Digital Transformation – is it a “thing”? or is it everything?

Digital Transformation continues to be a theme this year as we see in a number of predictions blogs and articles. But what is it?  Is it a thing?  Or is it everything?

DX has been going on in some form long before we called it that. The buzz today serves to direct our attention to the spectacular — inventing new markets, changing society. But not all companies are going to do that, or even need to. But every CIO needs to be looking at how the delivery of IT services is fundamentally changing, and understand how rapidly changing technology and market opportunities continue to impact their business.

Some things today are making DX harder and riskier than it used to be.  And those same factors also make NOT thinking carefully about DX in your org equally risky.  Some of these intertwined topics include the following:

  • Rate of change
  • Proliferation of technology options
  • Understanding/factoring in impact on IT organizations (and the rest of the enterprise)
  • Separating the fundamentally sound tech from the shiny objects
  • Delivering new services at the speed the market (internal and external) wants them, with the level of control and security also needed

Planning and managing technology transformations is more difficult now than it was in past years, and it’s difficult to know what to bet on. Change is changing faster than ever before.  With new tech coming out every year and the decisions being made having multi-year horizons, how do you plan and manage the tech roadmap in this world?

This is a topic we work on with our clients, and it’s one we think about deeply at The StrataFusion Group. We’ll share some of our thoughts on how we’re doing that next time…

Reed Kingston

Organization Structure and Digital Business

In the equation of people, process, and technology, getting the “people” part right has been a tough challenge for many companies.  As technology evolves, the roles and talents needed to drive that technology and utilize it to help keep the business competitive require constant evolution; getting the organization structure right in support of this evolving landscape is an area where we value advising at StrataFusion.

In an earlier blog we looked at organization structure and critical success factors; now it would be useful to give further detailed thought to organization structure guidelines that are important to both traditional and digital business. Because digital business is different from your traditional data center, this discussion kicks off with some of the most important structural guidelines to consider in assessing your organization:

  • Align business-facing technology functions to match the business organization; this expedites specification, understanding, and support of business requirements
  • Align technical development organizations along development lines and logical technical groupings to maximize development activity efficiency
  • Constantly reinforce the importance of key organizational and business dependencies. The goal is to create an environment where cooperation and team focused response become the normal team response
  • Create a system of organizational checks and balances. This allows your organization to be self governing, and can highlight important issues
  • Be consistent in your approach, limit exceptions
  • Separate your delivery function from your development function. A key check and balance that can avoid a lot of pain

Each of these guidelines could support a blog of their own, but the incorporation of these thoughts into decisions concerning how your team is organized and structured can create interactions and behaviors that can be important long term in a digital business environment.

Once you’ve assessed your answers to these questions we also believe that creating an organizational focus around rallying cries or a mantra is extremely important. The idea of a mantra gives great organizational concentration, and provides a consistent focal point for how your team should be thinking.

Mantras can be a tool to guide proper organizational response

In creating organizational focus, here are some possible mantras:

  • User Ownership of Systems
  • Empowerment of the Community
  • Standards & Integration
  • Make Use of Forward Looking Development Technologies
  • Business Intelligence and Knowledge Management Systems
  • Right Tool/Right Place
  • Flexible Systems
  • Global/Shared/Local

Creating a mantra allows your team to default back to a common base – a set of values, practices, and knowledge that will help them respond to questions or situations that are new or undefined – and this is especially so in today’s digital era.  For instance, a mantra of “empowerment of the community” can help instill in your team the concept of ensuring their actions recognize the fact that they serve a community or business and that it is in their self-interest to empower and equip that community to solve their own problems.  You can also have the concept of “travel in packs”: for those of your teams that exist in a highly competitive situation where stress is high and demands are intense and daily, a mantra of “travel in packs” reminds them that they can count on your team for backup – you’re more than one person, they’re not alone – so that when (for example) a website that is up 99.9999 of the time crashes for a few minutes, upsetting C-level executives, you have emotional, structural, and organizational backup.

In thinking about “Global/Shared/Local”, the mantra leads with the idea that things such as data can have different types of ownership; some are universal and shared by all but require consistent management, while some can have more than one owner.

The way a mantra can create organizational focus also works with another interesting potential, which I call the ‘Manufacturing Metaphor’.  In the transformation to digital business this can remind you of how your digital delivery of an information product is not unlike some traditional manufacturing concepts, and incorporating some of those proven concepts into your business could be useful.

