1. marcumllp.com
The Changing Role of Today’s CIO
Who Needs a CIO and what would they do for me anyway?
Presented by:
Kerry Mickelson, CIO for Hire
Raffa – Marcum’s Nonprofit Social Sector Group
November 8, 2018
2.
0914000N
Agenda
Who needs a CIO?
– What do you do anyway?
• Connect the dots between Business and Technology.
• IT best practice
• Capacity and Capability
• Identify opportunities and threats from technology
• Bridge between Business and IT
– What am I missing?
• Cloud, Mobile enabled workforce
– How Raffa Can Assist You
Can your business survive without technology?
Do you know what your IT team is doing? Or can do?
Are you compliant with the law? With best practice?
How can you manage change? What’s the right priority?
Who can assess vendors independently?
Is there a different way to do this?
3.
IT Manager vs CIO
When is a CIO the right choice?
May not need a CIO all the time, but role is critical:
• During major change
• When IT is no longer meeting the enterprise needs
• New Initiatives / New Business
CIO | Manager / Supervisor
Primary focus is Business opportunities and drivers | Primary focus is maintenance / IT Operations
External and Enterprise focus – How IT is leveraged | Business area inward focused on IT
Proactive, Opportunity seeking to improve | Responsive to demands, reactive
Strategy and execution focused – What to perform | Process and Procedure focused – How to perform
Critical during times of change or in larger environments | Works in a smaller or stable environment
Generates and drives strategic plans | Requires Strategic leadership from outside, may generate tactical plans
4.
It’s not as simple as it seems
Sometimes you need Expert Knowledge
Does your business have a web address or business email?
Your web address
Backup and Disaster Recovery
Do you have legal exposure for sensitive data
What does the group do all day
Outsourced and Hosted services are not secure
Do you own the web address
No, it’s rented – the ‘DNS’ record links that name with specific “Addresses”
Disaster recovery vs. Business Continuity
How will we function if our building catches fire?
How long could you be down without irreparable harm
Do you know your legal obligations about data
Employees? Customers? Donors?
PII, HIPAA, PCI DSS – who has access and how
Not just digital data. Voicemail, paper records.
Birthday including year? Address and phone?
Do you know what they are doing?
Do you know what they can do?
Expectation gaps: Never want to say ‘No’. Set up to fail
Keeping the lights on (Housekeeping)
Maintenance (Obsolescence)
Growth (Volume / Size, Projects, Features)
Capacity and Capability
What are you getting for your investment?
Strategic investments?
Maintenance and housekeeping
High Risk
High Cost
Low added value
5.
What’s your tech inventory?
End user computers (and software)
Back Office Computers, Storage, Data (and software)
Security: Passwords and more
Network: All the connected devices
How important is technology to your enterprise?
Critical?
Essential?
Peripheral?
Will it stay the same?
What are your technology lifecycles?
• Hardware?
• Software?
• End of Life?
• End of Use?
Don’t last long (3-5 years)
Hate power spikes, heat, water ~ 5 year life
Keys to the kingdom
The Domain, LAN or WAN
6.
What’s your Skills Inventory?
How many people / what people
Generalists
• Helpdesk: Internal or External
• Supporting Functions: Supervision, Project Management, Business Analyst
Specialists
• Administrators
• Engineers
• Developers
What resources do I have?
What are their competencies
Certifications?
What do I need?
Is there a gap?
What’s most valuable to my business?
Where are my biggest risks?
• Future specialists
• Can be a commodity
• Low investment
• Generic Skills
• Specific Skills
• Privileged Access
• Out of hours support?
• Key System architects
• Hard to replace
• ‘On demand’?
• Should not have ‘1’
• Need governance
7.
Technology and Capability
– How does my Technology translate into Capability
– What you HAVE today is a constraint – created by past decisions
– Resources are focused around status quo and stability (reliability, repeatability, Routine, Maintenance)
• Not the best environment for change – but do you need to change?
• If the Inventory doesn’t match the Enterprise you can change the inventory!
What you have and what you need may not be aligned
IT tends to overestimate capacity and capability to deliver change
Result is delivery below expectations
Processes and people are harder to change than systems
Who needs a CIO?
8.
What does a CIO (or IT) do anyway?
• What Processes you have in place
– WHAT does IT do, HOW is it done
• Are you getting what you need?
• Are you really getting good value?
– Main Elements: People, Services, Software, Hardware
– What Information you are processing and storing
» Compliance – HIPAA, PCI DSS, PII
» Accuracy / Quality and standards
» Completeness / Controls
» Security
Technology uses its own (arcane and full of acronyms) language.
In a smaller enterprise the CIO role is not a full time job. Changing technology is changing the role too.
The world is changing and your enterprise needs to keep up. It’s a survivability issue.
Tech is everywhere. There are complex rules that you need to be aware of.
Who needs a CIO?
