In Episode 13, Mike and Nate and special guest Nathan Doyle discuss Chapter 15 of the IT Survival Guide. Chapter 15 covers Governance, and implementing good governance in your first year as a new IT Leader can be very difficult without consideration for all of the critical areas in which governance plays a part. We do our best to break it down for you.
Links to the tables referenced in the Chapter Read are here:
Chapter Read time mark 01:15:30
Chapter Read time mark 01:37:48
Chapter Read time mark 01:44:00
Chapter Read time mark 02:08:00
Post-chapter analysis questions:
What are the most critical areas of governance that need to be addressed in Year 1 based on the state of your company?
How will you educate others in the business on the importance and value of IT governance and effectively communicate this across different departments?
What goals should you achieve regarding IT governance components by the end of Year 1, and how will you evaluate and iteratively improve your governance over time?
How can you determine what level of governance is realistic given your current maturity and resources vs. aspirational?
Where else in the business is governance developing that you could support or collaborate on, including partnerships that could help promote acceptance of IT governance across departments?
What are the risks of IT not introducing governance promptly, and who will take the lead if IT does not?
What tools or techniques could help analyze past data growth to inform governance needs?
Considering the various areas of governance, what strategies and challenges are there to ensure they align with organizational standards and regulatory requirements?
What is the importance of having clear and realistic policies and procedures as part of IT governance and the role of leadership in fostering a governance culture?
How might emerging technologies/trends impact the future direction of IT governance, and what proactive steps can organizations take to prepare?
What are some strategies for prioritizing IT projects based on available resources?
We also take some time to break down what decentralized, federated, and matrixed IT organizations mean and supply the usual banter, including the introduction of the Mighty Tekakord!
00:03 Hello? Hello? Okay, we’re good. Rock and roll. Hey, we fucking did it. We made it. We’re all set up. Good to go. Good to go. Good to go. Greetings and salutations everybody. Welcome back to the Calculus of IT podcast. 00:32 It looks like we’re like, it’s like a mountain.
It’s like the Price is Right. Like sitting at the kids’ table. Welcome back to the Calculus of IT podcast, aka the cognitive load, aka the home of the sad salad, the one and only sad salad. 00:53 Love sad salad.
AF. I forgot to ask you by the way, do you know what AF means? Yes. Okay. Yes. Yes. What does it mean? What does it mean exactly? Always fun. Always fun. That’s right. AI is always fun. 01:05 AI always, that’s the other one, AI always fun.
Always fun. So over to my far right, we have the indomitable, I learned that word, and musically gifted Michael Crispin. I thought you said indomitable, indomitable, and musically gifted. 01:28 Thank you. Thanks to a musically gifted.
This is a drum solo. Michael Crispin, aka Crispo, I am Nathan Pride. I have no musical talent. I’m not abominable, and people just call me Nate. And we have a special guest tonight, Nathan Doyle. 01:45 Welcome
Nathan. Thank you. Thank you guys. Thank you for having me here. What’s your AKA? I’m that guy, but not that guy. So he’s the guy, behind the guy, next to the guy. Right. So, awesome, welcome, glad you could make it. We have an epic show tonight. I did a very short pre-read,
super short, on Monday night for the chapter that we’re covering tonight, so through the miracles of sort of modern technology, technological things, we’re just gonna all of a sudden be talking about the chapter in just a few minutes, but it’s gonna be like I sat here and read the chapter all by
myself. Unbelievable. I know, it’s magic. What an advancement. I know. You do, like, these things now with the iMovie and Microsoft Paint, Windows Movie Maker, does Movie Maker, gift maker. So before we begin, I do want to make, well, it’s not really an announcement, more of like, we already did this. Yeah.
We do have a website, but up until now the website has pointed to the Long Walk Consulting media page, which is where our podcast was sort of centralized, and now we have the COIT.us website. We’re working
on some DNS stuff right now to make some web trickery, so if it doesn’t work for you at the time this episode launches, just keep trying, because we’re just trying to, like, bypass spending money. 03:33 We have failed
at that. And spend money to make DNS work, so go figure, DNS is not as democratic and free as we thought. We also have a new Instagram account. We’re on the Insta, we’re on the line, Insta, Insta
Made it to the line Mike I’m loving it I’m loving all this social media presence I know and I was trying to get on the Facebook but apparently it’s called now Facebook yeah it’s under one workspace my account wasn’t working anymore so we went to the insta and and I I’m not actually
Sad to admit this I’m very happy to admit that my daughter Kate who is a social media savant I think would be the word I would use is actually going to be running our social socials because we
Have a tiktok too the tiktok is the calculus of IT yeah and the Instagram is the calculus of IT I was I was hoping that you would get that I I’m glad we’ve landed on a title that’s good
Yes episode what episode is this again episode 13 but chapter 15 could see I combined you know I did I did combine some episodes and stuff we’ll catch up don’t worry because we’ll have a chapter that takes like four episodes so it’ll all work out so this is great and Nathan’s overwhelmed
Right now he’s like I don’t even know what the hell I’m doing here my reputation’s swirling down the ball so so many things and new ways to bring extraordinarily intelligent though slightly inebriated technology discussions to the masses to the smart masses so when are we
watching our Calculus Coin on Web 3.0? That’ll be in four years’ time. Okay, so four years from now, that’s 2020, today plus four years, we’re gonna launch Calculus Coin on the Web 3.0, Web 4.0. I was looking on Instagram today, and Gartner has an Instagram. Gartner’s Instagram?
They do, and one of the things they put up on their Instagram publicly is that Web 3.0 is six to seven years away, so we could technically beat that. Yeah, we could get there before that. 05:59 Cheers. Cheers to, you know what?
Anytime we can be ahead of, we actually, we’re always ahead of Gartner. What am I talking about? Upper end quadrant, get there. Yeah, upper end quadrant. Trough of disillusionment. 06:10 I’m drinking the trough of disillusion right now. What are we drinking tonight? What do you have? The hype
cycle. This is Con-mara. Con-mara. They say that right? Con-i-mara. Con-i-mara. Con-i-mara. 06:22 Con-i-mara. Con-i-mara. Jeez. I’m also having Con-i-mara. Con-i-mara. And you’re having? I don’t want to
mispronounce this. What is the- It’s Glendolo. Glendolo, yeah. Glendolo. Double barrel. 06:34 Yeah, very tasty. The single barrel, unfortunately, it was just not double enough. So we went with double barrel. So cheers, gents. Cheers. Cheers. Let’s have some more. You know,
I’ve been coming to this cool party for 10 years and it never gets old. 06:52 If you want to continue. So if you want to continue the conversations about all this deep stuff we’re talking about,
want to learn about Web 3.0 or 4.0, we should actually beat Gartner on Web 4.0, too. 07:06 Let’s just do Web 5.0 and skip all that shit. You know how Verizon skipped 6, 7, 8, and 9G and went to 10G? Why can’t we skip a
bunch of the numbers? Just need Neuralink and we can start moving the mouse around with our brains. 07:24 Did you read that today? No, we’ll get to that. Mike, you’re spoiling the show. Oh, I’m sorry. So stay tuned because next
year we’ll have Web 6.0 launched right here live on this show. And we can’t disclose it yet still. 07:38 We’re working with the NSA on some things, but we’re going to get that out there. I also want to mention that if you like our show,
please give us the maximum amount of stars on Apple Podcasts or Spotify or YouTube. 07:52 I don’t think YouTube does stars, but the maximum thumbs ups or whatever. Listen to, just give us the maximum amount of things. We
would, we would give them to you. If I could give you, the listener, the maximum of anything beyond the cognitive load I’m about to give you, then I would give you that maximum amount of things. So
in return, could you please give us the maximum amount of things? It would be cool. Also, we have new merchandise in our Spreadshirt store. Oh, I gotta check this out. Very nice. We have our new
sad salad shirts. I’ll have one on next week, the next week’s episode. They’re awesome. We did have cognitive load shirts up. They were immediately pulled down because the logo looked identical to some random, and you might have heard of it, soft drink brand called Coca-Cola. Cool that one down.
We violated a copyright, so this show is actually now going to be called The Cancelled Show. 08:50 All the shit we get cancelled from, we’re just going to go ahead and call it The Cancelled Show. And tell you about what we
got cancelled from this week. Those came out awesome, man. Look how awesome those came out. 08:59 Wow. The sad salad shirts. So that’s the C-O-I-T-T-H-E-C-O-I-T dot myspreadshop.com. Is that right? Or go to www.thecoit.us.
And there’s a merchant link. There’s a merchant link there. Plus, in all of our episodes, on all the things, you’ll see links in the description that has a link to the merch store. 09:27 So in order for
Us to afford Gaslight Nathan here and to afford to be able to buy him Glendolo for the show and feed him and nurture him and take care of him and mold his young mind, we need some money. 09:43 Airlines fees,
Hotel fees, all that. And honestly, if we get a certain number of stars, apparently we can open up ways to get better things on the socials. Open it up, baby. Let’s open it up. So before we go on, I want to comment quickly on last week. 10:01 So if you watched last
Week’s episode or listened to it yet, you probably heard a lot of cuts. I think there ended up being 10 or 11 or 12 cuts where I tried to say the word strategic. You didn’t. I know just that I did. 10:17 But
Most of the time I can’t say it. And I’ve been practicing all weekend. And so tonight I’m going to try a few times. But just even on Monday night’s recording, I had to cut it out. So I apologize if you’re like, what the hell did you say? 10:30 What was that word?
Start-a-chick? Or strap-chick? Or whatever he just said? Because I missed those and I didn’t cut them out. So that’s the word I was trying to say. Str-te-j-ick. Strategic. Strategic. 10:46 Strategic. That’s how I should start
saying it. Anyway, I don’t know what was going on. I wasn’t even that drunk. It just couldn’t come off my tongue, and I lied words a lot. So anyway. So in a bit, we’re gonna get to this week’s chapter,
which is Chapter 15 of the Life Sciences IT Survival Guide, which is on governance, which if you ask me is just absolutely dead sexy. Nobody asked me, but I’m just gonna say that anyway. 11:09 Yeah. In fact,
The only person who probably thinks is dead sexy is me, but that’s okay and next week though I want to play next week’s episode because we’ll be talking about the employee experience Or the employee lifecycle and the employee experience and this is a just a monumental
Episode I think we’re gonna be really diving into everything from two weeks before you’re hired to two weeks after you’re fired Everything that happens to you in between everything that IT has to do along that journey everything that you as an employee Go through on that journey.
11:39 And so as you can see, it’s no small feat the chapter itself just really captures that we’re going to discuss the element of what IT is responsible for, but we’re going to try and take on sort of the bigger enchilada for the episode. 11:52 So it’s going
To be really good. And it’s almost as sexy as governance. Like right there. It’s right up there. Solid number two. Yeah. And it’s one of those key pillars that we will come back to for the rest of the episodes is that employee experience piece. 12:06 Sure. It’s also
An important part of compliance, which is part of governance, which we’ll talk about in a bit. So be sure to tune in next week for that episode. Also, if you’re in the Cambridge area, Cambridge,
Massachusetts area on February 27th, and you want to see me go toe to toe with a quality veteran and OG, if you will, check out my LinkedIn post on my LinkedIn page, which is linkedin.com slash ITSN8. 12:40 I don’t know
what the rest is, but just go to that page. And we’ll get me a LinkedIn and you’ll see the post for the Swear event. It’s hosted by Swear when they have the Rescue platform. I got a plug. 12:53 Swear makes this
platform called Rescue. It’s freaking awesome. It takes all the bullshit out of keeping your SaaS platform is validated. So we love them and they’ve invited me to be a panelist on this dinner. 13:07 It’s two-hour dinner, tons of drinks. Again, you get to listen to me make an asset of myself
By trying to say why next generation validation is for the birds and then how to defend my position. Like I said before, it’s free booze and food place. 13:26 So as a reminder, also when bio it world comes to Boston, April 16th and 17th, Mike and I and hopefully Nathan
And others will be well, we’ll be crashing bio it world. And I’ve already asked for a press pass. 13:43 I feel like I’m going to get rid of it. or canceled on that idea so if we can’t get into bio IT world and set up shop for a podcast we’re gonna
Go next door to either what is it Rosa Mexicana no Smith and Molensky is to the center right oh yeah yeah yeah the corner there Ruth’s Chris or something oh um what are you talking the seaport
No no no this is this is not a BCEC this is at the World Trade Center there so if you walk out of the World Trade Center and go immediately left right at the corner I think that’s Smith
And Molensky oh Mortons Mortons thank you Mortons one of those and we’ll tell you about it but you can come and be on the podcast you can actually come and be on the live podcast we’ll apply you
With alcohol if you’re over 21 get you food and then we’ll have a good time yeah so I’m also a ton of special guests either way mark your calendars for bio IT world in Boston April 16th
To 17th so okay I just talked for a little bit anything you guys want to note about anything? 14:42 I’m excited for bio IT world that will be fantastic to get everyone together and just to top it totally openly. Yeah Yeah,
Hopefully they won’t They won’t throw us out of Morton’s if that’s where we end up We don’t have a lemonade stand or something out front with some Should I bring a folding table just in case? 15:00 I think we’re gonna
pretty much have to pack up all this shit here. Yeah, and just nonchalantly walk up to a table somewhere and set it up and steal their power and their Wi-Fi and try to do this podcast. 15:11 I’m working on that
Too. We’ll make a solution for that possibly. He’s got some things going on We’re ready to go before we go any further Nathan yes, sir. We said your name. Yes, we didn’t say anything else about you. 15:26 Yeah, it’s like it’s like mystery guests with
Just a They’re just talking around me I’ll let you just can give you a quick overview of who you are. Where you coming from? Yeah, don’t tell us why you’re here because we don’t want anyone else
To know that no we bribed you to be here Yeah, no, no, let’s we’ll keep the hush money a lot. 15:50 I mean, yeah, right Yep. Yep. Yep. Yeah, appreciate the the invite guys. Thank you for having me on the podcast today see, you know as as I stated earlier Nathan Doyle,
I’ve been Working in industry for life sciences the last 10 to 12 years Overall though I’ve been managing IT and managing Services for businesses for last 23 years. 16:13 I got out of the military in 2003. I served as a gunner’s mate in the United States Navy
Not applicable You know, I found myself in a very interesting Position and it was you know, what did I want to do and I thought you know, there are three things. 16:32 I’m very good at Talking which anybody watching
The podcast that knows me is you’re the perfect place Genuinely laughing out loud right now saying yep, that’s that guy, right? Helping bring people together right and I love problems and that’s sort of a you know people use the term opportunity as a sort of you know you know rip and replace for
That but that’s since I was very very young I’ve always looked at problems as being intriguing and so I felt I could take being conversational being somebody that brings people together and somebody that can help you know look at problems in not just a unique ways but is willing to take it
On and how do I you know help people you know I started off by building MSPs supporting companies in the West Coast California specifically and then found myself in a really unique opportunity when I moved out here to Massachusetts working with a venture capital firm who specifically focuses
In biotech and they offered me an opportunity to go work inside you know internal IT it was first internal role I’d really sort of taken on in about 20 years and you know 15 years I said
yeah, I’ll do that, and been off to the races ever since, you know, really focusing on life science in R&D. The most perfect topic for you tonight, which is why we asked you to come on board,
Because who better to sort of help us sort of dissect this idea of putting in rules than somebody who’s been on the side of IT and in life sciences where all the rules are very critical. 17:57 Yes. Well,
Thanks for coming out. Yeah, I appreciate it again. I appreciate it. It is cold in the barn, by the way, but you know, you’re the mayonnaise in the Mike and Nate sandwich. It’s the sweater. 18:08 It’s the sweater.
I like that. That’s the type of mayo I can get behind. That’s the type. Actually, it’s mayonnaise between two pieces of dark rye. I love it. We want everybody at home to think we did plan this. 18:24 No, we didn’t. No, we didn’t. It’s like another
Certain type of cookie. But I did plan on playing Mike at the kid’s table. I got it out here. I like how this like this progression, you know? So I just prefer standing now. 18:36 I stood, we stood with it last
Week and it just feels, I don’t know, I feel like more You can talk more with your hands. More. So we don’t have a sponsor. Do you have a sponsor tonight? I don’t have a sponsor tonight. 18:46 Nobody called us for sponsor,
But I’m just going to replug soup because last week that was awesome. I mean, we love soup. This is basically by our definition. This is soup, by the way, it’s a liquid in a bowl, hence soup. 19:02 I got a call from
Rye toast. I did. So my plug just then was not intentional. What’s that? It was intentional. My plug for a dark rye. No, no. This is this is light rye. Oh, light rye. Yes. Sorry. Arnold’s. 19:21 Arnold’s in particular, Arnold’s
Rye or Billy’s rye. Billy’s rye? Billy’s rye is very good. I like how crispy rye toast gets. You get it’s very hard to burn rye toast no matter how much you cook it. Because you can’t tell. 19:36 It says you can’t tell. And it’s
Always you can burn the crap out of it. And it just didn’t. It doesn’t break, you know, you burn toast and it turns into powder. Like rye toast, it doesn’t happen. You can really, it stays together. 19:49 I just wanna. That’s
What I’m talking about. That’s real solidarity and continuity in a piece of bread. I think it’s fantastic. That is very meta of you. Rye toast is a symbol. So rye toast. Of how strong they are. 20:02 All right, well,
You know what, right, and by the way, if you have a bowl of soup and you have some rye toast on the side. You can dip it in, it will not get soggy unless you really, you really go crazy with that. 20:15 Wow, rye toast.
We should have some next time, we’ll get some out. Well, why don’t you ask your sponsors at rye toast to send us some rye toast and then we can have a plate of it out front and like a display of toast. 20:26 That’d be
fantastic. I would be crunching on that the whole, all the microphone and everything, be all crunchy and gross. So next year while we’re talking about experience in the life cycle, we’ll be doing an ASMR session of toast eating live for you with burnt. 20:40 Bio-IT
World stacked up to the ceiling. Right toast, yes. Right toast. So, well thank you for that. I’m glad that the money keeps rolling in from the sponsors as well as the free hard bread and bread. 20:53 Well, I just got a call,
so I’m working on them still, but I figured I’d give them a shout out. Maybe that would push us over the line so they really will be a sponsor. That’s awesome. I did want to plug Focal.io 21:03 again. We talked,
mentioned about them in episode two or three, but that’s who we switched from, from Atlassian’s help to Focal.io for our internal help desk workflow in Slack. And it’s awesome. I only get a few tickets a month anyway, but when I do get them, they’re automatically routed, right from Slack. 21:28 So,
big shout outs to Focal. They’re basically filling a big gap too where help is being deprecated into sort of like the Atlassian wastelands. Focal is sort of rising to the cream of the crop in terms of what I think is the best of Slack-based help desk platforms.
21:48 It’s basically web-based too. I mean, there’s a portal and everything. All that is end desk, but it’s real meat and potatoes, I think is in Slack integration. So, thank you, Focal. And lastly, I know I don’t know if I said this last
Week or the week before, but did I mention how shitty one specific vendor is that canceled us? 22:07 Have I talked about this? Yeah, the last two weeks, we’ve brought them up. Okay, so I’m not gonna bring them up again. They’re
getting free advertising on this. I was thinking the other day and I wanted to point something out. 22:17 Did you know that if you add the word or the letters I-F-Y to the end of any noun, you like immediately get an e-tail store? Try it now.
Like say a noun, any noun. Right-toastify. Right-toastify, what does that site sell? 22:35 Right-toast. Exactly, try it, Nathan, go ahead, try one. Mm. Oh, that was not the right word to pick. In my head I was going to go with Twinkie a five, but my brain went many different directions,
Said don’t do that what is it was that site so yeah that’s the dilemma that I wanted to walk away from lard bombs Oh yeah magical lard bombs yes deep fryable so if you take any noun
and you put the word I, or the letters I-F-Y, after it, and then you do .com, you can create a website that is, it requires no talent, like this other website that we know, requires no developer skill, requires no good customer service, requires back ass sort of customer management, and you
too can have a fi website, just like somebody else that we know. Yeah, so just take a noun, or even a verb or an adjective, any word, anything, really, any sound, put a phi at the end of it. 23:45 Do you want to know something
That’s awesome, unlike the fis? What? As Nathan mentioned, Twinkies, you’ve got to try freezing one. Have you tried that before? Freezing a Twinkie? Take a Twinkie and put it in the freezer. 23:57 Or hold on, a Twinkie or a sponsor? No,
No, but maybe they’ll give me a call. I’m trying to help us here by getting some better sponsors. I don’t know. You’re telling me. I don’t have a response to anyone. 24:05 So put a Twinkie in the freezer. If you’ve got them, and then you eat them the next day,
It’s magical. Frozen Twinkies. I know what we’re going to do next episode. Frozen Twinkies? Next week, we’re going to start the show off by doing three things. 24:19 We’re going to, first of all, eat burnt white rye toast. Got to love it. To celebrate our sponsor. Two, we’re going
To swallow down a frozen Twinkie. Not the same one. We’ll all have our own frozen Twinkies. 24:35 Frozen Twinkies that will just start a timer so you can eat the frozen Twinkie the fastest. It’s still chewy. It doesn’t, you know. That’s the lard. Yeah, yeah. It’s still edible. And then the third
Thing we’ll do is we’re going to throw up in a bucket bag here after we’re done together. 24:54 Wait, we have a bucket sponsor? We don’t have a bucket. Buckets are so useful. So next week, turn it into
The show. Because right in the beginning, we’re going to do a double food boot challenge with you. 25:08 We actually won’t throw up. Mike will probably throw up, but I won’t. Not at all. I’m holding it down. I have an iron stomach. OK,
So. And on the governance from there, I mean, how do you, you’re bridging it. 25:20 It’s fantastic. See, watch my segue. Ready? OK. So tonight, we’re talking about governance. Did you see how I did there? They didn’t even know that that happened. That was beautiful. I’m the magic. So smooth.
26:26 Shake and bake. Shake and bake. Look at that. So, seriously now, seriously, it’s back into character. And my heater kicks on right at this moment. By the way, you have to get used to that noise, because that’s my 7,000 BTU blower blowing
heat that direction in the barn, and it circles all the way back around and finally hits us later. 26:54 So we continue to come back to the idea of training and development in this podcast, and this is something that will probably be a cornerstone
Of every single episode, some more than others, in terms of how much time we spend on it. 27:08 But in terms of its importance, training and development is a key element of everything that happens in IT. Whether we’re discussing the need to train yourself, or the IT department,
Or your staff, or the organization at large, it’s a recurring theme. 27:26 So today we’re talking about governance, and that’s Chapter 15 of the Life Sciences of IT Survival Guide, as I already mentioned. This is one of those chapters that is both
Industry agnostic and also critical, I think, for survival of IT process. 27:39 So, I mean, basically, you can survive at being, and we’ve talked about budgeting, you can survive in a company by being a shitty budgeting manager. I mean, you’ll get by, you won’t be, like,
Everyone’s best friend, but you cannot survive at all by being a shitty governance architect. 27:55 Like, you just won’t make it, okay? Because when process starts to break down, everyone’s just going to wonder, like, what the hell you
Do all day? What did you say you do all day? So we’ll come back to the theme of governance and decentralized IT, which is a key part of it after the chapter read, and explore it in more detail. 28:14 But for the moment, before we get
Into the chapter, I really want to take a stab at essentially what are the basic three key elements needed to support what we’re going to talk about later, which is a decentralized IT department. 28:26 And how does this matter in terms
Of governance? Well, for governance, you need to actually have an organizational definition. Like, you need to say, my IT department is going to be matrixed, it’ll be centralized, decentralized, iterated, hierarchical, whatever you’re going to do for your organization,
You have to define it because as that definition will sort of as a definition will define the way your group talks to each other, so it will also define the way you talk to the organization. 28:56 So for instance,
If I have a matrix, the IT department, you know head of IT, four direct leads, they have direct leads, so on and so forth, and sitting in one place, single location, one set of processes, well then, we all kind of know up and down the stack, what we have to do
With each other, and it’s pretty clear across with whom we interact, what the processes are. 29:15 If you go into a decentralized structure, you get a sort of more autonomous way of doing this. You’re having sort of a person who’s responsible for IT, then you’ll have other groups that are all
Of course themselves responsible for IT, whether they’re responsible for IT for a certain team, geographical location, a certain business unit, a certain project. 29:38 Decentralizing IT allows you to have a single leader who mostly manages the general strategy of the company,
Then everything else is sort of sent across the different groups. This is where governance is such a key element, which is why I’m going to talk about today from a decentralized IT perspective, and we’re going to sort of dissect that. 29:57 So if you want
to build a decentralized IT model, and it’s kind of controversial for a lot of people, it does represent a loss of power. Okay, so CIOs that are sort of power-hungry, they like to build walls around their sort of departments, look at decentralized IT as sort of the anti-weighted IT.