New digital business environments can be optimized by incorporating concepts, processes, and flows similar to those that exist within manufacturing – digital business holds the same counterparts. For example, the concepts of development engineering and product engineering in manufacturing can be re-formed as software development and operations delivery concepts in digital business; the shipping function in manufacturing is the data center in digital business. The terminology changes but the functions are similar, and taking a similar approach could favorably impact your “product delivery” process. Understanding these parallels again provides a framework within which it becomes easier to understand how to optimally structure your organization – with people being your most essential asset towards success.

In our third and final blog on this topic we will be discussing the importance of infrastructure readiness on digital business delivery.

John Dick

 

Leveraging Actionable Intelligence to Mitigate Risk Within Your Enterprise

I recently hosted a panel with leading CISOs from around the world. We delved into how “Leveraging Actionable Intelligence to Mitigate Risk Within Your Enterprise” can be approached from a set of common points and differences. We opened with an overview of ideas that led to each panelist posing their own comments and questions with initial answers. The comments and questions below recap our discussion flow, and provide a current base for understanding the breadth and context of mitigating cybersecurity risks.

Panel Opening Comments

  • Security threats are increasing both in frequency and complexity
  • Security leaders need to be proactive in this area and put programs in place (people, process, and technology) to protect critical assets
  • We have assembled a panel of experts in this area and our goal is to provide recommendations that you can immediately use when you return to your office

Initial panelist comments

As predictive analytics matures, we may see significant improvement in the value of threat intelligence data.

  • If you’re spending money on Threat Intelligence, you must have first solved a lot of common problems, such as patch management.
  • Be realistic about what you expect to get from Threat Intelligence. Are you looking for Indicators of Compromise? Attribution? Predicting the next attack? Understand the limitations of the various types of Threat Intelligence data.

Second panelist’s comments

  • How does the actionable intelligence change as you move “up the stack” or away from the stack (to human)?
  • How is the IoT changing the “actionable” part of actionable intelligence?

Third panelist

Leveraging actionable intelligence is the process of gathering analytics based on the identification and collection of relevant threat information. Unfortunately, threat intelligence is an elusive concept for many companies. By 2020 there will be 50 billion connected devices. There are not enough cyber specialists now to handle current security issues, so businesses need to leverage actionable intelligence and analytics for companies to protect themselves.

  • Should threat intelligence be managed internally by companies?
  • When threat intelligence is accumulated, what is the important information for the C-suite?
  • What are the company’s concerns regarding their employees in leveraging actionable intelligence?
  • How does actionable intelligence apply to regulatory compliance?

Fourth panelist

How do we deal with the increasing scale and frequency of attacks, and threat actors that far outstrip our budgets and resources? Traditional information security methods within the enterprise are not a match for any of the above seven events.

Threat intelligence provides a possible way to get ahead of these threat actors and threats — to have intelligence on the threats. But, threat intelligence is a new data source, another fire hose of information that requires analysis. And it has a different nature from traditional tools. We’ll only get value out of the threat intelligence information if we properly analyze it and make it actionable.

Mark Egan

@markeegan

@StrataFusion

Owning All Clouds


By Doug Harr

As part of my career as an IT executive for the last dozen plus years, I’ve led several companies through a process of migrating their business application portfolio to the cloud.  At Portal Software, that meant deploying SuccessFactors for HR performance reviews, and OpenAir for Professional Services Automation.  At Ingres that meant deploying Intacct for Financials, Salesforce for CRM, and lots of other cloud solutions. The approach for me reached its zenith at Splunk, where we had a 100% cloud business application portfolio, and where 50% of our compute and store capacity was at Amazon. With so much functionality in the cloud the question of roles and responsibilities became a focus for the company. In this very cloud-friendly shop, what should IT’s focus be? What level of administration of these solutions could actually be owned and delivered by departmental owners, such as Sales Operations, Customer Support Operations or HR administration?

As one example, both at VMware, where I was program manager for their Salesforce implementation, and at Splunk, where I was the CIO, we had very strong sales operations teams, and fairly complex Salesforce environments. In those environments Sales Op’s began to take ownership of more functionality in the Salesforce suite. This included user administration, assignment of roles to users, territories to reps, and just about all reporting. This grew to include modifying page layouts, and other configuration capabilities normally owned and controlled by IT. In my view the idea of enabling the Sales Op’s team was attractive for several reasons: (1) they wanted the power to do these things (2) they were not waiting for IT on the things they felt were high priority (3) they were closer to the sales teams who actually worked inside the tool, and so they were good at interpreting issues and acting – as good certainly as an IT Business Analyst, or even someone with fairly good technical skills. In these scenarios it freed IT to work on deeper technical issues, level 3 incidents, environment management, integration, reliability, etc.

