Financial Understanding

In 2013 I wrote a series of posts about what to do as a new CIO. My thinking continues to evolve on this topic, but I’ve come to rethink the need to understand the financial model for IT in your organization and to put greater urgency on that understanding.

In an enterprise, an IT organization and associated investments are made to facilitate the operations of the enterprise and to protect the enterprise. We don’t make investments just because they are fun or just because we want to do them. There is a driving force behind these investments.  Those forces are things like: operational improvements (reduce waste, speed, reduced friction, etc.), financial control, collaboration improvement, security, etc.  The benefits of these investments are mostly outside of IT. Yes, some investments benefit IT, but most of what we do benefits other organizations. Saying it differently, the costs might reside in IT but the benefits reside elsewhere.

That is the central problem/opportunity to understand. How does your organization account for this fact of life? This simply must be understood by all parties and it must be clearly highlighted to all parties and that takes a lot of help from Finance. This is probably one of my biggest failures. I should have done more in this area.

Projects in IT can save tens of millions of dollars in operations or across the supply chain yet cost millions in IT to make that happen.

M&A activity is particularly dangerous to IT: unless the costs of integration are budgeted, called out and planned for as part of the go/no-go decision on the acquisition, IT can appear to be spending a lot of money on integration that is not really an IT cost; it is an acquisition cost. I read a while back that the two biggest risks in M&A efforts are merging cultures and IT complexity/integration risks. A company board might decide to spend $600M on an acquisition, but that decision should account upfront for the cost to integrate the companies.

IT spend is a cost to do business. Probably the best answer to this problem is to work out a clearly understood, above-board way to charge costs back to the business units that are driving the investments. That chargeback would include the startup costs for sure, but also might include the sustaining costs to run or support the capabilities. In any case, the costs need to be clearly visible and either charged back or shown back to the business and across the business. Tools like Apptio might greatly help in these conversations too.



Homogeneous Environments

Dear IT Vendor,

Don’t show me presentations that are just about your ecosystem of tools and how well interconnected they are and how all our problems are solved with your complete set of tools or systems.

You need to understand that nobody has an IT environment that is 100% your systems. You might want us to have only your ‘stuff’ but it isn’t going to happen. And I’m not going to write a check for you today to replace all my other systems with just your systems. You don’t know all my constraints and prior decisions and poured concrete so don’t show me a magic fairy tale.

Instead, you’ve got to talk to me about interoperability. You must talk to me about how I can connect your messaging tool with the one I already have in place. Further, you’ve got to show me examples of where this is working. And you’ve got to convince me that this is what you want to support. You’ve got to talk about openness, open standards, APIs, etc. And don’t try to steer me in a direction that is going to lock me in. I’ve got enough of those lock-ins and I’ve grown tired of them so I’m on to you.

If your story is only about you, then I’m going to tune out.

Thank you,


[wrote this post long ago and it never got published for some reason…]

Rebooting Work

Last year (2012) I attended Dreamforce in San Francisco. As a CIO, I was invited to be part of an executive track of some kind and the first night of the conference, a reception was held at a nearby location. At the reception, I knew just about nobody. Well, nobody. However there was food, music, etc. I walked around for a while, got a drink, then got a plate of food. I looked around and saw someone standing off by themselves with a plate of food. I decided to join him.

Through our conversation, I learned that he was a former CIO and that he was now on the board of His name was Maynard Webb. We proceeded to have a great conversation for about an hour and then we parted ways. During the conversation, I learned he was working on a book which is now out and called Rebooting Work: Transform How You Work in the Age of Entrepreneurship.

In the book he references a time at work where, “Maynard wondered if the people he encountered throughout his life would walk over to say hello or turn and walk away. He then stressed the value of conducting oneself in ways that draw people toward you.” which made me laugh given our encounter and conversation.

The book is about how work is changing and how one needs to be the master of their own career. Things are a changing.

What does all this—mobile, cloud, social, platforms, and applications—have to do with work and with you? In one word, everything. You can think differently about how and when you work, and you should. Technology, and applications of this technology, will continue to improve and evolve, providing unprecedented, global access to information, individuals, training, and opportunities. But perhaps most important of all, technology provides individuals with unequaled flexibility. You don’t have to be bound to geography anymore, and you don’t have to be tied to one company anymore.

If you are starting out or in the middle of a career, I recommend Maynard’s book to you. It is complete with stories and ideas that just might make a difference.

You can read more about Maynard here.

