Recent events have thrown things up in the air for CIOs, forcing them to reevaluate their operations and take a more mindful business approach. Richard Blanford, Chief Executive, Fordway, discusses where CIOs should invest to ensure profitability and success, while keeping their organisations working effectively in highly challenging circumstances.
Six months after implementing home working for all staff at short notice, CIOs find themselves managing IT in a very different world. COVID-19 opened the digital floodgates and technology roadmaps that previously spanned several years were compressed into weeks or even days. Many employees are keen to continue working remotely, so systems need to be refined and strengthened to ensure digital working is productive and secure in the long term.
However, we can also expect a deep recession in the coming months. Although IT is fundamental to business operations, it is unlikely to be immune from budget cuts.
To tackle these two issues, CIOs need detailed knowledge in two areas: a clear understanding of the risks digital working brings in order to manage them effectively without restricting innovation and collaboration; and a comprehensive picture of their organisation’s infrastructure and usage so they can reduce costs proactively without cutting services.
Understand your organisation’s risk appetite
Rapid implementation of remote working and use of a range of endpoint devices mean perimeter security architecture has become increasingly irrelevant. Organisations need to reexamine traditional castle/moat (or hub/spoke) architecture, along with the relevance of MPLS connectivity, firewalls and VPNs. Digital technologies also create new ways for those with malicious intent to try to infiltrate an organisation, from malware to phishing attacks and social engineering. So it is more important than ever to provide assurance that data is secure, maintain customer trust and protect your organisation’s reputation.
To address this, CIOs need to consider behavioural and pattern-based security and Zero Trust networks. But before implementing any new technology, they must define the risks they face in a risk profile and assess their organisation’s risk appetite. A measure of risk appetite could be the threshold value above which the organisation treats each of the risks identified in the risk profile as a potential threat. This will depend on its ethical stance and culture, the legal and moral frameworks it operates in and its security requirements, which will partly depend on sector.
When CIOs understand their organisation’s risk appetite, they can make informed choices about where to invest to protect against the most critical threats they face. They can then embed this in governance and compliance policies, which can continually adapt as technology and associated threats change. ITIL 4 will assist here, as it is designed to help organisations make change at pace while maintaining integrity.
It is vital to obtain commitment and buy-in from the board and senior management. CIOs need to ensure fellow directors understand the importance of implementing strong governance and what this means in operating a profitable and secure business.
Governance needs to be supported by appropriate training to ensure policies are understood and everyone in the organisation understands their roles and responsibilities. All staff should understand the threats that exist and the importance of complying with the correct processes to reduce risks. This means putting in place cybersecurity training and awareness, with acceptable use policies that are linked to HR policies.
Proactively reduce costs without cutting services
As someone who has managed a business through two recessions, I know only too well the pressures CIOs will face. Remaining in control means proactively identifying opportunities to reduce costs before changes are imposed – and after working with a wide range of organisations, we’ve found areas where the majority can find savings without cutting services.
CIOs need to start with a thorough understanding of the assets their organisation has and how these are used to deliver services. Staff churn, lack of documentation and time pressures often mean the picture is not as clear as it should be and services that have grown for valid business reasons may no longer be appropriate to the current situation. In a virtual environment it was easy to spin up servers without incurring additional costs, but when using cloud, the meter starts running as soon as a new server is added.
For example, we worked with one organisation with around 200 staff which was using over 90 servers to deliver services. After analysing usage, we were able to rationalise to just 40 servers that supported all core business processes while providing better results and resilience.
Another organisation had 10 separate and unlinked Azure tenancies with 120 servers. This was rationalised to 76 servers in one master tenancy, giving the CIO control while using sub-tenancies to provide capacity to individual departments. Costs were reduced by 40%, a saving of some £10,000 per month. Avoiding this type of situation is all about having a proper change management process in place, with ITIL again providing guidance and ensuring that departments cannot act unilaterally.
Linked to this is the need to measure everything. Transaction logs are helpful for tracking both capacity and security. Does a server really need to be that size and shape? Another area where savings can often be made is network connectivity. Organisations typically install 1GB connections, but traffic analysis may show that normal use is just 20-50MB/s and providers often give burst capacity.
Analysis should also clarify the impact of running legacy systems. Maintaining these can cost organisations dearly, as they usually require dedicated hardware and may be impossible to put onto cloud. They also limit flexibility, while being a sunk cost that cannot be recouped. Now could be the time to consider whether there is a better way and to make a business case for ‘investing to save’.
Find your Sherpas
CIOs have already implemented massive changes in the last six months and should take a moment to congratulate themselves for keeping their organisations working effectively in highly challenging circumstances. However, they now need to manage the risks of continued digital working and ensure they find ways to reduce costs without cutting services. In doing so, it’s important to remember that they do not need to climb Everest alone. Like mountaineering, the world of IT has its Sherpas – people who have already helped organisations achieve success and can provide support in the journey. Many will provide an opinion at no cost, while benchmarking against best practice will provide guidance and ITIL principles will assist with process definition.