In another example, at Splunk we made wide use of Amazon EC2 for compute and storage capacity. In these cases, IT System Admins were not needed – environments were spun up and used directly by personnel in Engineering and Customer Support. This was an amazing success, and it freed IT to work on monitoring usage, working deals on cost, and managing the overall vendor relationship.

Not every department has a team or individual ready to own or take a major role in the management of a SaaS or IaaS platform. For every HR department that manages Workday, there’s a finance department that does not manage Netsuite. It depends on the tool, and the personnel. What I’ve found is it can also depend on the CFO and management of a business function – some execs are happy to have these resources placed in the business, some are more afraid of  “shadow IT spend” or they’re caught up suggesting that IT can’t deliver and granting this power is a cop-out. Actually, I had a moment like this at Splunk, where I had not adequately updated two peer execs on our intent to get more deep IT skills hired into Sales Op’s, and had to sort that one out, to make sure everyone understood this was not a shadow operation! So there can be bumps in the road, but in my view adopting this approach is inevitable really, as software platforms and micro apps are becoming widespread, and so is the ability and desire by departmental teams to be more involved in the direction of how those tools, platforms, and apps are rolled out and used.

All this speaks to the future role of IT, and I for one have lived that future, at least in part. It’s one where IT is more strategic, focused on vendor/portfolio management, integration and security. To be sure some functions that are broadly used across all departments, and some that are task specific, still accrue to IT in most cases, or to partners that offer elements of typical IT as a service (think Help Desk). But done well, each department owns more of its technology, feels more in charge of its future, its technology adoption, its responsible use, along with other benefits. And IT focuses less on being everything to everybody and maintaining disparate queues of backlogged work, and more on higher level matters, transforming the business for the digital age, and accompanying delivery of more complex technical solutions.

Right where we should want to be.

@douglasharr

Welcome to Cuba


By Sharon Mandell

Introduction

It is an exciting time for Cuba, with its doors opening, and the positive impact this will have on commerce, IT, and global cultural integration.

Obama recently issued a presidential directive that seeks to institutionalize and cement his policy changes toward Cuba and encourage further engagement even after he leaves office. Obama called the presidential policy directive “another major step forward in our efforts to normalize relations with Cuba” and said it “takes a comprehensive and whole-of-government approach to promote engagement with the Cuban government and people and make our opening to Cuba irreversible.”

The landscape of technology and IT in Cuba, where it is currently, and how it will evolve is also of great interest.  I have been fortunate to be one of the earlier travelers to a newly opened Cuba and have witnessed first-hand where IT can go, in light of present challenges. I am going to delve into these challenges and sketch possible scenarios in a couple of posts.

Business didn’t take me first to Cuba; it was my daughter’s university research and my love of ballet. As a person whose business and technology career largely started overseas, however, I was eager to see what was true and what wasn’t about technology usage there. Whenever I travel to a new country, I’m eager to see what the environment looks like – visiting the tech marketplaces of Tokyo or Hong Kong, for example. Or participating in my company’s recruiting efforts at an international university campus.

My daughter was struggling on her first visit, adjusting to a new language and, more surprisingly, finding people who would engage with her openly. Our communications were largely limited to 30 minute WhatsApp sessions, given the ongoing embargo and still closed telephone networks to US companies. With the limited time (wifi remained very expensive, even for an American, at the time) and narrow bandwidth we had for our daily “conversations,” it was hard for me to understand her struggles, and I decided to make an unplanned trip to support her efforts in person.

Before leaving, I went online to see what I could learn about Cuban technology – I quickly found some published computer research and attempted to reach out to a few University of Havana professors in Computer Science. It was late June 2016, however, and most folks I could communicate with were unavailable for the summer.

Cuban culture, remnants of the past, steps towards the future

The contradictions began before I even arrived on the island. First, I was somehow upgraded to first class on my flight – always a welcome event. Still, it felt strange, as I was flying Cubana, the national carrier of a communist nation. As we drove through Havana to our “casa particular” in our restored Chevy, I could recognize the long term relationship with the Soviet Union in the Ladas, and the present day trading partners in the Kias. Despite the embargo, it wasn’t long before a motorbike appeared with an HP printer strapped on the back of it. While I didn’t see all that much computer technology that first trip (it was often a Dell) cell phones were oppositely abundant. However, many were of the pre-smartphone generation, and my iPhone couldn’t connect, so for the first time in a long time, I was on a forced digital holiday.

