I recently made a 3-week whirlwind tour to a number of destinations (Germany, Bratislava, UK (London & Manchester), Poland, Mexico, Norway and the Netherlands, reaching out to around 650 people from different organizations. As Akshay Anand from Axelos commented, quoting a film title ‘It’s Tuesday it must be Belgium’ such was the feeling I had walking into hotel walls in the middle of the night trying to find the bathroom that seemed to change location every day.
The sessions were a series of presentations and simulation workshops to explore the following themes:
- Business IT Alignment – still a TOP scoring CIO issue! – What is the status? And are people exploiting BRM and Governance (e.g. COBIT) as instruments?
- Cybersecurity a number 1 issue in many surveys – Are we taking it seriously enough? And are we focusing enough on the ‘People’ aspect?
- DevOps driven by a top scoring business issue – The need for ‘agility and time to market’ – Are we addressing the culture and collaboration aspects effectively? Between Business – Development and Operations, making it BusDevOps.
- Attitude, Behavior and Culture – in both IT AND the Business – Do we still face the same issues after 15 years? ABC being the number 1 success or more often FAIL factor for all the above.
- Training – Are we realizing the required Value from our training investments? Or is poor training putting us at Risk?
During the sessions I made some worrying discoveries about the state-of-affairs that I’d like to share.
Business IT Alignment! Or Convergence?
The vast majority of people recognized the Top scoring ABC (Attitude, behavior, Culture cards) – These being the top cards for the last 15 years globally!!! (From workshops with more than 3000 organizations). The Top cards being:
- IT has too little understanding of Business impact and priority
- Everything has the highest priority according to the business
- Neither partner (Business & IT) makes an effort to understand each other
There was a wide recognition for the need for effective IT Governance and for the need to improve the Business IT alignment. Yet less than 15% are investing in developing BRM capabilities or adopting Governance frameworks such as COBIT.
COBIT – an Audit tool or an alignment instrument?
Those that are adopting COBIT use it as an ‘Audit instrument’ and are focused on a ‘tick in the box’. As Tichaona Zororo, Director of ISACA Board of Directors stated in his speech in Norway ‘many audit findings speak in framework language #csx #cobit not a language linked to core business impact‘, going on to add ‘it is vital for auditors and IT to understand the business better‘. As stated in the South African King IV report Governance should be ‘Principles and outcome based not rule based’. Tichaona went on to add ‘Too many audits report on what is NOT working rather than advice on improvements aimed at increasing Value’. Unfortunately many CIO’s also see COBIT as an ‘Audit instrument’ rather than a dialogue and improvement instrument to help change both Business & IT behavior – focused on shared business drivers and goals. Tichaona also stressed (which was also a top discovery in using the Grab@Pizza simulation) ‘….the importance of adopting and using the COBIT goals cascade’. (See recent blog on value).
I would like to use this blog as a call to action to ISACA (I made 3 years ago & 5 years ago) to re-market the value proposition for COBIT.
BRM an operational capability?
Those that have adopted BRM declare that it is an operational or tactical capability, often a ‘fire-fighting’ extension to ITSM. Those participating in the Grab@Pizza business simulation clearly recognized ‘lack of role clarity’ between BRM and SLM, and a lack of engagement with ITSM. Very few were actively initiating or were actively engaged in CSI (Continual Service Improvement) initiatives. Very few were helping bring business understanding into ITSM decision making and priority mechanisms. For many the step to strategic partner is hindered by ‘Trust’ and ‘Credibility’ – primarily as a result of ITSM capabilities! as well as the ability to operate at a Business strategic level. As with the COBIT findings above a key takeaway was the need to develop ‘a better understanding of business strategy and goals’.
(See results of Global findings into BRM challenges and Trends).
Once again I make my call to start by sending everybody from IT into the business for 1 day to understand how IT services deliver business value….or not. (See example 1 & example 2 as examples of engaging with the business)
Cybersecurity awareness – ‘Model behaviors’. Where?
‘Cybersecurity awareness and understanding’ scored the highest in ‘issues that need to be addressed’. A discovery being that awareness sessions are ‘too generic’, there is too little use of ‘incident management’ as input to awareness training or Risk management. Risk management is often not a continual, iterative exercise, and business users are not actively engaged in these exercises. Very few focus on identifying the ‘Crown jewels’ they need to protect. This was another important message from Tichaona. ‘Understand the Crown jewels, audits and advice must be focused on these’, which echoed a recent McKinsey report entitled ‘Protecting your critical digital assets: Not all systems and data are created equal’, which stated ‘The idea that some assets are extraordinary – of critical importance to a company – must be at the heart of an effective strategy’.
Many declared that board members adopt a hands-off approach and do not assume accountability for Cybersecurity – too often it is seen as an ‘IT thing!’. Although the majority participating in the OC99 Cybersecurity simulation were CISOs and CISM certified very few had read or used ‘COBIT 5 – Model behaviors’ to shape their Cybersecurity approaches. All delegates in the OC99 simulation this year (more than 100 CIO’s/CISO’s, Security professionals, Business members) focus on ‘Technology’ in the simulation and NOT on people and behaviors. As Tichaona Zororo stated in his speech in Norway he was ‘..very worried about skills and competences in #cybersecurity‘. (Here is an example of key findings, from an ISACA event which are fairly common across the globe, as well as the most recent findings from the Pink Elephant LATAM conference)!
