Where does security fit in bi-modal IT departments
The bi-modal idea has its benefits and its pitfalls but the determination seems to come down to the size of the enterprise. In the mid to smaller companies, there is not the luxury of splitting the security group out into subgroups. In the bigger companies the question becomes where do the security folks belong.
For Dale Denham, CIO of promotional products industry company Geiger, he believes security should sit in operations. An innovation team is focused on functionality, but an operations team would focus on making sure everything is secure, he said.
The Lewiston, Maine, company has a 25-member IT department that supports 750 workers (400 of whom are independent contractors). While acknowledging that mixing operations and innovation within a single team has its own set of challenges, he says he believes a bimodal IT department could easily develop a “throw it over the wall mentality” – that is, once the innovation team is done, it just tosses the completed project to operations without adequate transition and concern moving forward.
[ ALSO ON CSO: 7 reasons why users have trust issues ]
“There is the challenge of when you pass that over. You have to transfer a lot of knowledge, and that’s hugely inefficient and then if you want to upgrade that project, where does that update [get tasked]” he says, noting his shop is “a big continuous improvement shop. We’re constantly making tweaks: Is that operational or innovation If you were set up in two shops, who gets that”
Denham says on his team nearly everybody does both operations and innovation. He says a handful of help desk folks and networking staff are straight operations, although they do help support innovation by, for example, spinning up a server when needed.
But overall, he explains, “when we launch new projects and new tools, the same people who support old tools are creating the plans and executing the plans for the new tools and then support them when they move to operations.”
Denham says the main challenge in this setup is keeping projects on track. “Your project planning is put at risk because you never know what the operational needs will come up,” he says, noting that a large firm might not be as comfortable with that risk as a small firm such as his. He says when he anticipates that his team members might be pulled away from projects, he builds that into a project’s timeline but it’s impossible to know how much time to build in.
That’s a big benefit, he says. The team members who are delivering innovation know they’ll handle it operationally, too. “You don’t lose the brain drain, you don’t lose out on the knowledge piece when a project transfers from innovation to operations,” he adds.
Robert Quarterman, vice president of Infrastructure Architecture and Technical Services at Service Benefit Plan Administrative Services Corp., is wrestling with how to bifurcate his IT team of 360 IT employees and 90 contractors.
With regard to the security task, he says, “security is moving at a pace that’s outpacing even agile at this point based on the cyber threats that are quickly emerging.” As a result, security has become a foundational function, “so security is embedded in every aspect of our lifecycle from the beginning, so we design our solutions for performance and security and functionality and that’s the only way we’re going to be successful with it.”
“That’s the way we’re approaching it, security is everywhere,” Quarterman says, noting that security people will be embedded in projects.
He says operations “is really about running the business, so once innovation is done, it becomes operationalized.”
He says that side of the house “operates at a different speed. They have different priorities, and different funding.” Funding for operations comes from the central IT department, he explains, whereas funding for innovation comes from business units – as does advocacy for individual projects.
Quarterman says the speed of technology advancements combined with the speed at which business wants to capitalize on them is pushing IT leaders like him to make the move. He says a split could also help improve talent management.
“We’re thinking about how to segregate them because we don’t have a clear distinction today so we lean on the same expertise in the organization to do the innovation but they’re still doing maintenance, too, so we end up with conflict on what gets priority,” he explains.
In other words, those on his team that are assigned innovative tasks are also expected to continue with their regular operations duties, too, he says. That means they’re sometimes pulled off an innovation project to handle an operational issue, which impacts IT’s ability to deliver projects as quickly as possible.
Brian A. Haugabrook, CIO of Valdosta State University in Valdosta, Ga., wants his employees to be creative and innovative at the same time. He doesn’t have plans to split his IT staff of 60 full-time workers and 40 part-time workers in two. He says he sees benefits in having people work on both innovation and operations.
That doesn’t mean that everyone is doing an equal split between the two tasks. The infrastructure team generally spends about 80% of its time on operations, for example. The same goes for the tech support team.
But they are still expected to focus part of their time on innovation, and Haugabrook says that yields real results. The infrastructure team, for example, is pushing innovative solutions using cloud technologies. The tech support team dropped its response time from two hours to under 15 minutes by looking at how successful police departments use data to enable rapid response to calls.
Rob Meilen, vice president and CIO at Hunter Douglas North America in Broomfield, Colo., believes security is such an important part of the company that it cannot be broken out.
It’s easier to maintain security when you’re more centralized. It sort of bakes into the way you do these processes when you’re centralized,” Meilen says.
He oversees an IT team of 120, supplemented by another 30 to 40 workers in outsourced or contract positions. Like other CIOs, Meilen says work often falls into one of two camps, with one focused on new technology-enabled business initiatives and the second focused on keeping everything up and running smoothly.
“We don’t have a formal separation, but in the past two years we’ve been talking more about the different focus of those two areas,” he says, noting that the company is beginning to review how it budgets and allocates resources to reflect those two IT functions.
Meilen says it makes sense. Operations is driven by efficiency; there’s a constant push to do better but use less time and money. The initiative side is driven instead by the need to enable business requirements and to do so quickly.
IT workers, too, seem to fall into these two buckets, Meilen says, although like the work itself, there’s usually some overlap.
[ ALSO ON CSO: Risk's rewards: Organizational models for ERM ]
“We have a lot of our folks who tilt more in one direction or another, but there are very few folks who do only one or the other. The size of our organization doesn’t lend itself to that,” he says, noting that most of his IT workers tilt 70% in one direction, with the remainder focused on doing work or pursuing interests in the second camp.
Although Meilen says there seems to be a natural split. He says he uses that for planning and tracking purposes, but he doesn’t anticipate drawing a stronger line between the two.
“We are moving toward a harder-line distinction in how we budget for costs and allocate costs to business unit customers. We track time for what people work on and our capital spending, we track operational cost spending. We believe we can get a pretty clear picture on how these two spheres are operating without drawing a hard artificial line on an org chart,” he says.
Daryl Tschoepe doesn’t feel as though security is pigeonholed into one camp or the other. “I think now security has to be part of every discussion. But I guess it’s operational because it has to be there in every aspect.”
He is a 26-year IT veteran, who now works as a technology support manager at Southwestern University in Georgetown, Texas. He says he sees IT work fall into operational and innovation work, but for small departments like his, “we have both factions within a single org.”
The IT leadership at Southwestern encourages that, he says. His CIO asks the 14-member IT team to think about what technology will be needed three years down the line, or how would the technology look if they had to build a new college from the ground up.
Despite such questions, Tschoepe says not everyone has an equal balance between operational and innovation work. He says management has more responsibilities around innovation and strategy, while individual contributors focus more on keeping things running.
“I would think being on the change agent side and being able to demonstrate that kind of track record; it would be easier to move up in your organization or move to other organizations. Organizations don’t usually staff up or hire people to stay the same,” Tschoepe says.
Tschoepe adds: “But if you have someone who can think outside the box and roll with the punches, they’ll be more valuable especially in a small organization like ours where the day-to-day commands can change dramatically.”
He says being in one group only is not a career death knell. “If you’re very specialized in an operational niche that is very important, you can have excellent earning potential,” he says, adding: “I don’t think you limit yourself, but the challenge is if you’re going to go into the operational niche you must focus yourself very narrowly and you go very deep.”