The five minute CIO: John Kost, Gartner

26 Jun 2015

John Kost, former CIO of the State of Michigan and group vice president at Gartner talks about the challenges facing CIOs today.

“CIOs should get more aggressive and figure out what the business needs before the business even knows it,” said John Kost, group vice president at Gartner Research and former CIO for the State of Michigan.

At Gartner, Kost leads the group of analysts providing research specific to the role of CIO, including Gartner’s Executive Programs members, and the IT aspects of the roles of CFO, CEO and boards of directors.

With his experience as a government CIO, he also continues to provide a worldwide leadership role in helping governments create, or re-create, the role of CIO and improve the effectiveness of the role.

Kost is internationally renowned for his work in government information technology management and procurement reform.

In the new business landscape where the emphasis is on digital, has the CIO’s role been enhanced or diminished?

In many ways, it is up to the CIO. He or she can go along with the changes or they can revert back to just being the IT person. I think it is down to the degree of comfort of dealing with the business processes and dealing with the political or business kinds of issues rather than the old technology issues.

And we are seeing some that are not making the transition quite well but we are seeing a whole new breed of individuals becoming the kind of roles you are talking about because there is no perception or expectation that they are IT experts – they don’t have the legacy or baggage in many ways.

We are seeing quite a few coming from very different disciplines and being very successful.

In terms of perception, is the CIO job now considered as sexy a role in the technology realm as that of start-up founder?

Again, if they want it to be. One of the things that Gartner has been talking about for the last two years is the whole notion of the bi-modal CIO. And as you may know in mode 2 it is really about innovation. One of the things Peter Sondergaard, our SVP and head of research talks about is that every company today is an IT start-up.

If they do mode 2 well CIOs can be at the forefront of a lot of innovation in the company, which can be very sexy stuff.

The other cool thing about mode 2 is that if it is done right there is no expectation that we have to start off with grandiose plans and big stuff.

But start small, start with cool stuff and different ways of solving business problems we didn’t know we had. In which case it can be sexy but does require that the CIO take off their blinkers in focusing all their time on running the business as opposed to trying new things and, again, some are not comfortable doing that.

Security has moved from being about being besieged behind firewalls to a more fluid, mobile battlefield. What are your thoughts on this?

We were at dinner a couple of weeks ago with Peter’s senior managers and while we were sitting at dinner one of my colleagues had his phone sitting on the table and without touching it Russian Cyrillic text started appearing on the screen. That is scary.

The way security is being viewed increasingly is if you look at the whole way companies, and governments for that matter, really worry about the issue of risk, but now the CIO has a seat at the table of the board because risk, whether financial but more likely cyber, is becoming so severe. As we look at our list of concerns that CIOs have as a result of our CIO survey, setting aside all the sexy stuff and the digital stuff, the meat and potato issues they worry about most is security.

They know it is extremely challenging and that there are new threats all the time that they don’t know how to confront and they are going to have to get help doing that.

As former CIO for the State of Michigan, how do you see the role of CIO protecting a country or state in the current state of cyber threats?

In many ways, it requires that you have a very powerful and robust network because government is expected to do so much more. But, as a result, you have to also constrain the points of entry into the system or at least have the appropriate firewalls.

What you are seeing in many governments throughout the world right now is an attempt to consolidate the infrastructure, in part because you want to save money but also because it is easier to protect a single environment rather than many.

When I took over as CIO we had 16 data centres and 19 networks. By the time I was done, we had one of each.

Now some people weren’t all happy about that but one of the benefits was that it was a lot easier as a tech bet, the downside is you have all your eggs in one basket at that point and that could be challenging as well so you better be at the top of your game.

The other thing you need to look at too is: what are the risk points? I was the CIO of a state in the US, probably the greatest risk to a state would be access to records related to birth and credit card information.

A lot of the recent cyber incidents occurring appear to be the spillover of cyber warfare, such as the Stuxnet virus that was created by Israel to attack Iranian nuclear facilities. What do you think?