30:16 But for those CIOs who have the capability and the time and are willing to sort of extend their reach into the business a little bit further, it might be one of the best scenarios you can do. So in the second book that I wrote, Calculus of IT, I did
describe decentralized IT in a sort of high-level manner, and I’m just going to read that now. 30:40 You don’t have to read that book, we’ll get to that in season two. But effectively, in a decentralized IT, like I said, each business unit
Or office location or team has its own IT group, its own budget, its own set of processes, etc. 30:58 And there’s no centralized IT department as you would see it today. Okay, there is an IT leader, I’ll be an executive,
they report directly into the executive team, then there’s all these other groups that exist. 31:11 The IT leader provides some high-level strategy and direction, but does not control each of the separate IT teams. So you could have a global CIO,
then you could have a CIO of North America, a CIO of Europe, a CIO of South America, whatever. 31:26 Is it called Europe anymore? It’s broken down into sort of small teams, Asian packets, etc. So the IT staff reports to the heads of their respective business units, not to any central IT organization.
31:38 IT decisions like technology purchases, systems, policies, processes are made locally by each business unit. There are no overarching company-wide standards for those smaller operational tasks. 31:53 So just to jump in for one minute, like I think we’re talking more in a smaller, small-medium size organization
Right here because a lot of companies do have different IT departments, right, and different geographies that all report into maybe one CIO or even into an executive team member. 32:11 Is the reporting into that ultimately matters? So if you go from the bottom most person and you can follow a
Logical chain where you’re connecting the dots to the CIO, you’re still centralized IT. Sure. 32:23 If you can, if you find a break in that chain where all of a sudden that person stops reporting up the IT chain and their units closed off, then you technically have a decentralized model. Yep. Okay.
32:33 Now there’s still a head of IT. that the head of IT is mostly saying, okay, in five years we’re switching over to Google Workspace. Now, everybody else go do that. They’re coming up with a big, giant idea strategy. 32:47 So you just said
that there are no global standards, right? I think that’s one thing with it. Even if you’re in your distributed or decentralized IT, maybe I misheard you, that the IT department will act as sort of the enablement governance function that will help the other distributed IT firms sort of make sure
there’s some semblance of organization and rules, whether it be cybersecurity or other, right? 33:14 Well, it’s not exactly what I said. So what I said was the IT leader provides high-level strategy and direction, but does not control the individual IT
team. So for instance, if I was the global CIO of a company, I was saying, okay, we’re all going to Google Workspace in five years, then it’s up to you as the North American CIO to carry this out. 33:36 Now, how you
do that is entirely independent of your team. Yeah. You can do it in one year, you can do it in five. You can do it way before everybody else, or it could cost you three times as much, but you’re responsible now for doing that and communicating this to your team. 33:50 Got it.
But you said there are no overarching standards, right? Well, you could also say, like it depends on the CIO. You could say, we’re going to have everybody use two-factor authentication globally. 34:02 Now, you could then say, well, I’m going to use Okta, and you could say, well, I’m going to use Azure,
or I’m going to use whatever. So in that case, yes, you’re setting more of a conceptual standard. 34:12 Everyone else is coming up with the technology standards. I mean, it’s semantics, but ultimately the CIO is setting a technology vision, okay? Let’s take it to the highest level possible. Everyone else
is responsible for executing that, but to the standards necessary for their particular thing. 34:30 Got it. Got it. Now, in the case of decentralized IT, business units purchase their own PCs, server, software, mic, network, network equipment as per their local needs. Okay, yeah,
I mean, you can have, you can have a huge division in China, and they can’t use Google. 34:48 So what you’re going to do, you can’t actually have a Google mandate for the company, you have to use something
else. Right? Like, the point is that the CIO is probably setting a very vague but broad standard. 34:57 Yep. Of some level. But everyone else is responsible for carrying that out. Sure. Okay. Interesting. Yeah. Notably, there’s no central IT procurement; that’s usually handled by the individual functional units. 35:11 Many
different technologies and vendors are used across the company as local IT teams select their own preferred solutions. As such, each business unit makes independent choices regarding cloud versus on premise, given that there’s no central strategy. 35:23 Unless of course, you get to the point where
the CIO is saying everyone will go cloud, but I don’t care how you do it. Like whatever the or as most cloud as you can. That would be a case where, you know, again, there’s a there’s a broad edict. 35:37 Everyone’s
left to make their own strategic decision. Got it, right? And the strengths of this, of course, is the model aligns to the corporate functions that these individual units support. IT is more specialized expertise, which allows for, of course, increased responsive to their
responsiveness to their respective functions. So if I have an IT team that’s supporting a finance group for North America, we only care about finance. Nothing else matters, right? 36:01 Mm-hmm. IT allows it allows for more autonomy and agility the individual business aligned leads
decision-making is localized between the function and the IT liaison. Solutions can be tailored by function and tighter alignment and stakeholder relationships can be built. But in the weaknesses side, there’s an abundance for a duplication of effort resources or systems. 36:22 Mm-hmm. It
can be difficult to coordinate IT programs at the enterprise level. There’s a likelihood for inconsistent architecture and technology. Standards can fluctuate and there can be difficulty implementing and enforcing IT policy and a lack of standardizations can be defragmented systems with process and platform wise. Now in that cons column or problems column,
every single one of those is something that can be solved by governance, right? 36:49 Now yeah, also from the same book, I took another passage out and again, I’m reading a lot. We’ll get to the discussion in just a second. Let
me just get through this. Again, I want to point out that I’m a huge believer that an IT leader shouldn’t carry not only experience and leadership, but should have a wealth and depth of experience across all facets of IT. This includes having a strong background in security as noted above,
but the IT leader should also have an equally strong background in project management. Now, what they ought to be clear about is we’ll talk about project management from a couple different angles tonight, because after you go through this chapter read in a few minutes, you’ll hear me use
things like project management, project guidance, process management, process guidance. At the end of the day they all mean the same thing, which is you have a structured set of steps which help you accomplish a thing that you said you would do here and it should look like this here and
along the way you got it done. Okay, like that’s the most simplified version. I’m oversimplifying it to an extreme degree, but when I say project management here, that’s what I’m referring to. 37:53 For a newco’s sake, for a new company’s sake,
it would generally already have a centralized PMO, a decentralized PMO, basic project governance, and no PMO where nothing at all resembling governance. Any one of these is possible, okay? So it could be the most experienced kind of project management office, which is a centralized
one; next level down you have a decentralized one, but still one that functions; then you have basic project governance, which is we know how to install something; and then there’s no organization at all; and then lastly there’s just everyone doing everything for themselves. Regardless,
this does not mean the IT leader, you, has no responsibility here, especially considering the majority of IT projects affect a large part, if not all, of the organization. 38:40 The bottom line is that IT will have projects that have business visibility, consume resources, use budgets, affect customers,
and have a lifetime of impact regardless of the length of their subject’s existence. 38:51 Therefore, it makes perfect sense that some type of project and task management model should be used within IT. Regardless of the model of IT, including decentralized IT,
the question here is, should there be an actual dedicated segment of IT for project management? 39:07 That’s a big question, and we’ll come back to that in just a few moments, but think about this. I’ve worked in companies where project management
reported into IT because IT does the most amount of work with regards to different projects. 39:21 Other groups will do projects. Clinical will file an IND with regulatory, or research will go ahead and just run an experiment. These are all very process-based, step-based things,
but are they programmatically going to affect the entire enterprise? 39:39 Are they so in-depth where there’s multiple functional lines coming together to achieve a thing? Perhaps, but IT generally gets the burden of having a project management office inside of it. Now,
somebody else in the business can also serve a project management office, too. 39:54 The question becomes, should IT have anything to do with corporate project management? We’ll hold that one for a moment. Let’s look at some of the positives and negatives of this possibility, and then we’ll discuss. 40:06 Having a dedicated
governance team in IT means that it gives you the IT leader, and for the rest of the IT department, insight into project priorities, resources, and timelines for planning purposes. 40:16 You get the goods before anybody else. You essentially get the ability, the high-align into data, so
you can have the best strategic plan. See, I said strategic. Strategic there. Almost got it right. 40:29 Especially important for high vision, high visibility, high cost projects. The project team’s presence within IT enables the team to align project delivery capacity with demand. Further, it can also help with the prioritization of objectives.
40:44 IT project managers can leverage IT, including infrastructure, tools, and processes for managing their projects. So they also get the inside line of the best tools and procedures, but way before anybody else. 40:57 While they could do this from an outsider’s perspective, there’s an opportunity for linkage directly to
IT resources like help desk platforms and similar resources in terms of utilization platforms. While this may only seem relevant to project managers, having them inside of IT also allows for potential career, lateral development into other branches of technology. 41:18 So you can have
a project management person go into business analytics, which then transforms into development and then something else, okay? Rooting a project management function in IT also creates clear escalation pathways between project teams; that goes without saying. 41:35 Now, potential negatives. Inherently, there’s
always the risk that projects may become too IT-centric versus business-centric. It may also be perceived in the business that IT has an advantage over other projects that require technology. 41:50 And of course we do. But for which the business
leaders sit outside of IT. It is more likely than not that many of the IT staff including managers lack experience or skills in project management. There will definitely need to be a quote-unquote period of patience in terms of bringing everyone in IT up to speed or project management is as
defined by you the IT leader how it works and how it impacts the group and the company at large. 42:15 If your project managers are resourced within IT there’s always the risk, especially in a centralized model, that they will have less visibility to what is happening with the rest of the business operations.
42:26 This is one of those cases where decentralized project management comes in handy because if you have a functional if you have decentralized functional IT units across the entire division each one having their own project manager, then you can have those project managers create a decentralized PMO. 42:41 That’s right, Mike. Now
depending on how much governance you install in your IT department, you may end up with a creating too much bureaucracy which can and does impede the agility and empowerment of project teams. 42:54 Especially those already operating at a slower
pace than the rest of IT, and I’ve seen this happen in real time where we went too far in implementing process. Too far such that functional lines didn’t meet their deadlines to launch an ERP or to launch
a solution because IT was too mild and saying no we’re sticking to these steps one at a time. 43:16 Infighting can happen. Disputes between IT and project managers lack a neutral resolution. If my IT project manager reports to me, I disagree. We don’t have a third party to go to. There’s
sort of no neutral place to go and resolve that. So you have to make sure that your IT project manager is in, obviously, total alignment with the IT strategic plan. 43:39 I said it again. All right, I’m tired of talking. Now it’s your turn, Mike, Nathan. Okay, everything I just said, ignore
all of it and tell me about decentralized IT, the pros and cons, or talk about some of that. But what I want to know is, and what everyone wants to know is, we’re about to spend a ton of time talking about governance. How does decentralized IT fit into this? 44:04 I think so
decentralized, the description you gave, I think it’s slightly more out there than I would say. I think of more of a distributed, based on what you had written there, that they’re being like no lack of standards in, in terms of without, without, without governance, right? 44:22 So it’s important
that, you know, in a distributed... There you go. Yeah. That you bring that back in as an IT function, like even in a distributed or decentralized model that IT is ultimately responsible for holding down the standards and for helping to build a project management methodology
and to have a decision-making process for all of those functions that are going to have technology leaders in them, in IT people, perhaps, really there’s no IT people anymore. 44:56 It’s more business people who know how to use technology and there’s so many business technologists. There’s so many more
of them now that I think more and more in sort of CVs and resumes, there’s a lot of technology built into even someone who might be in the finance group or someone who may be in the clinical group. 45:15 So, I see the decentralized model
can really work as long as there’s a hub model in IT to handle cybersecurity governance, which we’re going to talk about tonight, which is crucial for a distributed or decentralized model to work. 45:30 So there are some rules. It’s like having
a country with no government, right? So you’ve got to have something in the middle that’s helping to make sure the rules and the laws are abided by. I don’t like the word governance because when I look
at, we can talk more about governance, but just in terms of governance as a sell, if governance is done well and business process management is done well, the company will operate smoothly. 45:54 It enables the business. And I think people hear governance and they go, oh God, more paperwork, more processes. I don’t
even understand why you need to do half of this crap. And it’s got to be more about how we repeat the same processes that work over and over again, so they become part of the culture of the company. 46:13 And in a decentralized model,
that can all work if you have governance, but I think that governance, cybersecurity, perhaps even standards and enterprise architecture need to be centralized and the rest can all be distributed. 46:27 piece and the architecture piece kind of go together in my mind. So, so in your, what you’re talking about is what
I define in the Calculus of IT book as matrix IT, where you have combination of both decentralized and centralized IT working at the same time. So yeah, IT leader, their essential philosophy, and that’s distilled down to the respective groups and they themselves have to execute that philosophy.
Yeah, you need, I think you do need some, some level of, you have to have some rules and some standards, strictly from a cybersecurity perspective. It’s not as open as saying, okay, we’re all gonna do
this in the next five years, you go figure it out, to more like, okay, we’re all do this in the next five years and this is how you’re going to do it. Then the quite, I guess a question back on
the decentralized, truly decentralized model is, what is the role of the CIO? Is it just to be a visionary? I mean, well, that, I mean, we can bring consultants in to be visionaries. 47:20 Oh, so, I mean, I can,
I can, I don’t want to, I don’t want to, I’m not, I’m not going, I’m just saying that. I don’t want to say a name or a title. From a business perspective. The person’s not in this barn, but there’s an individual who is representing about $38 billion right now in corporate
investments, who is a, a chief digital and technology officer, has no direct reports. 47:45 Wow. And this person, this person speaks a lot. They speak a lot. They talk about, you know, IT visions, and what their company’s doing,
and what they’re planning. They actually have no operational impact on their CIOs that also do IT. 48:03 So then that model, that person’s saying, yeah, as a company, we’re going to XYZ. They’re CTO, they’re publicly visible too, right? They’re going to. And this particular company, they’re not public, actually.
48:14 No, no, I mean, in terms of this person’s role is to be exposed and visible, and be very, yeah. So I know two of this person’s CIOs directly, and that is a decentralized model. They are given like these wackadoodle visions to understand. 48:31 Sounds awesome.
Sounds fun. But in truth, a real decentralized IT organization, when run right, means that I have, like I’ve gone ahead and assessed everything, as is a head of IT, I have a vision, and now so I go
to my CIOs or my leads from my functional units, and I say, okay, Mike, you’re overseeing Asia Pac. 48:51 We have to get to here. Like, do you understand my vision? You’re going to say, yes or no, or whatever. I’m like, okay, cool, now go do that vision. And then I’m responsible,
like I get the credit. I’m responsible for, like, yes, Asia Pac did this thing. 49:09 Whereas Nathan’s saying, like, okay, North America, like I can do that, no problem. What if I also did this? And I’m saying, oh, that’s fine, you do whatever you want. But you’re going to execute this bigger vision.
49:19 up here. Got it. So they’re setting that leadership part, like, oh, you need help, just come and talk to me, otherwise I’ll be on my boat, like, don’t bother, talk to me. That’s what the decentralized IT leader’s
effectively doing. A matrix, the IT leader is doing that but also like saying, okay, you have to do it this way. Yeah. Well, I think, you know, what Mike is sort of driving at, I think what, I agree with Mike.
I think, you know, any model works; you hire the right people, the models can work, right? I think in a purely decentralized model, what you’re looking for is truly a vision person, right, at the head there, right? And they are, they are truly removed from the day-to-day operations,
right? And what, how do you get there is what’s important, is people, right? So if you’re gonna have 12 CIOs, right, you gotta make sure you bring the right people in, right? Because they’re, they’re taking that vision for you and they’re putting that on the screen, they’re putting that on the
paper there, you know, whatever that product is that you’re delivering. Yeah, that, that’s, so what, you know, sort of harkens back to something you said earlier in the cast here, which is, you know, training, you know, and people, that’s the most important part of all of this. You know, if you
don’t have good people, regardless whether they’re, you know, ego-driven or, you know, ego-less, right, you’re gonna be in a problem. You know, it’s gonna be a world of hurt. And so a purely decentralized
model, I think it could be very effective, you know, for all the reasons that you mentioned in, in the earlier in the cast here where you’re talking about the pros and the cons. You know, those pros
are phenomenal. You want those things, right? Yeah. And I think we can manage the cons, to your point, through policy, through training and attracting the right talent. So what if in a decentralized model then, so it’s almost like a page to say that decentralized IT model, then this
figurehead, this visionary leader is stating, okay, you’re, you have a functional business unit, you have to get things done, here’s the governance under which we’re going to do it. Like, I’m gonna take care of the governance piece, so I’m not gonna set the IT vision, I’m actually gonna go a different direction.
So Mike, Nathan, you have your respective IT units, Asia Pac, North America, you’re doing great, doing every, doing, but no matter what, I always want you to both follow the same process. Yes. And I always want to see your OKRs, your metrics, your FOMS every month, and they should always be
on this particular line. Yes. That’s my governance, right? You’re gonna always do the same projects the same way. Okay. Yeah, yeah, that’s exactly what I’m saying, is that that CIO does have to some, or super CIO needs to have some sort of ownership of the overall governance plan for the company. It’s
not each group has their own. I think that that’s one of the things that kind of different you, and it might be country by country because there’s different rules and laws and everything else, but
I think, yeah, I agree, I agree. I think it’s can be hugely effective. I think there is, in a small... We’re talking more small-medium business, I think it’s a little more challenging to pull that off. 52:23 I think in a small-medium
business, it’s less like you have decentralized IT. Yes, agreed. Probably go with centralized matrix or matrix. Matrix. Yeah, probably matrix. I think matrix is very possible. 52:32 Yeah, very popular, yeah. Regions are so important. You map this back to things that we’re managing
every day in our environments, right? SOX, what it might not be. I mean, the differentiation between the legal requirement in Spain versus Italy, right? 52:47 And understanding that at an intimate level and being able to guide, right? Is, you know,
critical to ensure that your filings are on time and things are occurring on time, right? The last thing you want to be seen is the person holding up the ship, right? 52:58 So I think, you know, if you’re going to go a true decentralized model, you really need to
take a step back and understand if you’re a regional player, are you a local player? And what does that mean from a policy or, you know, process standpoint, right? 53:13 What if, in a decentralized model, we’re… a matrix model, or even centralized model, you took the project management out of IT,
you created, or the business created, and IT, to a degree, participated in this creation, but the business created a project management structure that brought IT in, and in the case of decentralized, of course, brought in all the functional units into a broader structure. 53:39 But even
in a small company, had project management not reside within IT, but had IT play a major role in the governance. So how, so, we’re talking about decentralized IT, because I think that’s the most compelling case, so either from that perspective or another,
how do you make it so that IT can have a major stake in project governance, and project prioritization, project process, but without having project management reside within IT? 54:11 I think that as an IT leader at any organization, most leadership is gonna come to you to ask
for a lot of the particulars around an IT project, regardless of the process, but I think it gives you the opportunity, when that discussion happens in your first week or two, to really instill some of the confidence in them that you have a procedure that you wanna follow,
and you have information and artifacts that you’re gonna provide to show them along the way. 54:40 You may not own the process, but by setting an example early on, they might want you to do more, and it’s a question of whether
or not you want to be able to get the IT projects done within a certain framework. 54:54 I mean, a lot of times, agile is introduced by IT, and that is a game changer for businesses that go totally agile. And that, I think,
is a great on-ramp to how you can potentially not need centralized project management or a big PMO. 55:12 Let the PMOs run the programs, the drug programs and the launches and that type of thing, and then have sort of this… middle
ground sort of agile community of project managers that can sort of do what you’re saying, Nate. 55:25 You don’t necessarily have it in IT, but you have a community of project managers, which you mentioned kind of earlier on in your
pros and cons of distributed, decentralized IT. I think there’s a way in that way. 55:39 For me, in the current role, there’s a project management, program management team, and they’ve done some outreach to say, where
do you need help from us? Where can we help? And they’d be very open to me saying, this is how I want to manage project management, but not strict waterfall project management or more so than open. 55:58 Here’s a few artifacts we
need to record. Here’s our timelines. Here’s our budget. Here’s our total cost. Nathan, what do you think about that? Yeah, I think, you know, I don’t want to just become an echo chamber here, right? 56:08 But I mean, it’s hard
when you find like minds, right? You know, one of the difficulties I’ve personally experienced in my career path and working specifically within life sciences, is that when you’re a small organization, you’re that baby co, right, that new co, you’re seen as the one stop for everything. 56:26 You’re that guy, right?
They’re coming to you for every single thing, right? And it can put a big burden on you when you’re trying to accomplish those year one, year two tasks that you point out in your book, right? 56:38 You’re trying to get to
these things because you recognize as that early stage leader that there are certain requirements, right, that are coming down the pike at you, right? And you need to prepare the business. 56:48 So, you know, you might be looking at platforms implement, you might be looking at trying to advise and inform the
executive leadership team, right, whatever stage they’re on. You know, I’ve run into organizations where, you know, it’s 30 people and there’s no concept of project management across the board. 57:04 I’ve come into companies with 30 people and it is tight, very tight, right? You know, I think it’s, you know, you need to,
you sort of, you need to. Well, why is that? What situation did you walk into where it was tight? 57:17 I was an organization that was moving between phase two, phase three very rapidly with a medical device. And so I had never seen an
organization have two people in R&D, right? And have the rest of the organization be supporting clinical effort, legal, you know, their IT department was two part-time contractors, right? 57:37 And so, but the program management teams were strong, right? And so, ancillary speaking, the other departments were using those teams, by
the way, the way I’d seen. So program management did exist. Yes, yes, it did, yes, yep, yep. 57:51 Okay, so we’re gonna come back to program management too a little bit later, because that’s an important function that can be very powerful. It can be like Skull and Bones,
you know, in a company. I mean, if you’re not careful, it’s like, we don’t talk about, well, we kind of do, like in chapter two of the book, we talk about key stakeholder interviews, we start talking about building your foundational plan and who you should talk to. 58:15 I’m remiss in mentioning
that you don’t talk to program management, but you do talk to program management. If there’s program management in your company, buy them a six pack, get to know everything about it. 58:26 Because they get all the info.
They already got, they are way ahead of you. So to both your points, Nathan, you sort of mentioned this in a way that I like the way you said it. Mike, you got there from perspective of there’s already going to be potentially program, project management or program management in the company.
58:49 But what we’re going to talk about in a moment with the chapter is the fact that there isn’t. That you’re walking in as an N of one and to make IT and to your point, everyone’s like, wow, you’re the genius. 59:04 Where’s your freaking program,
project management? Like I need an ERP so make this work and you got to put something in. You got to like, in the first 90 days, first 100 days. Even the first half of your tenure, expect that somebody will come to you and say, Oh, by the way, we just bought NetSuite.
59:25 We need you to put it in for us. Or we’re looking at these 10 vendors for XYZ. And by the way, at my last company, I used one of them. So we’re just going to go with them. And you’re going to hear this in your key stakeholder
interviews, you’re going to hear, Oh yeah, my last company, I just use them. 59:42 So we just thought we’d go with them. We already talked to them. We have the, I have the terms and contract
right here. Can you just sign it for us? Or we already signed it. Oh, we already signed it. 59:51 Can you put this in for us? No, we, we need you to support it. We don’t have anybody in our department to
support it. You can hear all of these, right? I once was asked to implement an ERP and the, the actual documentation was in French, literally in French. 01:00:07 We, we didn’t have ChatGPT to translate that on the fly. Translate this document for me. And it should say,
it’ll say you are fucked. Kind of. Kind of. Yeah. So AF on your ERP. So, so decentralized IT, we’re going to come right back to this because I’m in just a second to the magic technology. 01:00:29 I’m going to be the
chapter, but don’t, don’t, don’t worry about it. Because when we come back, what we’re going to find out is that our new IT leader has no IT department yet. Maybe, maybe one person has no decentralized IT capabilities exists in the company. 01:00:46 It’s a, it’s the only frontier,
the only sheriff in town and has to sort of build this out. Decentralized IT though, is going to come back in the discussion. We will keep talking about it. It is an important thing to recognize and whether you’re going to think about taking something out of your
IT department and putting it somewhere else, then having that do its own thing and trusting it to rely on your process, we’ll sort of bring it, we’ll bring back, we’ll come back to that. 01:01:12 Excellent. Oh, hey there. It’s Nate. It’s Monday night. I’m actually reading the chapter of this week’s
podcast independently, chapter 15 of the Life Sciences IT Survival Guide, which is on governance, because it’s a long chapter and we have a lot to talk about on Wednesday night. 01:01:34 So through the magic of technology I’ll
just sort of inject this into the middle of the podcast when the final video comes out. But just note that we’re sort of skipping over this part on Wednesday night. We will have a special guest. 01:01:48 His name is Nathan Doyle and Nathan was
kind enough to recommend Glendalough Double Barrel Irish Whiskey, which I’m having tonight along with the podcast. If, if you’re buckling yourself in to listen to this one, I highly recommend pouring yourself a glass of your favorite beverage, kicking back and listening to the wonderful tenor of my
voice as I read chapter 15 on governance from the Life Sciences IT Survival Guide. Just a quick note, by the way, before I get started, there’s a ton of tables in this chapter and pictures. 01:02:21 I’m going to do
my best to sort of represent these. Some of them I’ll show on the screen for those who are watching this on YouTube, but others I’m just going to do my best to interpret. So hang in there. 01:02:32 You can always go
look at the chapter later if you want. There’ll be a link in the podcast notes to see the chapter in the tables. But like I said, just hang in there and we’ll get through this together. 01:02:40 Okay, here we go. Chapter 15, governance.
