Sometimes the truth hurts.
It can be hard to admit that you've lost control over how your organization deploys technology, or that your network is porous and your code poorly written. Or no matter how much bandwidth you've budgeted for, it never quite seems to be enough, and that despite its bright promise, the cloud isn't the best solution for everything.
In a world where anyone with a credit card and keyboard can spin up their own data center, it's easy for CIOs to feel irrelevant and redundant.
Good luck with all that. The gap between your dreams and cold hard reality just gets wider every day. That doesn't mean you should give up, but it does mean you need to get real about what you can change and what you must accept.
Here are six hard truths CIOs must learn to live with.
[ Beware the 12 'best practices' IT should avoid at all costs while heeding the 9 forces shaping the future of IT work. | Get an inside look at 13 real-world digital transformations. | Get the latest insights by signing up for our CIO daily newsletter. ]
1. Shadow IT has come out of the shadows
Five years ago, one of the biggest headaches IT managers had to deal with was the emergence of BYOD, as employees used their own smartphones on the job. Now, with a few clicks of a mouse and a credit card swipe, they can bring their own data centers.
"BYOD has become BYOIT," says Mike Meikle, CEO of secureHIM, a healthcare cybersecurity and education firm. "Employees can quickly stand up whole IT solutions, from applications to storage, with a few button clicks, and then access these platforms from their mobile devices."
But the definition of “shadow IT” has shifted over time, says Bobby Cameron, vice president at Forrester Research. It used to mean engineering teams sticking a server in a closet and using it to run their own skunkworks. Now it means the sales and marketing team signing on to a software service or spinning up servers on AWS without asking for permission. But that doesn't mean IT should just step aside.
"It's about digital empowerment, and it's customer-led," Cameron says. "IT is no longer pushing products and services to its internal customers, but it still needs to know what they're consuming and shape its deliveries to match that. "
The IT manager's job has shifted from controlling what technology employees use to offering guidance on the services they should procure, says Steven A. Lowe, principal consultant for ThoughtWorks.
"The issue isn't control," he argues. "IT lost control years ago and cannot get it back. The issue is strategic relevance — using your IT knowledge to help the business make better decisions about third-party apps and services."
2. You can't do everything in the cloud
Six years ago, more than 40 percent of CIOs surveyed by Gartner believed they'd be running most of their IT operations in the cloud by now. While the vast majority of organizations run some business-critical systems in the cloud, full migration is still relatively uncommon.
Instead, Gartner predicts that 90 percent of organizations will adopt a hybrid infrastructure by 2020, keeping some IT resources in house while outsourcing others to public or private cloud providers.
There's no question the cloud has had a dramatic impact on IT operations, but it hasn't always lived up to the hype. A June 2017 survey of 300 IT pros found that 80 percent said the cloud wasn't meeting their expectations due to problems with security, compliance, complexity and cost. According to a January 2017 survey by cloud management firm RightScale, from 30 to 45 percent of enterprise cloud spend is wasted.
That's because a lot of companies reflexively moved to the cloud with no clear understanding of why or how to do it, says Lowe.
"Merely moving a critical service to the cloud does not automatically make it more reliable or scalable," he says. "To truly take advantage of the cloud, software needs to be architected and implemented differently, using microservices instead of monoliths."
And some organizations that thought they could move all their legacy apps to virtual machines in the cloud have had a rude awakening, adds Tom Mainelli, VP at IDC.
"Companies will always find some app they can't virtualize," he says. "Like an expense program that's 25 years old and the company that built it has been gone for 15 years. You'll probably never be fully rid of old proprietary apps your company uses every day."
3. Your systems have already been hacked
It's a given that your corporate network has been compromised and your data is at risk. Things are only getting worse. In fact, data breaches increased 40 percent in 2016, according to the Identity Theft Resource Center.
The question is, What can you do about it? Many enterprises respond by investing in network security appliances. That's the wrong approach, says Meikle.
"Everybody wants systems that are easy to manage and hard to breach," he says. "But they usually end up with big ticket security appliances that are hard to manage and sensitive data that remains unprotected. A smarter approach is to assume your environment has already been compromised and design your security plan around that."
Instead of trying to protect networks and devices, smart IT organizations focus on securing company data on those endpoints, says Mainelli.
