Tuesday, March 1, 2011

The New CIO as a Risk Manager

The primary role of the CIO ten to twenty years from now will be risk management. This includes network security, protection of privacy and confidentiality, the safeguarding of the databases and the assurance of service availability.

Server farms, currently managed by the CIO, will be deployed as private "clouds" operated by large computer services enterprises that enjoy the economies of scale of billion-dollar data centers. CIOs will cease to have direct operating control over hardware, as the management of “cloud” assets becomes a specialized commercial service that requires highly skilled personnel that individual firms will find difficult to retain.

Enterprise private “clouds” will run in isolated, secured enclaves and be operated for a fixed fee. However, there will be “hybrid” cloud configurations that provide peak-load, testing and fail-over capacity as a variable cost. The distribution and sharing of workloads will be a way to reduce fixed expenses.

A significant reduction in the scope of a CIO’s responsibilities will come from the shift to distributing computing power by means of wireless connectivity. This will largely replace the existing hard-wired connections, routers and switches. The large cost of the upkeep and re-installation of the existing cabling in ceilings and ducts will be eliminated, while security can be improved, provided the wireless links themselves are authenticated and strongly encrypted. Customers will be increasingly mobile, insisting on gigabit connections to their handheld devices that match the capacity they presently receive at their desktops and laptops.

The attention of CIOs will shift to assuring the reliability of a firm’s own network as well as its connectivity with customers and suppliers. Much higher levels of service availability, approaching 100.0%, cannot be achieved through more robust equipment alone. Uptime reliability can be delivered only through redundancy and real-time fail-over methods. Even the largest enterprises will have to rely on hybrid data center connections that kick in whenever a firm's own private "cloud" requires added capacity. As the demands for service level quality rise (which includes latency), the CIO will be engaged in the engineering of network performance under conditions of failure.
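The argument above (that a more robust single component cannot deliver the availability that redundancy with good fail-over can) is easy to check numerically. The following is an added worked example, not part of the original post; the figures (99.9% and 99.99% per node, 90% fail-over coverage) are assumed for illustration, and the model treats node failures as independent.

```python
"""Availability of components in series, with optional N-way redundancy and
imperfect fail-over. Added example; the per-node figures are assumptions."""

MINUTES_PER_YEAR = 365 * 24 * 60


def parallel_availability(a: float, n: int, failover_coverage: float = 1.0) -> float:
    """Availability of n identical, independent nodes behind a fail-over
    mechanism that catches a failure of the active node with probability
    `failover_coverage` (1.0 = perfect detection and redirection).

    The service is up if the active node is up, or if the active node is down,
    at least one spare is up, and the fail-over actually caught the failure.
    With coverage 1.0 this reduces to the textbook 1 - (1 - a) ** n.
    """
    if not 0.0 <= a <= 1.0 or n < 1 or not 0.0 <= failover_coverage <= 1.0:
        raise ValueError("availability and coverage must be in [0, 1], n >= 1")
    spare_up = 1.0 - (1.0 - a) ** (n - 1)   # at least one of the n-1 spares is up
    return a + (1.0 - a) * failover_coverage * spare_up


def chain_availability(stages: list[tuple[float, int, float]]) -> float:
    """End-to-end availability of stages in series; each stage is
    (per-node availability, number of nodes, fail-over coverage).
    A serial chain is only as good as the product of its stages."""
    total = 1.0
    for a, n, coverage in stages:
        total *= parallel_availability(a, n, coverage)
    return total


def downtime_minutes_per_year(availability: float) -> float:
    return (1.0 - availability) * MINUTES_PER_YEAR


def redundancy_vs_robustness() -> dict[str, float]:
    """Compare three designs for one stage (assumed figures):
    - one 'more robust' node at 99.99%
    - two ordinary 99.9% nodes with perfect fail-over
    - the same two nodes with fail-over that catches only 90% of failures
    Returns expected downtime in minutes per year for each."""
    return {
        "single_99.99": downtime_minutes_per_year(parallel_availability(0.9999, 1)),
        "pair_99.9_perfect_failover": downtime_minutes_per_year(parallel_availability(0.999, 2, 1.0)),
        "pair_99.9_90pct_failover": downtime_minutes_per_year(parallel_availability(0.999, 2, 0.9)),
    }


if __name__ == "__main__":
    for design, minutes in redundancy_vs_robustness().items():
        print(f"{design:28s} {minutes:8.2f} min/yr")
    # Two serial stages: a redundant pair of 99.9% nodes feeding a single 99.95% link.
    print("two-stage chain:", chain_availability([(0.999, 2, 1.0), (0.9995, 1, 1.0)]))
```

The point the numbers make: two 99.9% nodes with perfect fail-over give about 0.5 minutes of downtime a year, a hundred times better than a single 99.99% node (about 53 minutes), but if the fail-over mechanism misses one failure in ten the pair is no better than the single box. The quality of detection and switch-over, not just the number of spares, is what the CIO is actually engineering.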

Enterprises will also have to buy peak-load capacity, because the average 24/7 utilization of assets will continue to be low, despite virtualization. Peak-load sharing will also be used to run modifications to existing applications in parallel, in separate partitions, until the robustness of a new version of the software has been tested under live conditions. CIOs will have to manage such shifts in computer capacity and start dealing with computer capacity brokers who sell spot machine cycles. A capacity and service level center, under the control of the CIO, will look like the power dispatch operations used today in the management of electric grids.

Commercial vendor services (from billion-dollar data centers) will have economies of scale and a level of reliability that no major company will be able to match. Data centers with >500,000 servers can deliver a minute of computer processing power for less than a penny.

The principal role of the CIO, as a high-level advisor to top executives, will rest on full accountability for total (end-to-end) information systems security. Networks will be re-engineered for protection from incoming malware and for safeguarding outgoing communications by means of strong encryption. CIOs will have to create a link with personnel systems, which establish who is authorized to hold systems access, so that individuals are authenticated against that record whenever they connect. CIOs will have to extend this role to include the read/write/modify privileges assigned to designated persons, and the prompt revocation of access when a person's status in the personnel system changes.

The centerpiece of the CIO's job will not be the data center but the Network Control Center (NCC). Highly specialized personnel will occupy seats that monitor and evaluate network connections, computer processing power, the functions of all devices and the security of incoming as well as outgoing transactions. Such surveillance takes place around the clock. Unless there is an overriding cost issue, the NCC should never be outsourced. Its personnel will require an in-depth understanding of a firm’s operations. It will become a human resources platform for career development in the enterprise.

How future CIOs will develop or acquire software is hard to predict. Meanwhile, highly specialized contractors will build custom software, because software development is becoming an increasingly specialized task requiring exceptionally high-priced talent.

The job of the future CIO will change radically in the next 10 to 20 years. It will not depend on the direct ownership or control of hard assets (data centers) or soft assets (programmers). Except in cases where special security mandates ownership, all information technology will be either contracted or purchased.

The core function of a CIO will be risk management, broadly defined as the prevention of information technology failures, the avoidance of operational non-performance and the stopping of security incidents.

Threats are up exponentially. Service level requirements are rising rapidly. The costs of failure can be catastrophic.

When the CEO encounters a risk that somehow relates to information technologies, they will still have to turn to a CIO. It will have to be a different CIO.


  1. Interesting post, though I'm not sure I agree with it all, especially:

    "as the management of “cloud” assets becomes a specialized commercial service that requires highly skilled personnel that individual firms will find difficult to retain".

    While I'm pretty sure most cloud computing will be outsourced like this, I doubt that it'll need anyone particularly skilled to manage most of the tasks in a private cloud - they're already pretty heavily automated and in 20 years I can well imagine the individual server consisting of a box with 2 types of cables - power and network.

    Once you get to a heavily automated setup, and equipment that's essentially interchangeable, there's very little need to have more than a couple of staff to manage the infrastructure.

  2. I wish you were right, but the operations at a network control center will be getting more complex and more demanding. The operators will have to:
    1. Provision new hardware
    2. Validate bug fixes and new software versions
    3. Monitor detected malware intrusions
    4. Search and analyze anomalies in network connections
    5. Manage fluctuating network capacity
    6. Continue to assure that the system is in fail-over condition
    7. Keep track of on-line failure diagnostics
    8. Relocate virtual machines under failure
    9. Verify new network connections for authorization
    10. Deal with a cloud operation that in all likelihood will process > billion transactions/hr
    11. Re-balance storage capacity

    etc., etc.


For comments please e-mail paul@strassmann.com