Within the first year, even within the first 90 days, you will inevitably cross paths with the genesis of corporate governance in some form. And already we have a footnote in this chapter. 01:02:58 Here it is. Throughout chapter 15, I use
the words governance and guidance interchangeably. Don’t be alarmed. In general, guidance is a policy reference or some other document that covers a series of steps necessary to support governance. 01:03:16 However, governance is itself also guidance. Don’t say you weren’t warned. Those early seeds of governance may just be subtle undercurrents
in the business culture, but they are there. This is because other leaders in your company have also come from places where governance was a part of their daily lives, and they recognize its value and directly or indirectly brought it with them into your new company. 01:03:44 However it may be,
they will be facing the same obstacles as you for instantiating governance principles in their areas of focus. For instance, your legal department may only just be starting to consider how to get a grip on managing future patent litigation, 01:04:00 while your finance department may
be months down the road already in the process of formally documenting financial controls for a SOX audit. The speed at which each team is moving is relative to the available resources, 01:04:13 the general emphasis and pressure on them to implement good governance, and their
particular position on how fast they should be moving. Wherever the functional lines may be in their respective journeys, you have to start constructing the governance that the IT department will need to be successful, and this must start in year one. 01:04:33 Why is governance so
important for success? Governance answers one of the most critical questions about your fundamental objectives of leadership. How? How will you select the platforms you are going to implement? 01:04:47 How will you construct a security technology stack and deploy it? How will you protect corporate data and make sure
it is backed up? All of the hows are answered, in effect, through the implementation of governance. 01:05:00 If you were to give two football teams a ball, lead them to an open playing surface and then just blow a whistle but have no goals,
No referees, no sidelines, and no the result of the fact is akin to what you would experience. 01:05:13 If you tried to execute an IT strategy without governance Provide the how and all of a sudden you have a formal game with rules expectations of outcomes special teams Coordinated
plays, a game clock, and even a coach. But you are thinking, damn it, Nate. 01:05:32 You just had me write a strategic plan. Isn’t that enough? What more do you want from me? Yes, you did write a strategic plan,
which is actually one of the expected outcomes of IT governance. In fact, having an IT strategic plan is both a requirement of IT governance and finance governance. The day will come when you need to submit that IT strat plan during a SOX audit as evidence that you understand how
to write and how to get approval for an IT plan. Your strat plan answered the what, but it did not provide the guidelines of how. Indeed, you will have gone to some great lengths in your strat plan to
define what you will do and the steps needed to do that. But you are thinking, damn it, Nate. 01:06:19 I just wrote a strat plan. Isn’t that enough? What more do you want from me? Well, yes, you did write a strat plan,
which is actually one of the expected outcomes of IT governance. In fact, having an IT strat plan is both a requirement of IT governance and finance governance. The day will come when you need to submit that IT strat plan during a SOX audit as evidence that you understand how to write
and get approval for an IT plan. Your strat plan answered the what, but it did not provide the guidelines of how. Indeed, you will probably have gone to some great lengths in your strat plan to
define what you will do and the steps needed to do it. But how did you come up with those steps? 01:07:03 How are you going to ensure that they are the right steps? You certainly are not just going
to close your eyes and throw darts at a board when it comes to selecting the best platform for the company, so what is the methodology behind all of your choices? 01:07:17 That is governance. In a corporation, governance presents itself in so many forms, ranging from the formal to the informal and the hidden
to the overt. Governance can be presented as adherence to a state, federal, or global mandate, or it can be something that the company itself mandates as a matter of good business practice. 01:07:38 It can even be mandated by a single department. Certain departments in the life science area of companies, which includes IT,
do have to create good governance models for their respective methodologies. 01:07:51 Though there are some stand-alone outliers to the common framework of what to expect from good governance in a life sciences company vis-a-vis any other company, I have categorized the bulk of corporate governance in the following six
major categories, and under each called out the specific areas relative to those categories 01:08:12 where you would find governance in its various forms, and I’m going to show a table up here on the screen now. Thank you. So, for the six major areas, you’re going to find technology,
financial, programs, organizational, process and corporate compliance. 01:08:35 Now, for instance, under technology, you’ll see there’s prioritization and project management. There’s development, infrastructure and operations, security and risk, and there’s data management. Under financial, you’ll see things like SOX control, reporting, auditing. 01:08:54 Under programs, you’ll see portfolio strategy, business development, commercial,
awareness and engagement. Under organizational, you’ll see things like enterprise risk management and business continuity, perhaps even culture and M&A. 01:09:08 Under process compliance, you’ll see quality compliance, medical, legal and regulatory compliance. Under corporate compliance, you’ll see intellectual property and patent compliance, contract management and whistleblower and ethics compliance.
01:09:23 So as we can see within the technology category, which I just mentioned, we have five main areas of governance. Now, while IT has its proprietary areas of governance in which it must create standards for operation, IT also plays a role in almost every other area of governance in the company.
01:09:40 In some specific areas of the business, IT actually plays more than just a bit part. So I’ve noted those areas above in the table along with a brief description below, which I’ll read now. So for SOX control management, where does IT play a role? 01:09:55 Well, in proof of controls,
artifact retrieval, control mitigation and platform implementation. For enterprise risk management, information security response and data management. For business continuity, well, of course, continue to access the data and platforms in the event of around the world 01:10:12 emergency. For quality compliance,
well, in the life sciences industry, it’s 21 CFR 11 adherence, computer system validation, quality control, and GxP. Under contract management, you might have a CLMS platform, electronic signature management, and even data management, and so on and so forth. 01:10:34 For this chapter, however,
I would like to place the emphasis squarely on our IT leaders’ shoulders and discuss IT governance that is to be led by IT. And here I have a footnote. When the time is ready, those other functions that require IT’s input into their governance will come calling for IT’s assistance. 01:10:55 In year one,
it is not practical for all of these to be implemented, as some just won’t be needed yet. And for the ones that are implemented, it is likely that only certain aspects will be launched, while others will remain on hold until the business matures further
01:11:10 in years two and three or further down the road, and I have called these different aspects out accordingly. Those that will remain nascent or not fully matured until years two or three will be further detailed later on in this book. 01:11:23 By the way, this is an immense chapter,
so I have just sold it down to the respective five groups noted in the table above. Conceivably, this chapter could be its own damn book, and in fact, it was, until I consolidated it into this chapter. 01:11:38 Take it one step at a time,
but do not, under any circumstances, neglect the importance of governance in your mission. So let’s start with prioritization and project management, and let’s go back in time and reflect on the key stakeholder meetings. 01:11:54 The chances are excellent that you
heard at least one key stakeholder say something to the effect of, “Well, at my last company, we used platform XYZ, so I already talked to the vendor there that I know about using XYZ here.” 01:12:11 Not to worry, this is somewhat of an expected refrain. Your key stakeholders may have enjoyed
success with a particular platform or a piece of software at their previous company. Still, they are unlikely to remember that at their last company, they also had an IT department of maybe 30 people or employed dedicated staff in their function for platform administration. 01:12:35 Your key stakeholder’s statement is not one
to take lightly, especially if they have already spoken to the vendor. Still, it’s a good indicator of where their mind is in terms of expectations for their functional area in the business. 01:12:51 Having good IT governance, especially as it relates to project prioritization and project management, will be the guiding
principle behind your following response: “That is wonderful. I look forward to speaking with the vendor and looking with you both at your selection process and the broader industry 01:13:10 to see if perhaps there are vendors even better suited to align with our business strategy,
resources, and long-term plan.” Now, overall, when it comes to prioritizing anything, you have to account for the three primary assets which can assist with your prioritization. 01:13:27 The short asset list includes three very objective measurements of availability: time, resources, and money. In any given strategic paradigm, corporate
or real life, you can only ever get anything done if you have the proper balance of each. 01:13:44 Now, let’s digress for a moment and talk about the actual numbers behind resources, specifically as it relates to availability. Now, over the years, the IT departments that I have had the great fortune
to lead have always loved the fact, and this is a footnote, by loved, I mean hated, that I routinely reminded them of exactly how many days were left in a given fiscal year almost every week. 01:14:10 I did not remind them so much
as to be a lording pain in the ass, but because time, as a resource, is too often disregarded as infinitely expendable. In fact, time is the greatest delimiter of the three assets. 01:14:25 Here is why. In a fiscal calendar year, a company can only count on an average of about 255
available working days for every employee. If you subtract a few weeks of vacation, this leaves 240 days. If you subtract one week of training or conferences, this leaves 235. 01:14:43 If you subtract, say, five days for sick or personal, this leaves about 230 possible working days. But let’s be honest with each other
for a moment and say what we all know is true. The eight-hour day is a thing of the past. 01:14:57 Again, I have a footnote. Though what has replaced it is not very good. I uncovered some disturbing data from the U.S. Department of Labor
about the average productive working hours per day being somewhere around two and a half hours. 01:15:10 Now, this is 2020 data. But even if we sort of marginally assume that it’s gone up, it probably hasn’t gone up by very much. So,
for the sake of keeping the math to a nominal state of background noise here, let’s just stay with the notion that eight is still the number of hours your employees actually work in a day. 01:15:33 That means there’s eight hours that during all eight hours, they are working. There’s no break. They’re
just working for eight hours a day. This means that with 230 possible working days, you and your resources each have about 1,840 hours to get everything done in a fiscal year. 01:15:52 Seems like a big number,
doesn’t it? Well, when we first created our IT strategic plan, we created an extensive list of tactical goals to move the business forward. Those goals, however, just don’t happen on their own. 01:16:05 They need at least one person in IT to either
do them or receive those that do. In all likelihood, and this is a number I have arrived at with more than a score of years of experience behind me, the IT-specific actions in your strategic plan, those that are IT projects only and not aligned with the business, capture roughly
60%, or what would be about 1,100 hours, of your overall available departmental time per employee. 01:16:34 Since this 1,100 hours does not include the time set aside for implementing new platforms for the business, the amount of time available to support, implement, and improve business-specific
technologies is about 700 hours or about 88 days of availability. 01:16:52 And if we take the data that suggests that you will spend an average of five hours per week in meetings, again there’s a footnote here, and I follow this big study from AskCody,
there’s a footnote in the actual document, you can read all about it, but it stipulates that the average employee spends about five hours per week in meetings. 01:17:09 For some of us, it’s four times that. For others, they’re fortunate to be less, but let’s just go with five. You can further knock down that
number to about 600 hours. Now I will not include all the hours lost to distractions, drive-bys, spilled coffee, quick trips to the kitchen to be the first in line for pizza leftovers. 01:17:28 600 hours is a pretty good estimate of how much time each person in IT can reasonably return
back to productivity to the business per year. Again, not IT operations, business-specific operations. Again, it still seems like a significant number, but it isn’t. 01:17:44 It’s about 75 working days, or about one third of total annual work hours. Now,
how do you prioritize the 1,100 hours needed for IT goals versus the 600 available for business goals? Ostensibly, your 1,100 hours are related to business goals. 01:18:03 However, they only play supporting roles in carrying the functional line initiatives forward. Granted,
one of your key objectives in your IT strat plan may be a single platform implementation for a functional line, but even in that case, the model still holds true. 01:18:19 You will have X hours allocated
to the IT strat plan and Y hours available to the rest of the business. With all of this in mind, and thinking back upon our key stakeholder who used platform XYZ at their last company, we now recognize that there’s clearly a potential value in aiding them in accomplishing their objective. 01:18:40 After all,
they have demonstrated that the implementation and use of that platform leads to an important milestone for the business. However, after talking to the vendor for platform XYZ, we soon come to find out that platform XYZ will consume close to half of our
available resources in terms of hours for the whole year in just four months. 01:19:03 When you put pencil to paper, what quickly becomes apparent is that if you blindly move forward with the… key stakeholder’s need, at least one, but most likely a few, other functions in the
business will not achieve their goals, which may also happen to be important milestones. 01:19:19 Now that was a lot of math, so I’m gonna have a drink. Math makes me thirsty. Okay, so what the hell am I doing
with all this math? This is not a math book. Well, this math is why project prioritization as a paradigm of governance becomes so essential in terms of saving the day. 01:19:45 Project prioritization allows you to develop a system of rank that supersedes opinion and ensures that the most important platforms are prioritized
based on the three available assets, time, money, and people, relative to the business’s needs. 01:20:01 Though we have to account for the available budgeted funds, which themselves are finite. We’ve already gone through this. And the availability of resources from the functional lines, also finite. And in a growing life sciences company, pretty rare.
01:20:21 Even if IT does have the available resources to implement a platform, and even if there is enough time and money, the functional line itself still also needs to provide resources for their roles in the project. 01:20:35 Again, this
is why, to execute a plan successfully, you need governance. You need a clear and objective method to adjudicate the three assets appropriately among IT and the business’s competing needs. 01:20:50 So what does that method look like? Well, before we can begin to rank any technological priorities and provide a
basis for the strength of those ranks, we need to define our governance by developing the following. 01:21:04 A charter structure and the assemblance of a committee that will formally oversee prioritization. Criteria that the committee will use to determine what projects need to be ranked. A formal method for assessing vendors and requirements.
01:21:22 Criteria that the committee can use to perform the project prioritization ranking. A process to formally submit the ranking arrived at by the committee to the executive body for approval. A process allowing the committee to reprioritize on a recurring schedule. 01:21:41 Methods to continuously assess
performance against those who were previously approved for prioritization. And lastly, a transparent and effective means of communication to the business for the entire process. 01:21:56 Now, as with most corporate governance models, invariably some phenotypic committee will be adjourned to preside
over the maintenance and execution of this governance. And here I have a footnote. In IT, the three most likely committees to evolve due to governance are prioritization, statutory compliance, and information security and risk. 01:22:22 Committees do many things to uphold governance, not the least of which is ensuring, or trying to ensure,
unilateral fairness. Ensuring fairness, especially when it comes to governance that oversees prioritizing which functional lines get approval or not, is, of course, essential. 01:22:39 I won’t belabor all the details of the eight points above, but I do want to take a moment to focus on two of them,
assembling a committee and formalizing a method for requirements and assessments. Now, when it comes time to create a committee, and it’s likely that IT will be responsible for creating such a committee because it is a technological prioritization committee, you want to strive to not only bring together the correct number of people to
help administer the governance, but also to bring in the right types of people 01:23:09 who understand how the various functions and processes in a life sciences company work in unison, and this applies to companies of all industries. In consideration of what an ideal committee member would look like,
I’ve created a diagram which I will now show up on the screen for you. 01:23:26 Now looking at this diagram, there are six basic phenotypical characteristics that we want to sort of go after for employees. We have organization. And underneath the organization I’ve written has been previously employed in a
company that has attempted to or gone public or attempted to or commercialized a product. 01:23:51 Under R&D and regulatory, conceptually at least, this person is aware of the R&D life cycle. Ideas to trials to submission to approval. And all the resources required and nuances involved. Under compliance,
we have this person has participated in or at least been on the receiving end of compliance-related initiatives that compel adherence to regulations. 01:24:17 Under personal growth, this person aspires to grow a career within a life sciences company and is analytically minded
and a very fast learner. Under commercialization, this person understands the commercialization life cycle from research to clinical to manufacturing to commercial and the myriad steps in between. 01:24:38 And lastly, under manufacturing, has at least a basic understanding of how our products are
made and what the supply chain consists of, especially with the internal resources. Now, there’s a very low likelihood of you finding and recruiting large populations of individuals like this, at least in the earlier stages of growth in a life sciences company. 01:24:58 Furthermore, it is likely that those
you do find that meet the criteria are probably already on several committees or have other time commitments because of how much they know and their likely position in the company. 01:25:10 Therefore, sometimes you have to
make do with what is available to you. I recommend that, if resources are tough to come by to assist you in your governance plan, try to at least match three of the six criteria, but no less than two, 01:25:24 even if one of those is considerable strength
in the personal growth area. Incidentally, if you find yourself in a situation where it is just not possible to form a committee, this does not mean you are excused from prioritization. 01:25:39 Join forces with the CFO and anyone else who you can find, and while you await more resources to become available,
at least the two or three of you can execute the prioritization process by yourselves. 01:25:51 Now, before any request can come to the committee for consideration, you need to establish a formal process for building requirements and assessing platforms and vendors. We talked about this in the eight steps above.
01:26:03 Now, without a formal process for technology selection, the company will ultimately end up with what is known as technological debt. Technological debt comes from the ad hoc selection of technology based on subjective, generally borderline specious criteria bolstered by “this is what I used in my last company” logic.
01:26:23 Thank you. Technological debt is a gradual amassing of platforms and technology that no one can fully utilize because the original purpose was never truly established and no model for perpetual care and feeding was created. 01:26:42 While not a specific
remit of IT or the business, though it should be, avoiding technological debt is the implicit backdrop for your IT prioritization governance. Prioritization initiatives based on impact of the company and careful avoidance or minimization of technical debt ensures that the most
appropriate decisions are made for the long-term positive maturity of the company’s technology. 01:27:09 You can utilize a chart like this to help you understand how any investment in technology is likely or not to contribute to your technological debt. So under the question of resources and time,
does the business have the necessary resources to implement, train, and administer this platform? 01:27:32 Under funding, has the technology addition been appropriately budgeted for? Under priority, is this technology and investment necessary to support a strategic business goal? And
back to resources and time, does IT have the necessary resources to implement and support it? 01:27:50 Under funding, has the long-term care and feeding been budgeted for, including resources and risk avoidance? Under priority, does the business avoid risk or non-compliance by acquiring this technology? 01:28:04 And is
there a redundancy in place to prevent loss of institutional knowledge of this technology? Has the business properly accounted for incidental or unseen costs? And is the business able to stop the technology if it is deemed to be non-essential in the future? 01:28:22 Therefore,
understanding this table from a high-level perspective, here is what your formal process should contain in order. One, an initial discussion with the key technological needs leading to gathering requirements using a formal functional requirements specification, also known as an FRS but sometimes called a URS with the U standing for user.
01:28:50 Number two, a vendor long list which is a list of all known vendors that on paper would seem to meet the requirements for who will be included in the RFP process. A formal RFP or request for proposal,
which is built using the FRS data, is sent to those vendors who seem to meet the requirements. 01:29:13 During this time, a project team is also assembled, the formal group which will be responsible for the implementation. Number five, a vendor scorecard is used to empirically grade each
vendor who presents against the RFP and how closely they match the requirements. 01:29:32 Number six, a vendor shortlist, which is the remaining list of vendors who successfully pass through the RFP process. Number seven, a business proposal containing the elements of the FRS. It will be
presented to your prioritization committee along with a breakdown of expected costs, return on value, risks, benefits, resources, alternatives, and time commitments. 01:29:57 And lastly, a single vendor platform ranked as the ideal candidate is selected based on all information gathered. This process then dovetails into the remainder of the cycle of prioritization governance.
01:30:10 The steering committee leader, most likely you, will present the steering committee’s assessment of how the submitted business proposals ranked in order of importance to the business or to the executive team. 01:30:21 The executive team is then empowered to accept the committee’s recommendations or challenge the rankings by either asking for more information or,
based on the information they have, proposing new rankings back to the committee. 01:30:34 In any case, the ultimate result is that there is a formal prioritization yield, the functional lines are notified, and all candidates are expected to accept the prioritization and carry on with or without their projects. 01:30:46 Incidentally,
any formal prioritization acceptance does not mean that those who are approved are simply free to go. They will need to continuously come back to the prioritization committee throughout the lifecycle of their technology’s existence. 01:31:01 This allows the candidates to report back
on progress to ensure that the platform aligns with what was presented and agreed upon as the original scope. Further, any de-prioritized groups can potentially be re-prioritized if, for instance, a previously approved project needs to be cancelled or fails to deliver adequately. 01:31:22 If an already approved platform requires
an update or changes large enough in scope to require a new proposal, that will also require a return to the committee. While functional groups in IT may meet at any point in the year to develop a functional requirement specification, I strongly encourage you, the IT leader, to ensure
that the Prioritization Committee develops and publishes a schedule of meetings to the business. 01:31:48 This lets the business know when the committee will hear any new requests for business and hear readouts concerning the status of currently approved and ongoing projects. Ensure that your Prioritization
Committee meetings align with any budget reforecasts and any other quarterly milestones 01:32:05 when strat priorities may change. Absent an FTE who can manage a decentralized project management office, also known as a DPMO, which is generally a concept for much more mature stature companies,
the role of IT project management will fall upon the shoulders of you, the IT leader. 01:32:23 Platforms such as Asana can significantly assist with this endeavor. These platforms will allow you to plot out a course for the year and beyond as needed to ensure that projects are
managed across the groups and the overall portfolio is kept in a single location. 01:32:43 It is also a remit of the prioritization committee to determine which criteria will be used when deciding if a technological project will or will not be required to come forward to the
committee or be budgeted and handled outside of our prioritization process. 01:32:58 Not every technological project will require a proposal before the committee. Your committee would want to develop a threshold matrix that looks something like this. All projects must come before the prioritization committee when any of these conditions is true. 01:33:15 One,
when the threshold of the internal and external resources for hours exceeds X. Two, when the threshold of a contract, SOW, or combination of both exceeds X. Three, when the project directly supports the achievement of a strategic goal. 01:33:32 Four, when the project substantially creates or mitigates a current enterprise risk. And five,
when the magnitude of technological change substantially impacts the operations of the business. As a matter of best practice and to ensure fairness and transparency, IT projects that answer yes to the committee’s questions above must also come before the committee. 01:33:55 By establishing
effective project prioritization governance, you can begin to detail how a decision to do X versus Y unfolds. Further, you are involving the business in technological decision making, which continues along our theme of making IT a core competency for the overall business. 01:34:16 Now the implementation of the
project itself is the other side of the governance coin, so to speak. Good prioritization governance is not in any way predicated on the assertion that the individuals who are implementing the approved and prioritized projects have an established sense of how to implement the technology. 01:34:33 Again,
we come back to the word how. Per the governance prioritization aspect, they are required to report back frequently on the status of the implementation and utilization of their platform. Ideally, when they report back the news, it will be positive,
reporting that they are on time, on budget, and adhering to their proposed resource plan. 01:34:55 Deviations from any of these may not necessarily indicate poor project management, as spontaneous events do tend to occur to waylay even the best plans. However, any deviation should be understood and a mitigation plan established.
