Advice for a new CIO
March 25, 2011 10:30 PM

I am doing some research on CIOs and one thing I am really curious about is what the CEO of the 2010's needs to review when coming on board. Your list of items please.

When a new CIO joins an organization (assume it is a mid-sized organization, at least not very small), what are the 3, 5, 10, 50 or 100 things he needs to review? Not so much from an organization structure or people perspective, but more from a technology perspective. Business alignment, Operations strategy, DR, Project Portfolio Management etc. are some of the areas I could think of.

I have read some of the papers out there, including one called the 100-day CIO plan which was pretty much a waste of time. But the concept of the 100-day plan is interesting. Do you have an example, perhaps?

Are there any other resources that you can point me to? Preferably papers, blog posts etc., and not books (although, if something is really good, that would be fine).
posted by theobserver to Work & Money (3 answers total) 3 users marked this as a favorite
Best answer: Your CIO's number one job is to ensure the IT investment reflects real value for the business. Your list of business alignment, etc. are merely tools to achieve the above.

With my global planning and strategy manager hat on that works directly at CIO and board level, I'll reach into the ring and throw over some bones:

1. Competence. This is not about the helpdesk closing tickets, but rather do the people in charge of running the IT division have the capabilities to achieve what the business strategy requires. How do you find out about this? You get feedback from the business - complaints, praise, etc. - and evaluate where the failures and successes are, and then develop a plan to improve delivery. Trimming the herd and getting in new stock might be on the table.

2. Maturity. Most organisations go through various stages, somewhat akin to evolving with the ever-changing technologies they work with. Is there a governance model in place? Does it work? Is the division using formalised frameworks like ITIL? Are the roles and responsibilities aligned to this?

3. Costs. This means sitting down with the IT senior management and understanding where the yearly budget is going. Finding out what the cost drivers are enables the CIO to have honest conversations with the executive team about funding. This is vital.

4. Saved the best for last. IT division alignment to the short and long term business strategy. In my field, I run across many senior and executive level IT people that just don't get the importance of this. A new CIO should examine what the business priorities are and implement an IT strategic plan that meets the business objectives. This also gives the CIO a way to measure IT performance. Doing this increases the longevity factor of a CIO by at least 50%.

Hope this helps. If you need any other info from my perspective, just shoot me a memail.
posted by Funmonkey1 at 2:02 AM on March 26, 2011 [3 favorites]

Best answer: You said technology perspective, but being a CIO doesn't have much to do with technology. My first step would be to understand what I was walking into. Sadly, I'm not aware of any book list, or blog that covers this stuff. Probably because the portfolio of responsibilities can be very diverse from company to company. I'm going to favorite this question in case someone shows up with a good suggestion. Also, if you are a new CIO, you don't know what you are going to find, so a 100-day plan is either going to be very vague after the first couple of weeks, or make a lot of assumptions about you not getting any big surprises. Here would be my day one list, off the top of my head, that would keep everyone busy for a week or two:

HR stuff: bios of direct reports, detailed org charts for each of the directs, list of open positions and any in-flight searches going on one or two levels below me. Is there a performance management plan? If so, I want to see what my directs are working against and, if available, what my predecessor was held accountable for. Bios of all of my peers. If any of my directs have alternate compensation schemes besides a straight-up salary, I want to understand what it is.

Project stuff: list of in-flight projects. Is there a PMO? Is it in my org? Is there a dashboard or scorecard being kept for projects? Failing that, recent status reports and risk/issue logs for each project. How does project governance work here? Are any of the projects on the CEO or board's radar screen?

Strategic planning/IT governance: does the company have any kind of formal strategic planning process? If yes, I want to see the most recent plan and any detailed deliverables the IT org might have produced as a result. If no, does the IT function have a strat planning process? How do requests for projects or new work get into the IT function and get prioritized? Is it first come, first served, or is there some kind of IT steering committee to prioritize?

Security: is there a CISO or ISO? Do they work in my org? Do we have a security plan for each system? Are the systems rated (in the FIPS-199 sense)? Have the critical systems been assessed? Are there any audits or security assessments that have been done in the last 2 years... if so, I want copies. What regulatory requirements are the systems subject to (e.g. HIPAA, PCI, GLB, something else)? Have we done an assessment of those requirements against the controls we have in place? Do we have any special requirements in the event of a data breach? Have we had any security incidents in the last two years (if so, I want to know what happened).

BC/DR: Does the company have an operational BC plan? Does my group have their part of the BC plan? Do I have a DR plan for the systems? Hot site, cold site, or something else? Do we have well understood recovery time objectives? Is it being exercised, table-topped, or is it just in a notebook somewhere? I want a copy of the notebook the last CIO would have had.

Budget: I want to see the budgets for each of my directs. Do I have an internal finance person in the CIO org, or do I use a shared budget office? Either way, I want to walk through the detailed budgets for each area I am responsible for. I want to see the roll up budgets for the two previous years. I want to know about how my actuals are comparing to what was budgeted.

P&L: do I have P&L responsibility? If yes, I want to understand the revenue streams, the margins, and will be asking for a boat load of metrics on what has been happening for the last two years.

Internal cost allocation: is there an internal cost allocation model for how IT gets paid for? If yes, I want to understand it and when it was last updated.

Contracts: I want a list of all of the contracts that the group holds. How are contracts governed here? Is there a central procurement group? I want to review the ten largest contracts and understand how big, how old, how contentious. I want a calendar of renewals.

