Reconciling great user experience with data risks: CIO tips

Harvey Koeppel recounts his quest to deliver great user experience without inviting undue data risks. The journey was not easy.

Creating a compelling user experience is the holy grail of mobile (and even desktop) app development, but there are plenty of factors that get in the way. Managing and designing apps that appropriately handle data risks, multiple device/operating system constraints, environmental considerations, legacy system constraints, and the granddaddy of them all -- enterprise risk appetite -- are all reasons why the grail remains holy and often not achieved. But alas, my fellow crusaders, there actually is a path to the Promised Land of great user experience that will most definitely include walking across water, as well as other feats of intellectual, physical and spiritual preparedness and fortitude. There are, of course, many opportunities, if you are not careful, to become road kill.

My CEO and the NY DMV

My journey to find the holy grail of great user experience began in early March of the year I was summoned to the office of the CEO of the BigWorldBank, where I served as a CIO for the global consumer division. After dispensing with the usual niceties around the good health and well-being of my kids and her grandkids, she quickly got down to business. "When was the last time you were at the Department of Motor Vehicles in New York?" she asked me, appearing to be quite serious. Despite the rather odd nature of the question, painfully aware of the "What the heck?" expression that must have broken out across my face, I quickly regained my composure and recalled CIO Rule No. 2: You don't tug on Superman's cape and you don't mess around with the CEO. I responded, "Probably about five years or more -- why do you ask?"

Note: For readers who may not be familiar with the New York State DMV experience, suffice it to say that, pre-transformation, it could only be described as the stereotypical (perhaps ultimate) bureaucratic, administrative nightmare that should only be endured as a last resort when all other means to get done what you needed to accomplish had been exhausted.

My CEO then went on to explain that during a recent visit to the DMV to renew her driver's license, she found the experience to be completely transformed and actually enjoyable. "I want you to go there and figure out what they did; find out how they transformed themselves from everyone's worst nightmare into a friendly and efficient place to conduct business. Let's learn from them! I want people to come into our branches, transact their business in a comfortable, professional and courteous manner, walk back out onto the sidewalk and turn around to look at our branch and say, 'Wow!' Let's meet again in a couple of weeks, so you can update me on your progress."

I felt as though I had been promoted from CIO to knighthood status, a true member of the Roundtable, as if Excalibur had tapped my shoulder. I could not believe that I was being given the opportunity to lead the charge on delivering a great customer experience at BigWorldBank. "Wow!" would have been an understatement. Little did I know what would happen next.

Anything, anyplace, anytime by anyone ... vs. data risks

 "The journey of a thousand miles begins with one step." -- Lao Tzu

Within a couple of weeks, I had completed the mandated visit to the DMV, figured out their secret sauce, documented high-level business goals and objectives for the program, and outlined a high-level technology and operations architecture and a very preliminary business case. I still have the original napkin. At my two-week CEO checkpoint, we refined the pitch and created the basis for transforming the napkin content into a couple of PowerPoint slides to present at the next board meeting. The presentation outlined, in board-of-directors language (no words greater than two syllables and all the text in, at a minimum, 24-point font size), a vision for a new (at that time) concept in banking: "anything, anyplace, anytime by anyone." Mobility was a core technology presented since it was the only way to achieve the "anyplace" objective. From a security perspective, we advocated the use of a fingerprint identification system combined with a single sign-on capability to greatly simplify the UX, reducing the application interface from 89 disparate systems (and user IDs and passwords) to one. From a data perspective, the vision required the creation of a 360-degree customer view, needed to enable the "anything" objective. Some very lofty stuff, even by today's standards.

Several weeks later, we went to the board to present the vision and request approval for an investment of about $250 million for Phase I (the mobile UX, infrastructure and data management required to support our North American base of about 80 million financial services customers). The presentation went well, the board was intrigued with our vision to provide a great user experience … and they refused to approve our investment request. One of the board members was concerned about data risks: In order to create the proposed 360-degree customer view, we would need to store all of our customer data in a single location, which would almost certainly leave us vulnerable to a data breach with immeasurable reputational, financial and regulatory consequences. Despite an eloquent performance of our most fanciful dance number, we were unable to prevail. Note to self: Don't go asking anyone for a quarter of a billion dollars without being over-prepared.

I rallied my team and, within a few days' time, all of the king's horses and all of the king's men came up with a most elegant solution to the board challenge on data risks. I could tell you how we solved it, but I would then have to shoot you. A month later, we were back in front of the board. That afternoon I received approval for my $250 million investment. Needless to say, during the days, weeks and months that followed, we experienced some of the best of times and, not surprisingly, some of the worst of times. All of that was quite intriguing and likely a good subject for a future post. Let me just say here that we did achieve the customer experience goals and objectives that we established from the beginning, and the holy grail is still in a box in a brown paper bag stashed in someone's desk drawer at corporate headquarters, indelicately placed between the moldy Bon Bons and the stale Twinkies.

CIO lessons learned: 13 tips

 "Some days you go bear hunting and you get eaten. Some days you come home with a nice rug to roll around on, and bear steaks." -- Laurell K. Hamilton

For those few readers who may not have access to $250 million to invest in the quest, here are a few of the highlights from lessons learned during the quest to balance a great user experience and data risks.

  • Start with a clear and well-articulated vision, goals and objectives. Communicate the new gospel early and often to all program stakeholders.
  • Create a robust business and technology architecture that can become the basis of the program roadmap.
  • Create clear and well-articulated operating principles for leading and managing the program.
  • Tailor your business/technology governance methodologies, procedures, standards and tools to include the new architecture and operating principles.
  • Never ever underestimate the criticality of having the right data available as needed, likely in real time.
  • Address data risks by building data security into the overall architecture, infrastructure and application design and implementation. (Data security that is implemented after the fact is generally better labeled data insecurity.)
  • Data security management is as important as data management. Consider managing data security by user role and extend it to the application and data element level.
  • Data quality management is not just a technology problem. Creating, storing and maintaining high-quality data are everyone's responsibility.
  • Entitlements to functions are as important as entitlements to data.
  • Enable function and data security controls at the earliest possible point in the process.
  • Involve business, operations and staff function representatives in the program management process from the beginning and keep them involved throughout the quest.
  • Involve internal/external audit and regulators in the program management process from the beginning and keep them involved throughout the quest.
  • Learn from missteps and celebrate victories often.

Let me know what you think. Post a comment or drop me a note at [email protected]. Discuss, debate or even argue -- let's continue the conversation.
