100 MPH--The Wrong Way?

Once IT decides to focus on speed, two obstacles get in the way: security and governance.

Security's often the trump card IT plays. It's certainly true that security and regulatory compliance make business IT more complicated than consumer IT, but security can't be the overriding excuse for not moving faster.

CISOs must bring more of a business point of view to their security judgments, says James Dipasupil, a consultant and former CISO of financial services company Ameriprise and health insurer WellPoint. Having worked in financial services and healthcare, Dipasupil knows some risks are nonnegotiable. You'll never risk breaking a regulation or knowingly put a Web app out with a cross-site scripting error. But for some security problems, CISOs must weigh a delay against the risk and decide if the app can be rolled out and any problems resolved along the way. Again, it's velocity over perfection--and it's heresy to some security pros. "CISOs need to get comfortable with that," Dipasupil says.

CISOs also need to get comfortable automating more security testing, he says. (Dipasupil does some consulting work with a security automation firm, Veracode.) Skilled security staff will always be in too short supply to hand test every element. "Reserve these really good security people for the really difficult security problems," Dipasupil says. Another time saver: Have legal, compliance, and IT agree on key elements of a law or regulation. Too often, the interpretation of a law or regulation gets debated anew with every security problem.

For FBI's Fulgham, agile development is a "fundamental change in how the federal government does IT."

Governance covers a lot of ground: budgeting, priority setting, aligning IT and business sponsors. Done wrong, it's a lightning rod for criticizing IT for being too slow, and a major reason business units start their own rogue Salesforce and other projects without IT input. Project management offices generally don't do a good job of being flexible, says Shvetank Shah, who leads the Corporate Executive Board's IT practice. Too often, the PMO's methodology is built to handle complicated, long-term projects, and that puts too much overhead on small, quick projects. Having flexibility gets more important as companies do more iterative projects, those that have to factor in customer and employee feedback. "You want IT to be in constant test-and-learn mode," Shah says, "and IT isn't built for that."

But IT leaders who try to move faster without sound governance practices can end up going 100 miles an hour in the wrong direction, says George McKinnon, CIO of China-based IT outsourcer Bleum and former CIO of Nationwide Insurance and VP of IT at Expedia. To have credibility with business units, CIOs need good data on IT operations, he says--which projects are on time, or how speeding up one project will cause others to be slowed down. And IT must be transparent about quality trade-offs--does everyone agree that this app can go out as "good enough" and revised on the fly? Getting speed "without sufficient quality, you lose trust," McKinnon warns.

HP's Mott doesn't plan to give an inch on governance, even as he tries to slash IT project times. To force business leaders to prioritize IT projects, Mott demands that every one of them gets a cost-benefit analysis--no IT effort goes forward without a CBA. "If it's a one-week project, the CBA isn't that big," Mott says. "These things scale together." Yes, the first CBA employees do takes time, as they struggle to define the business outcomes they expect from a project. But with experienced people, a CBA on a small project can take 15 minutes. "It's not where most of your time gets spent," he says.