The CIO May Want to Build their Own SPACE Program
June 18, 2012 1 Comment
Throughout many of the post we discuss the CIO Space Program (CSP) which is simply a unified IT management framework, analytical model and methodology.
I thought it would be useful to discuss the genesis of the CIO Space Program since it lays out the core rationale and benefits of the program. First, this is a summary of what CSP is and is not.
The CIO SPACE Program Is:
- A unified approach to IT Management that cuts out redundant data collection, assessments, portfolio analysis, policy updates and assessments
- A multiplier for Business Value Creation
- A method to improve mission-wide IT Maturity while spending less time, money and brain-cells
- Based on what we know works i the real-world
- Common sense and straight forward
The CIO SPACE Program Is Not:
- Another tool or software you need to buy
- Trying to sell you anything
- A competing standard or compliance regime (we have enough of those)
- Anything new intellectually (just a synthesis)
- A huge data collection exercise
- The answer to all of your IT challenges
How Did SPACE Come About?
A few years ago, A client asked me to help them reconcile the various management methods, projects, reports and assesement they were buried under while, at the same time, increase It maturity and tangible business value creation. It was my fault because I said it could be done so he called me on it. Four weeks later, we kicked off the effort with the first thing I do in any engagement of any kind, a standard problem solving and root cause analysis. This was pounded in to me when I was at McKinsey, and I am forever grateful.
The client team was made up of very solid IT leaders, far exceeding my not insignificant technical acuumen, Although the team included two PhDs, but this exact for of problem solving was new to them but really just an offshoot of the scientific method. Without going too much into how we made the sausage, we quickly got the issues on the table, such as not enough time, budget, skills, conflicting priorities, crisis mode behavior, and so on (27 as I recall). Some of the team thought these were the problems but, after a lot of pizza and support from the two scientists in the room, we got them to see that these were symptoms, not problems. Next we focused on a root cause analysis to define the real problems. Another order of Chinese and Thai delivery got us down to three problem hypotheses. These are hypotheses not yet the problem statements since we had not yet tested our three hypotheses them on the real-world with objective data and analysis.
The Three Problem Hypotheses were:
- No shared (business and IT) method of objective prioritization so everything was a top priority, with zero defect standard
- No unifying business and IT goal and measures such as the obvious maximizing business value creation
- Real IT strategy and planning was considered a luxury, since 65% of their cycles was “checking boxes, doing assessments and re-inventing the wheel,” “IT strategy became just another box to check.”
After this we did our first progress review with a cross functional team of business and IT leaders. where many met each other for the first time, and laid out our findings as well and the real-world testing we did to confirm the problem hypotheses. In one hour we were able to gain the support of the business that these were the core problems, and the business leaders would back off the zero defect, everything is an emergency and a priority approach in return for IT accountability to objectively and analytically prioritize IT efforts to maximize business value creation (we decided on a (hybrid of a NPV and Black-Scholes option pricing model) which also included value protection based on the “cost” of an exploit.
Now the real work started. We had to design a framework, analytic models, and supporting processes to address these three core problems. By the way, we were given only six months to show tangible impact. Not even two full financial reporting periods! So, we treated this like a software product since everyone was familiar with the model and put ourselves in the place as the product (not project) manager.
The first step: Define the product requirements:
We knew we needed to have three major capabilities:
- A unifying framework
- An analytic prioritization and business value creation model
- An efficient process for implementation, validation, syndication and execution
Any one of these could be a six month consulting engagement and we had 8 weeks. Well, after I put on 15 pounds in two months of the “pizza diet.” we came up with what was the grandfather of the CIO SPACE Program. This post is already too long so I am not going to dissect the CSP here but I will leave you with some of the benefits of the CSP.
The top six benefits of the CIO Space Program are:
- Places every mission, opportunity, gap, project, skill and so on, within an Unified Organizational Framework. to map everything against the missions of IT. Ergo we discovered SPACE. Security, Performance, Availability, Compliance and Evaluation.
- Give you a holistic view of the entire IT eco-system. System level (Widget Business Unit CRM), not server. The eco-system tells you which 20% of the systems, processes, skills and compliance to assess and address FIRST to improve IT maturity posture by 80%.
- Delivers a unified assessment and remediation method to support Compliance and Evaluation missions. Encompasses a standards based methodology to execute, prioritize and remediate performance deficiencies, IT services gaps, security vulnerabilities, skills gaps and so on. Leverages ANY proprietary framework or standard such as ISO 27001, NIST, Purchasing Card Institute (PCI), TOGAF, DODAF, ITIL, COBIT, you get the point.
- Provides a common objective and verifiable methodology and analytic model to compare and rank gaps or opportunities. based on Business Value Creation or Protection. (Translation: how do you compare the impact of a data protection vulnerability to your e-commerce system with an ERP refresh for the widget business unit? Which is more important? How much money should we be willing to spend to fix it based on a common risk/benefit profile? How do I answer this in a way that is defensible, comparable and reproducible, so someone, with same data, will derive the same result?)
- Identifies and collects ONLY the metrics, measures and data collection that will truly inform decisions instead of data collection and monitoring for their own sake (Translation: It doesn’t flood you with useless and expensive to collect data. It goes to the level of detail useful and no further.
- Enables truly granular IT strategies, remediation planning, analytical risk assessment. IMPORTANT: This enables you to focus on the gaps and opportunities on the systems that are most important. This is the ONLY way to Maximize Business Value Creation! [Sorry about that, I meet too many people who think broad brush baselines, gap analysis and remediation is sufficient. Unless you have infinite Time, Money and People it is simply NOT.]
I will start to lay out the CIO SPACE Program in pain-staking detail in later posts. Thanks for reading and let me know your thoughts as well.
Copyright © CIO SPACE™ All Rights Reserved
- Leading from the Front and Taking Back your IT Strategy (ciospace.com)
- How IT can become fluent in speaking “Money” (ciospace.com)