2D) Mobile

I’ve not said a lot about mobile on this blog over the years. Frankly, I’ve not thought that much about it given some environmental reasons. However, I’ve reached the place where I’m agreeing with those who are saying ‘mobile first.’ I’m not a guru on this topic and I’ll defer to others who are better prepared and equipped to recommend strategies in this area. Here are some thoughts that come to mind based on my experiences:

  1. On mobile platforms, you must also make sure that you have some security components in place on the mobile devices to protect against theft or loss of the devices. You’ve got to enforce some policies on the device to require passwords and do remote wipes. If you don’t have these basic capabilities in place, then you need to start the mobile conversation here.
  2. Two-factor authentication or other forms of device password security need to be in place. Of course there are 3rd parties that will help with this for your organization. This is part of a broader series of questions that you need to ask about mobile device security and roadmaps into the future.
  3. Once basic platform security is in place, you must enable basic mobile messaging, calendaring and chat features for your organization. Your people need to be able to connect reliably to the point of having no issues. These are table stakes. Related, we are past the time when IT can only offer Blackberry support.
  4. After 1-3, one needs to understand the applications strategy, if any, for your organization. Are you providing business applications for smart phones? If so, for which platforms (iOS, Android, Windows Mobile, etc.)? If you are limiting the platforms why? Is there demand for more platforms? What is your IT organization’s thinking about providing mobile applications for the workforce in general? Are you wanting to develop on mobile first? Is there a need for such? Is there a demand for such?
  5. Are you developing mobile applications on multiple different tool sets and platforms? If so, why?
  6. Finally, does your organization have mobile policies in place that users must accept? If you are going to do a remote wipe on a device, it is best that the employee has heard of that possibility in advance.

It seems that the world is now going all mobile. We’ve all become addicted to doing transactions and tasks on our mobile phones when we can. For an IT organization to be successful in the future and for an IT leader to be successful now and in the future, you must have a mobile strategy and plan.

What mobile thoughts have I left out? And thanks to those who follow along.



2C) Supply Chain

For whatever your organization does, what is the supply chain? From inputs to outputs? This is the engine that fuels the results of the organization. If you are a non-profit taking care of babies, then what donations are coming from where, how is the organization processing those donations and then how are they being distributed? If you make something, then what parts and services are required to generate the output that you sell? All organizations have these processes and as a new CIO, one needs to get their arms around those processes and how IT is supporting the ‘chain’.

Related, the reverse supply chain also needs to be understood with the same questions asked and answered. The reverse supply chain is for items being returned for whatever reasons.

In some cases, the phrase Order to Cash (OTC) is relevant, as it covers everything from orders being placed through receiving cash (or equivalent) back from your customer.

Questions that should be considered and reviewed:

  1. Prioritization of Projects: How are your business partners prioritizing what they need IT to do and how is the relationship with these partners? Does the business have a collaborative partnership with IT to get things done?
  2. Shadow IT: Is there an out of control shadow IT needed by the organization to be successful? If so, why? Are there IT components being sourced, paid for and installed by the business independent of IT? If so, why? In these cases, the IT leadership needs to work on better collaboration and partnership with the business. Typically these things are being done because either a) someone in the business wants to be in IT or b) the business is just trying to get their job done. In either case, a conversation and fresh start is needed.
  3. 3rd Party Collaboration with Suppliers and Customers: What is the strategy and what tools/processes are in place to tie your extended supply chain together? Are things like co-planning being done where customers are sharing their future needs with your organization and if so, how and what tools are involved and how healthy are they? Just as your organization might want better visibility with customers, you must do the same for suppliers. Be the customer you want your customers to be. How is IT facilitating the ease of doing business? Perhaps visit with some customers or suppliers directly. Here is a post from InformationWeek that addresses the collaborative supply chain strategy.
  4. Signaling and Metrics: Does the organization have the level of signaling and measures in place to have full and deep visibility of the supply chain? Visibility needs to range upstream in suppliers and downstream to customer warehouses. Are there dashboards in place? Are there analytics about the health of the supply chain that cover logistics, warehouse inventory levels, order status, etc.?
  5. Security of the Supply Chain: How are you securing the sharing of information between suppliers and customers? How are you securing plans, drawings, IP, etc.? And don’t forget to think about the business continuity capabilities of your suppliers. Don’t assume anything.
  6. What else? Your business is unique and are you appropriately looking at those unique aspects too? For example, if you have sub-components that need very long lead times to produce, then how good are your forecasting processes and tools? Long lead times likely mean you have to order things before you might have real orders in place. Do you have those thoughts well underpinned?

