The fact is that most companies still view IT and the CIO role through the narrow lens of providing technology-based services; they have not broadened that view to take into account the stunning changes wrought by digital technology. IT is no longer simply responsible for building, operating, and maintaining infrastructure; it’s responsible for data governance, driving growth through data analytics, cyber security, connectivity and integration. However, since most organizations are peering through the old lens of IT-as-service-provider, they are blind to IT as a revenue-producer. The irony here is that Sales, Marketing, R&D, Finance, and HR—those typically considered revenue-producing—are only able to do what they do because of IT and IT’s ability to stay ahead of the curve.

According to a recent IBM study of 4,100 C-suite executives, only 42% of CIOs were involved in strategy, as opposed to 72% for CFOs and 63% for CMOs. This is puzzling. Since IT touches everything, the CIO has an enterprise-wide vision that would be invaluable in integrating an enterprise-wide strategy. Luckily, the IBM study suggests that this is turning around—the CIO is soon going to be considered one of the C-suite “triumvirate,”: CEO, CIO, CMO.

Another reason the CIO role is more difficult than most is that it bears sole responsibility for ensuring business continuity through critical service level agreements that define uptime, availability and redundancy. At the rate of change today—BYOD and big data come to mind, besides the emphasis on ever-changing end-user demands and satisfaction—it’s a lot to juggle at once. Not to put too fine a point on it, the CIO is answerable in a very tangible way to every executive in the C-Suite as well as the end users, both internal and external.

Mary Shacklett, former CIO of FSI International and current president of Transworld Data says this about the role of the CIO today, “. . . virtually every aspect of the business these days is run on systems. When systems fail, even if the wrongdoing originates in business operations, the CIO is still a ‘best bet’ lightening rod to attract the blame.” Here Ms. Shacklett is responding to the resignation of Target’s CIO after the data breach last fall. To my mind, blaming the CIO underscores the notion that IT is still perceived mainly as the supplier of technology and that with the right technology, incidents like this would not happen. But this is patently not true. It cannot be the CIO’s job to absorb all the operational risk.

It is past time to realize that risk management is critical to your operations and adequate overhead should be provided for it. Preventative measures such as performing regular maintenance and security checks is not the place to economize; economies can be made by killing unnecessary demand and scrapping any projects that have either outlived their usefulness or whose value is questionable or negligible. Give IT the budget it requires to undertake the discipline, training, and governance necessary to do the job right. Data and operational security should always take precedence over functionality improvements if you are faced with budgetary constraints.

The U.S. economy for the past few years has been unkind to IT, and now that there seems to be a slight improvement, organizations will be making some overdue upgrades to their hardware, servers, and storage systems. IT will be at the forefront of these efforts as well as efforts to move to the cloud, coordinate the use of employee mobile devices, mine data, and maintain security. I read somewhere that the CIO is not unlike a conductor, orchestrating separate sections into a synchronized whole. I think that’s about right.

Give me your thoughts on how you see your CIO role. How are you/they addressing these challenges? Does the world look different from where you sit? What would you do if you were CIO or CISO?

According to Cenzic ‘s Application Vulnerability Trends Report: 2014, “While the majority of corporations have the important security building blocks, such as firewalls and intrusion protection systems needed for their security infrastructure, not enough organizations have comprehensive tools and practices in place for securing applications.” Faced with a worldwide shortage of Cyber Security professionals (Cyber Security has only recently become a discipline one may major in!), and companies unable to afford the overhead necessary for the requisite training, this situation is not surprising. Bad news for you. Good news for hackers.

Still think you can go it alone? Do you really understand the sheer magnitude of possible vulnerabilities? Here’s a sobering thought: Everything on the network is hackable. Everything—from your corporate computers to a 3rd party vendor to your employees’ Smartphones. Add to this the risky behaviors employees can engage in—sharing passwords, inappropriate web browsing, copying sensitive data onto mobile devices—and you’ve got exposure. Lots of it.

An objective Cyber Security assessment can assist with evaluation and establishment of controls to:

• Implement an information risk management program
• Ensure network security is adequate, including boundary and internal
• Guide user education and awareness
• Verify malware protection and prevention
• Deal with secure configuration and patch management for devices (network, servers, PCs)
• Manage user access and privileges
• Handle incident management
• Assist with home and mobile working

If you feel you aren’t ready to tackle all the items above, you should at least undertake a basic evaluation to consider only the most foundational building blocks for cyber security.

