Call it a tale of two CEOs -- and their requests for up-to-the-minute technologies. As upgraded mobile devices and new cloud services become more mainstream, CIOs and other high-level IT executives are reaffirming their IT governance strategies so they'll be ready to implement and service these new platforms -- with or without a ton of advance notice.
One CEO at a large insurance provider recently called his company's help desk and asked for two iPads. The help desk employee said the iPad wasn't on IT's approved list of devices. The CEO replied, "It is now."
You have to make exceptions to the rules, said Joe Surber, vice president and CIO of Atlanta-based natural gas distributor AGL Resources Inc., who shared the iPad tale during a cloud computing panel at last's week's annual Society for Information Management conference in Atlanta.
"It's [IT's] job to make sure that new devices can meet our corporate governance standards around security and delivery," Surber said. "I don't want to be in the game of dictating standards."
Another CEO, a leader at construction material provider Martin Marietta Materials Inc. in Raleigh, N.C., approached the company's CIO, Chuck Musciano, with an unapproved new BlackBerry in hand and asked Musciano "to hook him up." Instead, Musciano told him to hand over the BlackBerry.
"You have to stand your ground," Musciano said. "If you have policies that everyone but the C-suite follows, the rest of the company instantly knows the rules can be broken"."
That is not to say that Musciano didn't fulfill the CEO's request for a new device. Musciano selected one that both met the CEO's needs and was approved by IT. The device was such a hit that others in the C-suite followed suit.
"It was an opportunity for us to show them what we could provide and what we support," Musciano said.
The key to maintaining an IT governance strategy with regard to the adoption of new technologies is to stay ahead of the curve, executives agree. Musciano, for example, was able to give the CEO what he needed because his IT department is a test bed for "every new device under the sun."
"IPads, iPhones, Androids -- you name it, we'll find someone in IT to play with it," he said. "IT feels like they're getting a reward, and we learn from IT what problems they encounter, so we can turn around and say [to users], 'We know how to solve your problem.'"
IT governance approaches for the cloud
If you don't think that end users are buying cloud services without IT's knowledge, pay special attention to this anecdote shared by Tim Crawford, CIO at IT services provider All Covered in Redwood City, Calif.
Crawford was recently told by a CFO not employed by All Covered that he'd asked individual business units whether they were using Amazon.com Inc. services -- not for the purchase of books, but actual cloud services.
"[The CFO told me that] 12 different departments were using Amazon cloud services that IT didn't know about," Crawford said.
For Paul Miller, the infiltration of cloud services is "a case where an audit can finally be my friend."
Applications are pretty useless without data, and if you want to get to the data, you'll call me.
Chuck Musciano, CIO, Martin Marietta Materials Inc.
"The more an audit focuses on end-to-end business activities … I haven't found too many cases where audit says that IT doesn't need to be involved in that," said Miller, senior vice president of technology infrastructure and broadcast transmission at Turner Broadcasting System Inc., based in Atlanta.
Miller added the caveat that IT absolutely does not have to be involved in every IT decision the business makes. "We have to break away from traditional paradigms and figure out what those things are that matter, versus those that don't," he said.
Musciano, on the other hand, said IT should be involved in any decision that involves corporate data potentially ending up in a public cloud. He has put a master data management strategy in place, by which any request for data has to come through him. There is only one copy of corporate data, and he keeps it locked down in the company's data center.
"Applications are pretty useless without data, and if you want to get to the data, you'll call me," he said.
His approach stems from a belief that IT has a fiduciary responsibility as the watchdog of data, especially in light of such regulations as the Sarbanes-Oxley Act, and the possibility of a lawsuit if data is breached in a multi-tenancy cloud environment or a cloud administrator loses a disk drive.
At AGL Resources, data security sits underneath the general counsel's office. "Instead of [IT] just going in as a hammer and saying 'no thank you' [to a request], [the general counsel] can say, 'Hey, look, you're putting confidential business information into a public domain. You need to abide by these security policies,'"' Surber said.
But again, it comes down to staying ahead of users' expectations, anticipating their needs and knowing what services and devices they are likely to go off and buy on their own.
For Surber, that means IT has to engage the business daily. "There's always going to be a lone ranger, but for the most part we come in and say, "We're going to listen to you, engage with you, consult with you and I'm going to take this off your plate,'" he said. "And they are happy to have you take it off their plate."
Let us know what you think about the story; email Christina Torode, News Director.