15 New Rules For IT To Live By

No. 5 | Evolve security to be data aware

Information security used to focus solely on protecting the perimeter through network firewalls and remote access controls, Johnson notes. Today, PNNL's security team focuses more on protecting the container via identity and access management, workstation firewalls, and configuration management on devices. Looking ahead, he sees a shift to "protecting the information"--knowing if a particular combination of user, device, and software can be trusted with access to a certain type of information. Perimeter and container protections will remain, but companies will add information-aware security. "This is the new world of defense in depth," Johnson says.

The challenge for PNNL is to provide that kind of protection while letting scientists inside and outside the lab share increasingly large and sensitive data sets. "We jokingly say that cybersecurity put the 'no' in innovation," Johnson says. There will always be tension between security and openness, but unless security leaders show an ability to balance risk and business need and solve problems, people won't bother to ask for help. "If we always say no, people are afraid to ask the how question," he says.

No. 4 | Create analysis tools, not stale reports

The old business intelligence methodology of delivering backward-looking reports doesn't work anymore--even if you digitize that data and call those stale reports a dashboard. Instead, IT needs to provide data views that tell people what's happening and also let them dig into why it's happening and plot what to do about it.

About one-fourth of the respondents to our Global CIO Survey cite getting better business intelligence to employees more quickly among their three most-critical innovation plans for this year. Fifty-seven percent say they plan to expand BI this year or next. It's essential that CIOs use those projects to provide decision-making tools, not just take-it-or-leave-it data.

Filippo Passerini: Let people "pull" the data they want

Passerini, Procter & Gamble's CIO, argues that IT organizations shouldn't even try to figure out all the data employees need to make decisions. Instead, they should create a first-class way for employees to access and analyze data, which P&G has done by giving 58,000 employees a "cockpit" of data feeds that they can configure. Then IT must make sure there's a clear channel for people to request data they don't have.

Passerini admits that this approach is "putting the cart before the horse," because it creates a way for people to access data before the data exists. But the old model--waiting for IT pros to figure out what data execs want, collect and cleanse it, and then deliver it--has failed. Only once executives are talking about data, trying to use it to make real business decisions like whether to cut ad spending or improve store displays, will everyone have a stake in collecting the data and getting it right. IT can then respond to the "pull" for data, he says, rather than push out what it thinks is best.

No. 3 | Plan to adjust, don't plan to be perfect

Rick Roy is CIO at CUNA Mutual Group, which provides services to credit unions, and he was meeting with his senior IT leadership early this year about their technology road maps, which generally look three to five years ahead. Someone asked about mobility. "I said: 'I think the road map is one year, and everything we're doing today might be throwaway in three to five years,'" Roy says. It surprised his team. He explained that they still need a strategic plan. But with the amount of change in mobile, Roy urged his team to be careful about costs. You can't buy a fleet of mobile devices that require a three-year life span to deliver ROI, because the technology's changing so fast they might be obsolete in 18 months.

Listen to what's not in Roy's message: Wait and see how mobility shakes out before doing anything. There was a time when most IT shops could afford to be fast followers, waiting until a tech segment matured before jumping in. With consumer-driven tech cycles, IT needs to make sure it isn't waiting and seeing its way to irrelevance. If a project involves consumer-driven technologies, like mobile devices, IT must adjust to their six- to 18-month product life cycles, not the classic two- to three-year enterprise life cycle.

PNNL's IT organization lays out a long-term plan as a baseline, knowing that it will change. That way, if someone comes back the next year and wants to shift 180 degrees, Johnson can ask what has changed so drastically to require the shift.