Outsourcing: are any pieces of my operation outsourced? If yes, I want to see the contracts, a history of contract mods, the SLAs (see SLA section later), any internal customer sat surveys that were done, understand the governance (how we manage the service provider). If a big chunk of the operation is outsourced, I would have a lot of additional questions here for each provider involved.

Operations -- incidents/problems: Are we following any ITIL processes? How does the incident management process work? Do we have a ticketing system? What kinds of reports are being generated daily/weekly? Is there a turnover call or turnover report? I want to see statistics and metrics on tickets (how many, what severity, how fast are they getting closed). What about problem management? Is it happening? If yes, I want to see a sample RCA from a recent problem.

Operations -- SLAs. Do we have downstream SLAs we are responsible for? Do we have upstream SLAs that our service providers are responsible for? If so, I want to see metrics, understand the methodology, and missed service levels for the last year both upstream and downstream.

Operations -- change management. Do we have a formal change management process? Is there a change advisory board signing off on things going into production? If yes, I want to sit in on a meeting. I want to look at some changes and see if people are rubber stamping them. I want metrics on how many failed changes we are seeing.

Operations -- monitoring. I want to understand how we are monitoring the network, servers, and applications, whether it is rolling up to a NOC/SOC, what technologies are used.

Operations -- patching and updating. I want to understand what our patch strategy is for servers and how we update. I want a list of anything that is out of support or will be out of support. I want to know who, if anyone, is keeping up with all of the vendor roadmaps so we know when products are going out of support.

Operations -- backups. I want to know which systems are being backed up, what the backup schedule looks like (from a record retention point of view), how the offsite vaulting works, and how often the backups are tested. I would assume some kind of daily or weekly backup report is being generated -- I want a copy.

Operations -- end user support. Am I responsible for end users? If yes, I want to know how we are supporting them. Do we lock down the desktops? Is there a formal help desk? Do we use tools to push patches or remote in? Patching strategy? Do we vet the third party software getting installed? What are we using for AV? Who is keeping up with AV definitions to make sure everyone is patched? What are we using for anti-spam? How is email working? Any outages in the last year? What is the impact of an email outage for the company? Am I also responsible for BlackBerries/PDAs? What about voice communications in general? Do we have standards around this stuff, or is it running loose? If standards, I want to see them. Have we done any customer sat surveys with end users? If yes, I want to see them and understand if any actions were taken.

Operations -- service desk. Do we run or outsource a service desk? Does it just face into the company, or does it handle external customers as well? What kind of channels do they support? What kind of volume do they get? What kind of first call resolution percentage do we have?

App Dev. Do we have an internal app dev function? Are they developing apps for internal use, or is this a product group? If product group, I would have many additional questions for them. In either case, I want to understand the SDLC, the tool sets the devs are using, whether they have a formal release schedule, road maps for the applications, sunset strategy, what they are doing for source code control, what they are doing for defect tracking, whether they are using open source and if so, does everyone understand licensing implications for whichever licenses are getting dragged into the code base. I would also want to know if they are following a specific methodology (are they climbing up the CMM curve? Using agile? Something else?).

Architecture. Are we following an architecture? I want to see any of the high level architectural standards and any deliverables around "as-is" and "to-be". Is there governance around technical decisions? If so, I want to sit in on a meeting and get a copy of the minutes of those meetings for the last couple of months.

Miscellaneous assessments. Have there been any consultants in evaluating anything in the last year that produced some kind of report or recommendations? If so, I want to get a copy and understand for each whether anything was done as a result.

Other responsibilities. As CIO, do I have any other responsibilities that I need to fulfill? Maybe participate in a trade group or a standards body or something like that? Any speaking engagements or anything like that I'm obligated to do?

Those areas/questions would be my starting point. The goal is mainly to understand what kinds of business risks I'm carrying, what drives the organization, and how it is perceived. There will probably be some bright points and other areas where everything is ad-hoc. To gather this information, I would give a lot of that out as homework assignments to my direct reports and for most areas, ask for one or more live briefings with the direct report responsible and whatever of their staff they need to pull in. In the meantime, I would seek one-on-one meetings with all of my peers who were running lines of business, the HR director, the CFO, and the COO. If I reported directly to the CEO, I would schedule a meeting with him or her as well. I would introduce myself, explain what I was doing (all of the above), ask if they have any immediate concerns I need to look into, and tell them they can expect me to be back in one to two weeks to discuss their business problems in detail. I would also meet one-on-one with all of my directs to get to know them, go to their staff meetings to get to know the next level down, and do some kind of town hall session for the entire org (if in one geographical place). I would also start meeting with key vendors and service providers.

My time would be split: during the day, I would be meeting as many people as I could; at night, I would be reading all of this stuff that I asked people to bring back for me. Rinse, lather, repeat. The goal is to get through the "understand my organization" phase as quickly as I can -- like a week or two. By 100 days in, people are going to be expecting me to show substantial change, so I need to figure out what that looks like so I can start driving the organization that way.
posted by kovacs at 9:05 AM on March 26, 2011 [4 favorites]

Response by poster: kovacs - This is really good. I am sure that existing IT needs and capabilities will be unique to every organization, but there are some fundamental things that will be common. For example, DR/BC, security, operational SLAs (either internal or external), some portfolio management process for managing projects etc. You have covered these and more.

And as you mention in the last paragraph, creating short-term low-hanging fruit as well as a long-term strategy is exactly why a CIO needs this info.

Also, if there are any new disruptive technologies like virtualization, moving into the cloud, or supporting new devices (tablets), these might be important for the CIO to know.
posted by theobserver at 10:49 AM on March 26, 2011