01:35:12 Good project management comes in many different forms, and is mostly an ideological construct. Bespoke IT project managers, and corporate project managers in general, come from a variety of different schools of thought and training. 01:35:25 Some may be
entirely reliant on a PMP methodology, or PMBOK. Others may rely on a waterfall, or agile approach, or something more akin to lean. You will find amalgamations of many project management types compacted together to complement one another through various project stages. 01:35:44 Some project managers
can carry multiple industry certifications and be absolutely abysmal at the role, while others who have no certifications at all can have track records of incredible project performance. 01:35:56 I will not spend the time delving into all the major forms of project management; there are too many good books already written on
this subject. I do want to touch briefly on the governance aspects though, and highlight the importance of responsible project management rigor, which I have written in the chart below. 01:36:12 And I will show this up on the screen. Thank you. For project stage and proposal,
the purpose of this is to advise the business as to the purpose, expected outcomes, resources needed, and timelines. This is effectively your change management process. 01:36:31 Governance applicability? Well, this is the big one because it answers both the how and why for a technological investment. For vendor selection, what’s the purpose? Well,
you want to select a vendor based on objective data, not because “I used them at my last company.” 01:36:46 Governance applicability? Well, it prevents tech debt and ensures the best alignment with your business strategy. For the project stage of vendor management, well, the purpose
is it keeps the vendors honest throughout the contract negotiation and implementation phase. 01:37:00 Governance applicability? Well, it ensures vendor accountability, and it helps in preventing scope creep, delays, misdirection, and deceitful practices. For implementation, the purpose is to define start and go-live dates as well as milestones in between. 01:37:17 It assigns
resources appropriately and creates actions based on dependencies. For governance, well, it provides this full scope of activities, sets a clear expectation of deliverables to the business. 01:37:29 Now I’m going to jump down to the post-mortem because we haven’t talked about post-mortems yet, but the opportunity for
the project team in a post-mortem is to assess its performance after the project. 01:37:39 Now they have lots of terms for this. I like post-mortem despite the ghoulishness of it, because in fact, you are going over something that’s now
in the past and effectively done. Post-mortems are an essential element of business improvement and allow teams to openly assess how well the team performed without fear of recrimination. 01:37:58 And that’s the key. This isn’t in the book, but I’ll tell you that anecdotally, I’ve seen successful post-mortems where everybody
in the room was able to properly say how other people screwed up without fear of recrimination. 01:38:14 And it’s a forum in which you should be able to do this. That’s the beauty of a post-mortem. If done right and led by
a seasoned person, you can actually make sure that the next time you do a project, it’s fantastic. 01:38:28 So, as you can see, a well-structured project management process, in this case, related to a technology implementation, has direct implications on the quality of IT governance for prioritization. Functional
lines that continuously demonstrate responsible governance through effective project management practices reap the rewards each time they have to come back to their prioritization committee. 01:38:51 In fact, I worked at companies where functional lines that consistently performed poorly have been required to be trained at
functional lines that do an excellent job. Makes sense. One last important note for you to consider is how much project management is the right amount of project management for you to introduce. 01:39:10 You do not want to walk in on
day one and detail your program for establishing a centralized project management office, also known as the CPMO. If you come out swinging that hard, you will alienate your customers, and of course they’ll think you’re batshit crazy, and they will turn against your entire governance model. 01:39:26 Plus,
they will probably think you have no touch with reality. Take a more straightforward approach. While it is advisable to use the chart above, make sure to take the time to walk the business into this model of implementing technology, one step at a time.
01:39:41 One way that I have found, which works wonders in terms of getting customer buy-in to the model, is to partner with any functional lines who will be coming forward with a proposal and take whatever time is needed to help them write their first FRS.
01:39:56 Don’t write the whole thing for them, but go ahead and go above and beyond to help them iterate the FRS by providing examples, testing their theories, and ultimately making an inscrutable document for the committee. 01:40:09 They will appreciate your efforts, and they will now have a document upon which they can
build their proposal and RFP quite quickly. Prioritization and good project management go hand in hand when it comes to idealizing the project prioritization approach of governance. 01:40:24 That’s a mouthful. However, in some companies, it is entirely possible that you simply won’t need to instantiate the full
scope of this type of governance in year one. It just may be that you do not have any projects which might fall into the scope of prioritization, or the business may just be too young. 01:40:41 It could also be
dependent on the time of year. This is completely fine, and in fact is more of the norm than the exception. Find the most balanced approach, but do make an effort to gradually introduce these concepts into the business at least before your first significant project gets underway.
01:40:56 As more and more projects come forward, introducing this form of governance does increase complexity. Now, in terms of development, at some particular stage between the years one and three, you will have a need for internal development. 01:41:16 That development
may come in the form of writing or using basic APIs and webhooks, or it may be significantly more complicated, such as developing an internally built enterprise application. Even something as fundamentally basic as integrating your new platform with an electronic signature platform
could create a development moment and fall within the scope of development governance. 01:41:38 Regardless of the complexity of the development lifecycle you are facing, having a governance model in place will ensure that any scale of development is performed in a documented, secure, repeatable, and stable way. 01:41:51 Now, in the
event that some aspect of development already exists in the company when you land there, the creation of development governance is an advantageous opportunity for you to not only understand the business needs of the developers, but to also work with them to
create the foundation for development governance, using what has already been done as the baseline. 01:42:09 By incorporating the building blocks we will discuss below, you can work with the developers to create a framework that ensures the integrity of the development lifecycle and makes the
developers’ lives easier by providing them with a set of common controls by which to operate. 01:42:24 Do not ignore the situation if you find that there are already developers hard at work at your company. You do need to partner up and make
sure there is some level of control in place. Now, development of any kind comes with inherent risk. 01:42:38 The risk doesn’t so much scale in proportion to the complexity of the development as it does with the type of development being actually undertaken. The aim of your governance model is to provide a
set of specifications that attempt to de-risk any development, regardless of its complexity or type. 01:42:55 Should a Slack webhook be treated on the same scale as a credit card web form? Yes and no. I mean, yes, each should be evaluated equally against the governance framework,
but no, each will most likely result in a different set of treatment and scrutiny. 01:43:11 In this section, we will largely focus on creating development governance, where development of any kind does not yet formally exist. And in doing so, we want to keep in mind that, much like you wouldn’t want
to walk in on day one and turn your company into a mature PMO, you should also lower your expectations similarly for the rollout of development governance in the first year. 01:43:33 Walking in and declaring, we are now an agile shop, we will be using two-week sprints from here on out,
will once again rapidly alienate your customer base. Smartly stepping into development governance is the optimal way to go to ensure a model that employees can understand and thrive in. 01:43:52 Now, unlike the other forms of governance that we will discuss later, which have myriad forms,
policies, and intersections of thought, development governance is generally guided by a core principle known as the Software Development Lifecycle Process, or SDLC. 01:44:05 There are methodologies that will complement and even sit atop a reliable SDLC program such as OWASP’s Software Assurance Maturity Model or CMMI. Still,
they will generally not stand alone. They do not complement poorly constructed SDLC processes. 01:44:23 Further, using an additional methodology such as SAMM is most likely a down-the-road item that you will begin to consider as your development program matures. A well-written SDLC will not ascribe
itself to one specific type of development since the company may use multiple types of development. 01:44:40 For instance, one group uses Agile, one uses Waterfall, and so on. The ultimate aim of the SDLC is to provide a universal set of guidelines that ensures the highest level of customer satisfaction
by adequately building and testing the readiness of any product for release. 01:44:55 The word product denotes anything from a simple web UI change to a new API behavior to a fully functional application. If you want to understand
the basics of what an SDLC should include, have a look at the Wikipedia entry for SDLC. 01:45:09 Here you can see the ten phases of an SDLC most commonly found today. Some companies distill this down to seven or eight steps. In contrast, others will expand this process. They’ll
either expand the requirements through the development phase to include several intermittent steps or more depending on their software quality testing and models. 01:45:28 There also needs to be a compliance element within your SDLC which details in the case of life sciences companies how GxP impacts software or is controlled through a series of
change control steps. These steps are in addition to the steps I mentioned above. 01:45:44 I have worked in companies with two distinct SDLC processes which were processes related to validated software environments and those in non-validated software environments. While it is not mission critical to have two distinct policies,
outcome will ultimately be determined through your partnership with your quality department. 01:46:03 The SDLC, much like the overall development governance, is a documented process that will mature in time. Do you need a fully functional corporate SDLC on day one? Absolutely not. Should you wait until a
functional line needs some substantial development and then write the SDLC? 01:47:03 Also, no. And that’s a hard no. Begin the process of socializing the SDLC concept within the business, especially to those customers most likely to require some type of development, shortly after your first 90 days.
01:47:16 In this day and age, that can be done by just about anyone. Still, you will come to find out in the first 90 days and through your stakeholder interviews – which groups are most likely to consume technology at a scale that
would require development versus groups that will simply use what the rest of the company is using. 01:47:34 Suppose you find enough willing participants, for instance citizen developers and business developers. In that case, you can even form an SDLC committee, whose remit it is to develop the SDLC and meet
on a recurring basis to discuss ongoing corporate development. 01:47:50 This is especially important if their range of development is broad within the business. It provides an essential level of transparency that will help prevent rogue development and be used to ensure adherence and potentially even reward the overall development experience.
01:48:04 Now in terms of creating and maturing your SDLC program, below is an SDLC maturity index that I have put together that
aligns with their new company’s first three years. 01:48:25 It makes some assumptions about your development environment as it relates to 2021 and beyond. It could be that your experience in maturing governance is faster or slower, so you would accelerate or decelerate as needed. 01:48:44 The matrix
also assumes that you either have an FTE or more in your roadmap or that you have accounted for third party consulting dollars in your budget for one or more development projects. Now I’m not going to read this entire chart, but it will give you the periods of time. 01:48:58 So, months 0
through 12 would be the crawling phase. Months 13 through 24 would be standing, and here, just to give you an idea of where we are in the process, we have some basic test methodologies in place. 01:49:13 Months 25 through 36,
you’re in the walking phase. In terms of process, you have some good capabilities now. You can do load testing, you can do automated testing, you even have QA collaboration in place. 01:49:23 Months 37 through 48, you’re now in the running phase. You have security development processes introduced,
such as DevSec, and you have usability testing implemented. And then lastly, for months 48 plus, for your process, well, you’re killing it, so now you’re introducing risk management, and it oversees all testing through deployment of all development. 01:49:45 In year one,
it is also essential you ask questions about, and pay special attention to, the business areas where API utilization is probable. Peel back the layers of any platforms in use and determine if there are already basic development instances. 01:50:00 Look for low-code,
no-code environments, also known as LCNC, and these are called things like Zapier, AppSheet, and IFTTT. Most of the SaaS apps in use at your company will have an API component, REST most likely, that is exposed by default, so dig in and find out what’s going on. 01:50:18 You need to do
this before basic API usage suddenly becomes production essential API usage and you are unable to rein in progress. For the next area of governance, infrastructure and operations, we’ll be focusing on establishing governance in several key areas of IT, namely public and private cloud environment management, data backup and restoration, physical access for on-premise
infrastructure, change control policy and management, and IT services and support. 01:50:49 There are other, more specific areas of infrastructure and operations governance areas, such as routine operations and alert reporting, which I won’t spend time on here. Those are either superseded
by one of the above, or they are a routine practice within IT as a matter of doing business. 01:51:06 Further, in year one, you will most likely only start to deploy your I&O governance in the form of change control and
aspects related to business continuity, such as data backup, physical controls, and remote access. 01:51:19 Physical controls and remote access, it should be said, are both a part of I&O governance in as much as security governance. In fact, of the three remaining areas of IT governance we will cover,
infrastructure and operations, I&O, security risk and compliance, data management, there are significant overlaps and dependencies between each of them. 01:51:38 While it is essentially true that the previously covered development governance also overlaps with these three, primarily because the SDLC required in development is entirely dependent on how these
three governance areas interoperate, I believe it as a standalone area of governance for now. 01:51:55 But wait, there is more. There is one other interstitial area of governance that falls somewhere between development and operations. I mentioned it before, but it is known as DevOps or DevSecOps, depending on your role.
01:52:09 Sometime between 2002 and 2009, the term DevOps became part of the standard IT vernacular. No one knows precisely, though, although Wikipedia authors seem to push that date more towards the latter time. 01:52:22 DevOps has come to mean many things to many people. It has spawned an entire industry,
even huge conferences devoted to arguing about who is more important, development or operations. I’m not going to wax philosophical on what DevOps is or is not. 01:52:37 Suppose you successfully mature your development, security, and infrastructure domains
over the next three years. In that case, you will be ready for the big time and you can roll out your amazingly innovative DevOps governance strategy that’s fit for you. 01:52:50 As DevOps governance is born out of the other governance models we will discuss, we will move on. I mean, geez,
we’re only still in year one. Now, I’m going to show this up on the screen. But if we were to visualize where the most essential overlap occurs between the three areas mentioned above, we would see a Venn diagram that probably looks something like this. 01:53:15 Now, what I’ve done
is three circles, one’s for infrastructure and operations, one’s for data management, and one is for security risk and compliance. When you overlap them in the middle, you get controls. 01:53:27 Now, using the term controls is slightly ambiguous, but it does convey the central thesis of the
governance. Let’s take a look at physical controls, for instance. If I have a need to ensure that only certain people are able to access a certain locked cage in the data center to perform systems administration on a certain server to allocate more storage space,
I would need to address that need recording the following governance. 01:53:50 Number one, I&O settings, which specify the correct physical device along with all of its current configuration settings in any given day and guidance to go with that. I&O guidance on how to properly test changes in a
test environment before rolling into production, both a security and I&O guidance mechanism, which states who can badge in the data center, who can also use a physical key to open the cage. 01:54:17 Security guidance that provides details on who may access that specific server along with
guidance as to how to see the credentials. Data management guidance on how to properly allocate space while retaining data integrity and how to classify the new storage space appropriately. 01:54:32 And lastly, data management guidance on how to test to ensure that after space has been allocated,
the prior data is unaffected. It seems exhausting, and I’m just going to take a drink here because I’m getting thirsty just reading that. 01:54:49 Yum. But take heart in the fact this is by no means your definitive outlook for year one. Year two may even be
a stretch for some younger companies in terms of having this entire process constructed. 01:55:02 You and your partner will undoubtedly craft these guidelines as the business matures and finds that it needs controls where none currently exists. So let’s get started by diving into the five main
areas of infrastructure and operations governance, which will most likely need to appear in year one, whether as mandates of overarching compliance or by virtue of complexity. 01:55:22 They are: one, public and private cloud environment management; two, data backup and restoration; three, physical
management for any on-premise infrastructure; four, change management; and five, IT services. 01:55:40 Now when it comes to governance in the public and private cloud environment management area, I feel that it is better to break this down into two distinct areas of control guidance creation. One, guidance for the administration of SaaS applications,
which either store data or act as brokers of data en route from A to B, or two, guidance for the operations and management of compute environments, such as Google Cloud and AWS. 01:56:07 Though they share common aspects of guidance, especially related to access control, each also has its requirements
for creating sound governance principles. In the chart below, I have broken down the essential information you will want to make sure you cover with the guidance in year one. 01:56:23 Keep in mind that there are additional elements you may add later to ensure even more comprehensive governance. For instance,
under security, for SaaS applications that control data en route from A to B, you’ll want controls to ensure the SaaS platforms behave according to standard practices. 01:56:40 This can include SOC 2, ISO, SSAE 18 audits, or documentation review. Now, for access controls, for data that’s transferred
from A to B, you’ll want controls to ensure that the least privileged model of access is enforced. 01:56:58 Service accounts are used wherever possible. Lockout standards are in place, as well as anomalous behavior detection and
prevention protocols. Now, I’m going to show this table up on the screen so you can better see this. 01:57:12 Under maintenance, for administration of SaaS applications, which either store data or act as brokers, unless there’s a secondary fat client, for instance, Google Drive, maintenance controls are limited and focused on ensuring access
vehicles, for instance, Chrome, are updated to the most secure versions whenever in a session. 01:57:31 There are several other examples in this table, and I recommend that you read this when you get the chance. I will bookmark this in the notes for the podcast. Now, under data backup and restoration, a single
comprehensive backup and restoration policy will generally satisfy your needs for this aspect of corporate data management governance insofar as state, federal, and global mandates are 01:57:52 concerned. Effectively, so long as you can realistically satisfy the question, can we back up our critical data and
restore it to its original state if needed, then your policy is most likely a sound one. 01:58:03 I have a footnote here. If you feel that it is necessary to split out your policies into separate mandates, for instance backup policy, restoration policy, retention policy, that is also fine. Keep in
mind that you will eventually need to align your backup policy with its counterpart, a corporate data retention and destruction policy, which enters the scene a bit further down the road. 01:58:24 The data retention and destruction policy is something you may end up co-authoring in year one, and you would most likely
do this alongside your general counsel. The funny thing about this policy is it tends to never get past the draft stage in life sciences companies, which is a shame because generally, by the time you desperately need it, for instance your first lawsuit, it’s too late to implement. 01:58:44 Furthermore,
if you are a company that is accountable for satisfying GDPR controls, you also need to have a corresponding set of policies that demonstrate your capabilities to destroy your archival data. 01:58:56 For now though, let’s focus on the backup and restoration policy. We will address data retention,
GDPR, et cetera, further on in this book. Your backup and restoration policy will want to include at least the following seven domains of guidance: quality, ubiquity, functionality, notifications and failures, access and restoration. 01:59:20 And here I have a few
notes. You should be able to answer these three main questions. When I need the backup data, will I be able to get it? How precisely will I find the data when I do need it to access the backup? 01:59:33 And once I
finally found it, will I be able to use it? Now, let’s start with an example. I use a SaaS engineering and workflow platform called Lucidchart, which thankfully comes with built-in functionality that provides me with an easy way to schedule backups to
Google Drive on a weekly basis, which is Lucidchart’s designated time interval. 02:00:02 Lucidchart’s backup file type is .laf, which is proprietary to that platform. So after each weekly backup occurs to my Google Drive, my primary backup solution then takes over,
which allows me to back up my Google Drive data to an AWS S3 environment. 02:00:19 Now this occurs on a more frequent basis daily, and it picks up any deltas and changes. In addition to the weekly backups, the Lucidchart platform also backs up newly created
documents immediately. So ultimately, this is what the backup flow looks like. 02:00:34 And again, I will show this on the screen. And as you can see, the answers to my three main questions above are yes, unless both Google Drive and AWS are down at the same time. Two,
the backup file is labeled by default as Lucidchart-backup-year-monthday.laf. 02:00:57 So I only need to search on that string with the appropriate date inserted. And three, yes, unless Lucidchart is completely down, otherwise I have no means by which to open the
LAF file. As with most of the SaaS platforms I use, this is the norm, not the exception. 02:01:14 You can generally only restore the backup files of any SaaS vendor to the original SaaS platform due to their proprietary nature. In
the case of Lucidchart, should I ever find myself in a situation where I have a highly critical document that must always be available even with an outage of their platform, I also have the manual functionality to take on-demand backups in a more standard format such as PDF or PNG. 02:01:37 My approach
in the backup guidance is to directly call out these platforms, which have unique file types as their default backup methodology, detail in my guidance how each backup will be performed, and then detail how I will perform manual backups on those documents deemed business critical. 02:01:53 Those too will be saved in AWS S3
via Google Drive. It’ll be universally accessible and platform friendly. Some environments will also save to a friendly format by default, but there will be several caveats included in that backup. 02:02:07 For instance, users of the Smartsheet platform know that it will allow for daily backups upon request. Still, it converts your Smartsheet
plans into Microsoft Excel documents. Now, even though these are re-importable into Smartsheet, all attachments are stripped out and you lose formatting, though the core data is retained. 02:02:28 Furthermore, in the case of Smartsheet, the backup must be downloaded manually from the Smartsheet website,
although this could be automated via creative scripting. Other platforms such as Asana require you to be on an escalated plan type, for instance, enterprise. 02:02:43 Only then can you export your data manually in a JSON format that, though universally friendly, also comes with very
specific caveats regarding re-importability. A friendly chart embedded in your guidance, which calls out file type exceptions, can assist with this governance aspect. 02:03:02 Now, I’ll show up a sample on the screen of what that can look like. As I said, this is the most time
consuming and challenging aspect of backup guidance. Having to note how every single platform behaves, especially in a heavy SaaS environment, can be a giant pain in the ass. 02:03:23 Still, it is essential that this must be accurate (read: not aspirational) and tested regularly to ensure
that accuracy is maintained. Then there’s the last two elements, security and encryption and design. 02:03:38 So those are the seven elements of the backup procedure. Now, in terms of physical management for on-premise infrastructure, well, suppose you
have a single piece of physical IT infrastructure in a building owned or leased by your company. 02:03:51 In this model, you will need to have guidance that details how you will physically maintain that equipment’s integrity. I will be covering those specific items in the next section on security, which begs the
question, why doesn’t guidance for on-premise infrastructure also belong in security governance? 02:04:08 Well, it does, and I will get to that later too, but this guidance pertains to the physical protection of equipment from improper access, damage, and loss. For instance, what if our physical
WAN equipment in the data center exceeds a temperature threshold due to an AC failure? 02:04:24 What if the tenant on the floor above has a leak that wipes out several WAPs? What if our primary WAN circuit fails and
does not fail over? And so on and so forth. So as with the prior governance constructs, we can cycle back to considering how to address this guidance by asking and addressing a primary question. 02:04:42 How can we ensure that adequate physical controls are in place to keep the business running
continuously? This type of governance has many approaches, and here I have a footnote. One approach that seems to be gaining in popularity is leasing equipment from a remote management shop that will not only install but remotely manage and heal your hardware. 02:05:02 It requires
a bit more trust than I am willing to exercise myself, but you may feel differently; adjust your policy as necessary. You will have to pick the one that most realistically aligns with your expertise, financial bandwidth, and what the environment presents in the way of challenges. 02:05:19 For example, number one,
do you want there to be an automatic failover redundancy for all key points of infrastructure on site? Well, to do this, you will need to essentially duplicate your environment in a location that is preferably not in the same IDF closet as your primary equipment. 02:05:35 If you cannot provide a secondary
location within the site and elect to utilize your secondary equipment’s primary location, you have only really mitigated a small portion of the risk, and this is the most expensive option. 02:05:47 Number two, do you want to create a secondary site for the failover of key points of infrastructure? This
viable model was quite popular when VMware and deduping technology were peaking. In addition to replicating your environment, you would also need to pay a space fee in a co-location facility. 02:06:04 Some facilities may let you rent a pre-built secondary environment for less than the cost of your primary environment,
but in that case, you should examine whether or not you should simply stick with number one above. 02:06:13 This is also very expensive and does not include the cost of traveling to and from that location. Number three, does IT want to equip employees with the necessary tethering on
their phones and let them work via that method in the event of a failure? 02:06:29 Sounds innovative, and it is undoubtedly very low on the cost spectrum, but it gets extraordinarily difficult when taking into account things like VPNs and inadequate wireless coverage in buildings. So this
is obviously the lowest cost option, but if you were to tell every employee, go home and use your home Wi-Fi or just simply turn on your tethering on your phone, then you might have a problem. 02:06:52 Most likely the answer for right now will most closely align with number one above,
though striving for all key points in years one through three may be overreaching a bit. If you have a physical server on site and it is mission critical, determine how the employees who need to access that server will continue to do so from a controls perspective. 02:07:12 Tailor your guidance to match
the realistic expectations of what you can achieve in terms of providing physical management in the early years. In your guidance, do not ignore acts of God, but do not try to solve them all either. 02:07:24 Have in your guidance
a plan to routinely test your controls. As you add or change equipment in your environment, continue to keep your physical controls guidance updated and accurately reflective of your world. 02:07:37 Now, when it comes to change management, which is our fourth significant aspect of I&O governance,
the instantiation of change management is key to your IT process. I recommend that you ensure this is done before the end of year 1 for several reasons including: 1. 02:07:54 You will be building in the cultural rigor needed to manage the more extensive changes coming in year 2 as the
Business will start to make changes to platforms and accounts which will require change management. 02:08:05 2. You will have a bona fide period to develop and optimize your change control process before your first audit, unless it has already happened in which case you would want to do this as soon as possible.
02:08:16 3. You will have already started to make important changes for which there is likely to be little or no documentation. While this was convenient for you to move very quickly in year 1 and react to the business’ needs, it can no longer be considered an acceptable activity norm.
