Few things in the world have changed more dramatically over the past 10 years than technology. But many tech leaders are still playing by old, outdated rules.
Gone are the days when IT gave orders that everyone in the enterprise was compelled to follow. But equally absent are the days when IT itself was strictly an order taker, simply trying to fulfill the demands of business executives.
The increasing pace of change means enterprises no longer have the luxury to take months (or years) to roll out big, expensive IT projects; continuous delivery and constant iteration are the new laws of the land. Nor can organizations choose between innovation and security — they need both. That puts more pressure on CIOs to deliver new initiatives in a safe and compliant way.
Today, IT leaders are helping business users pick the best of breed from an ever-growing catalog of tools and services, while guiding the organization through its technology transformation. As enterprises become more dependent on data to drive decisions, tech leaders have more power and greater responsibility than ever before.
The old rules IT used to swear by are no longer relevant. Here's what has replaced them.
Old rule: IT makes the rules (and tries to enforce them)
New rule: Users make the rules (and IT tries to keep them out of trouble)
Establishing policies, enforcing standards, whitelisting applications, and making sure everything with a flashing LED is locked down good and tight.
Remember the good old days?
Today users make the rules. Your job is to gently guide them in the right direction, to make sure they don’t stick forks in light sockets or get gum in their hair.
“The role of the CIO has shifted from enforcer to curator,” says Jonathan Stone, CTO/COO at Kelser, a tech consultancy.
Five years ago, tech leaders decided what applications the business would support and who had access to them. Now they are constantly evaluating how new technologies could benefit the business, and guiding users toward the best solutions.
“The whole team still has to be on the same page, and the CIO still decides what page that is,” says Stone. “But you no longer see them make sweeping decisions such as, ‘We don't do anything based in the cloud.’”
Old rule: Keep the lights on
New rule: Keep the data flowing
The old day-to-day chores of IT — administering access rights, managing data quality, and generating reports — are now typically handled by business teams with little to no IT oversight, says Mark Settle, CIO of enterprise identity provider Okta. Today it's all about the data.
"IT’s primary responsibilities have become increasingly focused on integrating data across multiple applications, managing master data at an enterprise level and enforcing cybersecurity safeguards," says Settle. "IT makes businesses more competitive by automating processes, democratizing data, and reducing user friction."
Of course, everybody has data; it's how you use that data that can make or break a company. And CIOs are uniquely positioned to understand data and how to take advantage of it, says Ari Lightman, a professor of digital media and marketing for Carnegie Mellon University's Heinz College.
"The data you use to create new service or product offerings is becoming more critical to a variety of folks across an organization," he says. "CIOs have a very intimate knowledge of what data the organization collects, how they retain it, and how they offer it to different groups. The special sauce is how you communicate the actions the organization needs to take based on what the data is telling you."
Old rule: Don't release it until it's ready
New rule: Iterate until you get it right
In the past, technology projects notoriously dragged on for months or years before being put into production. The new agile world is all about continuous delivery and iteration.
"IT used to be, 'Oh it has to be done perfectly,'" says Heather A. Smith, a senior research associate for the Society of Information Management and co-author of Driving IT Innovation: A Roadmap for CIOs to Reinvent the Future. "Now they're saying, 'We'll work with you until we get it right.' I can't tell you how many times I've heard business people say, 'IT put this system in and just walked away, but it's only got about 50 percent of what we need.' Now IT is getting that they're going to have to work to deliver this value."
As CIOs partner with CEOs to foster a culture of innovation and transformation, IT must change the way it works, notes David Rosen, digital transformation technologist for Tibco Software.
"CIOs must promote a culture where a focus on perfection is replaced by greater emphasis on speed and the willingness to take risks and fail fast," he says.
Old rule: Protect the perimeter
New rule: Trust no one
The explosion of cloud-based services, the widespread acceptance of BYOD and remote access, and the emergence of IoT devices have completely changed the security model for enterprises, says Hed Kovetz, CEO of multi-factor authentication firm Silverfort.
"We cannot rely on perimeter security controls to block the bad guys out of our environments," he says. "We can no longer assume insiders can be trusted. We can't trust anyone."
With threats growing exponentially and major data breaches happening almost daily, enterprises can no longer treat employees and other insiders as innocent until proven guilty, says Kovetz. In a zero trust network, anyone trying to gain access to network resources must be authenticated and authorized, no matter what their position in the organization.
"In the past, when networks had clear perimeters that could be contained and controlled, network security was owned by the CISO," says Kovetz. "But thanks to changes wrought by trends like cloud migration, BYOD, and IoT, CIOs need to become more involved in network security than ever before."
Old rule: Lock down every device
New rule: Keep your users happy
Work no longer just happens at the office between the hours of 9 and 5. Employees are working on their own time, in their own spaces, and often on their own devices. That means IT can no longer realistically expect to control what's on everyone's home laptop or smartphone, says Avani Desai, president of Schellman & Co., an independent security and privacy compliance assessor.
By 2020, half of all U.S. employees will be working remotely. Even in highly regulated industries like finance or healthcare, locking out social media or limiting the apps that can live on user devices isn't going to fly. And if you try, you risk losing your most talented employees to an organization with more flexible policies, says Desai.
More than ever, IT must balance the compliance and security needs of the organization with the wants and desires of end users. In other words, modern CIOs need to be as good at HR as they are at information security.
"The first thing the CIO needs to do is sit down with business leaders and ask, 'What are we doing to meet our users' needs? Are we using something they can't use at home?'" says Desai. "That opens doors to conversations CIOs may not have been a part of in the past. Then they can suggest ways to mitigate the risks of data going out or coming in."