IT Turnaround: Strategic Rebuilding

By Eddie Ho, CIO, Los Alamos National Bank

Eddie Ho, CIO, Los Alamos National Bank

Information technology is the center-point of all business operations. However, and far too often in the business world, IT basic needs never make it to the top of the list. Degeneration of IT is common in a wide variety of businesses due to neglect. As a turnaround CIO, I have experienced this in many industries, and have been brought in to perform quick turnarounds to mitigate serious risks to the company. The risks include critical applications failure with serious customer impacts, daily front-page negative reporting, poor employee morale with high turnover, and regulators on-site intensifying their probes and discovery. Gone are the days of management letters and attestations as proof of a well-run IT program.

"An IT team that has been neglected for a period of time normally has inherited risks due to precipitates of the company culture, governance, skill-set, budget, leadership, and general apathy"

IT neglect can happen quickly and a broken IT shop is only a few decisions away. For example, no money has been allocated in the budget to keep the infrastructure up-to-date. Personnel are not required to have updated training and certifications. Proactive security is allowed to become sedentary and the entire business is at risk. This may sound like a far-off problem, one that won’t arrive for many years. However, consider that the shelf-life of a business’s IT hardware is only five years, after which the equipment is no longer supported, security is no longer updated, and maintenance becomes increasingly more difficult and expensive. This is not a doomsday scenario. Consider further the recent WannaCry ransomware attack. Regular patching would negate the risk from this pernicious attack that exploited a vulnerability that had been well known for two months prior. A simple, scheduled, and vendor-provided patch was available. Yet the effects from the attack were felt globally.

Of course, failure to patch doesn’t a broken IT shop make, but it is a symptom of breakdown. There are much harsher realities to contend with the truly broken. Data security is at risk. Regulatory compliance becomes more difficult and expensive. Good employees find other work while the less-skilled are forced to stay, leaving a dearth of knowledge and expertise just when you need it the most.

Road to Recovery!

Leadership change is normally the first step in driving overall transformation. A transformational leader with a determined, hands-on, tone-from-the-top approach is necessary to assess the current state and create a roadmap for recovery. Board level support and management buy-in is absolutely critical before any recovery program is launched. Continuous support and board level reporting is necessary to ensure corrective actions are completed to mitigate risks, improve customer service, and clear regulatory actions. Relentless schedule pressure and delivery milestone must be fulfilled. The road to recovery is no longer about doing the minimum, but operating at above-and-beyond levels in order to achieve a passing grade. Expect one year to start seeing results and up to two years for a total turnaround.

An IT team that has been neglected for a period of time normally has inherited risks due to precipitates of the company culture, governance, skill-set, budget, leadership, and general apathy. IT deterioration is a process over time and so is IT recovery. The management team must take action on the majority of the following items in the first 12 months due to the accelerated timeframe:-

• A cultural program must be established to address current IT values, turn-over, lack of industry standards, and change management issues.

• An IT governance program needs to be established to address every aspect of the organization. Quickly implementing new policies, company standards, and internal controls to drive a house-in-order culture and demonstrate a consistent IT environment is paramount.

• Bring in up-to-date skill set from the industry domain to augment the current resource base; this includes quick turnaround experience to speed up the recovery. Employee skills must be assessed to align with the recovery objective. A staff certification program in IT Governance must be established in addition to product education to increase the overall competency level.

• The Security Operation Team must be beefed-up to establish layered defenses and tackle the everyday risk of conducting business online. This cyber security program must be approved by the Board and robust enough to stand up to any level of inspection.

• Aging, neglected infrastructure, and end-of-life applications often are at the heart of the problem. Asset inventory and gap analysis must be budgeted and performed by the new leadership team.

• Since management owns all business and operational risks, a risk assessment and control framework must be implemented as part of the recovery program. Industry standards such as COBIT (Control Objective for Business Information Technology) must be leveraged to demonstrate process maturity and credibility. Internal controls are designed, operated, tested, and mapped to the established risk control framework to demonstrate the completeness of the control structure. The critical role of management is to provide supervision and resources for the control operation.

• Strong and consistent communications, including regular team meetings, must be established to ensure open communications and align actions with the recovery map. This should also include project status, internal/external bottlenecks/challenges, key performance indicators, best practices, and leadership expectations.

• Partner with internal audit and ensure IT controls are validated annually. The reports that are documented by Internal Audit, External Audit, PCI, or SOX are the report cards of a working IT shop. The opinions from both the Board and the Regulatory Agencies, and the data from the aforementioned reports are the key evidence of a successful recovery.

• A turn-around CIO must affect the culture in a positive direction. Excitement and enthusiasm must be generated for the multitude of projects that will be required. In many ways, I have had to be the loudest and most energetic cheerleader in order to enliven the apathetic.

The road to recovery is a journey of changes and challenges. A quick turnaround is normally two to three years and is well within an average CIO tenure. The burn-in time is normally six months. However, this is not an average situation and it might take a few CIOs in-turn before the problem is solved. This will take time and perseverance. A culture is built up over time and will only be changed over time. The payoff is a much more secure, standardized, and strategic solution that is sustainable and aligned with the company vision.