Part One of our Second Roundtable Conversation with Enterpriser CIOs.
Panelists
- Tim Elkins, EVP/CIO, PrimeLending
- Lee Congdon, CIO, Red Hat
Introduction
Marc Andreeson famously wrote in 2011 that software was eating the world. In his words, we are “in the middle of a dramatic and broad technological and economic shift in which software companies are poised to take over large swathes of the economy.” The disruption is occurring, Andreeson stressed, because all the technology required to transform industries through software “finally works and can be widely delivered at global scale.” [WSJ, 8.20.2011]
A more contrarian voice is the analyst Gartner Group, which earlier this year agreed in spirit to this change, noting that “every business budget is now an IT budget,” but warned that CIOs must “prepare for extraordinary new security challenges” that include employee data leakage and “highly sophisticated financially and even politically motivated attacks.” Moreover, IT will create 4.4 million jobs by 2015 around big data alone, but will only have enough talent to fill one-third of them. [The Nexus of Forces Changes Everything: Gartner Symposium/ITxpo 2012 Keynote, 1.10.2013]
This roundtable discusses both the “best of times” and “worst of times” argument about the age of the CIO and highlights some of the core issues.
Moving Beyond the IT Status Quo
The Enterprisers Project: To kick off, where do you see IT and the CIO moving into a new age? What gives you confidence? What gives you anxiety? And what kind of ability do you have now to affect change that was impossible 10 years ago or even five years ago?
Lee Congdon: I think we have to continue to get better at making production and projects routine and just deliver those services. In general, there are industry best practices that are increasingly adopted across IT organizations. Certainly, some IT organizations aren’t there yet, but the tools and the capabilities exist to be able to deliver production and projects in a straightforward fashion. Depending upon the support of the organization and the people you’ve got in IT, a tremendous set of opportunities is created by these commodity technologies. Think cloud computing, consumerization, and so on. I think the forward-thinking IT organizations see that as part of their responsibility and ideally are assuming that leadership role from – or with – their business partners. Other IT organizations potentially will get themselves boxed in maintaining a set of legacy technologies and the business will simply do an end run and start to consume those services directly. How long that is sustainable will probably depend upon the organization.
TEP: So you’re talking a little bit about the rogue IT effect, Lee.
Lee Congdon: I’m not even sure I would call it rogue anymore. You certainly can buy a lot of services with a corporate credit card and devices are increasingly driven by consumer technologies. Collaboration tools and other core competencies of IT organizations are increasingly available in the public space much less expensively and with much cleaner user interfaces, so I think it’s a challenge for IT organizations that are trying to defend the status quo. They really need to think about where in their business, based on their knowledge of the business, their capabilities – not easy, because you do have to also be proficient at production and projects – but where they are going to add value in the future? Typically that’s in partnering with marketing or another part of the organization in the short term to take advantage of this big data opportunity as well.
TEP: What do you think, Tim?
Tim Elkins: About three years ago I renamed our department from IT to just Technology. What we were seeing in the mortgage space was that technology was part of the process and, in fact, it was a gigantic part of the process to get a loan done. To me, IT meant keeping the lights on, phones working, computers working, servers are up, all that kind of stuff. But we were doing far more than that with IT. So we’re not typical IT. We’re Technology, a bigger, broader term and a different mindset than just IT. I’m familiar with many mortgage companies that are just IT. The business is really driving itself separately from IT. And what I’ve seen over the last three years is that our project load has grown maybe from running four or five projects simultaneously to about 65 at any one time. Essentially, though, they are all business projects. The business is the owner of about 75 percent of those 65 projects.
TEP: We’ve noticed mortgage rates start to creep up again. Is that affecting your department?
Tim Elkins: What we are finding is that our project load is increasing as our volume decreases, and it’s a conscious effort made by the business. They say, Hey, maybe we can accomplish some of these things that would make use of technology, as opposed to people. Before, during a downturn, it was across the board, okay everybody, we’ve got to reduce to make sure we make budget. We’re not doing the volume we were doing during the refi boom. But we’re finding that there’s just a bigger demand for technology. And our entire industry is having these kinds of conversations. An article came out the other day from National Mortgage News with title “Lenders Dilemma: Invest in Tech or Exit Mortgage Business?”. We’re starting to see it not just in the prime lending area but in our industry as a whole, that technology has huge play.
In the age of business, everyone must be IT-aware
TEP: Are you in a more confident position that IT really can step up and start to replace some things that humans were doing even a couple of years ago, or you do see both IT and the CIO role just kind of moving into this new, much more central position?