"Obviously you don't want your networks or end points compromised, but what happens once somebody plugs in a USB drive?" he says. "Is the critical data the company relies on secure? What happens when it's moving from email to email or hard drive to hard drive?"
Security has gotten worse in part because there are more devices and more data to protect, says Cameron. But technologies like Docker-based containers for cloud data and AI-driven automated breach detection are helping to mitigate the problem. And after high-visibility breaches like Equifax and Yahoo, Cameron says the C-suite and the board are finally starting to pay attention.
"It's like we're in Star Trek and the Klingons are coming after us," he says. "But we do know how to deal with it."
4. Your software is unpatched and insecure
Unpatched software is a huge security and compliance risk. Yet according to a Feburary 2017 survey by Flexera, 10 percent of U.S. users were running unpatched versions of Windows. A May 2016 report by Duo Labs claimed that one in four business systems was at risk due to outdated software.
"We've seen customers who can't keep pace with patches, which are rapidly growing in size and take longer to apply," says James Lee, executive vice president and CMO for Waratek, an application security company. "This is coupled with legacy applications that can't be updated or secured short of complete rewrite or replacement."
Worse, adds Lee, security is often a lower priority for software developers, who are incentivized to emphasize features and deliver code on time and under budget. The result: software that is increasingly vulnerable to attack.
The problem stems from a failure to conduct true software quality assurance, says Mark S. Kadrich, interim CISO for Martin Luther King Jr. Community Hospital in Los Angeles.
"I've been in the industry long enough to know that if I'm losing sleep over technology failing, I'm in the wrong industry," he says. "Eighty percent of software is crap, while 20 percent of it just sucks. There's very little that can be considered well-engineered."
His response: Assume the software will fail and plan for the worst case scenario.
"You know the software will fail; you know you're going to get hacked," he says. "So I plan for failure. I make the network fail, see how long it takes for us to detect and recover from it, and implement my procedures accordingly."
5. You'll never have enough bandwidth
It's inevitable: Just as you've finished installing that 100-gigabit ring around your corporate campus, some bright bulb in the C-suite decides they need to stream all training and marketing videos in 4K.
"No matter how fast the internet gets, we keep shoveling bigger files through the pipe until it clogs," says Simon Jones, application delivery expert at Cedexis, a software-defined application delivery platform.
Thanks to the influx of mobile and IoT devices, the amount of data flowing across business networks is expected to more than double by 2021, according to Cisco.
The good news is that companies are getting better at intelligently managing network congestion, Jones adds.
"Telemetry, data processing, and AI are moving so quickly that avoiding slowdowns is getting easier to automate," he says. "Managing internet traffic will work much as Waze works for drivers: With intelligence available to find all the possible routes around congestion, you'll only get slowed down or stopped when there simply isn't an alternative pathway."
6. IT is still relevant — but only if it adapts
Despite the explosion in self-service IT, tech expertise is still highly valued in organizations. But tech pros will need to up their game, hone some new skills, and be willing to accept some help from robots.
Successful IT pros are good at adapting to change, says PK Agarwal, regional dean and CEO of Northeastern University-Silicon Valley. A few years ago, IT pros were talking about data management and development; now they talk about IoT and devops. The topics may change, Agarwal says, but the requisite skills do not.
"Today's IT leaders need to be more reliant on soft skills and emotional intelligence, so they can guide complex conversations about the collision of digital transformation with legacy eco systems," he says. "The upsurge in automation and self-service also means IT professionals need to be more committed than ever to life-long learning."
AI-driven automation will change tech delivery in significant ways — eliminating low-level and repetitive jobs, while enhancing tech pros' ability to pull meaning from vast quantities of data, says Isabelle Dumont, VP at Lacework, a cloud security company.
“Cloud security is a good example where machine learning can augment IT's ability to perform," she says. “From breach detection to investigation analysis, ML can compile and analyze the billions of events and the output of thousands of VMs faster than any human, so IT teams can focus on the things that matter most."
Still, the onus is on CIOs to overcome the stigma of IT being seen as a cost center and technology pros as order takers, warns Lowe.
"If you want to be treated as a strategic partner, you have to act like a strategic partner," he says. "This may make for some uncomfortable conversations, but only by inserting IT into upstream strategic thinking can it have impact and change the perception to one of partnership."
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.