Cell phones weren’t the only thing that didn’t work for an American — neither did your credit or debit card, despite the recent announcements about financial openings. Commerce was, and I suspect is still, almost entirely conducted through cash. The first cadeca my daughter brought me to was even closed early, because it had run out of cash.

During that first trip, wifi was still available in limited locations (mostly upscale hotels) and if you didn’t want to lose your shirt paying for it, it meant standing in long lines at ETECSA offices to buy the access cards with the codes, at approximately $4/hour. While I was there, however, 11 new public hotspots (based on Chinese technology) were lit up and the price dropped by half. The buying process shifted, where most of the $2 cards were sold out early in the AM. Now, as a tourist, one buys them on the street from the guys who woke up earlier than you – with a 50% markup and risk of getting arrested, but still easier and cheaper than before. Recently it was announced the entire Malecon would be lit up, and I’m sure that will change the economics and process again.

The New Crisis in Cybersecurity


By Mark Egan

There is a new crisis in Cybersecurity.  A recent article highlights the current lack of trained Information Security professionals and ties this lack to the digital revolution and other technology advances, leading to “mega-breaches on an unprecedented scale.” Stealing IP has become a billion dollar business; couple that with the fact that it is also much easier to break into a system than protect it.  All the criminal needs to do is to find one hole in your environment and they can slip in. Why there is a dearth in Cyber Security professionals and what can be done about it I have outlined briefly in a few key points here.

One of the biggest reasons why there are fewer trained security professionals is that the Office of the CISO is still a relatively new organization compared to that of the CIO, a role that has been around for significantly longer.  CIO titles started in the 80’s when Information Technology became a critical component of daily business operations. The CISO title is more recent, and in 2006 only 43% of large organizations had a CISO. This has changed over the past 10 years, and most larger organizations now have a formal security function and overall leader.

However, companies show a trend of being focused on hiring very experienced security staff externally, as opposed to developing and training individuals internally.  It would be more effective to take existing staff and train them, or hire in trained entry level professionals who you can develop.

Going Forward

The solution to Information Security is that companies have to develop their existing staff and then cultivate a mindset where everybody is “mindful” – like a Neighborhood Watch, where everyone is involved in the program. Most attacks still originate from phishing email – someone clicks on an email, and that email compromises that machine. And once attackers compromise that machine, they move laterally within the environment to elevate to a privileged level of access.  So if you have Neighborhood Watch, everybody is on alert. When they see the suspicious email, they notify someone, and through this behavior you can build and grow and perpetuate a more “security aware” program.

Ultimately security is a people issue. To this effect we created the Merritt College Information Security program as a fully accredited A.S. degree with majors in Applications and Infrastructure Security. The program has been two years in the making and serves the San Francisco Bay Area East Bay School districts, which include students from less advantaged backgrounds. It results from the partnership with the CISE CIO organization, Merritt College, and CIO’s / CISO’s from leading San Francisco Bay Area companies. The program provides trained, entry level security professionals from which an organization can then expand on and develop other existing staff internally.

They are currently for hire; please contact me for more info.

Organization Structure to Support Digital Business – What to Consider


By John Dick

Central to the changing landscape of IT and business is the proliferation of devices and Internet of Things; by 2020, more than seven billion people and businesses, and at least 30 billion devices, will be connected to the Internet. This interaction leads to the evolution of digital business, and with that evolution is the need for companies to think about how to organize their most important asset – people – in a way that best supports the delivery of their products and services in this new digital business structure.

We have been giving advice to companies on how to thoroughly think about the role of people and organization structure within this evolving and complex equation of people, process, and technology. I have captured some of our leading points around structural questions to consider and critical success factors related to the organization of a company’s technology engineering and delivery groups below. In turn, this blog will lead to a future post outlining digital business organization structure, and guidelines around your company’s infrastructure readiness.

First, there are some questions to consider in thinking about digital business, technical engineering and delivery organization structure.

The first deals with how your company is organized, because it is probably organized the way it is for a reason, such as to most optimally support effective product sales and delivery.  Also, that structure is the eco-system in which you will need to co-exist.

Important Company Structural Questions and Considerations

  • What is your company’s approach to centralization vs. decentralization of responsibilities and structure?
  • Does your company impose structure through traditional functions, product, process functions, or technical expertise?
  • How does your company think about direct line vs. dotted line reporting and to whom?
  • Do you fit the technology organization to the business requirements or to the people?
  • How do you handle regional | international units?

Understanding the relationship of your organization within its larger context is critical to how you organize your group. For example, if your company is decentralized, it will probably be important to understand why your organization is also decentralized. What are the key reasons your business is decentralized? How will you provide digital support to the decentralized units in a meaningful, personal manner? How will you understand unique customer regional requirements? What if it has aspects of both? A carefully crafted hybrid solution may then become necessary.