02:08:31 As a governance mechanism, change control is a good business practice for regulating all things that change. Realistically, that would essentially grind a company to a halt if it was done across the board. 02:08:41 IT did not be
The only functional area in the business that considers this tool, though it is often the only place where you will find change control outside of the quality function. Additionally, the maturity and scope of change control will vary from company to company. 02:08:56 Just like you need to have an ideal model in mind
For your security stack, as covered earlier in the book, you will also want to have a preferred model in mind for the governance of change control long before you step into the batter’s box. 02:09:09 If no two companies’ change control structures are the same, what then should be included in the scope
Of a change control policy? Ultimately, any technology, service, or platform used by the company to perform business functions falls within the scope of change control guidance. 02:09:24 That list includes, at a high level, corporate networks, on -premise hardware, XAAS and physical system
Password changes, any change of role that will be used to assign an individual employee access, core business application systems, hosted cloud -based computer systems, on -premise software applications, and cloud -based software applications. 02:09:49 From there,
You can whittle down or increase the list as much as you feel relevant for how you wish to translate the concept and actions of change control. Your quality leadership may also have an opinion, especially as it relates to how frequently changes can be made and under what circumstances. 02:10:05 All of these ingredients
will provide context for the construction of this guidance. As far as what is not in the scope of change control guidance, that list is much shorter. It generally contains areas beyond your control, such as vendor-hosted systems, as well as areas that are within your control, but
Diminutively unimportant, such as routine changes, simple UI updates, and notification changes. 02:10:32 Initially, as it will most likely only be you, or you and your partner, the very model of change control will not yet be as inscrutable
as it should be. If there are only two IT people in the department, then one is always the changer. 02:10:47 One is always the approver. Sure, you can swap that role back and forth as much as you like, but ultimately, until there is a third, or more, personnel on staff,
You are quite limited in declaring your change management process as genuinely objective. 02:11:02 As more IT staff come on board though, you will not only be able to delineate the change control process further, but you can ultimately begin to build a change advisory board, or a CAB. The
CAB can formally become a governing body for approving changes to mission critical systems. 02:11:17 This is a reasonably attainable goal on your march towards compliance, and it is generally only held back due to resource constraints. One of the critical characteristics of good
Change control governance is your ability to build an emergency change control procedure as a matter of standard business practice without abusing change control’s sovereignty. 02:11:37 All too often, as with many policies, circumvention and straight lines to the result can begin to become the norm, especially when there is a particular issue is absolutely
Business essential. In order to mitigate this abuse, governance should clearly indicate who can submit emergency change controls and under what circumstances. 02:11:58 For instance, suppose that a copy machine becomes uncommunicative within the business and affixes for someone in IT to implement a
New change for DNS. If this were the only copier, and the business needed to print a large volume of documents that very day, that would potentially be enough evidence to support an emergency change. 02:12:17 However, if there were other copiers around that were still fully functional, an emergency change
Should not be warranted. An emergency change is a type of change control that reflects your ability to recognize a critical issue and immediately fix it, which is then immediately followed by the emergency change control submission, instead of the other way around. 02:12:36 The idea behind an emergency change
control is that the person responsible for fixing the copier knew that, even with a rapid change, it would take too long to fix the copier and still help the business make its deadline. 02:12:49 After repairing the lone copier, our IT responder
Would have submitted the emergency change control, explaining not only what they did to resolve the issue, but why they could not wait for a standard change control to run its course. 02:13:00 As your CAB matures, the review of emergency change controls will be one of its primary limits. The
last important note for change control guidance consideration is that an emergency declaration ensures a business risk and an impact analysis should be done before submitting the change. 02:13:16 In most ITSM-based service platforms, the built-in change control process will have a section that requires you to fill out,
at the least, the following four areas of information. The reason for the change, the impact of doing the change, the rollout plan for the change, and the back-out plan for the change. 02:13:35 Now, using this information,
And whatever other fields are provided to you or customized by you, you can construct the language in your guidance to match so that any change requester is required to complete those fields. 02:13:47 and provide specific language in each that
will be reviewed before acceptance. For example, if we use our copier scenario above without the emergency change, we would expect to see those fields completed with similar information to this. 02:13:59 Reason for the change, copier XYZ on the third floor has stopped communicating. Impact of doing the change,
Copier XYZ will be out of service for 30 minutes. The rollout plan for the change, I will log in and make the changes, back out plan for the change. 02:14:14 If the issues are created for any reason by what I
Did, I will undo them. Now you would provide more detail than that. I’m just giving you a high level census of what I would say. Now the next approval, the change control will quickly review the summary, ask any additional follow up questions, then send it back as an approved change control.
02:14:32 This is then followed by the actual change resulting in a pass fail type response and the change control workflow. If it is a pass, the change control is updated as such and then closed. If the remedy is a failure, your change control guidance will
Want to include language about remediation and attentional, additional attempts at changes. 02:14:50 This is important to note. Let’s suppose that what was supposed to be a routine change as stated above was the wrong change. Did not work as expected, though the assessment about DNS was correct.
Your guide to stipulate that either another new change control will be added with the updated language or the prior change control would be reopened and the amended change is added. 02:15:10 In either scenario, we arrive back at the start for submission and approval. Change control will save your bacon
Many times over the months and years ahead. When a year or so has passed and you are wondering why a specific platform or piece of hardware is behaving a certain way, you’ll be able to rely on your change control process and change database to reflect on what was done at that time.
02:15:31 When the SOX auditors show up and we should know who approved that ERP database update from version 11 to version 12, you will have all the information needed to demonstrate how this was performed and why. 02:15:43 Now our final area
of IT governance, which is IT services, has to do with supporting the business. We went into a substantial deal of information regarding services and support back in Chapter 11. 02:15:55 Still, it is worth taking a brief look at one specific IT services area and support
Area directly related to governance. This type of governance has many names, but it is most commonly referred to as the Service Level Agreement, or SLA. 02:16:10 The SLA doesn’t just address the how of your support methodology, it also addresses the when. If you recall,
I strongly urge you not to utilize any urgency or priority ratings for your service incidents. 02:16:23 Your SLA will describe in detail how you will address all of the possible types of issues in the business and within what reasonable maximum timeframe. Ostensibly,
the SLA is your implicit commitment to the company to always do your best to provide a specific level of service to consistently meet or exceed the standards you established. 02:16:42 It will describe what your typical office hours are, expected response times,
What the procedures are for getting assistance, and who is on staff at what times. In addition to all the other relevant information needed to govern your services environment. 02:16:58 Now, I will show a sample of an SLA structure on the screen, which you’ll be better off
Looking at this in the footnotes included in the podcast notes. I won’t read the entire table, but just note that basically for every type of potential incident, we talk about an issue and maximum time to resolve, including some higher level categories. 02:17:30 Now creating the SLA is one
half of the process. To fully function vis-a-vis using the SLA as your governance framework, you need to support your service and support metrics against the terms that you established in the SLA. 02:17:43 A primary metric for you is
Whether or not you are adhering to your own SLA. If you are routinely missing your SLA guidelines, either your SLA needs to be amended to reflect better the availability of resources in the business, or you potentially have far more severe problems with your staff and your technology. 02:18:02 Your SLA should
Be made publicly available, as should all IT governance, and combined with your monthly IT service metrics so that your end users can see whether or not you are upholding your standards. 02:18:13 Creating and adhering to an SLA is the baseline for IT services governance, and it must be done within
Your first year of operations. Now, in our last area of governance, security risk and compliance. 02:18:32 We’ll be talking about several of the aspects related to these items. Up to this point, the primary emphasis on security has been on the initial tactical implementation of a security stack that protects the company’s assets.
02:18:46 cover this in detail back in chapter 2 and in chapter 10. In year 1, much of what you will do from a tactical perspective will represent your overall security program’s foundational technology layer. 02:19:01 Therefore, we now turn to the governance
Aspect and shine the spotlight of the how on your security stack. By addressing security, we must also begin to address the concept of risk management as it directly is correlated. 02:19:15 Ultimately, how much security is needed to align with the business acceptable risk threshold? Furthermore, when we consider both security and
Risk, we will inevitably arrive at a point whereby we need to address the scope of compliance. 02:19:28 Consider, for a moment, that almost all of the statutory guidelines relevant to the life sciences industry, to which the company must adhere, have a substantial emphasis on data control. You can’t control data without logical security
And you can’t discuss logical security without discussing the associated and allowable risk. 02:19:46 Much of the guidance related to security will come in the form of documentation, read policy. Though some will come in the form of adherence, read process, to statutory guidance. For instance,
You may decide to write a standalone security policy called GDPR policy, in detail within all of the actions you intend to utilize to show how you will satisfy the requirements of GDPR. 02:20:09 Alternatively, you may decide to design an automated workflow that ensures data is classified appropriately and
Based that workflow on individual policies that guide the unique aspects of GDPR, for instance, data classification policy, data portability policy, etc. 02:20:26 Neither model is incorrect. By using individual policies specifically designed to defend the integrity of process, you will allow your future self to be able to refer to those documents over
And over again with regards to other related statutory controls such as CCPA and its kin. 02:20:44 Now, as we begin to discuss these various domains of security risk and compliance governance, I’m going to put a link in the podcast notes which shows a very large table where I cover this in detail.
02:20:55 But basically, this looks at the most common aspects that will fall into the scope of that model. I’m not going to show the table on the screen because it’s quite large. I’m going to skip right over that. 02:21:06 But again, please
Refer to that in the podcast notes. So what will you realistically need for year one? Incorporating the information in the chart above and applying it to the assumed course of operations at your new company, at a minimum, you will want to have policies and process in place for the following.
02:21:24 So for policies, you’ll want to have access control, endpoint management, anti-malware, a written information security policy, also known as WISP, acceptable use policy, also known as an AUP, information transfer policy, but only if GDPR or some statutory compliance from a state level applies, data retention and destruction, incident
Management, new hire and termination, also known as employee lifecycle, and network security. 02:21:54 Under processes, you’ll want to have onboarding and offboarding employees or employee lifecycle management. You want to have deploying new equipment and managing lost, stolen, or damaged equipment, also known as asset management. 02:22:06 You want
to have responding to a breach, employee testing against policies and procedures, access request changes, and data classification and portability. Instituting these policies and processes does not mean that you may not need additional governance in place in year one. 02:22:21 If your company is much further down the road with
Certain aspects of growth, you will undoubtedly require further guidance to compensate. Likewise, once these policies and procedures are in place, your work is still not done. 02:22:34 These policies and procedures will mature and change as the business grows. New policies and procedures will also be introduced to complement
Existing guidance or reflect updated business changes. And what does that maturity look like? 02:22:48 Well, if you look through our futuristic telescope, we can see that within a few years’ time, our security governance model
is expansive. And I’m going to show a graphic on the screen. And by the way, I have a note here. 02:23:05 Full credit for this graphic goes to Steve Simmons. If you recall, he was a guest co-host on episode two
Of the podcast. Steve is the vice president of IT at Nimbus Therapeutics presently, but he’s been a CISO for many, many years, a brilliant security analyst. 02:23:27 So again, even for the audio version of this podcast, there’s no way to sort of accurately read this
Graphic. So I’ll put a link to it in the podcast notes, but you can see here just how much security guidance and governance comes into play over the next few years. 02:23:47 So one last note on this aspect of governance. In the life sciences industry, compliance is everything. As much as you think
That you are technologists first and foremost, you are a compliance specialist above all. 02:23:59 It doesn’t matter how many security certifications you have, but just try to do anything in IT that doesn’t have a compliance dependency. You start
With GXP, and while that slowly envelops you, throw in six months of SOCs testing every year, add in state level guidance like CCPA, Sunshine Law, and global compliance like GDPR. 02:24:18 Before you know it, compliance becomes the very air that you breathe. Take heart, however,
This is a good thing. You will come to view the world from the perspective of risk. In doing so, you will habitually consider how your policies and your processes impact the business. 02:24:35 Good governance for security risk compliance considers a global approach to a global question. At the end of the day,
How can you ensure that your data is both good and safe? All right, we’re almost at the end now. 02:24:48 Hang in there. So now we’re on to data management, and this is sort of the big final piece of governance.
So with data management, we see a lot of the same themes emerge over and over again throughout all of our other compliance and guidance and governance controls. 02:25:05 But specifically, I wanna focus on four aspects of good data management. Classification, growth, search, and control. And to some degree, all of
These will become at least a discussion point, if not an area demanding action in year one. 02:25:20 And no matter what you do, the company will create and ingest data at an ever increasing rate. That’s just a fact. It will
Never go in a decreasing direction. If you are interested in understanding how your data grows, you’ll wanna track several key characteristics that would allow you to gain insights into your data spectrum over a large span of time. 02:25:42 Such a scope would include data
Ranging from emails received per day to new files created per month to space used in AWS by quarter and so on. In your case, you haven’t been at the company long enough to complete this exercise. 02:25:55 So we’ll just step back a moment
And assume there’s a current natural rate of data growth over the longterm. Now we should also agree on the veritable nature of the axiom that data will always grow. In that case, we will also reasonably infer that the relationships between the data will become more complex as it grows. 02:26:14 Furthermore,
As the business matures, the content of the data itself will become more complex. Where once you mostly had PowerPoint and Word files in your servers, you’ll now have gigabytes of biostats data, chromatographic data, and everything else under the sun. 02:26:31 So data will always grow and data will always
Grow more complex. And while it is relatively straightforward to measure data growth rate, it is nearly impossible to accurately measure the rate of change in complexity over a specific period. 02:26:48 As data is created, it needs to be stored somewhere. That somewhere has particular characteristics
that will differentiate it from another somewhere. The number of possible somewheres continues to grow because the somewhere in and of itself is also data. 02:27:04 Those characteristics include folder name, folder location, file name, file type, file content, file author, file owner,
File size, collaborative requirements, and so on. What do these all amount in the aggregate? 02:27:16 The classification of data and metadata. And metadata is data. Now we’ve evaluated data in several other governance areas, yet there remains one constant that is necessary for any of those other areas of governance to be realistically applicable.
02:27:32 They are all aspirationally unattainable unless you can identify your data. In the case of security governance, you simply can’t have a realistic access control policy for your data unless you know who needs to access the data, which means you need to know what the data is and where it lives.
02:27:51 In the early days at your new company, you will most likely uncover one of the most common data classification structures out there today, the ubiquitous departmental folder structure. Of course, it is the most logical starting point for a corporate layman’s data structure. 02:28:06 Every department gets their
Share of drive, and they each create some type of unique folder structure that makes sense to them, then they store their data in that structure and yada, yada, yada, et cetera, et cetera. 02:28:17 Now, it should be noted that the structure
Is not flawed in a basic sense of operations. Yes, you have a finance department, and yes, they need a place to put the files used by their department. This so far makes complete logical sense. 02:28:31 There’s now a finance department folder
In our shared drives and everything is humming along nicely. If someone comes up to you and says, hey, where’s all the finance files? You just point over there and say, in the finance server. 02:28:44 It’s the very next stage of growth, however, where the complexity immediately escalates. You see, one day the finance
Department decides they need to work on a slide deck with human resources. Well, let’s see now. 02:28:57 If they put it in the finance department folder, they can still share it with HR, and from a data perspective, it’s technically still owned by finance. Okay, so not too bad. Finance still has
Control and ownership, but they started to lose a little bit of control here. 02:29:13 See, HR can now download the deck and put its version in some other location, even while still being worked on and versioned in the finance location. So anyway, after a few turns of this collaboration,
Both finance and HR realize, oh, now we need to have legal provide some perspective on this deck. 02:29:31 Oh, so now what do we do? Well, one of them HR legal or finance will probably take one of three obvious approaches. One, leaving the finance folder and invite legal to
it. This is recommended. It’s a tactically sound and reasonable collaborative approach, but did they remember to disable the download capability for legal? 02:29:52 Let’s hope so. Option two, take the file out of the folder, email as an attachment to legal and CC HR to
Produce an email thread with multiple emails and attachments. This should be avoided at all costs. 02:30:06 It’s essentially a time bomb. Be assured that both legal and HR will be saving some of the attachments, not all mind you, in their respective department folders, on their desktops, in their email, or who knows where.
02:30:20 Option three, create a new folder called finance HR on legal, in which this document and other future similar documents will be placed. This kind of fits in the middle. It’s not recommended. Maybe it doesn’t have to be avoided, but it’s not
bad for an immediate term solution, but long-term pitfalls are absolutely going to happen. 02:30:39 The model breaks down at the precise moment, the collaborators realize they must also invite corporate communications to their deck. Now, what do we do? Plus, someone still
Needs to own the deck. The third approach is not as incendiary as the second option, but get this methodology close enough to a lit match, and it falls apart very fast. 02:31:01 Now, let’s take this to one more level, and
then I promise I’ll stop this pain. This new deck, which all these groups have collaborated on, let’s just say now it’s done, version 1.0. Thankfully, our trusty finance department disabled anyone else from being able to download the document, so all collaboration was done from the finance drive. 02:31:20 Obviously,
Thanks in part to your extraordinary IT leadership and guidance. Now the finance department needs to share this deck with external investors. Well, we knew that sooner or later, more than one version of this deck would have to exist. 02:31:34 They now need to make
a copy of it available in your third-party virtual data room with the likelihood that the future updates to the deck will be made in a separate editing tree from the first editing tree. 02:31:44 Our original little deck grew from a well controlled little seedling into a multi-dimensional briar
patch. This tale of complexity growth is one you will experience thousands of times, and the above example represents a prevalent scenario. 02:31:59 For this reason, governance should start with the classification element. Classification is the antidote to complexity if it is applied very early on in the data growth trajectory. The difficulty
Of implementing classification is directly proportional to the rate of complexity growth. 02:32:14 As data structures become more complex, so too does the ability to classify them until you eventually reach a point where you would
Literally have to start all over in any attempt to do it right. The good news is that data management and governance, especially as it relates to classification, need not be overly complicated. 02:32:32 In fact, for the creation of initial data classification and governance,
Start with basic logic. If the data equals x, then put it here, otherwise put it there. Now x could represent anything from confidential data to raw machine data. 02:32:47 The intended result is that you have to have a specific starting point in your classification decision matrix,
as bland and straightforward as it may be. From here, then you will continue to ask this question over and over until you have exhausted all additional classification options. 02:33:02 Naturally, several points will arise when your decision-making matrix cannot be Boolean. You will soon need to add in a third variable,
Or a fourth, and so on. Your x’s will multiply, and so will your y’s, and your z’s, and so on. 02:33:17 Your classification structure could include phenotypic aspects such as department vs. project, confidential vs. not confidential, draft vs. final, and so on. Where you wish to start this is up to you.
02:33:28 I recommend, however, that you start with what you have, or at the very least, what your experience has taught you that works best. If you walk into a company and they are already using or attempting to use a dependency 02:33:40 based classification model,
see if you can make that work further for now. It may save you some time in the long run, but not forever. It may also end up being that you continue to use a department model, but you also add other complementary models around it. 02:33:56 There’s no one-size-fits-all solution
Here. Additionally, as you consider other possible data management classification structures, you will want to keep in mind the other aspects of your governance, growth, search, and control. 02:34:08 Now, in terms of growth, over the years, whenever I’ve sat down with departments and project teams to
Discuss how they think they should build their ideal data structures, the one question that I drill down on relentlessly is, does your model scale? 02:34:23 I am intentionally trying to dissect their proposed data structure to ensure that it can handle any growth. For instance,
if the head of the department leaves the company, will the model break? If their department brings on three new hires next year, will this model still work? 02:34:41 If the company brings on another asset, or decides to start a new clinical program, will the model flex enough to allow for
This? The question is no longer one of the actual total size of your data. The industry has seen fit to it that you can almost infinitely scale these days in terms of gigabytes and terabytes. 02:34:58 No, this line of questioning is designed to prevent the one scenario where the only
Response to here or there is neither. It may take a while to arrive at the point whereby you can be reasonably sure the model is built to be truly scalable. 02:35:12 Now, considerations of growth and scalability are only half of the equation, but they are an
Essential part of the discussion. By constructing a scalable model, you have also created a model that allows for ease of data at location, aka search. 02:35:25 So growth and search go hand in hand in your guidance. The entire ontological discussion requires that you also consider how someone will
find something, not only today, but in the future, not just by location, but by name and data. 02:35:39 Again, reflecting on the scenarios where I have sat down with departments to consider growth, I have also pressure tested their scenarios to consider how anyone will find anything.
One question that is useful in this area is, if a new hire walked into your department tomorrow, would they be easily able to find what they need on their own right away? 02:35:59 Now, if you think
About this for a moment, consider what happens when you started at a new company. How easy was it for you to find anything? Did you have to ask around a lot for this or that document? 02:36:09 Did people point you to directories that were not in any classification alignment with the actual
content? Oh, no, no, the company org chart isn’t in the HR directory, it’s in the corporate communications directory under HR public documents. 02:36:22 Going back to our scalability questions, our guidance also needs to consider how anyone will locate anything. So remember when we covered backup governance earlier?
Like an hour ago? That backup governance is directly dependent on this as well. 02:36:37 Suppose your growth model is scalable enough and data searchability is fast enough. In that case, your data backup should also reflect these elements, thus making it easy to retrieve data from the past. 02:36:48 Let’s back up a
Bit. A moment ago, I advised you to consider how someone will find something, and not only today, but in the future, and not just by location, but also by the name and data. Now, naming conventions are an important component of data management, not to be forgotten.
02:37:03 Corporations struggle mightily with the idea of comprehensive enterprise-wide naming conventions, and I’ve never seen or heard of a company that got this universally correct despite best efforts, even with adoptions of FAIR standards. 02:37:17 Even if you manage to construct
a global naming convention for the company, you are still facing an immense, almost Sisyphean effort in two areas. One, there’s a treasure trove of data that existed before you got there, which is incorrectly named, and two, you have to train every new employee to not only adopt your
New mechanism for naming, but also to ignore anything that you’ve ever learned in the past. 02:37:38 What can you do? My first response is don’t throw in the towel. In your guidance you can provide a document naming convention within the company and you can provide reasonable guidance that can be followed.
02:37:50 Will it work 100% of the time? No. Can you automate some of it? Most likely, but that will depend on the platforms you use and the amount of effort you put into the automated naming schemas. My second response is work on this the same way you worked on your growth structures.
02:38:05 Don’t try to boil the ocean. Start simple and go from there. Some areas of the business will have an easier time adopting this concept than others. Take it one area at a time. You will eventually find some commonalities across the business, for instance no one should use spaces anymore
in their file names, underscores only, and unique naming conventions specific to groups. 02:38:25 Let’s look at two examples of unique naming conventions that share a common corporate characteristic. First we’ll start with an example of guidance for naming convention for a research team. File names should reflect the contents of the file.
02:38:37 File names should contain information such as project acronym or study title. Start file names as the most general component and progress down to the more specific qualifiers. And file names should never use spaces. 02:38:50 Be descriptive, not rely on nesting in folders, etc. Now here’s a sample of guidance for a naming
convention for your legal team. File names should reflect the contents of the file. It could include enough information to identify the data file uniquely. 02:39:06 File names could include information like document type, other company, state or country. Start names as the most general
Component and then progress down to the more specific qualifiers. And don’t use spaces again. 02:39:19 As far as historical data is concerned, you can spend the time if you have it, which you don’t, to go back and clean up data to match your
New file naming conventions. You will most likely migrate some if not all of that historical data into your new scalable structures anyway, so it’s worth considering despite the effort. 02:39:36 Regardless of the historical and its naming structures, it does possess one immutable characteristic
Which is useful for you when it comes to future searching. It has a date. In fact, it has at least two dates attributed to it, the creation date and the last modification date. 02:39:51 There may not be much to go on,
But they will undoubtedly help when it comes time to find data further down the road. I want to briefly touch on metadata again I just mentioned a few moments ago, but before we dive into our guidance controls aspect, it’s worth mentioning. 02:40:07 There’s no way
To put this gently so I’m just going to call as I see it. Metadata adherence sucks. It is very hard to get people to adhere to a metadata standard, I mean unless you automate it of course. 02:40:21 I mean this
In every possible way. The process of entering metadata sucks for all applications and modern day tools for searching on metadata also pretty much suck. A lot of suck going on. lead to folks throwing the towel when asked to employ metadata in all the work they do. 02:40:40 Certain
groups in your company love metadata, or like they think they love metadata, and will either attempt to enforce the use of metadata through templates or enterprise platform validation or sheer brute force, but are more of the exception than the rule. 02:40:55 If getting any naming conventions
established across the company could be viewed as the holy grail of classification, e.g. the FAIR standard, then getting your company to routinely use metadata would be seen as a sacred keg. 02:41:07 Now I’m not saying that metadata is not useful. It is absolutely useful, and I personally love metadata. It is
glorious when you can effortlessly search on metadata to zero right in on what you’re looking for. 02:41:19 The larger enterprise sharing platforms like Google Drive and Box have good metadata structures, but it’s not on all data content. I need to add the word survival to my
metadata of this document when Google has already contextualized this entire document and brings it right to my fingers before I even finish typing S-U-R-V. 02:41:39 If you would like to include language in your data management governance related to metadata,
My only advice is to be realistic. If the enterprise platform you’re using in regulatory will not let you submit a document without keying in metadata, awesome, go with that. 02:41:53 If your quality management system has four metadata fields that you must fill out before you approve a document,
Sweet, ride that one into the sunset. Embrace those few blissful moments of metadata, but as for the rest of the company, be thoughtful about whether or not the enforcement of metadata in your overall governance will help you or just make people wonder about your mental state. 02:42:15 Almost done, hang in there.
