Why does IT exist?

Hint: It is the 'I' in CIO, writes Geoff Lazberger.

When Bill Clinton successfully ran for US President in 1992 his campaign strategist James Carville summed up their strategy in its totality as this: “It’s the economy, stupid.”

This theme was self-evidently ubiquitous throughout the campaign at every occasion and made the audience aware at each opportunity where they needed to focus – on economic management.

Not dissimilarly, when you look at how IT is ingrained within a large, complex organisation, it is obvious to see the core value lies in the information itself. The only reason we need things like firewalls, servers, printers, hard drives, screens, encryption or networks is to either protect, access, print, store, display, encrypt or transmit information. Without the underlying information we wouldn’t need any of these peripheral devices.

In short, the fundamental information within an organisation is way more important than any of the technology used to manage that information. It’s the information, stupid.

However, there are five key areas which will impact the quality and value of business information within an organisation which are sometimes under-addressed:

• Who is responsible for maintaining it?

• What is its purpose?

• How long do we keep it for, and where?

• How do we protect it?

• How do we ensure it doesn’t become tainted?

The key purpose of IT within an organisation is to enable the business strategy and help the organisation become the business it needs to become. This is achieved through both the strategic and tactical use of information, with the ultimate ownership and responsibility for information residing with the CIO. This is what the ‘I’ in CIO represents — ‘Information’.

Addressing each of the areas above can be expressed as per the following:

Informational management: In order for the CIO to help enable the business strategy, the two initial mandatory steps are to firstly create the right IT organisational structure (that is, what IT-related roles are needed to support the business and its strategy) and then ensure the right person is in the right position. Everything else flows from these initial steps. Without these key planks in place, delivering IT value is more difficult, expensive and risky.

Informational purpose: All corporate information should have a purpose and the ultimate goal is to use this information to enable the business.

This might sound tautological at first blush, however understanding this statement is germane to understanding the effect and value of information in the enterprise. I’m afraid I belong to the school of philosophy where “there are no IT projects, only business projects”. If an initiative is proposed which will have no bearing on contributing to the corporate strategy or supporting the business operationally (aka: keeping the lights on or scaling existing systems and architecture) then hard questions should be asked about its purpose for existing in the first place.

Informational lifecycle: How long we retain information should be less and less of an issue as disk storage has become cheaper and cheaper, with cloud storage further lessening the need to expand burgeoning corporate server rooms.

But I haven’t come across many organisations in past years that retain corporate records (documents, emails, online conversations) for the statutory seven years. (I’m sure they’re out there – but compliance is not commonplace.)

In fact, I’ve generally found most co-workers unable to retrieve an email from more than a couple of months ago as they (or the systems and processes) would have deleted these as part of some monthly purge process.

There are a number of excellent solutions available to effectively optimise and archive emails, whilst still having them retrievable for as many years as you wish (think Commvault, KMS, etc.). I remain bemused as to why email retention per se is still not being addressed as a serious corporate issue and why it is not monitored as de rigueur by company boards from a compliance perspective.

Informational protection: With file-syncing tools such as Dropbox readily available in the public domain, a number of businesses will see these as threats to corporate information rather than opportunities.

For instance, locking down the corporate desktop may prevent a user from installing Dropbox and therefore prevent the synchronisation of files outside the corporate network.

Yet this can also impede convenient access by the user to necessary documentation on devices such as iPads during meetings or when working remotely.

These situations could be an enormous hidden productivity burden to the business. Even with a locked down desktop, if an employee was really intent on stealing information they could take screen shots then save these into an MS Word document, encrypt and compress this document, then email the file outside the corporate network.

In other words, security should never be seen as a blunt instrument but as a trade-off — safekeeping versus convenience, security versus productivity.

But balance is required. You’d never use a $1000 lock to secure a $10 asset.

Informational integrity: Keeping data integrous is probably the most under-recognised and yet most critical area.

Once information has been stored, secured and validated, it can quickly become tainted through inadvertent changes by users who may have no malicious intent but who also have no formal guidance or governance over their actions.

How many CIOs could honestly say every new employee who joins their organisation (whether permanent, part-time or contractor) will be fully trained in core systems usage and information entry before being allowed access to maintain the information contained within the system?

Onboarding of new contractors particularly is usually seen as an expensive luxury and generally consists of being allocated a desk, a login and a phone extension.

The rest is usually up to their good (or bad) habits learned from other companies in previous roles, or their ability to ask questions before doing something if they have the mind to do so. And how many outsourcing strategies are currently being planned without the first necessary step being in place — how to backsource again if, and when, the situation requires?

The golden rule is don’t outsource until you first have a backsource strategy. All relationships can go sour.

No PowerPoint necessary

So how do you impress upon the executive the real value of information? A few years ago, as CIO for a large investment bank with many billions of dollars’ worth of funds under management, I was invited to an all-day offsite planning session with around 11 corporate CEOs.

Each of us was pre-allocated a time slot to present to the group. Having championed the idea of IT gaining a seat at the table for a long time, I was chuffed to be invited to present the case for IT and so spent a lot of time preparing my slides and message.

However, things did not go to plan. After around 10 hours of discussion and presentation by each CEO on funds and investments (the business) with everyone going well over their allocated time allowance, the chief CEO of the company told me I was the final presenter though, unfortunately, due to time constraints I could only take 10 minutes for my presentation.

I thought for a few seconds, looked at the dozen or so slides I had spent many days diligently preparing, then looked at the chief CEO and said, “I only need two minutes.”

I closed my computer and then went on to speak directly to the group. I told them apart from the people who work within the business, the company had two key assets — the money in the bank, and the information in its systems. Now, I proffered, if we turned both of those assets off for a week — which would hurt the business more?

Immediately, one of the CEOs yelled out that to lose email or network access for even five minutes would be disastrous. I smiled and looked at the group of CEOs who were all concurring and nodding anxiously.

The consensus was it would be terrible to lose our information systems even for a very short period. “Well,” I said, “I’ve been hearing all day how we need to implement better governance over funds, greater segregation of duties with investments, better due diligence on acquisitions, etc. But if the information in our systems is even more precious than the money we have in the bank then why don’t we apply the same care and attention to our IT governance, spending and strategic execution?”

Without exception, every one of the CEOs instantly agreed with me, with the result I was immediately given as much authority as needed to implement whatever governance and IT spend across our systems as I considered necessary (yes, the elusive “blank cheque” model only heard about nowadays in legend).

And not one PowerPoint slide was used in conveying the message. Because, it’s all about the information.

Geoff Lazberger is a former CIO for three separate corporations across investment banking, property development and hospitality. Email comments and feedback to