DevOoops or BusDevOps
The majority of delegates were just starting up DevOps initiatives or investigating what it is. A primary focus is around the adoption of technology with Communication and Culture as secondary considerations. The biggest challenge appears to be breaking down the barriers and silos and getting people on the same page. There are many DevOps certification schemes such as DevOps foundation, DASA fundamentals, Exin master, but will sending people to open training help break down the end-to-end barriers? All attending the #DevOps Phoenix project simulation recognized:
- The importance of BusDevOps – with Business at the front and at the end to ‘demonstrate that expected feature value has been realized’, and to balance new features with technical debt. Many teams struggle with prioritization, as product owners insist on ‘new features’ above ‘technical debt’. Many IT organizations are unable to demonstrate the impact of the technical debt – coming back to the lack of understanding of business impact & priority – the top scoring ABC of ICT issue.
- Teams adopting DevOps struggle with ‘Reflection’ and ‘Continual Improvement’ skills, yet these are crucial capabilities. As stated in the 2016 State of DevOps report ‘…The DevOps mantra of continuous improvement is both exciting and real, pushing companies to be their best, and leaving behind those who do not improve… High-performing organizations spend 22 percent less time on unplanned work and rework. As a result, they are able to spend 29 percent more time on new work, such as new features or code..;.
- A key learning was the fact that Visual Management Systems should not just be used for ‘managing the work’ but visualizing and managing ‘Improvements to the way of working’.
- The simulation was seen as an important enabler, bringing end-to-end stakeholders together to learn to effectively communicate and collaborate. A recent article on DevOps.COM by Jan Schilt covered more about team skills that are needed).
ABC of ICT STILL the number 1 fail factor
The vast majority recognized the fact that ABC (Attitude, Behavior, Culture) was a key barrier to realizing success (BRM, COBIT, DEVOPS, ITSM). Yet too little attention is paid to developing capabilities to adequately address this. The South African King IV corporate Governance report also stated ‘..Governance should be concerned with ethical leadership, attitude, mindset and behavior’.
- COBIT has an enabler ‘Culture, Ethics and Behavior’ that has NOT yet been developed as it was NOT seen as a priority. (see my call to action on this).
- ITIL Practitioner addresses OCM (Organizational Change Management), but many ITIL experts and holders of certificates other than Foundation DO NOT THINK THEY NEED THE PRACTITIONER. 2 ITIL experts in ITIL Practitioner ABC workshops called their CIO and signed up directly for ITIL practitioner as they recognized the issues they were facing and were NOT currently able to solve.
The HOPED for Value from a Training investment
I showed the 8-field model and asked how many of the organizations measured the impact of training at the level of ‘behavior change’ – less than 10%. How many measure the impact of training in terms of:
- Value, Outcomes, Costs, Risks (ITIL)
- Benefits realization vs Risk optimization (COBIT)
- Value creation vs value Leakage (BRM)
ONLY 2 hands went up from 650 people representing more than 500 organizations.
- The vast majority recognized the fact that they HOPED to get Value from training, and were NOT getting the expected value from certification! Recognizing that current programs are focused primarily on ‘Theory’ and ‘Education’ and NOT on practice, coaching or facilitated transfer of learning into the workplace.
- Too many training initiatives are ‘generic’ focusing on demonstrating an understanding of the subject and are not contextualized for the problems delegates are hoping to solve using frameworks.
- The vast majority recognize that they send ‘SILO’s to training and not end-to-end stakeholders to the same training to learn together.
ALL target groups recognized that ‘Continual Improvement’ or ‘CSI’ was a core capability yet the vast majority had no formal approach to CSI, and continual improvement was not embedded in the culture or stimulated as a strategic imperative. All teams participating in the business simulation workshops struggled to facilitate their own reflection and improvement.
I attended sessions for the BRM, ISACA, ITSM, and DevOps communities. ALL are facing the same issues with ‘Business understanding and Business VALUE’ (Business IT Alignmentyet ALL are approaching it seemingly independently of each other in SILOS. It is as if they are operating in parallel Universes. Very few events are multi-disciplinary events, something we keep telling client organizations – the need to effectively collaborate. Perhaps it is time to ‘eat our own dog food’, as it were, bringing end-to-end stakeholders together at events to focus on solving problems rather than sharing knowledge. Barclay Rae also touched upon this in his recent blog for itSMF UK stating ‘…an aligned way of using different ideas together under a practical banner of value-based guidance’.
ALL of the people participating in the Grab@Pizza ( Business IT Alignment simulation), Oceans99 (Cybersecurity) and Phoenix Project (DevOps) were certified (ITIL Experts, BRMP, CISM, Agile/Scrum coaches).
- ALL captured new insights and NEW behaviors to take away following this type of ‘experiential, learning-by-doing’ form of training. This type of learning clearly helped translate theory into practice! Many commented ‘This type of learning should be a MUST have’ element in training (hands-on, practical), yet at the start of the sessions most thought a simulation was a ‘nice-to-have’ addition to training.
- All teams participating in simulations struggle with effectively communicating (active listening, feedback, open-honest, no blame) and collaborating. It was concluded that organizations expecting ‘self steering teams’ to materialize after foundation level training (e.g DevOps) is an illusion if it is not facilitated with some form of coaching, or using this type of learning intervention.
#GROMIT – Grumpy-Old-Men-in- IT
It was clear to me from my whirlwind tour that the majority of organizations are still struggling to realize the improvements required to become strategic partners to the business, and the way that best practices are translated into transferable skills and competences needs to be improved. It would appear that the solutions require an end-to-end Industry approach to dealing with this. Personally I do NOT see it changing in the foreseeable future.
Latest posts by Paul Wilkinson (see all)
- IT and the Business – A Worrying State of Affairs - June 28, 2017
- Model Behaviors in Cybersecurity…let’s just continue to ignore them! - June 22, 2017
- Attitude, Behavior, Culture – Not an Afterthought! - May 9, 2017