Among the greatest challenges confronting CIOs at small to medium-sized businesses (SMBs) today is wondering how they should be managing information technology infrastructure and services to boost business and increase efficiencies.
SearchCIO-Midmarket site editor Wendy Schuchart spoke with Raymond Laracuenta, a managing vice president at Stamford, Conn., consultancy Gartner Inc., at the Gartner Symposium/ITxpo 2012 in Orlando, Fla., about where IT leaders should be focusing their attention when it comes to managing information technology infrastructure on the SMB level.
Read the full transcript from the interview below, and watch the video to learn how SMBs can best manipulate infrastructure and software services to their advantage.
What are the biggest missed opportunities for an SMB today?
Raymond Laracuenta: Probably the greatest challenge and opportunity facing SMBs today is their use of technology infrastructure to drive the business. Their focus on trying to keep that in-house versus leveraging public cloud Infrastructure as a Service [and] Software as a Service limits the IT department's ability to really drive the business.
Unlike larger enterprises who have typically much more complex infrastructure and portfolios to manage, SMBs don't have a lot of that, and yet they are not taking advantage of the services in the cloud to leapfrog the competition. A small IT department in a small organization should be focused on the business. I mean, all IT departments ultimately have that objective, but in a smaller organization with limited resources, it's imperative that your CIO or director of IT is in line with the business, isn't making investments of time [that will not bring value to the business].
It's not so much just capital dollars, but the focus and attention of the IT team, such as it is -- and it may only be four, five, 10 people -- is on how do we grow the business, how do we win in the marketplace? To that end, outsourcing, if you will, infrastructure, desktop, operating systems, servers and so forth, and even basic applications like email and calendaring, will allow a very small operations team to change their focus.
Additionally, a smaller firm struggles with skills management and acquiring good skills. Very few top-flight IT professionals, unless they're looking for a lifestyle change, are going to bring their skills to a very small organization. They will, however, be interested in taking their technical and business skills and moving to an organization where they're focused on the business. How do we grow in this market? How do we move into new markets, different geographies and different industries? That is a compelling opportunity for someone who may have only been an IT manager in a very large enterprise, and would come down to a small business and say, 'I can actually impact the business.'
That, to me, a lot of words in there, is the biggest challenge for them, which is focus. They are focusing on duplicating the maturation of a large enterprise. They should not do that. They should take advantage of the technology that is there. Understand the security risk clearly, and focus on growing the business and how to win the marketplace.
Could you give us an example of a place where an IT director might be a little bit more cautious to engage in those efforts?
Laracuenta: Clearly, anything to do with customer information is going to be the most sensitive, and so while there are risks, moving anything into the public cloud has its own set of risks to it. With proper processing and working with the right vendors and partners, you can mitigate that risk.
For a smaller organization, if that's their franchise, it's the data on their clients, and they feel that if compromised [it] would damage or destroy the business, that should be one of the last things they move [to] as they build up their security chops in terms of moving things to the cloud. Because, obviously, when you move something to a cloud, whether it's infrastructure or applications or data, there are still security skill sets that you need to maintain in-house. It's everything from looking at the service-level agreements [SLAs] with those providers, understanding what you're getting, what the remediation is, what the risks are. It's better to start off small: email, calendaring, application technology that is commodity-based and where critical business assets or client data is not initially moved in. You start there.
More on managing information technology
The future of IT, according to Gartner
The top IT trends for this year and beyond
It's like if you want to do the marathon, you have to walk a little bit before you start to run. Once they've established a set of clear criteria, processes and requirements for messaging and calendaring and some of the lighter-weight applications, they can transfer that over into either full infrastructure, which would be network servers, servers, virtualization and the like, or Software as a Service applications.
Ultimately, the small business owner or small enterprise has to ask itself, 'Do we actually have the expertise and the technology in-house to provide a greater degree of security than a public cloud provider?' In many cases, the answer is, 'You don't. You have more invested emotionally and business-wise in that data in those systems, but in terms of the investments you can make on the technologies there, you are relying a lot on firewalling your own internal server, protecting you from risks that may not be as secure as you'd hoped.'
A larger provider that has professionals that focus on security management for both large and small customers is going to have a skill set that you may not have, [will] have technical and capital resources you might not have, so it really comes down to [your understanding of] how to manage a good security policy with a cloud-based service or deliverable.
The risk, really, is more a state of mind and its level of preparedness. Ultimately, if you are prepared, if you understand how to set up your own internal systems to access the cloud effectively, your risks can be managed. But there's no question, once it moves into the cloud, if that vendor is compromised, then you, along with anybody else in the cloud service, could be compromised.
The flip side is it's harder to find you when you're in a cloud with thousands of other companies than it is when you're Acme Inc. and this is your Web server and you do something specific for a living. It's easier to find you than it is to find you in the cloud, but, ultimately, you shouldn't rely on that. It's a skill set you need to deliver and have in-house.
That's what I talked about earlier in terms of focus. Rather than having people maintain all of those systems, you invest in some security people who can read SLAs and write SLAs with vendors, and that reduces your security risks significantly. The rest of your team is focused on business-related issues -- and that should be your core competency -- strength and security, and understanding and remediation, and then strengthen business focus and development.