In a survey of its 3,400 global members, Information Systems Audit and Control Association (ISACA) found that although 83% of the respondents recognized Cyber Attacks as among their “top three threats,” only 38% felt prepared to endure one. Make sure you are part of that 38%. If you do nothing else, purchase cyber insurance. If you are ready to take additional steps, we can help.

P.S. On our C4C blog we recently wrote about the fallacy of thinking you are too small to garner a hacker’s attention. I can’t stress the following enough: While big companies more often make the news by getting breached for millions of records, they also have the financial resources to dig out of that hole. Small companies aren’t as lucky. A data breach at a small company can mean closing the doors, for good. Don’t let that happen.

Many companies think because they are small they are immune to a cyber attack—after all, they do not have the net worth of, say, Target ($38B) or Home Depot ($55B) or Walmart ($250B). This is a dangerous misconception. The fact is, whether you are worth millions or billions you are at risk, and your insignificant size might be the very thing putting you in jeopardy.

What makes a small business attractive to hackers? For one thing, smaller enterprises often don’t have the resources to implement the programs and training necessary to prevent, detect, and recover from attacks. Larger organizations do have the resources (including insurance) to weather a breach, but smaller ones may suffer irreparable damage. Another attractive difference is that while larger companies have a more holistic, integral view of IT security that extends across an enterprise, smaller companies tend to have a more myopic view where IT security is relegated to, well, IT. In addition, since smaller companies often have less sophisticated firewalls and detection programs, they may be targeted as a portal for later use as conduits to larger organizations. For example, preliminary investigations indicate that the mess at Target may have been initiated by an employee of their HVAC vendor who opened a malware-laden email. It has been said that you are only as strong as your weakest link, and all too often, that link is human.

Whether you recognize it or not, your organization’s systems and data are exposed in countless ways, including via mobile apps, third party vendors, remote employees, former employees, cloud storage, weak passwords, neglected legacy systems, and social media. In its September 30th report, Managing Cyber Risks in an Interconnected World: Key Findings from The Global State of Information Security Survey 2015, PricewaterhouseCoopers writes,

We also saw increases in attacks on connected consumer devices— such as baby monitors, home thermostats, and televisions— that comprise the Internet of Things, a nascent ecosystem of devices that interconnect information, operational, and consumer technologies. These Internet-connected devices are vulnerable to attack because they lack fundamental security safeguards…

According to Gartner’s 2014 Magic Quadrant for Security Information and Event Management, “more than 92 percent of breaches [are] undetected by the breached organization.”

Are you still feeling invulnerable? No matter how small your organization is, cyber hacking is an equal opportunity threat. As such, cyber security is no longer the province of IT; it is the province of everyone in your organization from the C-suite on down.

Our information security and risk assessment service will help you understand where you have critical risks in your cyber security landscape. If you are feeling uneasy or uncertain about your information security, let us know. We can help.

Why is Cyber/Computer Security so far down on your to-do list? If your reasons are any of the following, you might want to reconsider your priorities.

• Because you live under a mushroom or live off the grid.
• Because your environment is in such disarray that if someone did breach it, the chances of him or her finding anything of value would be remote.
• Because you believe that you are only a little fish in a big pond and hackers have much bigger companies to go after.
• Because no one has requested it and you have more than enough other problems to handle right now.
• Because you don’t know where to start.

Let’s address each of these points in turn.

They can’t find you.  On a recent episode of 60 Minutes, Dave DeWalt, CEO of cyber security company FireEye, asserted that 97% of all companies are being breached. Ninety-Seven percent. So, unless you truly live off the grid, you have likely had a breach already. The real question is how bad is the damage?

They can’t find your valuables.  These criminals are very sophisticated and have the knowledge, tools and patience to find your sensitive data and exploit it.  Hacking has evolved from the lone geek making mischief to an actual profession and, as Lance Cottrell, Chief Scientist at Ntrepid and expert on security and privacy writes, “In most breaches, it turns out the hacker has been inside the network for months.”