The final aspect of data management governance, and governance in general, is an area I’ve already covered from multiple angles. Control. However, now I’m considering the implications of control 02:42:36 policies and processes within the context of data management guidance. This guidance will evaluate control mechanisms
from an access perspective. Who should see what? And a lifecycle perspective, how does data live? 02:42:51 The former question is addressed through our security governance and managed when considering the here or there concept, while the latter is addressed by creating new data management guidance. Our classification,
Scalability and growth are all essentially delimited by the who question. 02:43:06 If I am building data structure guidance for a certain department, I am going to ask the following questions at every level of the structure. Who should see this and what should they be able to do with it?
02:43:16 Now, if we use the familiar concept of hierarchical data structures, it is true that regardless of which operating system you use, or which data storage platform you rely on, there’s a rights-based structure in place. 02:43:28 It is strictly
a top-down structure for some platforms, meaning that you can move from the least restrictive permissions to the most restrictive permissions as you travel down the hierarchy, but you can override that as you travel down the structure. 02:43:39 In other platforms,
It may only appear to be hierarchical, but it in fact is a flat structure, which means that while it starts at least restrictive at the top and defaults to most restrictive as you navigate down, it is agnostic, and you can override and assign privileges in either direction. 02:43:54 Some platforms, like Box,
Embrace the idea of waterfall permissions, which is actually like our first example, yet does not allow you to override the structure permissions as you travel down. So how do unique data structure controls impact our control guidance? 02:44:09 Well, for one,
It means that your guidance cannot be so specific as to discount the unique nature of the platforms in place within your business. You will either have to create guidance unique to each type of structure or develop single guidance that is broad enough to cover the entirety of the enterprise.
02:44:24 There is no right or wrong approach here. If the data in question sits in a sensibly flat data structure, you will want to focus on control guidance that considers that aspect when discussing those affected groups. 02:44:36 Flat structures provide the most options for collaboration, but they can also yield the most complicated
structures. Hierarchical top-down structures offer the least amount of collaboration options, but they provide the most straightforward structure designs. 02:44:50 Consider all of these aspects when designing your controls as part of your data management governance. You will have already created a security governance model that ensures least privileged access,
So you can now take that approach and apply it to the data storage models you construct. 02:45:05 In terms of filling the gaps related to data management control, we asked how does this data live? It’s accidentally speaking, data is truly binary. One moment it is not there,
The next moment it is, a virtue of reassigning ones and zeros. 02:45:17 Where formerly there was a conceivably blank space, it has now been filled with some logical bit of data. How and why did it get there? And now that it is there and it’s been seemingly classified,
How long should it stay there and where should it go next? 02:45:28 To answer these questions, we have to go back to the beginning to our classification structures. Now, I’m going to show a table up on the screen, which basically shows the breakdown of this information.
02:45:43 If you are listening on the podcast, unfortunately you get to miss looking at it yet on their table, but I recommend you go to the book to read it and it will be in the notes. Knowing that data can be generated in many ways,
We can create a global understanding of our digital assets using a model like the chart above. 02:46:01 For instance, if we want to effectively control our Slack data, we want to understand how it comes to exist and understand what our capabilities are
For allowing it to continue to exist. Supposing that we continue to fill out this chart and further down the line, we identified platform ABC, which does not allow us to control the lifecycle. 02:46:18 We would need to make sure we enumerate this in our guidance. In this example,
the platform ABC automatically sends SMS notifications to specific phones in the business related to alerts. While you may be able to delete the text from your phone, unlikely, 02:46:33 an intermediary outside of your control exists, the phone company, which keeps your text for three years. Therefore,
you only have some control over your data’s lifecycle, but not all the data. Now, depending how far along the business is in creating a data retention and destruction policy, this would ultimately be a superseding aspect of governance, which will help you frame how you respond to the types of data your business generates.
02:46:58 The three most likely scenarios which apply here are, one, there’s already a data retention and destruction policy in place, so you can simply lean against that policy to create a data classification, growth, and control structure. 02:47:10 Aging and removal of data will be considered when making your classification and growth schema. Two,
there is no data retention and destruction policy, but there is a desire to create one. Three, there is no desire to create a data retention and destruction policy now or at any future point. 02:47:27 In this case, it’s not entirely safe to just assume that all data will be here forever. You should
still include some aspects of control, especially regarding personnel data, but by and large, you have to assume that you will keep everything forever. 02:47:41 On that note, if you do already have a data retention and destruction policy in place,
you will need to build the controls into your governance that allow you to both detect and automatically age out data that meets or exceeds the thresholds in your policy. 02:47:52 This is easier in some places than others, but the burden falls on you to make sure this happens, at least from
a technological perspective. Simply stated, the better your data management governance is, the easier it will be for the business to, A, adhere to policies such as data retention and destruction, B, conform to statutory compliance concerns, C, scale up and be
unrestrained by data inhibitors, and four, utilize the best data at the right times. 02:48:18 When I started this chapter on governance like years ago, I emphasized that IT governance is just one part of the overall organizational governance structure. It is essential that even in the absence of other
governance, the IT leader sets an example for how good business practices can and should exist. 02:48:36 This means that you and your department must carry the torch and effectively create the model for the rest of the company to emulate.
This transcends merely eating your own dog food. And as the saying goes, this is bigger than that. 02:48:48 This is you, the IT leader, incorporating effective governance into all of the activities you do. This is you, the IT leader, recognizing the difference between realistic and aspirational goals
Between today’s company and tomorrow’s company and between what should and should not happen regarding the entire scope of technology you are obligated to manage. 02:49:08 Remember, governance is your how, make it count. Now, in terms of chapter 15 summary, key takeaways. You need to begin creating and implementing IT governance in the following
Areas in year one, prioritization and project management, development, infrastructure and operations, security, risk and compliance and data management. 02:49:33 Your goals for year 1 at a minimum should be to address and culturalize the necessary components of these
Governance concepts. You will discover early on how much the company can ingest of any of these. 02:49:44 Look for other examples that support governance that may be growing in the business and lend your support to those causes. Likewise, ask those individuals to help you support yours. With that in mind, sometimes
IT has to be the first department to introduce the concept of good governance to the business. 02:50:00 Do not sit around and wait for someone else to do it first. You don’t have the luxury of waiting. Any governance that you construct must be realistic and non-aspirational. You should never write
guidance or develop a policy that includes languages for activities you do not do. 02:50:15 For instance, if you do not take backups of all systems every Sunday, you would not state that you do that in any documentation. And lastly, governance requires that you consider both
the short and long term regarding how you will build it for each of the areas of focus. 02:50:29 Short-term governance should not be established just to get short-term wins, but as a foundation for growth that aligns with where the company is headed. Pro Tips: Avoid aspirational language in your governance.
02:50:41 Keep it realistic and align with the expected growth. You will be amending your governance many times over time as the business matures and becomes more complex. There are many third-party tools that will
allow you to do a low-level forensic analysis of data to get a better sense of growth over time. 02:51:00 Looking into these options of getting a full grasp of data is of near-term importance to you. When it comes to deploying
Governance in the business, you have to ensure that IT follows the governance to the letter. 02:51:12 Just like I said, it’s about eating your own dog food, but more so. This applies tenfold when it comes to getting
governance buy-in across the business. Things to watch out for? Well, in the case of life sciences, as sure as the sun sets and rises, people hate policies, rules and committees. 02:51:29 That’s good for any industry. Sadly,
there’s not much you can do to ease the pain. If you go on this mission alone, you will clearly find resistance to your pedagogy, as it will seem to come out of left field. 02:51:41 If, on the other hand, you try to enlist every
Group in the company to help you develop your governance, you will find that it is impossible to deploy because of the myriad of opinions. Find a middle ground, get the best partner to join you. 02:51:53 I screwed up getting good governance deployed more times than I can remember, and it generally came down
To having the wrong people, or too many people, involved in getting governance off the ground. 02:52:04 It is totally okay to swing and miss, so long as you at least try to swing for governance. At one company, I tried
to deploy project management and prioritization in the first year, and it totally fizzled out. 02:52:16 All of the key contributors were buried in FDA submissions, and no one had the time to do good old-fashioned project management and prioritization. It didn’t stop us from trying our best,
Though, and we did ultimately manage to get the basic building blocks in place, but it wasn’t until my third year we were able to get deep traction on governance. 02:52:34 From there on, it went quite smoothly. Thanks for listening to that chapter. It was exceptionally long. I’m
Gonna turn it back over to, well, myself and Mike and Nathan Doyle to continue on with the podcast. 02:52:52 My throat’s a little dry from reading for the last 10 minutes in that chapter. That was a short one, actually. No, it wasn’t. That
chapter was long AF. Long AF. L-A-F. But I said, like I said before, just critical, governance. 02:53:14 Well, I said it in the chapter read. I mean, that was its own book before I was like, no, let me just shrink it down,
Slap it into a small little box and make it in 46 pages of writing. That’s governance. 02:53:26 And so many people have written about it. I took my take on it. And I think, I don’t think I did it justice, but I think what we do is we cover the
Key points. Now, you wouldn’t run, you wouldn’t run a prison without locks and doors, right? 02:53:42 So why would you try to run an IT department without processes and principles? I mean, maybe prison’s a bad example, but you wouldn’t try to do something very
Complicated without having rules. And that is essentially the bare bones of governance. 02:54:01 Anything that has strict rules, anything in the manufacturing, walk into a manufacturing form of a plant, there’s a method. I’m talking six sigma methods now, but there’s a method, right? That’s a process that’s governance.
02:54:15 So at the top of the show, we did discuss decentralization of IT. We’re gonna come back to that now because I wanna talk about that for a bit. And then I wanna focus on some questions about this chapter we just read. 02:54:26 Now, Mike and I, or Mike was talking
earlier about sort of his particular vision of decentralized IT. And I want to come back to that for a second, Mike. And now you mentioned there has to be some sort of, let’s be some sort of centralized something with regards to, you can’t just have completely, and I think the idea
We were getting at was maybe decentralized and federated are two different ideas. 02:54:52 Sure, yeah. But in decentralized, the way that I was describing it, there has to be some kind of glue. Yeah. Like if you were to sort of try to sum up what that glue is,
Like what would you say? I think the one thing that comes to mind, 100% is cybersecurity. 02:55:10 In with cybersecurity, there needs to be some guardrails and some rules, I think. So I mean, I think that plays into the government’s governance discussion as well, is that cybersecurity is truly unique to that role.
02:55:25 And I think even in some, in many organizations, cybersecurity lives outside of IT. So, I think there’s this thought process across a lot of bigger companies, especially software companies, that feel that needs to be a separate function, a centralized function. 02:55:42 Why does IT, why does cybersecurity
Report in IT? I think because it went under the technology moniker, and it’s a compliance and risk function, right? Not that IT isn’t, and often is, it has to be to some extent, right? 02:55:57 So, it fits well there in small organizations. But I think now with SEC legislation and just
Cybersecurity so publicly visible in terms of it being a risk and a huge impact to different businesses in the stock market, and also just in terms of performance and overall, not wanting to have your name on the front page of the paper, is to have rules and constructs
That cybersecurity teams are respected and able to put certain rules in place. 02:56:29 That being said, I think the same level of risk reaching out from cybersecurity is true in business process. You know, if you don’t have any business processes, it’s pretty easy to get hacked. If you have
Business processes and everyone knows what they are, they can raise their hand even if they don’t know anything about cybersecurity and say, we’re not following our process. 02:56:50 Something’s not right here. I better tell someone. So, that sort of business process governance comes into play
Where if everyone has their own certain rules of the road, it’s hard for cybersecurity to understand what the norms are, what patterns they need to look for, that type of thing. 02:57:09 So I think it is very important for cybersecurity to be a centralized function. But it doesn’t take away the fact that
For cybersecurity to be successful, that’s to be a huge element of distributed awareness across the whole organization, and that cybersecurity has to be woven into the culture of any company. 02:57:29 We don’t have to call it cybersecurity. at risk and other things too, but I think it’s kind of both in
Terms of how we get it out there from a compliance perspective. Sorry, I was going to… No, no, no. 02:57:40 You know, it’s inspirational. What you’re saying in many ways is it’s sort of a stoking thought, right? It’s not clear I’m not used to being on podcasts. No, no. Here’s another moment. No,
I think, you know, so if we’re talking about decentralization, right, and we’re looking at the ways businesses can decentralize, right, their various functions, but yet improve process, right? 02:57:58 Mike, your point is very, very astute, right? You know, that could prevent some additional risk as we decentralize, right?
What if team A and team B look at cyber differently or look at security differently, right? 02:58:09 And effectively train differently or don’t pick up on typically new trends, right, in the same ways, right? You might have a business unit that’s fully exposed as far as a risk and another one fully secured, right?
02:58:23 I think in a decentralized model, to decentralize cyber away from IT, your security, I want to use the word security, not just cyber security, but security away from IT, is an improvement upon our service delivery. 02:58:36 I think there’s been an overburden, our unicorn
Viewpoint on IT talent that she or he, they are going to come to the organization and they’re going to be able to be fully capable across the broad spectrum of great technology management. 02:58:49 There are so few unicorns that truly exist and
Even those that consider themselves unicorns are seen as the unicorns in the environments or within the industries that we all serve in, specifically the life science industry, they need help. 02:59:04 They want community help. It’s one of the things we love about this community,
It’s a true sense of community, but I think if we’re going to really take a decentralized model, you have to look at security as another component of that, it needs to be decentralized as well. 02:59:17 End of the day,
There’s rules and regulations. It needs to be outside of IT, but I think it needs to be a centralized function. It’s just not within IT, so yeah, I agree. Absolutely. This is my opinion. 02:59:31 Very important, very, very important. It’s the one thing that keeps me up at night and it’s the
one thing that will keep you employed, so to speak, is doing that well. You do that poorly and you’re very quickly out of a role and maybe out of an industry. 02:59:44 Take incident response planning, right? That’s a huge cross-functional effort. Yes. It’s got to be owned really centrally by
Probably one group, not multiple ones, so yeah, cyber security scares me to death. 02:59:57 I mean, there’s so much of this stuff that’s out of our control. I mean, could you imagine the communication, when you’re implementing an IRP, you’re implementing these different response mechanisms, right? 03:00:07 If you have one
Business unit that’s effectively escalating and communicating in one method and another one’s using another method, then all of a sudden, because method B was used by department B, you’re now exposing yourself to litigation or potential further harm, right? 03:00:23 That’s that’s a
risk. So I just feel at this great point. Google the vice president information technology job description. And I found this one, the first hit. They may also drive the implementation of development best practices through the organization while governing control and ensuring objectives are achieved. Risk management, resource allocation, project prioritization and
research and recommendation of new systems round out the vice president of IT’s typical job duties. 03:00:48 Mm-hmm. So why is that like so? Let’s back up a second. So you’re saying that we take security out of IT, which I totally agree with, by
the way. Put it in the middle of the organization. Let it run, and IT would be a customer of it or sort of have a dotted line to it. Totally agree. We’re gonna talk about in the chapter we just
talked about was about governance, and there was a big part of that about project management. Sure. But you’re both suggesting and you were saying this or anything that you can take a PMO and put
an organization, and we’ll talk about sort of what kind of person would go in there in just a second. But what this job description is saying, again this is a random one I just pulled up, is that
they want this VP of IT to run project partition for the business. So, and I could probably look up a bunch of these and find the same exact description in many of them, because it seems pretty generic. 03:01:42 It’s very common, yeah.
But why do we keep coming back to that point? So if I have to hire an expert, right, in IT, okay, okay, I’m a new, I’m a new co, right, gotta go hire my IT leader now, we gotta file that IND or we gotta go
ahead and watch this program, I need them to be able to be operationally astute, they need to be able to like do cloud stuff and security, and they need to be able to do support and service and be a good business person and also project management. We just basically listed all the jobs
that are in IT in one person. Now, to be fair, when we described the IT leader back in episodes one and two, we talked about this exactly thing, this thing. Yeah, you have to have all those things. Yeah.
But the point is you have to have them because you yourself are building IT. Yes. Because you’ve got to bring the right resources, you’ve got to bring the resources in to then do these things. You have to
know how they work, you knew what good looks like too, right, to some extent. Here’s what happens. I agree. Yeah, because what happens is if you are good at them, well, you end up doing them. So, so I have a
question, Nathan, in terms of the person, yeah, we’re talking about. So in episodes one and two of this podcast we speculated, and I wrote, that for someone to come in and lead IT they should be well rounded
in all areas of IT. Now, when I said that, I was speaking about, and this is my own classification now because I’ve been led to believe this, I was speaking about again hard, hardware, software, security, service and support, and then there’s that sixth element which is project management.
03:03:31 Even I’m putting into the portfolio. What does that person, what does that mean? It means you’re looking for a unicorn. It means you’re looking for that mythical creature that can do everything and we, you know, I’m going to take some liberty. 03:03:44 I think, you know, those that are, you know,
Participants of this podcast that have read your, you know, the materials that you’ve published over the years, Nate, which are awesome, right? I mean, massive help, right, to us in the industry. 03:03:55 You can come back anytime,
By the way. Thank you, thank you. But the, I think the hyper focus on finding that one person that can do it all actually presents a bigger risk to the business, right? One, you’re not hiring, you’re not bringing in talent soon enough, right? 03:04:12 Because you’re
hyper focused on that talent having to check every single box, right? In an anecdotal way, I’ve had colleagues that I believe are much brighter, much smarter than me, right? Who have stated that they have gone in for 15, 20, 30 interviews for a head of IT role, right? 03:04:31 And these,
it doesn’t help that the model that we’re seeing in our industry, which is supported by the v-seasoner industry, are again, super focused on this one person can do it all model, right? Now, not to go too wide here, I think that’s typically just within the G&A functions,
if you look at other functions, they don’t typically have that level of requirement. 03:04:53 And G&A, by the way. General administration, so your finance, your legal, your IT, right, HR, sometimes you put an informatics department in there, right, as well, you know, the more mature companies will put that under R&D, right,
For budgeting purposes and whatnot, but yeah, you know, I think that unicorn piece is hard, right? 03:05:13 So, you know, one of the deficits I personally had earlier in my career, right, was a lack of project management understanding, right? There were certain terms I didn’t understand, I didn’t understand the function of it.
03:05:23 I ended up having a really good leader help me through that, provided me the training, provided me the opportunity, and got me up to speed, and I have to say, that was the one thing that helped me land more roles,
Become more effective, however, I don’t think that needs to be the end all be all of what an IT leader has, or, you know, they can bring that in, you can bring that talent in. 03:05:44 I think that’s some of what
They might depend upon with some of these roles, is that you may have the background, but it’s even better if you know the vendors, if you have a, you know, there’s many of them, but like ones that can come in and run IT projects, and you’re just resourcing and budgeting appropriately, especially
In the VC kind of funded stuff, it seems like, you know, there’s a lot of MSPs that are in, there’s, you can go get a third party for implement, an implementer, you get a good bench of, you know,
kind of a statement of work type projects, and that you can not so much manage the nuts and bolts of that, but actually be able to bring that in and have a, do a more portfolio management type 03:06:22 model and rely
On a source. You may spend more money, but that might be some of what they’re looking for, is just to make it happen by hiring whoever you need to hire. Not FTEs, but going out and just renting. 03:06:37
Well, I’ve got to unpack what you just said. I’m saying that some companies may look for a head of IT to come in and just go rent the labor they need to get things going. So hold that for a second, because a moment ago you said, take cybersecurity out of IT. 03:06:54 Again,
I agree. Yeah. Don’t function. I’m talking about the job description you just read, and you asked why. Yeah. But you’re saying that the unicorn role, which we all know, for startup companies especially, for new cos, you need an IT leader who does come with all the tools. 03:07:13 That’s the
best thing you can possibly invest in. But now, you need to think about another thing, which is, what if you take governance out of IT, make it its own function. So now you have IT does not have governance, it does not have cybersecurity, and the IT leader can come
In and work with those people, work with that leader of governance, work with that leader of security in their first 90 days, first year, and say, okay, so what’s the cybersecurity plan? 03:07:44 Oh, this is your standard? It’s cool. I’ll go ahead and build my foundational plan. Oh,
This is how I do processes? Cool, like this is how I do my stuff. Yep. How much more velocity can they get? Like how much more could that IT leader do if they’re focused on everything else, but cybersecurity, well, they’re not focused on it, but it’s sort of like peripheral,
Like, okay, I got the standards, but I’m gonna do everything else. 03:08:09 How much more velocity can this person get? Well, I mean, you’re giving somebody some foundation, right? So instead of telling them, hey, there’s the driveway, there’s all the supplies, go build the house, right? 03:08:18 You’re actually providing them
At least some base to build up of, right? And how many of us have gone to those places where we were promised a driveway full of materials and there was nothing there, not even a driveway, right? 03:08:29 And how many times
You’ve walked in and you’re like, well, there’s a little bit of something. Okay, I can work with this, right? I can actually get more done than what you’re suggesting in your book in year one because there was a foundation there, but maybe there’s a program management team. 03:08:39 Maybe there’s
Other teams that have, maybe a PM function already there. I was gonna say, sounds like one of the things that could be really effective as if very early on in some of these businesses, especially if it’s more of a distributed functions around risk and compliance and cybersecurity,
Which I think a lot of cyber orgs, they’re taking GRC completely. 03:09:05 So they’re actually, even some GXP stuff is coming to cybersecurity on the life side. So you’re seeing this sort of function get built. But what I was gonna say is I think that, you know, you have people come in,
you said have a great foundation, having those in place is for a company, 03:09:22 and this seems everywhere, I think I’ve been, I don’t know, a few of them that have done this more so once they have a product on the market, but it’s to have an operational model, right? And if
They start really early on, maybe it’s hard to tell because you’re not sure what your product roadmap’s gonna look like and whatnot, but that can help foster kind of any distributed model, not just in IT, but in finance and other places, but it’s about how does a company wanna operate?
03:09:47 How does, and it’s not just an IT or CIO decision, it’s a fundamental executive team, COO decision, if they have one. And I think that’s what can really, it can really foster and feed, though, the idea of decentralized models across the business. 03:10:04 So you’re basically- Small teams. You’re basically
gonna put garden-rounded business, by the way, if you keep going. Because now what you’re supposing- I’m just saying it’s a different approach to starting a business, more than anything else. 03:10:15 No, I mean, I get you. Believe me,
I’m on board. I’m subscribed to your magazine. I love all the issues. All my logos and my diagrams. I have them all saved in my library. Think about this idea. Don’t think about this idea. 03:10:32
Mind blown. IT is going to get hired someday for this new co. So before they even hired IT, they hired the security person to come in and start building security. So I’m working with a company right now, and I’m helping them sort of begin to define. 03:10:49 They need a head of
IT. They’ve come to me to help them find one. And I’m working to help them find it. And of course, in the job description is, build a cyber security plan. I simply suggested, well, what if we went out and found a cyber security person for you and we focused on the IT role?
03:11:04 Well, no, no. It’s got to be inside the cyber security role. I mean, the IT role. It’s all going to be one together. Well, what if you just kind of took it out? Like, I don’t MSSP we can use. They can get you going. 03:11:14 Let IT just focus on it. No,
No, no. I want it all together. So I mean, I’m getting paid to get my best opinion. I give it. But then you have to sort of relent. You know the drill. So what was it going with this? 03:11:27 So what if, in this scenario, that
Person already existed? And then, again, we’re still pretending. So let’s pretend again that also is a strong program manager in that company. And they have an idea for program management. 03:11:40 And so the IT leader comes in and says, oh, you have cyber security. You have program management. And again,
We’re pretending. I’m going to say two things. One, and if you did that, every single thing, every single conference vendor that’s ever been invented up until now, they have to stop presenting because all their conferences are bullshit. 03:12:01 So every security conference,
Everything like that, they all just dissolve because they don’t work anymore. You’ve disrupted the whole industry in one fell swoop. That’s the one thing. And just give me one second. 03:12:13 And I’ll say the second
thing. The second thing is, what if you did one more? What if you did one more group out? What if you took out the employee experience part of IT and put that in its own group. 03:12:27 Now hold on and
I’ll explain in a second. So decentralized IT, what you’re doing is you’re bringing people to do process and governance. Now that’s a distributed function like you’re putting process and governance in the business but you take out or so you’re bringing IT rather,
Sorry I screwed that up, you’re bringing an IT to go ahead and build that IT, build that operational structures, make the business run, linky lights are on and all that stuff. 03:12:51 You’ve taken out cyber security, put them over here, you’ve said okay well we need process and all these other things
In place. So someone’s actually running that too as a PMO. Then you’d say okay well we want employees to have the most like the best possible experience possible if they can. 03:13:04 So from the moment that
They’re hired to the moment that they leave, the whole thing is governed by a group like they’re running some play experience. Yeah. So IT is still left with the lion’s share of operational work. 03:13:14 They still have to
Make sure that all the things work, to make sure that all the software and systems and all things are communicating. They still have a huge burden. They’re not getting off easy. But what they’ve done is they said, cybersecurity, you’re over there. 03:13:26 Program management and governance,
You’re over here. And then employee experience, like you’re the glue that holds us all together, but you’re over there. You tell us what the employees are feeling, how they’re thinking, what they need, like what’s coming next. 03:13:40 Take that out
Too. And what are you left with? You’re still left, like I said, with a huge IT burden. You need a strong IT leader. But now all of a sudden you’ve changed the model. Yep. I know that’s not what the chapter was about, but I just wanted to talk about this for one second.
