The media is awash with stories of advanced persistent threats and privacy breaches, but at least they’re well understood. For many CIOs, the really disturbing risks may be the ones that aren’t as obvious.
Real Times asks several experts about the hidden risks that should be keeping CIOs up at night.
1. running before you can walk
CIOs can be transformational, and they can be operational, but it’s not always easy to be both, warns Chris Moore. Moore, formerly CIO at the City of Edmonton in Alberta, Canada, now heads up AcuitasGov, a consulting firm for open government technology practices.
Many organizations don’t want the status quo, he points out. They want IT to bring new innovations to bear. “You end up with this dynamic of push and pull tension within organizations that want to do new, transformational things, but at the same time you have to balance the operational side,” he warns.
Visionary CEOs often have COOs to handle the operational side, leaving them to concentrate on strategy. Many CIOs don’t have that luxury. Not managing both sides of the job can risk divisional performance, and respect.
The trick for CIOs is to balance the visionary aspect of the job with the mundane tasks of keeping the engine running. It takes experience to do both. “If the CIO doesn’t keep that in balance, then it can create the perception that you want to do transformational things but aren’t interested in the operational,” he warns.
2. not running at all
The inverse of running before you can walk is not running at all, warns Huw Morgan, VP of CIO Research at Canadian technology advisory and market research firm Info-Tech Research. That’s an equally troubling risk.
CIOs can often get stuck in the operational part of the job, bogged down in a quagmire of maintenance and support. “We’re doing a lot of counselling with CIOs on how they can get out of that dreaded spiral of spending more of their money on maintenance every year,” warns Morgan. “The more money you spend on maintenance, the more reputation you have as someone that doesn’t have time to do anything interesting.”
Budgets only stretch so far, and if infrastructure expands, it quickly becomes a sinkhole for financial resources. This can happen organically, as business managers require new functionality, or through mergers, as new acquisitions bring applications that mirror existing functions in a business.
“People put applications on the shelf and never execute because they never get the funding to do the transformation,” Morgan says. The moral: rationalize early, and don’t let application sprawl infect your organization any more than necessary.
3. being risk-averse for the wrong reasons
CIOs must grapple with a range of technology options, some of which may challenge traditional notions of IT operations. Cloud is a good example. CIOs will reference security issues as a reason not to embrace cloud computing concepts. Those risks do exist, of course, but they are manageable, and can be addressed as part of a broader risk analysis.
Steering away from enabling technologies for the wrong reasons can be a big risk for CIOs, warns Moore. “Fear can be a great motivator,” he says, adding that there is also a risk associated with not considering cloud and mobility at all. “There are huge benefits in terms of cost reduction. You can move your expenses. You can capitalize your technology, and move your operating budget.”
4. being made irrelevant by shadow IT
CIOs that ignore the potential benefits of cloud technology may end up watching powerlessly as their users slip away. IT departments that are slow to respond to user demands risk business departments buying their resources ad hoc from third parties, creating problems in terms of data visibility and security.
From a business department’s perspective, it can be easier to expense a Software as a Service (SaaS) solution on a credit card, rather than endure a long, painful negotiation with IT for an internal solution that may not even yet exist.
“A lot of younger people are coming into organizations and asking the IT department ‘why do I need you?’,” warns Info-Tech Research’s Morgan. “It’s especially true of operations like HR and marketing, that haven’t traditionally been large recipients of IT resources.”
Figures bear this out. According to a January 2014 survey from Amazon Web Services, 93% of enterprise business departments have opted for cloud-based services. Of those, two thirds (61%) are choosing and financing their own, without the IT department’s help.
This is creating widespread problems for private and public sector organizations alike. “We found that many states were not examining some of these emerging technologies as risks,” explains Doug Robinson, executive director of the National Association of CIOs in the US.
5. neglecting governance
Bruce Maas, vice provost for information technology and CIO at the University of Wisconsin-Madison, warns that not putting effective governance structures in place can cripple CIOs in various ways.
He highlights the risk of sub-optimized IT as one example. “Entire organizations are at risk when there is no coherent strategy about how enterprise services get prioritized, and delivered,” he says. Not having a comprehensive governance structure in place can make everything from security breaches to poor business performance more likely.
Underpinning many of these risks is a common problem: isolation. CIOs that don’t build alliances among business managers and end-user groups alike risk being marginalized from key decisions that will affect IT in the business.
For example, CIOs can’t build IT governance frameworks alone, argue experts. They must enlist the help of internal business chiefs to attain management consensus across the business, and make governance frameworks binding.
The days of the purely technical CIO are over. Today’s IT leaders must be political animals, too. “You need to understand what is going on, what motivates business leaders, what their mandate is, what they’re trying to get accomplished,” concludes Moore.