Your valuables aren’t worth it.  Wrong again. They aren’t always interested in your data; often they are interested in your financial partner, investor, supplier and customer. Anything sensitive they can sell or make profit from.

You have other priorities.  You will always have other priorities. But believe me, if the hackers come—and they will—you will have to deal with the fallout and that will become your new priority.  With several methodologies at hackers’ disposal such as viruses, malware, botnets and ransomware, cleaning up the damage will be more involved than you think.

You don’t know where to start. Improving your security begins with having a prioritized list of actions based on risks to your company.  A risk assessment will accomplish that and, at the same time, help you raise awareness and understanding with your executives of possible threats and the cost of inaction. It will also demonstrate confidence that you and your team are pro-actively dealing with the today’s cyber security reality: it’s not a question of if, but when.

What is your reason for not having an information security and risk assessment performed ASAP?

If the real reason is you don’t know how, that is where we can help.

The truth is change is coming to a theater near you and soon, but how it comes is entirely up to you. That is the measure of control you do possess. Change can come incrementally or manifest itself as the Big Bang!, and the latter will be much more disruptive than the former, we promise you.

Very often in our line of work we’ll hear someone in IT / IS or Corporate services say, Thank goodness that project is finally finished, as if one particularly pesky piece of business is behind them and it’s smooth sailing ahead. Well, no. If you don’t want to go through the Big Bang! experience (otherwise known as when the wheels fall off), this is not the mindset you should cultivate. Each and every day we at TAG spend considerable energy helping organizations become comfortable with the concept of incremental or continuous improvement. Why? Because if you’re constantly improving, you rarely suddenly arrive at the Big Bang! crossroad.

You can either be the Changer or the Changed, but it is better to be the actor than the acted upon. Change will not be denied. If you choose internal stasis through passivity or inertia, external agents will force you to change because the competition and market won’t take your everlasting comfort into consideration. . .and then what? Right. You’ve got the Big Bang! to survive, because staying where you were allowed the competition and the world to pass you by.

We know change is difficult, so we won’t belabor the point. Nevertheless, if you put the following conditions in place, it won’t be quite so arduous:

Mary Shelley, author of Frankenstein said, “Nothing is so painful to the human mind as a great and sudden change.”  Since change is (ironically) a permanent state of being, leading an adaptable organization focused on steady, incremental improvement is vital. If change is anticipated and implemented without fanfare on an ongoing basis, the hysteria of the Big Bang! will be kept in check.

Goals ► Priorities ► Outcomes ► Initiatives

Do your organizational goals sound something like this: Foster talent by building a culture that maximizes opportunities for growth. Sounds nice, right? But how would you measure that? How would you know when you’ve achieved it? The truth is, it would be next to impossible. Whether you’re creating goals at an organizational level or at an operational level, here are some tips for improving them so that you can demonstrate their achievement.

Describe the outcome.
The trick is to describe the result you hope to achieve rather than the activity. Measuring an activity can result in meaningless metrics. (It is also wise to stay away from words and phrases that cannot be measured such as maximize or more efficient.) Here’s a possibility: Growth and innovation will increase through training, mentoring, and creating time buffers around scheduled projects.

Studies have shown that goal specificity and level of difficulty have a direct impact on employee performance: Goals that are specific and challenging (but not unreasonable) lead to better performance by motivating employees.

Create line of sight.

Just as important, a clear line of sight should exist between corporate objectives and the goals set at the operational level—employees should be able to grasp their roles’ importance in the larger picture. In order to achieve this, it is helpful to include different levels of the organization in developing the goals to ensure consensus, cooperation, and realistic goal-setting.

Define the measure.

Once your goals have been determined, you will be able to think about how you will measure the outcome.

• What are we trying to achieve?
• What behavior are we hoping to encourage? (Key Performance Indictors)
• What will success look like?

Performance measures should be as explicit as your goals, and answer the following:

• What change is being measured?
• How will the change be quantified (generally a number or percentage of something)
• What is the starting point or baseline measure?
• What is the target performance? By when?

It is an old saying but true: you cannot manage what you do not measure. Measuring tracks the specific activities and conditions necessary to support your goals and provides the means by which you communicate to the organization what is important. Measuring also presents the opportunity to identify problem areas and affords employees the ability to monitor their performance and see themselves comparatively. It is therefore vital that you measure the correct things—not the easy things because they exist or because you’ve measured them before—the right things. If your goals have been delineated with specificity and the outcomes you wish to achieve are clear, chances are you will know what they are.

