New demands on CISO.

Consumer Technology is inside the perimeter. Its been an invasion of devices, apps and cloud services. Enterprise data has found an easy bridge to cross the perimeter and free itself. None of this is unknown to us, though have to admit its been a sensational development at a sensational pace and technology adoption and work style adaptation has happened with passion that has never been witnessed or experienced by an enterprise app or project. As a CIO one only hopes and wishes that these virtues be associated with enterprise IT initiatives we lead.  All of this has caught us off guard  as most of this is unplanned induction and some definitely see it as an intrusion.

The CISO's role is all the more critical against this backdrop. The CISO, to be really effective, will have to don a new avataar or rather add a few more facets to their personalities. While setting the ground rules and policing to ensure adherence to policies have been the only traits CISOs have shown, and while some have undertaken branding and advertising to ensure awareness, nobody has seriously stepped into the shoes of a educator and a protector. Every organization has policies around ownership, distribution and life-cycle management of all its enterprise assets; specially data. Data is all over the place - documents, data in the enterprise database, spreadsheets, scribbles and notes on note pads. Employees create data on the go.

Consumer Technology has placed in the hands of employee, tools and devices that come to their aid in doing their jobs effectively. In this process, enterprise data is not just passing thru these personal devices and cloud storage, it is actually being created on them and then , hopefully, getting into enterprise systems. There is ample scope for data theft and data leakage. While enterprise governance is all about checks and balances to safeguard corporate assets and contain risks, employees are all about productivity, speed, quality of service and delivering the wow factor with attitude in their deliveries. Governance need to ensure employees can bring all of that onto the table in a secure environment as employees find lot more exciting tools outside the secure environment. One way to get around this is to step up the act on awareness and education.

The CISO is in a fantastic position to map the spirit and the letter of the corporate policies to these consumer technology choices that are all around us and highlight, clearly, in simple language, with examples, the possible damage that could happen to the enterprise if some of these apps were used. I reached out to 12 senior CISOs in the industry before I penned this blog post and everyone thought that it was a good idea and some called it innovation. I was actually a bit miffed. I reminded them, that this had always been an expectation from their chair, but all that one got was policies and policing. CISOs need to be aware that they are here to support the employees conduct their business in a safe and secure environment. Along with education and awareness, the CISO needs to push the CIO's team to fund small labs that can discover the best way to leverage these consumer technology ideas within their enterprise to achieve business goals.

It would be nice to see CISOs bring out videos and literature that shows how enterprise data and hence the personal credibility of employees could be at risk by unabated and un-mentored use of apps like Dropbox and Evernote. At the same time the CISO should work with the CIO to figure out ways of accommodating such features and functionality within the enterprise. CISOs needs to bring their expertise on the table in a lot more ways than just policing. This happens when CISOs wed their agenda with business objectives beyond just securing the enterprise and extend their expertise to areas around employee productivity and morale enhancement by support agility in the employee personal productivity space. Everyone loves carrying and showing off not just cool devices, but how they use it to deliver value. Most of the the time, the wow factor created is targeted around their individual selves, no harm in supporting it, if it does result in value to the organization.

Part 2 : My First 90 days : Maneuvering The Landscape

This is in continuation with my earlier post that marked the first 30 days of my first 90 day journey in a new group, in a role that has been created for the first time. My second set of 30 days in Interglobe Group as the Group CIO, gives me the confidence to bat on the front foot for the time being. Having gone through the induction and the learning process on the key businesses of the groups, it was time to get to know the people better. A lot comes out as you do one-on-one with your peers, their one-downs and your direct reports.

3 things have been achieved at the end of 60 days:

1. Re-validation and the associated satisfaction of having joined the right workplace.
2. Firm understanding of business strategies, priorities and goals
3. A fair amount of understanding of the formal and informal structures that is responsible for the enterprise's success

The moment the satisfaction of having joined the right workplace sets in, what hit me immediately is that the organization must be seeking similar satisfaction for themselves on my appointment! This is a fine line one needs to walk on. I am in a new domain and need time to get my head around the business operations, goals and the strategy. At the same time the organization is extremely keen to quickly test the strength of their investment. I listed down three initiatives I need to run, while as a parallel process I formulate and co-create the digital strategy for the enterprise along with my team. Engaging on small initiatives, is a great way to showcase your mettle and also understand your environment and eco-system. Dealing with various individuals helps you discover both the fruitful and the wrong engagement techniques. Each person is different and needs to be approached and engaged with in a different manner, till you firmly establish your leadership and by virtue of that respect, people start aligning to your needs on engagement. Architecting this turnaround is very key both for political reasons and for your influence sphere to be effective. This should not be mistaken for arrogance. There is a huge distinction between the two. 

It would be foolish to take everything at face value and dis-respectful if your behavior displays this intent! This is a fine line that needs to be walked again.  There are many aspects of the new organization that you want to learn by putting it to test. Small simple tests can reveal the underlying fabric of agility, pride levels and engagement strengths of the organization. These three attributes are very important to me and hence I tend to look out for these and so I mention them here. One might argue, is integrity not a key value and should one not test that ?  It is, but that is one aspect a person should research before joining the organization. Once in, it would be foolish to either question or test integrity of the organization. At leadership levels, once in, one should take integrity and ethics as a given workplace strengths and move on to re-enforce these, and not test these. Attempts to test these in the initial phase of your new job at the leadership levels, gives way to various interpretations that will most adversely affect your personal brand. Always remember that you are the new guy. Any perceptions on your personality or brand that get created for in the first 90 days, will last for a very long time. In good organizations, respect for leaders who cannot manage their perception in the early days, is very scant. A few places might entertain benefit of doubt, but most performance driven organizations don't. The leadership is always hoping on riding on the new leader's brand to get a few things done in the first few days. Usually the announcement of your appointment , specially the part where they articulate your strengths,will carry traces of hints on their agenda. If you hurt your personal brand, you tend to be of little use to them in the first 90 days.