Your organization is unique so don’t assume what others do or say is the right answer for you. And just because a big software vendor wants to sell you something because everyone is doing it doesn’t make it right for you. I’ve learned that lesson myself.

What else?

2B) IT Operations

There are lots of topics in this area and those in IT have lots of stories to tell about their operations. I’ll list a few points here and perhaps do another list later or update this later with further points.

An IT shop begins and ends with how well it does basic operations. The services that are provided need to work reliably before one can begin discussions about adding new services or systems. One needs to have an honest assessment of how things are going and this should include both a qualitative understanding and a quantitative, metrics based understanding. When you talk to your peers, what did they tell you about how IT was doing? Did they give you any insights? On the metrics front, do you have real trend lines about uptime and costs and power consumption and outages? Can your team account for outages and talk about them to root cause? Is the team trying to fix problems at the root cause or just doing a ctrl-alt-del type fix?

Even if your ‘services’ are outsourced to a 3rd party, you still are accountable for it to the organization. You aren’t off the hook if the system runs in the Amazon cloud or Google Cloud or Salesforce, etc. Putting a service in the cloud doesn’t relieve you of this responsibility.

So here is a list of some ideas, some of which are repeats from above:

  1. Power costs and consumption for your data centers.
  2. System/service uptime/downtime events (frequency) and duration (how long down). Note that these are different things and have different solutions. You need these for all your mission critical services and core or base level services. Remember that email is a mission critical system to your knowledge workers.
  3. Disaster Recovery testing data.
  4. Overall IT Operations costs and trends in a fashion where you can drill down to understand what is driving your costs.
  5. Equipment aging.
  6. Patch status on all levels of the stack. Network, server, OS, database, applications, clients, etc.
  7. Audit findings, testing and assurance practices.
  8. Accounts and in particular trusted account review process and frequency.
  9. Security monitoring and logging.
  10. Integrated monitoring across your whole stack where you can relate events between systems and services. Security Information and Event Management (SIEM) tools and practices that are robust.
  11. And your help desks should be providing you a rich set of information about what services are providing the most grief to your workforce, suppliers and customers. Why are people calling in for help?

There are more ideas and I could probably keep writing. I must highlight an earlier post on Checklists that I think helps you assess the maturity of your operations. Whether you are using checklists, whether your escalation rules are clear and followed, and whether your team is researching problems to root cause are all indicators of maturity.

If I’ve left out some major thoughts or you want to add to this list, please let me know in the comments.



2A) Collaboration Tools

Given I write about collaboration frequently, it would obviously be a front-burner topic that needs investigation and understanding in a new role. You need to understand how your employees are working together to share information, work on projects, communicate with each other and generally get things done. This would include the following topics:

  1. Review the health and status of the email ecosystem. Is it appropriately robust, secure and reliable? Is SPAM filtering effective? How is the system protected from malware? If it is a locally hosted system, is it secured and is it relatively up-to-date on patches? How is the uptime on the service?
  2. Look at other collaboration systems. This might include SharePoint, wikis, instant messaging/chat services, Yammer, etc. How are these tools being used? Ask similar questions to those for the email service. Are your employees using these tools? How much overlap between tools do you have?
  3. Telepresence/Video Services. What tools are you using and how are they being used? Are they appropriately secured? Are they being used? Is the technology up-to-date? Are they easy to use?
  4. Partner Connected Tools. For the above tools, are they being used to connect with customers and suppliers and if so, do you have the proper policies and security setup? If email is the only option for your folks to connect with partners, then you might want to consider alternatives since there is not a lot of control on email.
  5. File Sharing. How are files routinely being shared between internal work groups and then with external partners? Is the proper security in place and at the same time are the tools and services easy to use?
  6. Other Tools. After reviewing the above tools that are supported by your company, what other tools are being used that are not supported? For example, if your IT team doesn’t support Dropbox are your employees using it anyway to store files and to share with 3rd parties? Lots to think about here. Depending on your business you might need to put some restrictions in place or roll out a supported platform and steer use to the supported platform.
  7. Social Platforms. And then what about services like Facebook and Twitter and the like? Are you allowing or blocking and if so why or why not? I’m not recommending one way or another, but you need to have a discussion on it and be purposeful in your direction.
  8. Mobile. I’ll likely write more on this later, but how can all the services above be accessed by mobile workers?

There is a huge inventory of topics in this one post and they are complicated, with lots of interdependencies and lots of security implications. Your collaboration services are inherently in conflict with your security needs so you’ve got to understand both sides of that coin for these services. The point of listing this for new CIOs is to make sure these topics get carefully reviewed.

What have I missed on this topic?