• CIO aligns technology to the business goals (PERIOD)
Looks at what you HAVE / ARE DOING / CAN DO with technology in your Enterprise, Compared to what you SHOULD HAVE / SHOULD be doing – and acts to close the gaps.
9.
What Can a CIO do for me?
Where does IT fit in the enterprise
What does IT contribute
Where can best value be achieved
Where are the key opportunities for improvement
Help manage IT better
– Reporting
– Scorecards
– Planning
– Execution
– Governance
– Projects
– Key Performance Indicators
– Communication
Yes, but how can I do these things?
We have no dedicated CIO and / or I still don’t get these answers
Change is not natively easy. Without Governance, reporting, compliance, it’s hard to achieve accountability for delivering value (In IT or indeed elsewhere)
Help in bridging the cultural and language barrier
Simple tools to manage Technology resources and projects
10.
Simple tools and processes
Routine Management
Cyclical tool to manage a department
Formal communication between execution and management
Over time see trends and patterns
Suggested Weekly or bi-weekly
Broad Focus Areas
■ What’s Important in the function at the moment
■ Where are we spending time, money and effort
New Information
■ What’s New this cycle
■ What did we achieve in the last cycle
■ What did we find out
Targets for this cycle / week
■ What are we going to get done
■ Who is doing it
■ What’s the status of ongoing efforts
Open items / Roadblocks
■ Open Decisions
■ Things I am waiting for others (who) on
■ Carried forward open issues
THE 4-BLOCK REPORT : DATE / PRESENTED BY
11.
Simple tools and processes
Routine KPIs / Metrics
Usually Monthly
Aligns with Enterprise Financial Reporting
Meaningful indication of performance
MONTHLY IT METRICS DATE / PRESENTED BY
Item | Content
Budget | Operating budget with narrative. Performance to Plan / Last year
Reliability | Uptime %, failure rates, downtime stats. Trended over time (Network Phones, Backups, Servers)
Helpdesk | Tickets handled, average time to close, Outstanding unresolved by importance (critical)
Capacity | Utilization: Storage, Compute, Network
Inventory | Bought, Broken, Repaired, Retired, Lost/Stolen (phones and aircards if owned as well)
Staff | Gaps, new, exits, promos, Training, Skills
Services | SAAS provider performance by provider
Change Management | Planned and Deployed changes. Outcome summary
12.
Simple tools and processes
Capital / Project reporting
Project reporting is about how well change is being executed
Do you know what projects IT are executing on?
What are your expectations on scope and delivery?
How are you gate keeping and prioritizing projects?
USUALLY MONTHLY EXCEL 1 LINE PER PROJECT.
Item | Content
Name | Name and code for project (if coded)
Description | Business name / meaningful to all
Purpose | Why do this project (type, benefit, priority, risk)
Budget | Project Lifetime (original) budget to actual. Performance to plan. Estimate to complete, contingency balance
Scope management | Changes to scope – Approved, waiting, declined
Dates | Approved, planned start, Planned end, Projected end
Status | Green (on plan / target), Yellow (at Risk), Red (off target – Time, Budget, scope, outcome)
13.
Simple tools and processes
Project reporting
Individual project reporting is about progress and execution of a specific objective
Often weekly but can change on activity level on project
CYCLES WITH ACTIVITY. USUALLY 1 SHEET
Item | Content
Name | Name, description, objectives
Team | Who, roles, responsibilities
Budget | Budget details, vendors
Changes to scope / dates | Changes to scope – Approved, waiting, declined
Milestones | Key dates within project
Status | Green (on plan / target), Yellow (at Risk), Red (off target – Time, Budget, scope, outcome)
Current activity | Good / Bad, delivered / Missed, Roadblocks / Issues, Next Planned Activity, Projected outcomes, Milestone reporting
All sheets = ‘Book of Knowledge’ a standard PMO tool
14.
Simple tools and processes
Complex project reporting
Where a project is high risk, or a large project, with cross functional teams or enterprise wide impact
E.g. changing ERP systems
Copies from MS project
Use Excel data Bars for complete %
PROJECT STEERING / STAKEHOLDER MEETINGS
Item | Content
Objective / Milestone | Project Component being reported. E.g. Cleaned up Vendor Master file, Chart of accounts sign off
Dates | Planned start, Due, projected
Completion | Percentage Complete
Actions | Responsibilities and actions due / performed
15.
Simple tools and processes
IT Strategy / Deliverables
Annual or longer view of multiple changes or projects
Simple presentation of complex issues
Present IT and projects to a board
Time scale / Item | Q1 16 | Q2 16 | Q3 16 | Q4 16 | Q1 17 | Q2 17
Exchange Upgrade
ERP Migration
New Location opens
Office 2013 deployment
IP Video Deployment
Intranet / SharePoint
Simple depiction of major initiatives that can be easily shared and digested.
High level summary – Low level details can be built as required.
