Jim Noble SEASIM Keynote

What Your Execs Think of IT and why you should care. © 2015 The Advisory Council International LLC. Jim Noble, CEO, The Advisory Council International. Trusted Advisors to Executives Everywhere.

Transcript of Jim Noble SEASIM Keynote

Page 1: Jim Noble SEASIM Keynote

What Your Execs Think of IT

and why you should care.

© 2015 The Advisory Council International LLC

Jim Noble, CEO, The Advisory Council International

Trusted Advisors to Executives Everywhere

Page 2: Jim Noble SEASIM Keynote

WHY us?

Page 3: Jim Noble SEASIM Keynote

A Not-for-Profit team of legendary CIOs

With more than 1000 years of implementation experience

Offering advice to improve IT business outcomes

The Advisory Council International

Jim Noble, fmr. CIO
Al Guibord, fmr. CIO
Harvey Koeppel, fmr. CIO
June Drewry, fmr. CIO
Carl Wilson, fmr. CIO
Bob Ridout, fmr. CIO
Ed Toben, fmr. CIO
Jody Davids, fmr. CIO
Michael Tasooji, fmr. CIO
Chuck Williams, fmr. CTO
Karl Landert, fmr. CIO
John Cross, fmr. CIO
Ian Alderton, fmr. CIO
Georges Diserens, fmr. CIO
Neil Cameron, fmr. CIO
Simon Orebi Gann, fmr. CIO
Jeri Dunn, fmr. CIO
Bruce Fadem, fmr. CIO
Steve Sheinheit, fmr. CIO
Randy Krotowski, fmr. CIO
Filippo Passerini, CIO

Page 4: Jim Noble SEASIM Keynote

WHO matters?

Page 5: Jim Noble SEASIM Keynote


The Vital Few

~10

~5

~12

Board of Directors

Audit Committee

Executive Leadership + EAs

Level 1 Management

Level 2 Management

Employees

Page 6: Jim Noble SEASIM Keynote

WHAT did we discover?

Page 7: Jim Noble SEASIM Keynote

What They Tell Us

THEY THINK ABOUT

1) Business imperatives

2) Benefits realization

3) Unplanned outages

4) Absorbability

5) Risk

6) Systems of Record

7) Competitors

YOU TALK ABOUT

1) IT strategy

2) Cost

3) Service tower uptime

4) Doability

5) DR/BC/Cyber security

6) Systems of Engagement

7) Innovation / Disruption

Page 8: Jim Noble SEASIM Keynote

3) Operational Uptime

• 99.9% means nothing to them

• Availability of vertical services means nothing to them

• Outages are related to the business cycle

• They are only interested in unplanned outage minutes of end-to-end services at certain times

• “Silent running” is simply your ticket to the game

• Does your IT organization structure reflect this?

Page 9: Jim Noble SEASIM Keynote

4) Doability Vs Absorbability

• It’s much easier for us to deliver than for them to assimilate

• IT folk celebrate when the system goes live. The business thinks that the project starts at that point

• Is it better to sequence the traffic than to land it all at the same time?

[Figure: Corporate Change Impact. Labels: Peoplesoft Enhancements, PetroTech, GFSC, Testing Competency Mapping, PPI, ECM, Corporate Simplification, Peoplesoft Upgrade, Enterprise Risk Mgmt., BPM]

Page 10: Jim Noble SEASIM Keynote

5) Risk: They Are Intellectually Curious About Cloud

• They read about it in an airline magazine…

• They have suddenly become technical architects…

• They have realized that it is a big opportunity and a big risk to your company:

o An opportunity to make the business much more agile

o An opportunity to keep IT headcount to a minimum

o A risk to the governance and security of the company’s valuable data

o A risk of loss over regulatory compliance (SOX, PCI etc.)

Page 11: Jim Noble SEASIM Keynote

What We Tell Them About Cloud

• 1980: Origins in telecomms – the Internet replaced point-to-point leased lines

• 1990: NASA SETI for supercomputer of distributed PCs

• 2000: First commercially successful SaaS application (Salesforce.com)

• 2006: First commercial “on demand” hosting (Amazon Web Services)

• 2010: Critical mass achieved on availability of web services (similar concept to Apple’s App Store)


• 2015: Average mid-cap company uses hundreds of cloud-based apps, mostly unsanctioned. Shadow IT gone wild.