First, using the 80/20 principle, think about which projects are critical, must-haves, and core to your mission (about 20% of the whole array), and set aside those that are discretionary or not vital. During this exercise, projects that should be eliminated altogether should be obvious. (Be ruthless.) Of the mission-critical projects, decide which should proceed and which should be deferred based on urgency and capacity. Considerations during your deliberations should include:

• The organization’s ability to undertake the project:
  • Do you have enough funding and staff?
  • Is there a learning curve?
  • What will on-boarding require?
• Data derived from the success or failure of other projects
• Timing and competition with other critical projects, especially for key SMEs and Management attention and cycles
• How projects may be interrelated and dependent on each other
• New technology and business process changes

Second, having decided which projects should proceed, it is time to collaborate with the entire range of managers, from line managers to senior managers, to prioritize them. Each will contribute something to the debate, and it is better to debate now than waste valuable resources (time, money, and people) later. Line managers will have first-hand knowledge of processes and capacity; middle management will have a better view of the interplay and inter-relationships between departments and activities, and top management will possess the long view that encompasses the overall organization direction and strategy. And obviously, inviting greater participation overall means greater cooperation and commitment.

Third, once your projects have been prioritized, it is time to figure out who will be doing what. Streamlining your projects down to the vital few has the added benefit of not stretching the capacity you have, but concentrating it where it is needed most. Here I would offer a special caution: it is very important that you are realistic about day-to-day operations and the support resources necessary to Keep The Lights On. Too often organizations under-estimate this aspect and/or think of KTLO resources as discretionary. They are not. Borrowing resources from KTLO operations results in “robbing Peter to pay Paul,” and effectively lowers service levels and stresses organizational capacity. Perhaps even more harmful, it underscores the notion that KTLO work is of less importance or less glamorous, damaging morale and trust.

Peter F. Drucker wrote, Management is doing things right; Leadership is doing the right things. Getting your portfolio into shape by winnowing out projects of questionable value and tabling those that can wait will go a long way to making the choice clear.

Indecision rarely leads to anything positive. In my 35 years of experience working with clients, I have seen enough snafus, courtesy of a reluctance or unwillingness to make a decision, to know that any decision would have propelled the organization forward or at least broken the log jam. If you are one of those hesitating or hugely disinclined to make a mistake (as we all are), here are some pointers I give my clients:

YOU DON’T NEED ALL THE INFORMATION TO MAKE A DECISION. Very often you have enough information based on experience (knowledge gleaned from past mistakes and successes) and objective data. If 20% of a problem isn’t well understood, go with the 80% that is. Today’s competitive market isn’t conducive to lollygagging.

IT MAY NOT BE ALL UP TO YOU. SOUND OPERATING PRINCIPLES SHOULD DIRECT YOUR DECISION-MAKING. Most organizations have a Mission Statement and Operating Principles that support it. For example, Starbuck’s Mission is to “ inspire and nurture the human spirit – one person, one cup and one neighborhood at a time,” and their operating principles focus on quality in their product, diversity and respect among their partners, and making their cafés a haven of humanity as well as contributors to the community. What are yours? What are the Operating Principles that will create the culture and guide the behaviors leading you to your goals? Here are some ideas to consider:

• We focus our resources on activities that differentiate our organization
• We use all resources efficiently and individuals to the best of their abilities
• We continually seek better practices and processes
• We challenge each other to achieve excellence
• We encourage the exchange of ideas and perspectives from every level of the organization, and use conflict as an opportunity for creativity and innovation
• We encourage and support risk-taking among team members to facilitate professional growth
• We recognize, value and reward collaboration and teamwork

If sound operating principles are developed and agreed upon, 90% of the decisions facing an organization will already be made.

THERE IS NO SUCH THING AS A BAD DECISION, ONLY A MISINFORMED ONE. Once better information comes to light, take corrective action. If you have based the initial decision on the 80% known and your Operating Principles, the fix should be an easy one.

Finally, make your decisions REAL by assigning responsibility and accountability. Set milestones with deadlines and consequences for missing them. . .otherwise, decisions are merely good intentions, and we all know where those lead.

