're thinking, 'Why did we have to go to the outside, when we could have probably done this on the inside.' Serving in a consulting role gives you far more experience than flat-out IT experience.
Define for us what you call in your book "the IT glasshouse."

I define the glasshouse as the central IT management infrastructure of the past where all decisions, all the systems and all the policies were pretty much made within the IT shop. If you had to classify it as a government, it would be an IT monarchy. Today, I don't believe that works. I am not a fan of 100% decentralized IT, where managers and staff are completely decentralized and put into business units. I am not saying do a 180-degree from the old model. But I do think that today's CIOs need to work more with the business units and customers of their organizations and form better relations to share the risks, responsibilities and project sponsorship, as opposed to assuming the responsibility in IT or forcing a system on a business unit.
There is a lot of talk about letting your business units take responsibility for the technology they use. But how do you do that? Do you get it in writing?

I do. But I don't let them take responsibility for the technology. I let them take responsibility for the business process that drives the solution. So when we are looking at doing a requirement analysis for trying to solve some problem or drive some goal, whether it is increasing revenue or something else, when we put budgeted dollars toward the project, we use an organizational structure that integrates with the project manager in the business unit itself. I bolt on an IT lead and have at least one business VP take accountability as co-executive sponsors. At the end of the day if I don't get signature from a business unit sponsor for a business unit application, I will not press forward. I make the calls for infrastructure, for security, all those good things. That is my job. But if we are looking for a CRM system, for example, to help drive donor management, the CIO should not own that system. IT should be owned by the business unit that is responsible for the revenue.

I have a simple phrase: IT drives technology decisions. The business units drive application business technology.
I thought it was refreshing to read in your book that a CIO should have a solid grounding in technology, because so much of what you hear now is that this position is being taken over by businesspeople.

I just met one the other day. A new CIO from the business unit, and I think he's scared. Think about it. I take the inverse view that businesspeople can do the job. I think it is way off, and I am not shy in stating that. Look, this is a profession that in my case includes 20 years of work experience at some of the best companies in America. I have gotten a top-tier education. If you combine all that together, I am somewhere in the 28-year range of progressive IT skills and experience, managing technology and applying it to business. Now, would you hire someone who came up that track, who had all that experience in IT, to head up your financial organization? I wouldn't.
The flip side is why is it hard for technical people to speak in business terms?

Given the amount of time they work on the technology side versus the amount of time they spend in the business unit side, it is so easy to lapse back into all of the different acronyms and the lingo the technology people use. I'll be honest. I have to force myself to be conscious of the fact that when I am speaking to a nontechnical audience to not be too technical. I have to force myself, today, and I am a sitting CIO with a new book out giving guidance to others on how to follow in my footsteps. It's hard.
Does it have anything to do with the notion that the kind of people attracted to technology are very concrete in their thinking; they simply think in a different way from businesspeople?

Working in the technology area takes an analytical, top-down, logical, process-oriented person. That said, I think at some point in their career they have to force themselves to branch off and submerse themselves in an environment, like an MBA, which makes them recognize the other side of the fence and to think like a business person. The technology field attracts far more the introvert than the extrovert. I probably started out as a pretty strong-typed introvert and became a forced extrovert as a result of going up the ladder.
When did you turn outward?

When I realized that it was absolutely one of the most important skills needed for an IT executive to have excellent communication skills.
How long did it take you to hone your presentation skills?

Oh gosh. I'll give you the answer in the form of advice given to me from one of my mentors. I asked how long it would be before I was completely comfortable giving presentations to an audience I had never met before. The answer was, once you've done your first 100 or so, you'll get the hang of it.
Your book's title is Straight to the Top, and top for you is CIO. Do you ever think there is somewhere else to go once you're a CIO?

Absolutely. I think it is the next-generation track to chief operating officer, and potentially a CEO of a technology company. I can tell that my career aspirations include one or two of these tracks.
You devoted an entire chapter to golf. I found that a bit shocking.

It wasn't the whole chapter. Half of it was about the vendor management function. I talk about the importance of relying on vendors, having a vendor management strategy, in my case reducing the overall number of vendors, and distinguishing between commodity-based vendors and strategic vendors. I consider Dell a commodity-based vendor. I buy stuff from them and put it in. A strategic vendor will actually help me go from Point A to Point B. It might be a CRM vendor. It might be a consulting vendor. And I talk about that whole process of how do you manage and scorecard your vendor and different approaches for doing that. And I ask other CIOs how they do it. So you'll see stuff about outsourcing.

Then, halfway through Chapter 8 is when I start talking about integrating sports to build your relationships and to grow your network and build stronger relationships with your vendors.
But why go out with them at all, especially given the sensitivity about conflict of interest these days?

Well, let me ask you, define conflict of interest.
There are some companies that say don't even go out for a cup of coffee with your vendors, because you don't need to be friends with them or beholden.

That would be the federal government. And you know what? I understand why they do it. But I don't think that a cup of coffee is going to materially make a difference in the decision to purchase goods or services. I think the federal government has just decided to take that track. But I take the issue beyond the level of the CIO. How many CEOs do you know who go out and have dinner with some of their partners and vendors and colleagues? And how many CEOs and presidents do you see on the golf course? I can tell you I played golf in a tournament and John Thompson was there. He is not a CIO. He is the CEO for Symantec.