I think it is much harder to play defence rather than offence. There are so many different offensive variables you can play with, whereas in defence you are blind and waiting to see where the attack will come from next. Increasingly, there are organisations that are looking out there, but rather than defence why not go on offence to prevent that sort of stuff.

You may recall the Sony hack – one of the consequences was North Korea’s internet went down. Coincidence?

But I think you are going to see more of that. Organisations that are at great risk are going to have to go on the offence, not in a malicious way but find their enemy and confuse their enemy and make them worry about other things. If you are concerned about Iran attacking you let’s put them on the defensive by disrupting their ability to do so.

They didn’t destroy Iran, whoever did this, but it shifted their focus and distracted them in a very significant way.

Companies are under pressure to be digitally relevant. Is this hurting the available budget available to CIOs?

You raise the most common issue. Marketing budgets for IT are becoming substantial now across the board and are approaching the point of attacking the central IT budget. But I think the CIOs shouldn’t necessarily fight that. They need to recognise that virtually everyone in the C-suite has skin in the game just like they do and figure out how to support and enable that.

Back to the mode 2 capabilities, the CIOs could just sit back and let the other parts of the organisation develop their own capability but our advice is CIOs should get more aggressive and figure out the business needs before the business even knows it.

We look at different types of CIOs and different types of businesses and you could begin to describe easily how CIOs themselves could become value creators in the sense they are not just enabling IT but finding opportunities for IT to be identified of reaching for the company or government and in that case they could very well be out in front of what the other leaders in the business are trying to accomplish.

One of the big areas of opportunity right now for most organisations is the use of big data. How do we take data we have in abundance and find new ways of identifying usable information.

Big data is closer to the CIO’s domain than others in the C-suite. Yes, good digital marketing people need to know how to parse databases to find nuggets of information and that’s good but CIOs should be very good at that to the extent that they could cross reference huge databases and do trend analysis and predictive analysis that could be enormously powerful.

Jobs and skills five years from now don’t exist today. How should CIOs prepare?

CIOs need to recognise that it’s going to be very difficult to compete for the traditional types of IT jobs and increasingly that’s going to be one of the value-adds of the cloud suppliers. They are going to be very aggressive in the marketplace, hoovering up all those skills. As a result, the big opportunity for CIOs is to try to use non-traditional disciplines to figure out how to do the cool, sexy things in digital that companies are trying to do.

One of our analysts interviewed Genevieve Bell, she’s an anthropologist and a vice president and Fellow at Intel. The key point is what she brought was a different way of thinking about things. If you think about what a company is trying to do to use big data and drive value, doing so may mean different ways of thinking about things.

You are always going to have skills problems in the public sector for lots of reasons. I met a government recently on this very issue and one of the things I suggested was why don’t you approach the universities with a series of projects and meet the graduates, but not in the computer science department, and say we have a public sector business problem here. Bring in lots of different disciplines from across the university to find out how to solve this – arts majors, sociology majors, humanities, all sorts of different mindsets.

I think ultimately we will get to the point where infrastructure becomes less consequential, less of a focus of CIOs in part because they won’t have the skillsets, which frees them up to have more of the customer-facing things, the predictive analytics that no longer require the STEM skills that they relied on.

We see an Uber-like model coming to bear here where governments will eventually get talent as needed on demand using different intermediaries than they use now. Rather than large body shops, or consultancies, unique skills will be rented on demand through a public marketplace. Talent is more mobile than ever and millennials seem to be less inclined to be tied permanently to large institutions. So, the needs on the demand side will converge with a different labour model on the supply side.

Are CIOs struggling with the shift from keeping the lights on to being business visionaries?

For many it is human nature. The comfort zone, especially if you are well on in your career and life, is about running a data centre, it is very difficult to make the transition. But increasingly organisations are not looking for that skill set.

I don’t have a technology background, but I was put in the CIO role because of my deep knowledge of the business processes of state government, not IT. I learned what I needed to do in the course of doing that stuff.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years