It helps to quickly see if there is someone out there who will hold your hand as you maneuver the new landscape, align with the culture and the way things are done, identify the formal and informal structures in the organization that the responsible for the organization's success and discover the most effective modes and means of communication. I found a fantastic guide for myself in this journey. This person had already made up his mind before I stepped in, to play this part. That is an attribute of a very mature workplace. The first thing to do is to cement this relationship with trust, friendship and integrity. My efforts in this direction will reveal their results in the next 30 days to come. But, best not to let the expectations go high on this, or rather on any support system in the organization in the first 90 days. 

Armed with whatever I could learn and internalize, I was nervously excited about my first leadership committee meeting at Interglobe, where I was to present my three initiatives. I wanted my first official pitch to set the tone for the next couple of months and lay the foundation of my brand equity as a strategist and direction setter. I was sure, I would be treated with kid gloves and loads of forced warm smiles, patronage and plenty of flowery language laced with nicety; none of which should affect me. Thankfully, the talk was cordial but straight and I walked away with the feeling that very soon, the language will reflect acceptance of my abilities at the table. None of "this is how things are done around here-you are new-you will learn." talk, rather they were looking forward to me setting a direction as the Group CIO. One of the key aspects I have to still work on is the interpretation and hopefully my guide will pitch in here as well.

Quality time one-on-one with business leaders was a must and I did get that to clearly drive my point home, that I am here to give a new direction and set agenda for driving business change, solicit their partnership in driving this change and striking the chord on the fact that its as much their change agenda as mine.

I am completely new to the domain and the following are very clear to me:

1. They know their business much better than anyone else (including their competition as they are market leaders) and hence I will learn the ropes from them.
2. I am an outsider and hence can quickly see where frog in the well syndrome is playing up and hurting the organization. This is my key strength at the moment and I bring this to the table.
3. I am neither boxed down by the organizational thought processes nor have been conditioned to the organizational constraint perceptions. This boosts my strengths further and is my trump card.
4. I am the new guy on the block and new ones at any level get some leeway. The new guys at leadership levels get loads of leeway for exceptionally short period of time.

So that's 3-1 in my favor as of now and for a very short time, as I add to my strengths, build relationship bridges and lead. That pretty much sums up the second 30 day block of my first 90 days in the new job!

Business Analysts - Key to success

The CIO round table on "war for talent" at the gartner symposium, brought forward someThe CIO round table on "war for talent" at the gartner symposium, brought forward some very key aspects around success having been delivered more often than not, when there is deep involvement of good business analysts.

We debated on the need for BAs to be part of the IT team and not as part of the business teams. The interesting question posses by fellow CIO of Cannon, was wether it would then be fair to say that business teams can then bring on board technical analysts! Aren't most business folks technical analysts any way!

Grooming BAs to the point where they really start delivering value is a long process. In environments that are friendly and embracing g, BAs could be productive in their second year. In large complex environments, sometimes it takes 3 or 4 years to really deliver value.

The grooming program is the key to success. These BAs need to spend at least 6 to 8 weeks in each of the key depts and SBUs working as apprentice to the line function 2 to 4 weeks each in the other depts of the organization. Once the business operations are clear, these guys should shadow the SBU leaders for 3 weeks and dedicate a day to be spent with SBU head exclusively one-on-one. These guys then been to serve as apprentice to the C layer for a week each.

Couple of aspects to be kept under active observation for grooming interventions in the first 6 months of their active deployment.

1) Do these guys come up with their own ideas for the Organization or do they come back with a list of things to be I proved upon as told by the business teams during the induction and the grooming program

2) Their attitude and their next steps after some of their plans are either rubbished or politely turned down due to prioritisation.

3) their approach to building their individual credibility and branding in the first 4 months of their productive deployment.

4) Their ability to assess risks and their approach to project planning where risk of failure is high

5) Their ability to effectively interact with the C layer and their ability to hold their own under the spotlight.

I have been in the past, been able to very quickly slot the guys into 4 buckets:

1. Self starters - self explanotary.
2. Efficient executors - they need to be told what needs to be done, and then you don't have to follow up
3. Solomon's spiders - keep trying repeatedly when faced with failure. They never give up
4. Batman - two faces, both strong suites
5. The Spielberg - builds larger than life plans and projects. Loves to take Complex projects. When handed over a simple project, paints a larger than life picture about it. Inspires participation from one and all.

Each of these strong suits are detrimental at one level. I don't generally work with BAs who have one strong suit and a equal or relevant mix of other aspects. I like to bring together people with these exclusive strong attitudes on one table and work with them as a team. The learning are immense. However, this results most of the time into an emotional drain on oneself. So if you don't enjoy roller coaster rides at work, maybe a different approach needs to be evolved.

The opposite of work is play. Human beings, I believe are wired to play. We need to choose our game and invite the players to team up. I love picking BAs from college. Good BAs work inside the business teams and get pro-activity going for IT. Instead of being told by the business on what needs to be done, IT can start defining for business the best path forward. For this to happen, the grooming process is key.

Couple of advantages with this approach:

1) CIOs will be integrated on the business plans at the SBU level by integrating the BAs into SBU structure. This move will be welcomed, if the BAs KPIs are similar to that of the SBU heads KPIs

2) The CIO can plan SBU's directions and can have more meningdul discussions at Mancom/ExCo - travesring the journey from order taker - agenda setter - strategy co-creator - pace setter.

3) Evolve the BAs to digital strategy officers