It doesn't have to be about who pays for what, as I clarified in my book. My guidance to people is, check what your policies are. If there is a no-pay policy, fine, pay for yourself. There are some clear benefits of getting out of the office and spending some time with people, getting to know them. And at the end of the day, because I have a better relationship both professionally and through sports, I have several vendors who I can pick up the phone and say, 'Listen Tom, I need this done, you need to help me out with this.' Now granted, they should be able to do that regardless, as a vendor. But it doesn't work that way. And if you look at the quotes from the vendors in the book, people tend to reciprocate, form partnerships and get more stuff done, cut through the [bull], when they have a better relationship. And I have found that a 30-minute meeting in my office doesn't get me a better relationship with a strategic vendor.
Another piece of advice you give is that a CIO has to think like a chief financial officer. Why?

If you don't start thinking like a CFO, you're going to be reporting to one.
What is so bad about reporting to the CFO?

Because historically, CIOs who report to CFOs are doing so because the CFO is not comfortable with their financial management skills, or the CIOs need to be reined in on their cost controls. The other research that I found is that CIOs who reported in to the CFO spent overall less percent of the company's revenue than those that didn't. A CFO's job is internal controls, audit, cost containment, financial management and reporting. I don't think that is the best creative place to put a potential innovator and catalyst, such as the CIO, who interfaces with just about everybody. There is no other executive that touches every other point of the organization.

Let us know what you think about the story; email: Linda Tucci, Senior News Writer

Gregory Smith, author of "Straight to the Top: Becoming a World-Class CIO" and CIO of the World Wildlife Fund, talks about his carefully plotted route to the executive ranks and offers some tips for aspiring CIOs.

Did you have a backup data center outside the city? How did that work?

We were running out of California on the back-office system. On the first day of the hurricane, we were able to migrate all the Web site functions to Dallas.
Was that a prearranged plan?

I'd love to tell you 'Yes' -- that I had that foresight. But honestly between you, me and the grand piano, I was trying to migrate away from California and get back in house. And I was very thankful that was one of my timelines that slipped. I (would have been) flipping on the New Orleans migration that week. So I learned a very valuable lesson there.
And that is?

And that is... there is no one hardened environment that is anywhere near as powerful in a disaster as a distributed one. Period.

In other words, I would not say, 'OK, if New Orleans goes away I still got Houston.' It still wouldn't work for me. What happens if Houston's not there when this happens? You're still putting yourself at a single point of failure, is my point. So what you do is think in terms in of pure workflow. What are my critical things? Dispatch. What does that really involve? Well, it might include home data to CAD (Computer Aided Design) data to federal data. And you build a system and a workflow around that. And you can do that via relational databases. You have to have your process flow across those things, various supporting infrastructure, if that makes any sense. It's kind of out there.
Your strategy would have to originate with the CIO, not a vendor?

It has to come from the CIO. The CIO has to be much more of an enabler and less of a keep-the-trains-running kind of guy. The reason I got all the other departments I got is because I was fixing things. You've got to be focused on fixing things, not just keeping things running.
And now you are on your way to pick up an award from the Center for Digital Government and Education?

We were ranked 70th out of 70 major cities (prior to my arrival). We had an all mainframe shop, completely 100%, and a one-page Web site with a picture of the mayor on it -- which, by the way, when I got here, had the wrong mayor on it. We were dead last in everything. What's funny is we had a budget higher then than we have now.

What we did was focus not on gee-whiz stuff, but bang-for-buck stuff, to get the cash. It's like those IBM commercials about things that don't really happen in the real world. I didn't have the luxury of only flipping a switch for this department or that department because I knew I would have to do the back-end integration, and there goes all my savings. So if I flip it all at once, and get voice and data at the same time then I really do only buy one switch. And I really do save the cost of it.

People say, 'Man, you did the largest VoIP in one year. You did 2,500 phones. No city has ever done that. Man, you must really love VoIP.' I say I couldn't care less about VoIP.' So why did I do it? The features? Or the Web browser? Nope, I'll tell you one reason I did it. The same reason we did everything: saving money. Because in the end, we had a $3.2 million budget for phones. And $1.1 million of that was getting the Bell South guys to keep moving the same damn lines back and forth.

They charged me $100 per hour to do that. With VoIP, I plug it in -- and the number follows me. I think I can save $1 million per year doing that. Then we said, 'Well how do we do that? What we can do is get the VoIP. We flip it all at the same time; we count the dead lines. So we turned off 25% of the lines, right there.
And is that the basis for the award, those productivity gains?

No, actually, that's the kind of weird part. That is the stuff I'm kind of most proud of, but no, it was pure functionality on the Web site. We went from zero to 30 online services. We built in a lot of access for the handicapped and whatnot. They don't even know that we built it into a product, which is why we could do the hurricane stuff, why it morphed so quickly.
Your surveillance-camera project got a lot of national attention prior to the storm. Did those survive Hurricane Katrina?