Making decisions means risking what is known for what is not. In my line of work, I have seen many organizations mired in keeping the status quo because the bogeyman in the hall is whispering, what if you’re wrong? The irony, of course, is that by not making a decision—right or wrong—you end up doing nothing, and this poses a far greater risk because your competition is certainly doing something. ​

Fear of the unknown and fear of being wrong are formidable inhibitors to decisive action. There are others, such as a reluctance to be held accountable, but even that is anchored in fear. Another inhibitor is being overwhelmed by the number of factors involved: the people who will be affected, the processes that will change, available resources, and so forth—aspects I call the “what.” The “why” of a decision is the part usually easily identified; Something has driven the case for change. It may be an eroding top line, a dissatisfied customer, excessive overtime, the competition, or staff malaise. But how to address the “what”—that becomes the immovable object stopping many decision-makers from acting quickly and decisively. Often, they feel compelled to have all the answers before embarking on any course of action. Unfortunately, seeking those answers, they usually consider the internal ramifications—conditions within their control—and neglect those coming from external sources such as the market, competition, technological advances, etc. And those considerations don’t wait.

This is why Change Management is an important weapon in your arsenal against indecision and inaction. Change Management builds the business case by objectively assessing what is versus what should be and engages the organization in why it is good for them. It garners the right sponsorship and builds coalitions; it demands commitment and ferrets out resistance; and it focuses the entire organization on a singular goal. Change Management is grounded in communication—communication that is clear, consistent, and candid. Change Management champions intellectual honesty and trust, and encourages open dialogue and debate that fosters buy-in and mitigates the possibility of decisions being undermined.

Theodore Roosevelt got it right: “In any moment of decision the best thing you can do is the right thing, the next best thing is the wrong thing, and the worst thing you can do is nothing.” Decisions should evolve; they should never be made in a crisis. Making decisions is a daily event. If you don’t make the small ones today, you will have to make a big one tomorrow—chances are, it won’t be pretty.

Now the truth is if you start with a structural reorganization, it’s like going on a crash diet. Everybody knows the naughty non-foods you can cut out, just like everybody knows which low-performers could be eliminated or how work could be shuffled around to immediate effect. So you lose a few pounds by cutting out “empty calories” and get rid of some of the obvious encumbrances at work—a quick fix that’s very gratifying. But what happens after that? Usually all the weight comes right back (and then some) and the reorganization doesn’t really change a thing—everything reverts to the way it was. Why? Because the underlying behaviors are still the same.

A diet that relies on simply cutting calories is bound to plateau or fail because there’s considerably more to maintaining a healthy weight and body that includes exercise, eating complex carbohydrates, drinking plenty of water and getting plenty of rest. It is a lifestyle change. Likewise, restructuring an organization is much more complex than focusing solely on getting rid of problematic players or reshuffling the team. The key to sustainable organizational change is to look at the organization holistically and to define the operating model and its various components: roles, processes, governance, sourcing, services, and then structure, and how these are interconnected and measured. Are the right people in the right roles? Are there processes that could be simplified, platforms that could be shared? What does the Business want from you in terms of capabilities and services? What are your differentiating (core) activities that would be at risk if anyone else performed them? What core activities do you monitor and measure?

Whenever we have a client who wants to start with a structural reorganization, we encourage them first to map their capabilities to their services and then to identify those services that are differentiating (core) that would be at risk if someone else (i.e., a contractor or vendor) performed them. Once you know what is core and what is non-core, then you can begin to understand where staff spends most of their time. What we often see is that the majority of the organization is bogged down supporting non-core activities, e.g., enhancement, maintenance, and support. They are held hostage to these activities because they are the only ones who know how the processes work and their managers have come to rely on them. Usually people inherit processes and, as a consequence, documentation is scant or non-existent. This lack of documentation is another reason resources remain where they are rather than shift to new core activities/services.

Changing structure won’t change the fact that the most of the organization is performing non-core work instead of focusing on perfecting the services that are core to IT and your company. Evaluating what’s core and non-core is often the best way to demonstrate why changing the structure or moving the parts isn’t the answer.

Has your organization ever attempted a reorg before understanding the underlying issues? How did it turn out?