03:13:54 No, this is great. So what are your thoughts on that idea? Am I completely batshit crazy? No, this works. Or do you take all three out? I think, so what is, is there anything left in IT at this point? 03:14:06 Just IT operations? Okay,
That’s it. Yeah, I think that that works. And employee experiences. Think about it. You need data retention and destruction policies. You need backup plans. You need, everything’s got to work. 03:14:18 There’s got to be redundancies. I got to be able to log in, right? Now, cybersecurity is saying, well,
Here’s your access controls, but I still need to count. I still need to be able to get email. So largely it’s almost going back to what traditional IT is, right? 03:14:35 It’s kind of going back to having, if you, unless employee experience includes kind of the front end customer service, it’s a help
Desk type model. That could potentially be part of employee experience, right? 03:14:46 Because the touching, the feeling, being able to see and know everyone in the company. What’s Gen AI doing for that? Yeah, okay, forget that. That was a big one. I’m just saying, where were that, does that go in IT ops?
03:15:00 Because I would say that really, the ops piece is infrastructure, almost traditional IT stuff, servers, laptops, you know, that type of thing. Let’s say experience is, let’s say the IT side is, okay, build a hundred laptops, we have a hundred new employees. 03:15:15 That’s IT’s remit. Experience is,
Hey, welcome to new co, here’s your laptop, I’m going to help you set it up. And you’re going to go about and do your job with your function line. Yep. It is like this other thing that did that. 03:15:30 Then they’re like, Oh,
I have a problem a laptop. Okay, go in this portal type in your thing. You’re talking to him being who’s or bought. Yeah, it’s gonna help you solve the problem. If you can’t, it then goes into it. 03:15:41 But it is solving the
Technical problem and kicking it back to the employee experience person. Yes, who is then handling that from there. Mm hmm. works totally. And so it also had to integrations and automation. 03:15:53 All that. Okay, you wouldn’t put automation in the employee experience side. It’s still too technical.
Put it in the back end ops. Yeah. So so what happens is employee experience says, Hey, listen, we, we’ve noticed that we can shave six minutes off of the orientation. 03:16:06 If we do this automation here, you have to do that for us. To your point, it goes into an Azure workflow,
two weeks sprint comes back out. Yeah, employee experience changes. They’re now a better group because of it, but they used IT as their partner due to employee experience. 03:16:19 It’s not in IT. Got it. I think
that works. Too radical? No, no, I think it’s just, it’s separate functions. Who do they all report into to the five heads of those groups report into the CFO or the CEO or experience reports into? 03:16:35 Digital experience lead or, yeah,
some digital concierge or, that’s the only downside I see of it, is the direct report discussion. Like, does a CFO want six direct reports, or the CEO, or is there, they go into program management? 03:16:51 It’s what’s the
top level look like where you can make the case? I’m a huge fan of this. This sounds amazing. I’m just thinking about how the prospect of you’ve got now, you’ve got kind of this committee and maybe that’s it making it more of a small teams model that has a community-based decision-making
process where they just report back to the ELT, you know, like or the executive team, right? 03:17:15 So I’m only gonna pause you right here, Mike, because I’m gonna answer that question. And this is like kind of like a little this is like
A little It’s like a cliffhanger for next week. Yes. We’re gonna answer that question next week. 03:17:28 Oh good that So next week keep us on the GRC because we’re talking about governance and Nate completely derailed Nate not Nathan derailed this whole fucking thing by taking Mike down this journey. I love
It I’m loving this Do you have a brief answer for that Next week and also talk about that. 03:17:48 I’ll come back. Okay. I love that. Yeah next week. We’re gonna We’re gonna answer that question. Yeah, don’t you worry? So we’re gonna add so employee experience I love it in IT or
Outside of IT and how does it work with IT and this new decentralized Nirvana? 03:18:05 Nexus of Neverland The islands of invention but sadly we have to back to governance. Man that was fun. I gotta find that
One. Alright. Okay I just brought it way down. So I did write down some softball questions for you. 03:18:39 I feel like I should have index cards. Like okay so hey how was the pizza the other night? So I’m just gonna read a couple
Of these. You guys probably already saw them if you cheated but and now you have to answer. 03:18:55 So let’s think about year one. I mean the chapter was on year one. Yeah it did cover some basic elements of years
Two and three in your new IT role but in terms of year one you have 12 months and regardless of what time of the year you start although it can have a major impact on what you do for governance. 03:19:13 What do you do
in your first year? I think it’s very dependent upon what you’re, what you’re coming into, right? You’re, you’re sort of, you know, you got two, two, two areas. Okay, so let’s pick three, three areas. 03:19:30 Okay, complete shit show. Yep. Things seem to be okay. All right, and they’ve already got a project
manager in place. Ah, okay, you know, one in two, I think you’re, you, you can be more successful as a seasoned IT leader, you know, sort of wearing that unicorn hat. You know, just be clear. 03:19:51 I do think
Unicorns exist. I just think they’re very hard to find, you know They’re very hard to find. They’re hard to identify You can put you know those things on paper of what they should, you know Have experience wise but it’s hard to quantify that and qualify that
When the hiring team itself doesn’t have that experience That’s another topic though. 03:20:10 Um, I think what if it’s a complete a show, right? You’re looking at a total shit show in first year, right? What you’re looking to do is you’re trying
To impact the culture in the most positive way in that first year Which is you know, you want to in? 03:20:22 Right size the governance or policy right red tape whatever you want to call it right to what you see. So Go down
One level. Okay, so I’m in my first year. All right, I’m say let’s say I’m seven months in. 03:20:37 Yep And it’s a shit show right what would I have done what would I ideally have done? What if I would have first,
you know, outside of the initial fact gathering, right, that first 90-day fact gathering that you’re doing, your interviews, right, all the prep work you do leading up to the job, right, Nate, that you so eloquently sort of, you know, call out in the book. 03:20:58 Um, you know, I think in that
seven-month mark, right? What I would be hoping to sit back, you know, over a glass of whiskey at home saying to myself, man, look at me, I did it, right, is that I got buy-in, I got collective buy-in
and I have, I have established the idea or the concept of a steering committee in some format and or I have at least check-ins that focus not only on what their needs are but where they’re headed. 03:21:23 What does the
Steering committee do? Well you know in a complete shit show it might just be to have a beer on a Friday like seriously just try to drive culture right I mean honest to goodness you know making friends in a complete shit show is probably one of your best you know strategies
Right make friends right across across the spectrum of that business right yeah I mean you know if they’re gonna be hiring to let’s say it’s a complete shit show and it’s an early stage company and they’re gonna bring on ten new people do your darndest to be on that hiring committee
You know help help affect change be involved Mike build that credibility right that’s that’s huge and you know some some of it could be quick wins too if you can find based on that fact finding quick wins shit show or not shit show determining and documenting IT standards are
huge, making sure that you know what people are using. Even in a well-oiled machinery company, I think often there’s a lot of, they’ve brought you in for a reason. A lot of times it’s to really set the course going forward. Most the time that’s identifying and starting to build a map, right?
03:22:27 So if you’re not documenting you’re not consistently documenting, right? You’re only screwing future you right? You’re only hurting future you and the future people you bring in so it’s scenario three where is already experienced program lead or project lead in place is your remit to
Get on board with everything that they’ve done accept it Hey, I think you should be allowed to challenge it I mean, it’s just specifically I mean Especially if it’s taking a long time to get things done and like I said depends on the situation. 03:22:57 Yeah You may be able to lend some
Some ways to make things move faster or even take more risk in some scenarios Yeah Some people have been in the industry for 30 years plus have come in they get a very set way to do it and it Might
Take way longer than it needs to take and build that friendship build a connection build trust So that when you walk in and you say hey We could kind of change us a little bit You’re already a couple beers in and you’re getting you might actually tell us some output there some results
You know I think one of the things that gets a lot of people in trouble is the human element right your ego gets in the way And so you walk into these these these roles these situations with
People and you you know You have this inner the inner it sort of wanting to say oh make yourself known make your presence, you know felt right You know my gentle recommendation here is don’t do that You have plenty of time to do that later on when when you really need something, right?
03:23:49 Spend those spend that for seven months right in that phase three right that you know There’s a program manager align with align with them. Ask them. What have they done? How did they get success? You know, what have they found to be challenging? 03:24:01 It’s a point. I mean that’s him In
All my years I’ve only ever walked in a situation where they’re with the company where they’re which happened one time where there was somebody who was I would consider an experienced program lead and this person was very open to not only sort of my way of thinking because we met pretty early on.
03:24:24 Do you want some more ice? Ah, I’m good, yeah, yeah. This person was very open to it, but also was like, you know what, honestly, I’ve been doing this for so long and I’ve only done it one way. Can you perhaps help me out? 03:24:38 Now, I actually told this person,
Said, actually, the way you’re doing it’s pretty awesome. Let’s do it. We ended up creating this sort of mixture of the two of us and then this person left. So I ended up turning the torch,
But I still to this day actually use a lot of their process or a lot of their ideas anyway. 03:25:00 All right, so year one, I think that if you can come out of the year, and this is my belief,
With basic principles in place, maybe like three or four actual policies that support your claim, a prioritization or at least like a team or at least a concept. 03:25:18 You communicated like we will all sit down at
the budget cycle together. We will all talk about the fact that you can’t all have a million dollar project, right? One of you gets it and here’s why. Yep. I think those are key elements for year one. 03:25:33 Yes, absolutely. You know,
I think one of the things that a lot of these organizations are missing, right, is you, right? They’re missing you, the IT leader that’s gonna join them, right? So they don’t know, they make assumptions based upon previous experiences, both good and bad, right, and they come to the
table with their own agendas. You need to come with yours, but remember, two ears, one mouth. Listen a little bit more those first seven months, because later on you’re gonna be able to use your mouth and other people start listening. That’s right. I also think that if they’re bringing you
in as an IT leader that they really do want to hear what you have to say. Yes, you’re, you’re, if you’ve made it through the interview process and you’re in there taking a leadership position. 03:26:10 You’re on the management team, that they’re gonna
Listen they want some respects. They may be like We’re gonna do what you want to do like you get it. You’re you’re here This is your responsibility you own this come back to us with the plan and
They can push back on it But ultimately there the decision is yours in a lot of these instance. 03:26:28 I think in smaller companies They’re they’re entrusting you with that capability and that talent to come in and and make those decisions. That’s why you’re there So I’m gonna
Then with that thought in mind Let me ask you this next question sure that I want you to answer the next question with that thought in mind Yeah, which is okay. 03:26:45 So now that you’ve said that When you walk in there and they’re saying no,
No you do what you’re gonna do like you’re the expert you do your thing And we’re all gonna sort of get on board with that How do you determine what level of governance is realistic? 03:26:58 What? What are all
The metrics you’re going to use what are all the points of data you’re going to use to determine okay for this company I’m going to do this Or for this company over here. I’m gonna do that. 03:27:11 Like what are
The things that you’re gonna do and how do you keep them? Like realistic and not aspirational But more importantly, and maybe this is a second question we can tackle in a minute, but eventually you’re either going to bomb as a company or you’ll succeed. 03:27:29 Sure. And
Is it going to be your legacy that’s going to carry you forward? And how do you make sure that what you do today is going to be in that legacy? But before we get to that, let’s enter the first question that says, okay, so you’re now sort of the top banana.
03:27:43 How are you going to come up with your ideas? What are you going to do? I think you’ve got to assess the overall IT spend. You’ve got to understand what that is. What’s your portfolio of systems and tools and processes? 03:27:54 What’s the
Org structure in the company? Who reports into who? Get to understand the connections within the company, sort of the social culture. Like Nathan said, you know, getting out and connecting and meeting people and building bridges and connections. 03:28:09 You’ve got to do that. But
in terms of the data, cyber security information, any assessment you can do around identity. And, again, assuming IT is part of your role, having that in place, assessing the IT standards and how decision-making process is happening for IT investments is important to know. 03:28:30 I’d say also just getting
partnered with a life-scientist organization, understanding any quality metrics that exist and how they work, what their expectations of IT are, whether it’s for audit needs, whether it’s for overarching risk management, understand if those policies and procedures already exist, make sure you have that library of policies that you’re getting from the company.
03:28:55 A lot of it is identify, data fact, understand if there’s any rules at anything at all. And it’s a big uphill effort if you don’t have those things, because not only do you need to help design those, you may be
Accountable to design them, you need others in the organization to review and buy into them as well. 03:29:19 So I think there’s artifacts you’re going to get your arms around, the data, typically IT, if there’s data governance or anything like that, kind of doing your own assessment, that has to happen right away.
03:29:31 And then you can go back and say, here’s what I think the top three priorities are. And they very well may be, great, this is why you’re here, thank you. Or it might be, look, we just had someone come in earlier,
We had a previous set of IT, this is what they did, how do you want to assess that, how do you want to move forward with that, we think this is good enough. 03:29:52 And going back and forth and having that dialogue. But to Nathan’s point, that first few weeks,
Months, building that rapport and relationship helps you to go and present those top three things and build that sort of trust with the management leadership team. 03:30:09 And if we could build on Mike’s points here, right, but not necessarily repeat, is that you build that wave of consensus, right?
By gathering the data, right? So they hired you for a reason, right? Your point’s perfect, right? 03:30:21 Like you don’t have imposter syndrome, right? You were brought in for a reason, right? She or he is there to do the leadership portion of technology management, right? Information technology management.
03:30:32 Get your head wrapped around security first and foremost. Get your head wrapped around your data, right? And then your people, right? Once you get those three sort of tenets in place and you said you have an understanding, now go ask questions. 03:30:44 Be inquisitive,
Right? Go gut check this. You may have collected data, but it doesn’t necessarily make it fact, right? Go see it. Go pressure test it. And then advocate. Advocate strongly for security. 03:30:57 One of the biggest pushbacks I see in our industry is that the anti to spending money on security. I can’t hear,
Advocate. Correct. To whom? To the broader business. Yeah, the broader, you know, in the roles that I’m serving in, it would be an executive leadership team. 03:31:13 Typically, there’s not a steering committee yet, I’m typically recommending a steering committee. There’s typically not enough
People for a steering committee. People are already… That’s a steering committee for… 03:31:21 Steering committee for decision making. Because there are those three tenets around project management. You have resource time and money, and you have a finite amount of all of those. Recognizing that the
Business has an agenda to develop a product that’s going to be delivered to market, hopefully, and that’s where they want to focus the money and the spend, both on the talent to make that product. 03:31:44 We need to advocate for
The business, and this is the position I have taken for years is that I’m advocating for IT, I’m advocating for us, the business, the whole business. That’s the key. I think that you mentioned the three key resources and the three key pillars of governance.
03:32:07 I think what we talked about was the idea that you have a pretty clean environment you’re walking into, but let me just twist that prior question. You walk in and, hey, Mike, Nathan, great to meet you, it’s so wonderful that you’re here. 03:32:28 Oh, my God,
We’ve heard so many great stories. By the way, our ERP implementation starts tomorrow. Now you have a single data point on which to build your governance. Do you at that moment, and again, let’s just pretend in whatever context you want about that company, everything you know
Up to that moment, do you at that moment try to implement governance, or do you go with that? 03:32:53 I would go with it. And then kick it down the road, governance a bit. Unless you feel like you have the ability to
Stop the project, if it’s not, it depends on the project, I guess. ERP, you might be able to push a little out, but it depends, you know, you’ve got to go public next month. 03:33:09 I don’t want to get overly semantic,
Let’s just say that it’s ERP and then you… I need it in because it’s four months before quarter close or that wouldn’t work actually. Well, I think it also is mathematically irrelevant. 03:33:22 It’s four months before year end close. There we
Go. Thank you. Right. There we go. Yeah. Yep. All right. So, you know, we’re, you know, yeah, the, I think you’re, you’re as, as somebody that tries to help nurture leaders, build leaders, right? 03:33:39 In some way,
Right. I don’t make waves those first few months, right? Human beings react in very specific ways and very, very sort of common ways, right? I am not a psychologist. I happen to be raised by one. 03:33:53 So that’s why I have all the problems I have.
But it has given me a little, right. And that’s given me a little bit of insight on, you know, the way that humans work. And I tell people pretty consistently, you’ll see on my LinkedIn profile and other things I’ve done is that I try to lead with a humanistic approach, right?
03:34:09 Because at the end of the day, I’m here to serve the, serve the purpose and intensive humans, right? I would not recommend creating a wave now I would advise them that this may not be the best time to do
this because you have other deficiencies that you weren’t aware of because you didn’t have me there. 03:34:23 Yeah, but it would be an advisement, not a full stop. Yep. Okay, I agree completely. Yeah, it’s, it’s, you don’t want to, like we were talking about the low-hanging fruit and building credibility. You don’t
want to, just my opinion, want to drop in new constructs and ideas if there’s priorities in the business that they’ve already decided need to be done. Now you can, as that implementation happens, you can start to instill those values and principles into that project. But it’s not
going to be, it may not be exactly what you do for the next project, right, but you can try to start to use that as an example to steer. One of the ways I would do this, a post-mortem. Yeah,
it’s, it’s an area where a lot of companies and new Co’s, right, are, they’re, they’re unaware, right? 03:35:20 Sorry, no, no, no, that was I want you to be right we left off it I found out to nationally called post-mortems
anymore. Oh. Yep. So I still call them post-mortems, but they’re technically called post project assessments or, or there’s all, there’s several terms with these. PPAs is what I was told to call them, post project. Yeah, because post-mortems has kind of a dark tone, kind of
a dark sort of morbid tone. Which is actually assumption the accurate for most projects. 03:35:50 It’s like what are the project went? Well, is it a post-mortem when I wrote this book in 2020? I was recently
told in somewhere in the last few months that it’s actually a no one would call post-mortems, Nate. They called post project assessments now. That person could have made that up, but we will call the post-mortems here. Yeah, post-mortems, man. 03:36:07 That’s what I remember
Thank you. So the topic great governance, right? If we’re coming in as leaders, which we are, and we’re expected to apply supply governance that’s effective across the business, both now and in the near term, one of the ways you can do it is by trickling it in.
03:36:26 It doesn’t have to be a deluge, right? So drop in the idea that at the end of this, you’d like to have a session where you both gather internal feedback, but also feedback from your external partners on
Things that you could do better, things that you could have improved upon in that nature, and then have a real, real conversation inside, professional of course, right? 03:36:49 That really takes an assessment of what was done, how it was done, and allow it to be, and this is one of the things I
Think I love most about working in life sciences is that you can always go back to a room of scientists or researchers and say, look, I’d like to use the scientific methodology around this. 03:37:04 And typically you get very little
Pushback from the leadership team because they are former scientists mostly. So that’s great. So, you walk into a company, hey Mike, nice to meet you Nathan, great, glad that you’re here. 03:37:17 I know you’re only nine days in,
we’re putting ERP in next week. Mike, you would just let them run with it. Let’s do it. So, would you then use a post-mortem later to retroactively sort of walk them through how project management would have made the project better? 03:37:37 Yeah, I think doing some sort of PPA,
no, just kidding, post-mortem to review the project. They’re actually called PPAs now, Mike. What do they call it? They’re called PPAs now. PPAs? Yeah. What did I say? 03:37:50 Post-mortem. Oh, post-mortems. They’re called PPAs. Just kidding, they’re post-mortems. Post-mortems. Yeah, I would use- Mike, you gotta
stay with it. I would use that project, that as an example like to, first of all, like we were saying, implement, trickle it in, but doing some sort of review afterwards would be very helpful, using that as- And then by the time you’re going to know who your friends are, right?
03:38:14 And friends is probably a strong word, right? You’re going to understand who your advocates are and within the business, and so you’re going to understand how to work and politicize the things that you need done, right? 03:38:24 And if the project goes great,
maybe you don’t need it yet. But you still- No, you still offer it. Yeah, you still offer it. Because that’s that first point where you’re bringing everybody together as a collective, and you’re saying, we need to make this a cultural change. 03:38:37 I’m saying that in that post-mortem,
you’re basically saying, wow, that went really well. Oh, I see. And I don’t need to drop all this stuff in, I can prioritize on something else. Well, okay. So, totally agree, and agree. 03:38:50 But I will say that
I have one more thought on this, which is post-mortems, that I think there are actually four areas that you cover. You cover what went well, and that can be a very long list. Oh my God, we were so great backslapping and toasting, and then what didn’t go well.
03:39:08 You had no project ever. Absolutely. It’s free of things that don’t go well. Well, I would have been okay if Mike hadn’t fucked up. Right? But post-mortems are finger free. That’s right, yes. So there’s no, What can we do better? 03:39:25 There’s no like, if Mike,
It would have been like, actually, I wish I would have worked harder with Mike to help Mike through his deficiencies on his project. I love that. Man, is that what that means when you hear that? 03:39:40 Yes. I take
It a step further, right? So two things I do want to work with. Sorry. No, no, go ahead. You’re the host. No, that’s okay. I’m just arrogant. No, I’m just kidding. No, before I forget, if I don’t say those two things, I’m going to forget them. 03:39:55 So there’s what went well,
What didn’t go well, what we’ll do better next time, what we’ll improve upon next time, and then C. I’m sorry. C, letter C? The letter C. That’s the fourth thing. It’s the letter C. 03:40:10 You just write it at the top
of the. Anyway, so the three things for Project Mortems are what we did well, what we did well, and what we’ll do again better in the future. Three things for a post-mortem, not four, I lied. 03:40:22 Go ahead. Well, I… Yeah, and apologies. I was
Just talking with you. No, yeah. So, I do a few things, you know, from a leadership standpoint, right, as it relates to, like, trying to impart, you know, this idea of process and rigor, right? 03:40:41 And it’s to, one, when I’m talking with people, right, departmentally speaking, when I’m speaking to
A department or speaking to, like, how something was done, what I’ll do is I’ll suggest what could have been done, not from an individualistic perspective, but more from a group sense, right? 03:40:55 It typically is poor process and planning leads to poor performance, right? And so, like,
If you do proper processing… Is that a background? From the military, yeah. So, if you do proper planning, right, you could potentially impact proper process, right? 03:41:10 You could also mess it up completely, right? Sure. Planning doesn’t necessarily mean that you don’t fubar the mission,
Right? Whoa. I like that. Yeah? Great. All right. So, that means fucked up beyond relief, right? 03:41:21 Got to be sure. Fubar. Fubar, baby. Yeah. Fubar AF. So, the… Where I try to recommend is, like, you know, let’s use… Poor Mike has been using an example. We’ll use Jerry. Jerry is
An example. So, Jerry, instead of saying, hey, Jerry, you really… 03:41:37 He’s used to it. You really screwed up that process. What I would say is, from my perspective, former, I’m sitting as a new member of this group, I’m seeing a lack of process, documented process, which could have potentially helped
A number of teams and groups here to deliver the product on time and on target, right? 03:41:54 Instead of, again, isolating, you know, another bit here is, you know, if you’re going to be doing that sort of feedback piece, right? If you do have individual things as a leader,
It’s upon you to bring that person to the side, not wait, but bring them to the side right away privately and say to them, hey, Jerry, this is what didn’t go right, you know? 03:42:11 And I typically… start the conversation saying, but, hey, how do you think that conversation went? Okay, here’s how
I saw this, right? And you sort of, you praise in public and you correct in private, right? 03:42:22 That’s a really important component there. So you don’t publicly belittle and shame? I mean, I thought that was, oh man. A SharePoint sign of mikestucks.com, you know, it’s not probably a believable idea.