Tim Elkins: I’m highly engaged in all sorts of activity. In fact, our number one company objective right now is a major technology undertaking that we think differentiates us from the others. I think being part of the senior management team and to be at the table, to me, that’s behind us. I think if you’re at a company that’s forward thinking, then your CIO is a fully involved player in the business.
TEP: As you do become that new player who’s not just sitting at the table but perhaps leading part of the agenda, where do you see IT as not moving quickly enough, being part of the problem, not thinking through what some of the vulnerabilities could be? Are there areas that you both feel where IT really does have to step up if not what it does maybe in just its ability to make people aware of what it is doing?
Lee Congdon: Yes, IT organizations don’t always communicate effectively. Thinking about how you are presenting your story inside the company and outside the company is increasingly important for IT organizations, and they ignore that at their peril because you can be doing great work and not get credit for it. IT organizations need to continue to be responsible for information security, disaster recovery, incident readiness, business continuity, and so on, but no longer can the business pretend they don’t have accountability as well.
In the case of information security, for example, although the IT organization is accountable for setting the policies, ensuring appropriate education, auditing, monitoring, advising, consulting and ensuring that projects get completed to address risks, business folks have access to technology where they can incur substantial risk, or bad behavior can incur substantial risk, and they need to have accountability for that as well. You can’t control it all with centrally administered technology any longer. It’s just too pervasive and there are too many opportunities for problems to occur, so business people need to assume some of the responsibility.
TEP: Where else is that a concern?
Lee Congdon: The same thing is true with disaster recovery and business continuity sorts of exercises and programs. Even though IT is accountable for keeping the systems up and may be accountable for providing the overall structure and framework for the enterprise, business folks need to think about their accountabilities and their plans independent of the technology so that they can respond in the event of a disruption, whether that’s a weather disaster or a terrorist act. I think, increasingly, the accountability for some of the things that in the past you could locate in the IT organization is actually expanding to a broader part of the business. IT still owns accountability, as I say, for education, information, perhaps coordination, but to think that the IT organization can do it by themselves in today’s environment is probably wishful thinking.
Tim Elkins: I agree 100 percent with that. What came to mind for me is something that I had done recently. When you ask how do you play to win, being in financial services, security is huge. But again, we are a sales organization so we are really focused on doing as many mortgages as we can. Generally, we have quarterly offsites. I usually have the opportunity to present at most of those quarterly offsites, and a lot of times I’m given the flexibility of what I want to present on. This last one, I took something of a risk because I see information security as a huge threat to us, but also I need to convey to the rest of senior management just how important it is and how real it is. If I just present – put a bunch of slides up to show, hey, here are our threat vectors and here is all the number of attacks we had on the business it doesn’t really bring it home. What I did at this last offsite was cover off on some of those quotes and numbers of attacks and attempted attacks. But then I played a video called The Amazing Mind Reader. It essentially shows these people walking into a tent and getting their minds “read.”
TEP: That’s a great spoof.
Tim Elkins: I showed that video and they show that it’s just a bunch of hackers that were feeding information to the “amazing” mind reader. When the video finished, what I announced is that in preparing for this offsite I had actually hired my own amazing reader to do some research on the team in the room. I shared with them the fact that we had all of their Social Security Numbers, their driver’s license numbers, their date of birth, and, in some cases, copies of their signatures, the cars they drove, and information about their family. I told them how easy it was for me to get that kind of sensitive data on all the people in the room. It really brought it home and it made it real. When you talk about how do you fight the security threats, a lot of the fight is internal. You need to get the awareness up and then actually make it real. The goal of that was not just to spook them all, which it certainly did, but it was also to let them know, hey, when you see an announcements coming down and we care about these threats, this is how easy it is. This is what we are talking about and, by the way, we are all responsible for every customer. That was one of the most effective presentations on security that I’ve ever done.
TEP: You really hired someone.
Tim Elkins: Yes, and all I gave them was the names of the people and that they worked at PrimeLending. And I told them to keep it pretty narrow scoped. I’m sure they could have gone and gotten stuff in addition to what we got, but it came in a really nice report that looked very much like that video, if you remember, where on the screen it showed all this information popping up. My report put Xs where the last four digits of their Social were and that kind of stuff. I only did eight of the 25 in the room, but on all eight of them they hit 100 percent, except I think they missed one date of birth. And that entire research project cost me less than $5,000.
In Part Two of this conversation, we discuss: The future of IT: essential, but not sufficient