Page 12: Jim Noble SEASIM Keynote

It’s Here to Stay – Get Used to It


There are 5,000 enterprise apps today (and growing).

Page 13: Jim Noble SEASIM Keynote

What They Tell Us About Risk

RISK = THREAT x VULNERABILITY x CONSEQUENCE

Page 14: Jim Noble SEASIM Keynote

CEOs Have Woken Up!

1 High taxation
2 Loss of customers/cancelled orders
3 Cyber risk
4 Price of material inputs
5= Excessively strict regulation
5= Changing legislation
7 Inflation
8 Cost and availability of credit
9 Rapid technological changes
10 Currency fluctuation
11= Interest rate change
11= Talent and skills shortage
13 Reputational risk
14 Corporate liability
15= Major asset price volatility
15= Poor/incomplete regulation
17 Fraud and corruption
18 Government spending cuts
19 Theft of assets or intellectual property
20 Failed investment
21 Corporate governance and internal oversight failure
22 Critical infrastructure failure
23 Supply chain failure
24 Increased protectionism
25 Insolvency risk

1 Loss of customers/Cancelled orders
2 Talent and skills shortages (including succession risk)
3 Reputational risk
4 Currency fluctuation
5 Changing legislation
6 Cost and availability of credit
7 Price of material inputs
8 Inflation
9 Corporate liability
10 Excessively strict regulation
11 Rapid technological changes
12 Cyber attacks (malicious)
13 High taxation
14 Failed investment
15 Major asset price volatility
16 Theft of assets/Intellectual Property
17 Fraud and corruption
18 Interest rate change
19 Cyber risks (non-malicious)
20 Poor/Incomplete regulation
21 Critical infrastructure failure
22 Government spending cuts
23 Supply chain failure
24 Pollution and environmental liability
25 Sovereign debt

Lloyds Risk Register 2012 Lloyds Risk Register 2014

Lloyds survey of 585 global CEOs

Page 15: Jim Noble SEASIM Keynote

They Read The Media…

THE FACTS:

Hackers were able to steal sensitive personal and financial data from over 619,000 of the Company's employees and customers

THE CONSEQUENCES:

• Shareholder sued individual Board members for lack of “Duty of Care”

• AIG clarified that their D&O insurance does not cover neglect of Duty of Care

• Federal judge permitted FTC lawsuit to proceed against the Corporation

THE LESSONS:

The firm’s Officers have to comprehend the risk posed by cyber security, and it can affect their personal wealth.

Page 16: Jim Noble SEASIM Keynote

And We Tell Them You Must Assume A Sophisticated Attack Will Succeed

Many business executives believe that a competent IT leader can prevent an intrusion into their company.

It is impossible to prevent a focused intruder from gaining access, and yet 85% of IT security spend is dedicated to prevention.

On average, it takes 212 days to react to an intrusion.

Page 17: Jim Noble SEASIM Keynote

The Bad Guys Don’t Have to be Experts

Page 18: Jim Noble SEASIM Keynote


A Bank’s Vulnerability Scorecard

Page 19: Jim Noble SEASIM Keynote

Just Buy Insurance?

[Figure. Axis labels: Cost Of Coverage, Completeness Of Coverage (100%). Other labels: Sweet Spot, Insured, Uninsured]

Page 20: Jim Noble SEASIM Keynote

So How Can Awareness Help?


• 85% of IT security spend goes on prevention

• Average of 212 days between intrusion and detection

• 90% of compromises exploit human frailties

• Be appreciative of the value-at-risk (i.e. materiality)

• Be alert to web phishing and e-mails containing malware

• Be sympathetic to strong passwords and regular changes

• Be observant for odd behaviors

Page 21: Jim Noble SEASIM Keynote

HOW can you get to them?

Page 22: Jim Noble SEASIM Keynote

Conveying Your Message


• Befriend their executive assistants

• Avoid scheduled meetings

• Travel to nowhere on the same flight

• Outside interests: Golf, fishing….

• Be persistent!

Page 23: Jim Noble SEASIM Keynote


Al Guibord – [email protected] 1 203 663 3888 X701