From here, we offer key initial points to consider toward optimizing your organization structure for success.

Once you’ve thought through and understand how your company is organized for success around its products and services, you’ll want to transition to what are the critical success factors for your technology associated group. That, once aligned with the rest of the company structure, will assist in developing success criteria.

Critical Success Factors

  • Aligning organization with business strategy and function
  • Allowing organization to keep pace with company growth and changing business dynamics
  • Providing effective decision support and related performance | scorecard tracking
  • Integrating organization approaches within company culture

While the first three points are a common theme and well accepted, I believe the last point is often overlooked. All companies have some aspect of company culture in their environments. If your organization is not organized or motivated within that context, success could be difficult. A good way to support this is to subtly develop success criteria that are natural to your environment.

With new roles, other supporting or catalyst roles will emerge, and CXOs will need to develop digital leadership capabilities in order to execute an effective digital strategy.

In the next post I will delve further into what this means and how to think about your company’s infrastructure readiness to complete the picture.

Information Security Training: Merritt College Enters Its Third Year

 


Merritt College in Oakland, CA will start its third year of classes this Friday, August 26.

We’re excited to be entering the third year of this program, having graduated our first set of students this past June 2016. The Merritt College Applications and Infrastructure Security program (as a reminder) is a fully accredited A.S. degree with majors in Applications and Infrastructure Security.

This program results from partnership with the CISE CIO Organization, Merritt College, and CIO’s/CISO’s from leading San Francisco Bay Area companies. These groups have given their time and expertise toward building up this program from its inception. Donations from the CISE CIO group now amount to $130K, and with this amount, we have developed the current curriculum and put a new cybersecurity lab in place.

This program and its impact couldn’t be more timely, given that one of the biggest threats to companies is a lack of trained cybersecurity professionals.

You can find an overview of the program here.

We are also looking to place our recent first class of June graduates into Information Security roles with leading companies and organizations. Please contact Mark Egan if you are interested in hiring our students to improve your Information Security programs.

Lessons Learned


In our recent StrataFusion Partner leadership meeting the topic of lessons we have learned, or the ‘big mistakes’ we have made, with our subsequent learnings, came up in our discussion. Lately there seems to be a proliferation of these learnings, and we thought it would be a good time to present some of ours.  Below our Partners have recapped some of their biggest lessons learned.

Maureen Vavra:

  1. Focus on building relationships with the business leadership and aligning with their goals at the beginning of a new consulting relationship.
  2. On projects: Have a defined sponsor and a clear set of measurable business objectives before you allow a project to start.

Mark Egan:

  1. Be proactive with low performing staff, putting an improvement plan in place, before waiting too long to take any action, with hope that things would improve.
  2. Gauge and focus on projects that help the company build high quality products/services or sell products/services.

Reed Kingston:

  1. Stay focused on critical projects. Verify constantly.
  2. Let projects be led and driven by data and facts instead of “enthusiastic hopes,” hanging on to some projects/initiatives/products too long.

Doug Harr:

  1. Taking too long on a termination believing the person in question could be coached to success.
  2. Make the timely effort to establish a great relationship with the peer customer on your management team to reap the benefits of great communications and emotional deposits 🙂

Ken Crafford:

  1. Cement the approval and support from all executive stakeholders before engaging in large, critical projects.
  2. Understanding that managing up the organization is as critical as managing down the organization.

 

Improve Your Information Security Program and Give Back to the Community

Merritt College Cybersecurity Students In Action

We are very excited to announce that Merritt College in Oakland, CA has graduated its first Information Security class. Merritt College serves the San Francisco Bay Area Central East Bay School districts, which include students from less advantaged backgrounds. The Merritt College Information Security program is a fully accredited A.S. degree with majors in Applications and Infrastructure Security. This program has been two years in the making and results from the partnership with the CISE CIO organization, Merritt College, and CIO’s/CISO’s from leading San Francisco Bay Area companies.  Please find a fuller summary of the program below:

  • Courses are designed and delivered by security thought leaders from leading companies including Symantec, Wells Fargo Bank, and McAfee
  • Security program includes 30 credits of Information Security classes, hands on labs, and internships with Bay Area companies
  • Class projects include forensics of a pharmaceutical organization that suffered a security breach, securing systems on Amazon Web Services, and developing Information Security strategies

We are now looking to place these graduates into Information Security roles with leading companies and organizations. Contact Mark Egan if you are interested in hiring our students to improve your Information Security programs.