The land of no.
Where dreams go to die.
You've heard all the negative things that get said about IT departments and their leaders, usually by disappointed business contacts who were hoping to deploy the latest newfangled app.
John Matthews, the recently appointed CIO of data analytics firm ExtraHop Networks, offers some ideas.
The Enterprisers Project (TEP): IT is often thought to be excessively risk-averse — the land of no. If true, why do you think this is? Or is the notion wrong, and are most IT leaders taking appropriate risks now?
Matthews: Ever heard the term "CI-Nos?" I sure have. I've been called one plenty of times. The challenge is that IT's charter is different from that of other groups within the organization. Finance has to close the books. Sales has to close deals. IT is tasked with keeping the environment up and running, and the biggest risk that any IT person takes is to do something new, because that something new could shut down your environment. The fact that any risk could take down your environment makes it very hard to want to do it. Nobody notices IT until something breaks.
So how do we change this? It's going to require a fundamental shift in how IT interacts with line of business groups. Right now, IT is seen as a support element, not as an essential part of the business. If IT can successfully pivot from a support system to a line of business stakeholder in its own right, it will be easier to take risks because IT will become a critical part of business enablement, not just a business support system. CIOs will be willing to take more risks because others in the business will understand that some disruption may occur in order to adopt technologies that will ultimately make the business run better.
TEP: What about the proliferation of "rogue" IT? How does this come into the risk-reward equation?
Matthews: Ah, the Magpie Effect. People see the newest, shiniest tool to help solve their business problem, and they jump at it before IT has a chance to evaluate it and its potential impact on the environment as a whole.
Absolutely, rogue IT in the sense of BYOD and BYOC (Bring Your Own Cloud) is a challenge, and there will be things that IT can't see or control. But rogue IT also manifests in plenty of ways that are visible to IT, with line of business groups vetting and purchasing tools designed to help solve a business problem without the input of IT. Simple though it may seem to the particular group that's planning to use it, for IT it can be exponentially more complicated. Adding tools willy-nilly creates a lot of complexity. In IT, nothing lives in a vacuum. Every system is interconnected. Think of it as a game of Pick-up Sticks. Every stick you touch makes every other one move. Imagine what happens when people just start throwing sticks your way.
So how do you tackle this problem? In my experience, it's best to use your rebels. IT should be working intimately and fostering a relationship with the most savvy, tech-focused people in each business unit, understanding their priorities, evaluating the tools that they are interested in, and actively working with them to help them solve their business challenges.
Sure, the worst outages I've ever seen have been caused by rogue IT. The flip side is that the best business benefits I've ever seen have come as a result of rogue IT.
TEP: Any advice you'd give CIOs for dealing with the risk of new technologies?
Matthews: You need to categorize risk, and then decide how much risk the business can take on. When it comes to tools that use or involve personally identifiable information (PII), risk tolerance should be very low. When it comes to applications or systems that have a high probability of bringing down the entire IT environment, risk tolerance should also be very low.
But what happens if your engineering team wants to test drive a new code validation tool, they don't care if it breaks, and it's very low risk to the stability of the environment? I'd call that pretty low risk. Even if the tool might bring down a part of the environment that engineering needs, as long as engineering understands and accepts that risk, it's probably worth doing. Likewise, if your marketing team really wants to try out a new tracking tool that might slow down the website. Do they understand the risk? Is the tool still valuable enough from a business perspective? Probably worth it.
IT tends to be very glass-half-empty, and very focused on how a new technology could be problematic. Instead of pooh-poohing every new technology that line of business groups inquire about, IT needs to focus on educating them about what the risk looks like. Then let them weigh that against the benefit they think it will bring to the business.
John Matthews is the Chief Information Officer at ExtraHop Networks, where he oversees the continuous expansion of the ExtraHop IT environment and counsels the company’s enterprise customers as they evolve their IT operations. Before joining ExtraHop, Matthews led IT strategy at F5 Networks, where he was CIO for nearly a decade. While at F5, Matthews provided strategic technology and management assessments, as well as a common-sense approach to IT operations that provided the best capabilities to the business with the least risk. Matthews guided F5 to the early adoption of new technologies, such as SaaS and cloud computing, to drive costs down while raising overall quality. Previously, Matthews served as an IT leader for MSN Operations at Microsoft, as CIO at Towne Exploration Company, and as Director of IT Operations at Adobe.