16.
The World turns – New terms
• The ‘Cloud’
• A different way of providing services and managing technology
• Enabled by “virtualization”
• Virtualization
• Compute capability can be separated from computer hardware
• Less hardware, more efficient. Shared data and resources.
• Cloud Applications
• Programs designed to be delivered via the internet (E.g. Turbotax online)
• Software as a Service (SAAS)
• Rental agreement rather than purchase
• Usually priced on usage over time or volume
• Platform as a Service (PAAS)
• The ability to buy or rent computing capacity, rather than acquire or build it.
• Someone else is responsible for ‘Plumbing’
• Azure / Amazon Web Services
• Big Data
• Marketing term for a specific product / business problem
New Technologies
New ways of delivering service
New Risks
New Opportunities
New Language to describe the capabilities
17.
What is the ‘Cloud’
The ‘Cloud’ a Simple definition
• Computers / Programs (What computers do for us) are managed and provided as a ‘Service’ rather than components. This service is generally made accessible to users via internet connections
History:
• Mainframes
– Big, Expensive, Did one thing, Inflexible, Local
• Client / Server
– Smaller unit cost, Networked, Distributed, Generally focus on 1 function
• Virtualization - Separation of ‘Logical’ and ‘Physical’
– Shared Hardware, Dynamic load and capacity.
» Inside your network = “Private Cloud”
» Provided externally = “Public Cloud”
– What is the computer (Mainframe, Server etc)
– Less important than
– What it can do
– How it is Accessed
Ill-defined term
Multiple uses with different meanings
Most significant is ‘Public Cloud’ and ‘Private Cloud’
Computers/services as commodities
18.
What does it mean for IT
– Virtualization
• Mainstream technology
• Efficient (cost, support, reliability, resilience)
– Outsource/Cloud IS better than on premise
• All inclusive models (24/7, Risk Mitigation)
• Remove single point failures / dependencies
• Security is as good or better than in house
• Scalable at short notice
• Changes what IT does
• Is IT Infrastructure good ‘Value’ for you ?
• Is it a Core Competence ?
• What’s your Risk ?
• What should your energy be directed towards ?
Should we be virtualized or in the Cloud?
Absolutely to both – Hybrid model depending on enterprise
Self host generally if very high data volumes (scanning many high resolution images for example) or high level of integrations with localized systems
19.
What does it mean for IT
Possible Strategies / viewpoints
Are we BIG enough to have enough skills to support specific technologies in house?
Using SAAS we can avoid having to hire skill set specialists
Should IT functions be a primary competence of our business?
Can also consider full outsource models
Product | SAAS Status | Impact | Results
Email | Common | High | Reliability, resilience, Frees resource for Enterprise mission
Payroll | Common | High | Compliance, Security, Risk
SharePoint | Rare (but growing) | High | Resilience, Accessibility
Website | Common | High | Security, Reliability, Capacity
ERP / Accounting | Becoming common | High | Reliability, Accessibility, Key skills
Helpdesk (system) | Common | Med | Reliability, Accessibility - Stays up even if you are down!
Telephony | Becoming common | Med | Depends on installed base and equipment
HR Systems | Common | High | Security
CRM systems | Common | Med | Reliability, accessibility
POS | Common in small orgs | High | Risk, compliance. Can be more efficient in house but higher risk
Network / Connectivity | Growing | High | In house skill is expensive. Key man dependencies. Critical infrastructure
20.
Closing viewpoint
Things change – Entropy vs Development
We make decisions with what information we can gather and digest
• Research
• Experts
• Evaluations
As new choices (and mandates) become available
• Need to re-evaluate options
• Context of past decisions and current status
• Some ‘trigger points’ – Obsolescence, Contracts, Strategy, Staff turnover, Compliance, Growth
Not all new options are right – Change vs Stability
• Lots of marketing hype. Don’t get sold on shiny toys
• Biggest benefits are not always cost
• Will it help achieve the goals of the enterprise - how
How do you stay informed?
• People like us. Field experts, Benchmarks, Peer review, Sector experience, Passion in our fields, Constant Research.
Where am I compared to best practice
Where am I compared to my peers
For my type and size of enterprise
What keeps me awake at night
Am I happy with what IT is doing for me now
21.
Everyday issues / Global best practice
Stop keeping credit card numbers (everywhere):
• End to end encryption for POS
• Tokenization for Web
Don’t host your web site from your office
• Resource and access sharing is a bad idea. They will conflict.
Only collect personal data you NEED and keep it safe. Have a clean up process
• Most executives who lose sensitive data lose their jobs. Minimize the data and take care of it.
Check your backups work and are safe
• Perform test restores, Keep offsite copies (secure). Understand how you would recover from a failure.
SAAS and Cloud / Hosting is not a silver bullet
• New flexible solutions – New issues. Won’t solve every problem but are a game changer
Some simple thoughts to take away