Those stayed up. They stayed up, man. They stayed up in a Class 5 hurricane and not only that -- even the Feds started using them for evacuation. They ended up becoming a signature through this whole thing, because they stayed up. And we're using them now. There's a lot to it. It's not one thing about the cameras that makes them unique. It's the fact that it takes that super high res type camera, combines it with motion detection, separate motion detection software that walks a virtual beat with PTZ, pantone zoom, in conjunction with the way the images are processed and captured. It preserves the chain of custody and limits bandwidth issues while still giving you clarity on the suspect's face, etc. By the way, that one sentence you have no idea how hard that part is to really do.
Get clarity?

Well no, you can get the clarity. But the fact is that with full-motion video on high resolution, I'm going to need build up the Internet the size of Texas to hold all this stuff.

You have to keep the bandwidth down through a series of frame-grabbing things, but also keep your chain of custody clear so the lawyers can't it throw it out. So we had to go through a lot of rigmarole and ACLU guidelines. And then on top of that we … didn't have this huge network to handle that bandwidth. So we had to make them completely mobile and peer to peer, it was really a gumbo of a lot of stuff.
How did you find out they were up?

Well, we were driving around by Office Depot and looked up and said 'Hey man, look there, they're still up.' It was amazing. That's the good part about the fact that we were forced to make them bulletproof. I guess they were hurricane-proof too.
What is the one image that epitomizes Katrina for you?

I think it's when I was handed the phone that I took from a looted Office Depot with the President on the other line. It showed how thin government got.

Air Force One calls and you have to call a number back for security reasons. I said, 'Mr. Mayor I've got Air Force One on the phone that I just stole from Office Depot yesterday.' Stole is probably not the right word -- commandeered -- but that defines it.

The tragedy of it, for me, was that we went through six days of hell and then the guy I was bunking with killed himself. It was both of those things. It sounds cliché but it was really, really a one-of-a- kind triumph and one-of-a-kind tragedy. Actually, there were a lot of moments that I won't forget. There was also, frankly, pulling people from the water. I hate the way this sounds, but I've got two Mercedes and a 60-foot yacht and I've traveled the world, and all that stuff. But there's something about pulling somebody out of the water that is just a wonderful feeling. She had broken ankles. The fact that I could carry a lady with broken ankles and put her in the back of a Humvee... It's that feeling. I won't forget that. I won't forget the bad part. But I won't forget the look when somebody's there and you're pulling them out. You just never get a chance to actually save a life. That's better pay than anything. I've lost a lot of money from lost opportunities -- and just money -- by being a civil servant. But that kind of pay you just can't get anywhere else.
The Web site has morphed in recent days to include press releases, the interactive map showing flood levels and other services. How did you prioritize these?

That is something that came out of my private sector handbook. When we built our Web site, for example, we built our own content management system, verticalized for government. We instinctually did that, instead of just putting up the Web site.

What that allowed us to do, and it's so much easier even than FrontPage, because you literally are able to add functions for credit card costs that really work and take into account all the government factors of doing that. We built a product on that. Before we were low tech; New Orleans had no reputation for tech. Then Steve Ballmer was bringing New Orleans up once a month I heard, talking about Great Plains and our help -- and we were just a stupid little city doing that.

But the Web site doesn't go down and it doesn't crash and we're able to add really complex services back in and out -- because of this content management system we run it on. So we moved that to Dallas (due to Katrina). I've got a handful of Web guys here and they just log in and move objects around. You're going to continue to see that Web site morph from rescue and recovery to now, restoration and things like that. And we're able to do it in the middle of our trimmed-down, army-fatigue-type setting we have here. And just move the objects around.

For instance, we turned on a donation type Web site. People said 'You've got to do one for New Orleans.' And literally 36 hours total, from start to finish, from the mayor saying 'I want to do that,' to us making it live and taking credit cards, we have a Web site up. That takes credit cards. That runs to the government account. That has all these government-oriented ways of doing things. Bureaucracy is kind of built into the product. We're very seamless here. We don't have a rigid customer-vendor thing. It's much more accurate to view the city of New Orleans and our relationship with our contractors as though we were business partners.
New Orleans CIO Greg Meffert and his IT team are due to receive an award this week for having improved their city's portal in a pre-Katrina world. Now the custom-designed features on that portal, and its flexibility, are allowing New Orleans residents to see aerial views of property lots and get the latest information on rescue and rebuilding efforts. Meffert has a private-sector background and a reputation for rewriting his public-sector job description so that he directs several public departments. He has an IT staff of about 100 and a $30 million budget. And now his resume includes Hurricane Katrina, which forever changed the way he looks at disaster recovery, and distributed models. Here Meffert talks with SearchCIO.com about his most harrowing moments in recent weeks and tells us what it's like for a tech guy to be designated to the front lines.

weigh use of social media against security concerns
[Linda Tucci, Senior News Writer]
CIOs are trying to balance the business use of social media with their...

definitions and guidelines for security, privacy and data interchange among identity providers (such as higher-education institutions) and cloud service...