03:42:34 I’m sorry. I think that part of the chapter about belittling and shaming. So I, and I want to make a note real quick. I looked up my policy, actually lied. It’s not four or three, it’s five things you have to do in a post-mortem. 03:42:48 They are Samsonite. I’ve
Missed opportunities, incorrect assumptions. I thought Mike could do this, but he’s in the little chair. That’s true. Things done right. Things done wrong. And the lessons learned. 03:43:10 So I, I’m sorry, I just spent a lot of time in the car today. It’s essentially five things, not four,
Not three, but five. And it’s important that if you’re going to be doing that, if you’re going to get the, you know, post project, you know, analysis together, right? 03:43:23 Is that what that is, PPA? I don’t know. The post-mortem. The post-mortem. Yeah, let’s just come with that. That’s easier.
Post-mortem analysis. And by the way, these don’t come because dark humor is a thing for us, right? 03:43:32 So like, you know, you need to collect this feedback widely, right? Do not limit yourself to just internal teams. Collect it widely
From everybody. Right. Distill it down, right? Give people good guardrails to work, work on. 03:43:46 Right. Yeah. And have it be open. Ideally, I mean, the project priority. That fucking word, strategic project, prioritization committee, the PPC would help with the PPA, right? To align the tease with the eyes.
03:44:09 No, I’m just kidding. I don’t know where it’s going. So the project prioritization committee would be the one that would conduct the post-mortem and that team would be the one that had all the members say,
All the members of the working team in that project in a room saying, OK, it was Mike’s fault. 03:44:27 But because Mike doesn’t just know what he’s doing. Exactly. It’s happened to luck. It’s so familiar for me. And for future projects, we probably should not have Mike on them. Yes,
That’s true. And then and then when they say, Mike, that was great. 03:44:40 Could you go down the hall for a minute and come back? Thanks so much. Thanks, Mike. We’ll see you in a few minutes. I’d like
To be on the next project team, but your job will be to sit over there. Yes, for the whole project. 03:44:53 OK, go find me a do you have any more docking stations? So, OK, one more question on this topic. I think we’ve kind of beaten this a little bit to
Death. Well, it’s actually not the last question. We’ll come back to governance in future episodes. 03:45:10 But for tonight. You just had to listen to a huge chapter and us talk about this, but I do have a question for these young
Gentlemen here. Looking ahead, okay, so Mike, put your Apple VR headset on. Looking ahead. 03:45:29 My Neuralink. Your Neuralink. Your quantum computing iPhone. How might emerging technologies and trends, and I don’t really know any big technology trends right now, but if there was one,
How might those technology trends impact the future direction of IT governance? 03:45:49 And what proactive steps can organizations or IT leaders take to harness these trends? And again, I don’t know of any trends. I don’t know if you know any trends going on right now, but like,
Could those trends impact governance and how might they impact governance? 03:46:05 And while you think about it, I will start. Go ahead. I do not think that AI… will have a big impact on the outcomes of governance could have a big impact on the creation of governance. And what I mean by that,
I think that I can go into my favorite, you know, GAI engine and type in, write me a project plan. 03:46:34 I have to have this project you’ve done in 90 days. Here’s the resources I have. Here’s how much time I
Have per week. And then it will write it for me. Okay. And it will probably be mostly accurate. 03:46:46 Yeah, I can probably use most of it and then go back to my team and say, Hey, look, I spent this all night writing this project plan.
And yeah, it took me all night. I haven’t slept like two days. That’s the creation of governance. 03:47:02 I spent all night writing this policy. And I think it’s the best for our organization. And then of course, you
Did GAI to write it for you, right? The creation of governance, but the outcome of governance. 03:47:13 Well, I created a policy, I created this awesome project plan, but then GAI has nothing to do with getting the people in the room,
Getting the vendor, doing the thing, connecting the thing, doing all the things to the outcome. 03:47:28 So where do you think, and I’m just using one particular little trend, but where do you think any of the technological trends are coming out today can impact? I don’t
Know if it’s an emerging trend, but I do think the abundance of cybersecurity incidents has refocused the need for risk governance, risk and compliance across organizations. 03:47:46 And they’re in the public eye, they’re in the consumer market, you know, they’re happening to family members,
You know, it’s all sorts of things, people being scammed. And it’s helped to refocus the spending on cybersecurity, but not just spend, I think, you know, get what is it, eight to 10% of your IT budget should be cybersecurity, it probably should be more. 03:48:11 Can I ask you a
Question? What percentage is your budget for cybersecurity? 10. 10? What about you? Well, reflecting on your last FTE role. Right, yeah. So yeah, my current roles are mostly working for large pharmaceutical companies and early startups. 03:48:29 Well, let me use both as
An example, right? I know that one of the large pharmaceutical companies I’m working with right now, their budget for this, and I don’t know how I came out of this, was pretty significant. 03:48:41 And I asked them, what is that
Of your overall percentage? And they said, well, it’s up 3% from last year. So their leadership is hearing them, right? I don’t want to give the total number out, but it’s higher than 10. 03:48:52 Yeah, it should be. I think it should be much higher than 10. Well, the costs are there,
Right? So it supports it. You have the data to support the need, right? For the early stage biotechs in life science companies, you know, 10 years ago was security, not cybersecurity. 03:49:09 It’s matured into cybersecurity, because the threats have matured. It’s now becoming not only okay, but expected that
You come in with a cybersecurity plan and approach. In my last budget, I think it was, I used a sort of decentralized model where I had nobody really on my team that was a cybersecurity expert, but I hired cybersecurity companies to help support me, and then I aligned them with
My various service providers and put together an incident response plan that included them. 03:49:39 That was about 8% of my budget. About 10%. I think that’s where AI comes in, is when you’re talking about fostering, if we’re talking about a cybersecurity security lens, fostering the change,
The governance culture, is that you can use AI, there’ll be a lot of bad things, but on the cybersecurity side, to be able to use AI to train people on what real bad looks like. 03:50:04 So that’s almost both. That’s almost both the input and the outcome, using it to create the
Training and then potentially having it do the training. But also be the person, be the hacker, be the social engineer, and those products are emerging already. 03:50:20 They’re pretty new, but to help people see how scary some of this stuff is, but also to be the person
Who is being the victim as well and show them how to react and put them through a situation. I think that will drive the learning piece, but the governance piece around policy and procedure governance and risk is just, it’s going to continue to escalate and in order to show that
You’re going to have to have some semblance of governance to be able to do that successfully. 03:50:52 Absolutely. Agreed. And I think, wow, in terms of governance, you can write out the process you want. There still requires a majority of human interaction to make a process occur, especially on the governance side.
03:51:08 And we talked about… sort of three big areas of governance, but if you just take governance at large, it’s still a very human, person-to-person sort of process kind of thing. It’s not really- You need constant engagement and buy-in, right? 03:51:21 So you can
Write a very tight policy. You can even train a very tight policy, right? But if you’re not consistently engaging them, right, the companies, so one of the trends that I’m seeing is a positive in the governance and sort of cybersecurity, security in general, right? 03:51:34 Or maturity,
Let’s call it a maturity that we’re seeing in an industry, and clearly from my perspective is that I’m now seeing conversations had with COOs, CEOs, right? Where they hear what we’re saying, right? 03:51:47 Around security and the
needs. Before, it was a line item on a budget: okay, can you get that down 10%? Not realizing they’re cutting the nose to spite their face yet. We said that for years, right? There have been so many incidents that have led to large financial payouts from the insurance companies,
which, that’s the trend, I think. You see Chubb and the others, their rates have gone through the roof. 03:52:06 Yes. Why? Because the payouts, right? So now they’re hearing us. I think we’ve been saying it, but that’s the
trend I think is now sort of emerging, is that they’re, they’re listening now. So, you know, you need to take that power you’re being given and use it for good. That’s a… Nate, Nate had mentioned in a previous chapter just tying those cybersecurity incidents to your, your
crucial assets, to the things that, you go and you interview the business, you ask, what, what would happen if we lost X? What would happen if we lost Y? And having those discussions immediately raises, takes it away from an IT problem and makes it a business. Not to derail the conversation, Mike,
but I, in Nate here. But I think one of the areas where I think, if in my first seven months and I’m looking at that shit show, the sort of, the medium in the good company, one of the things I’m
absolutely doing other than a pen test, absolutely doing, as I’m homing a company-wide cybersecurity training event where I tell them and explain to them, yeah, how this can really impact their
business. And you have it every year, so that, and I typically hold it in Q3. Why do I hold it in Q3? 03:53:04 So when I’m sitting in front of you in Q4 saying I need this number. It’s, it’s, it’s front of mind. Yeah, right, great timing to, yeah,
do it right before budget season. Yeah. Yeah, I mean, we’re… God, it’s such a big chapter and there’s so much about governance that needs to be unpacked, and we’re really only scratching the surface. I mean, I skipped over a bunch of stuff. But when you, when you go back to your
organizations, and actually I’ll post all the questions that we’re, I had sort of put down for tonight in the, in the podcast notes, but when you go back to your organizations and you go back to your, your IT function, you think about governance sort of writ large. Think about all the
Ways not only today, but in the future and as far as you can see we’re using of governance, change management of governance, how you’re going to sort of get the business to buy into governance is all going to be impacted by what’s sort of happening and coming. 03:54:04 I mean just,
I mean I started at Exilio in September of 2022 and I came in with a relatively sort of current project methodology and governance methodology that I’ve used. My security stack, my compliance stack, everything, but it’s only a year and a half later and it’s mostly outdated.
03:54:30 I would change a lot of it if I could right now, but most certainly will as the months and years come forward. As I have opportunities to change my model, I will because I see inconsistencies now. I see ways that I could skip over sort of hurdles
Because you have to not only build governance, but you have to go back and investigate it. 03:54:53 And you have to rip it apart, to tear it down, you have to investigate sort of why you thought the way you did when
You made this, and then find ways to improve it. One of the questions I really like Nate, if I can get a second, is question number seven that you proposed to us, right? 03:55:07 Which is what tools or techniques could help analyze past data growth to inform governance needs,
Typically in the data management governance areas, right? That’s an area where I think there’s sort of a gap in a lot of our technologists’ leaders, right? 03:55:21 It’s these are products that a lot of them don’t have the budget or exposure to, and it’s an area where that can
Help you in that first seven months, eight months, really help identify things you weren’t aware of, because there’s nothing worse than the unknown unknowns, right, you know? 03:55:38 So it’s just one of those questions that really, like I was like, ooh, that’s a good one. I like that
One. It’s a big one, too, because we all have our favorites. Yeah. Do you want to call anybody out? 03:55:49 Well, I’d come up with a list of a few here, right, that I thought might sort of fall into- I’ll get my air horn ready. So there’s, here are my eyes, old,
old man over here. Ataccama ONE is one. Collibra, data governance, and then- Oh, I love that one. 03:56:08 I’ve used them before. Data governance. That is, and I made it number two only, because I figured if I
Said it number one, it would be like fanboy. Yeah, I’m a fanboy. And then IBM has a really good data governance service as well, which is- Probably not the right audience for IBM, right? 03:56:25 But that’s an area where- Oh, my watch is. Oh,
There you go. There you go. Well, this is an area where I think it’s, again, it’s, you know, if you don’t have exposure, you’re not sure how to lead. You know, you’re not gonna lead. 03:56:36 And it’s hard to make good decisions without a-
I’m sorry, I’m busting a ball. No, no, yeah. IBM, I mean, we, there’s an enamorment that we have, sort of this idea that good project management tools, good project, they can only be current. 03:56:52 Like there’s only- The newest new can
be the things that brings us to the promised land. You know, the Notions and the Asanas, it’s there in the right each other, but in fact, why wouldn’t we look to what we already know, like, has been tried
and true? And some of us, and I’m guilty of this, or like, oh, tried and true, but new and shiny and touchy things over here. Get that shit over there. It’s a cute logo. I think you bring it up, Collibra brings
a whole other… won’t go down the rabbit hole. But one thing that at some point we should definitely talk about is the idea of data governance. Yes, and the implementation of data governance. 03:57:39 It’s, I think it’s a
very challenging thing. We are, oh great, because let’s talk about it then. But I think that is, that is one that now more than ever, whether it’s cybersecurity or it’s IT governance or it’s automation or it’s AI, you gotta have data governance before you can do any of those things.
03:57:59 This feels like one of those pivot things that sort of becomes a central focal point. For each other, 2.0. Exactly, yep, yep, absolutely. And if you don’t have it, it’s gonna be really hard to get there. 03:58:08 Yes. Season two,
Episode nine. Oh gosh. We got a long way to go before we get, it’ll be called something else by then. Bookmark this. They’re gonna wheel mate and Mike into the barn and be like, here you go. 03:58:23 Mike will be in his little chair.
Data governance, oh crap, I gotta piss again. We don’t have to wait all the way. We can talk about data governance because you know what, you know who loves data governance more than anybody? 03:58:39 This guy. Yes. I fucking love data governance. I love talking about data governance. I love data architectures,
Unstructured data, structured data, metadata. All the data, AF. I feel like that is a… 03:58:52 We should have a podcast in just on data. I feel like there’s so many large consultancies that do data governance as part
Of their portfolio, their service catalog. There needs to be a company where that’s all they do. 03:59:06 Dude, we talked about this. Just data governance, because it’s that important. Like, do one thing really well. What was that? Have a repeatable model that you can… Ray Wang’s report on… Yeah, the democratization of data.
03:59:20 The democratization of data. Yeah, yeah. And the data company that’s coming? It’s just… I cannot wait. Just get that right, because that’s a huge influence. You need to influence, you need to be able to build a cross-functional team. 03:59:33 You need to be able to agree on
Every data type, I mean, in the data dictionary, and just data catalog. I’m working with a company right now where I can see the infighting. Right, within trying to let all this out. 03:59:43 It’s a huge debate. So
Bio-IT World, April 16th and 17th, we’re gonna do this. We should. Data, then, and then we’ll do it again. Season two, episode nine, which will be about October. But it’s challenging. 03:59:56 We’re going to get to it because
It’s awesome. That’s multiple episodes. It’s like a podcast season. Proms are good to have. Yes. Proms are good to have. They’re fun to discuss, too. All right. So listen, that was awesome. 04:00:12 Thank you so much. Literally,
I could talk about governance for a while, actually, and there’s a lot of questions we didn’t answer. And I apologize. There’s a couple other things that happened in the news recently, though. 04:00:24 And I just kind of want to jump
to those real quick. Sure. OK. Sorry, I’m just making a note here before I forget. So there’s a group called AlgorithmWatch. And another group called AI Forensics. Okay, and these two groups are the first to request data under this newly formed EU Digital Services Act, or the DSA. 04:01:02 Hmm. Now, we’re
in North America. How does this impact us? Well, you know, we’re seeing a lot of states put in Consumer Privacy Act statutes. There’s six already in place that are active. There’s multiple more sort of sitting in the wings waiting to come out, CCPA sort of being the,
the bulwark for United States, but this new DSA, DSA is like taking GDPR to another level. 04:01:28 So if you’re familiar with GDPR, you understand the idea of sort of personal privacy rights in terms of non-American data. Well, the DSA is designed to give citizens new powers to their rights online. There’s
a, actually, a creation of a new thing called the Digital Services Coordinator in every EU member state. So every single EU member state has to have a DSC in place. Now, how is this important? 04:01:56 Well, here’s what AlgorithmWatch found. A Dutch teenager that AlgorithmWatch talked to built an Instagram presence
that brought her over 20,000 followers over two years. Then overnight, it was gone. She had become victim to malicious reporting of her account for the sixth time in a row. Many content creators, especially women, are readily reported to Meta, either by criminals who want to take over accounts
or by online trolls. In theory, with the DSA, they now have a powerful tool to protect their rights, but it may fall short. Now, what I want you to do is, as a, as a viewer of the show, 04:02:41 I want you to go read
about the DSA. I want you to read about the DSC and the rights that they’ve been given, especially as it relates to Meta. There’s some disturbing news out there. And again, the reason I bring
This up is because this DSC, and again, I said every EU member as of, what’s it say, the 21st? 04:03:05 Yeah. As of four days ago, every EU member state had to have an appointed digital services coordinator. And
This individual has a wide range of powers. This essentially can not only complain about users, any user in their country, but also hear complaints about users. 04:03:30 These are called out-of-court settlement bodies, which means they require no court jurisdiction to settle disputes made. For instance,
If Nathan does not like what I am posting on X, he can make a claim and have me taken down. 04:03:45 OK. It’s supposed to be a straightforward independent body. But as it turns out, it’s becoming quite corrupt. So read
About the DSA and the DSC. I’m actually not going to read this whole article just in terms of time. 04:03:59 But inform yourself about this new DSA and DSC process for all EU member states. And so I did have one other interesting
Article I found. By the way, I did find out that the .af domain, ai.af is not available. 04:04:20 Apparently, the French have not been paying their .af payments, which is the broker for .af outside of Afghanistan. So I even wanted to register ai.af. I couldn’t anyway. It’s a
Bummer. It’s apparently worth a lot of money anyway because it’s a two-digit domain. 04:04:37 So the other article I found that I thought was interesting was that OpenAI, Meta, and other tech giants, and this is from Reuters, OpenAI, Meta, and other tech giants signed effort. So they signed a document,
Which we all know, like works wonders, to fight AI election interference. 04:04:55 So Fox in the Fox House or HEN in the HEN House or whatever. A group of 20 tech companies announced on Friday, this is last Friday, that they have agreed to work together to prevent deceptive artificial
Intelligence content from interfering with elections across the globe this year. 04:05:18 So you see how this is going to go, right? They’re going to try. They signed a document. It’s a pledge. It’s a pledge. It’s a pledge. I pledged to raise $5 for Mike’s 5K. It’s like the Amber Heard argument, right?
04:05:33 You pledged. You didn’t donate. You pledged. The rapid growth of generative and artificial intelligence. This is, again, Reuters. So Reuters has to dumb it down, by the way. If you’ve never read Reuters articles, they sort of bring it down into the lowest common denominator. 04:05:49 The rapid growth of
generative artificial intelligence, also known as GAI, who would have known, which can create text, images, and video in seconds, mind you. Did you know that, Mike? I heard about this. 04:06:05 I heard about this somewhere. Has heightened fears, okay, that the new technology could be used to sway
Major elections this year, as more than half of the world’s population is set to head to polls. 04:06:19 That’s a big, actually, number. That’s not them, that’s me that said that. Signatories of the tech accord, tech accord, which
Actually is, should be tech, I don’t know, which was tech accord. What the fuck is a tech accord? 04:06:40 It sounds good. That’s a t-shirt right there. Yep. Tech accord. Is that what you said, tech accord? Yes. So,
Signatories of the tech accord. What the fuck is a tech accord? That’s a shirt. That’s a t-shirt. 04:06:54 Tech accord. Signatories of the tech accord. Sounds like a Star Wars thing. Oh no, it’s the tech accord.
It’s a four-legged tech accord. T-E-K-A-K-O-R-D, tech accord. That’s more like Minecraft. 04:07:11 It’s a Minecraft tech accord. So, signatories of the tech accord, which was announced at the Munich Security Conference.
That’s in Germany. You know, gotta be serious. Munich’s in Germany, right? I think so, yeah. 04:07:30 Just kidding. Just testing your geographies. Let me Google that. Hold on. Include companies that are building generative AI models used to create content, including OpenAI, Microsoft,
And Adobe. Other signatories of the tech accord include social media platforms that will face the challenges of keeping harmful content off their sites, including Meta, TikTok, and X. 04:08:08 X is here, alright. So, so far that’s six companies. That’s six. They count six? So we have… Is Google on there? Is the Alphabet
Not there? OpenAI and Microsoft and Adobe. It’s gonna say Alphabet, yeah. 04:08:26 Meta, TikTok, and X. Okay, so we’re getting there. Hold on, there’s a whole bunch of ads. Okay, there we go. Where’s your Brave browser, Nate? Come on.
I’m using Chrome. X. AF. The agreement includes commitments to collaborate on developing tools for detecting misleading AI-generated images, video, and audio, creating public awareness campaigns, to educate voters on deceptive content and taking action on such content on their services. 04:08:55 So this is all going
To work because, you know, technology to identify AI-generated content or certify its origin could include, and this is underlined because it links to more clickbait, watermarking or embedding metadata the companies said or they signed in their tech accord. 04:09:17 The accord, the accord, the tech accord,
Did not specify a timeline for meeting the commitments or in any way how each company would implement them. So they just signed the tech accord. I feel like I’ve heard this before. 04:09:36 I think, no, you’ve never,
no one, they’ve, no one’s ever done this before. No one’s ever signed a tech accord before. I think the utility of this accord is the breadth of the companies signing up to it, said Nick Clegg, 04:09:49 president of global
affairs at Meta Platforms. We should get Nick Clegg on the podcast and find out what he does for his job. Google is on there, it’s all good, and Snap. I don’t think Reuters likes Google, though. It’s all good and well if individual platforms develop new policies of detection,
provenance, labeling, watermarking and so on, but unless there is a wider commitment to do so in a shared interoperable way, we’re going to be stuck with a hodgepodge of different commitments, Clegg said, after using his generative AI to generate that statement. Generative AI is already being used to
influence politics and even convince people not to vote. This is where the FUD part of Reuters article comes in. I love their FUD parts because they usually take a couple paragraphs and just FUD the FUD out of them. In January, a robocall using fake audio of US President Joe Biden circulating in New
Hampshire voters urging them to stay home during the state’s presidential election, presidential primary election. Oh my God, I’m not even going to edit that out, that’s gold right there. Despite the popularity of text generation tools like OpenAI’s ChatGPT, their third mention in the
article so far, or the ad, the article, sorry, the tech companies will focus on preventing harmful effects of AI photos, and how do you, so how do you prevent the harmful effect of an AI photo? 04:11:21 Mike? Watermarking.
Watermarking? You put your watermark on it and it prevents the harmful effect. So if I see, oh, that can’t be real, I’m like, oh, it’s a watermark on it, I’m cool. My brain will just clear that out of my head. That’s right. No, uh, partly because people tend to have
more skepticism with text, said Dana Rao, Adobe’s chief trust officer, an interview. 04:11:51 So again I’ll just kind of rephrase that. The tech companies will focus on preventing harmful effects of AI photos, videos, and audio partly because people tend to have more skepticism with text. So basically text dumb, pictures good,
And therefore if I see a picture I’m gonna vote for somebody versus something that they write. 04:12:21 It says Dana Rao, Adobe’s chief trust officer, an interview. Hmm. And then it finishes up by saying there’s an emotional connection to audio,
Video, and images. He said your brain is wired to believe that kind of media. 04:12:41 So zero substantiation. There’s no references to the study. There’s no references to Data to support these claims, you know, it’s a Reuters article, so they don’t do that. But essentially,
The final statement is that your brain is wired to believe that kind of media. 04:13:00 So there we go. Great. Did you know that every time you see a picture, you immediately connect it with reality, but when you read text, you’re like, fuck that, that’s not true. I didn’t know that. Yeah.
04:13:13 And that’s, that’s sort of ridiculous. That’s why I wrote my book in text, because I wanted people to be like, I don’t know. It was written down in a book is written down in a book can’t be true. If only he
Had put it in a picture, a single picture of like a dog taking a dump in the lawn. 04:13:33 I would have believed his book. And how many people like these books or text, even if they have sources in them,
Who’s going to click on them? I don’t know. That’s the next AI, you know, the misinformation, AI is they’ll put sources in where you can click on them and they’ll go nowhere. 04:13:49 You know,
Well, by the way, there is so much noise, too. So people, I think, you know, at some point, people, even already, people don’t know what to believe. So add more noise to the to the world. And even
If it’s fake from AI and I’m not sure they’re looking for they’re looking for to sell ads. 04:14:09 Right. Every one of these companies. Right. So they’re going to do whatever they can to put a snippet of in the news media that says, hey,
Look, we’ve done something to affect change when not affecting any change through any real policy. 04:14:20 They can’t control it. ChatGPT, words, words, words, words, words, ChatGPT, words, words, words, words, ChatGPT, some more words, ChatGPT. Yep. And I’ll get a click. I’m getting a click. ChatGPT.
04:14:34 All right. So the A.I. Election Accord website has all of the seven principles. Read to me. All right. Provenance detection. So I like provenance. Attaching provenance signals to identify the origin 04:14:49 of content where appropriate and technically feasible. What does that mean? It’s trying to hunt down the source
Of the origin of content. Who is? This accord, the services. The tech accord? Yeah, the tech accord. 04:15:03 The tech accord. Probably the company that’s trying to adhere to these rules. AilerbyTechAccord.com. And then detection, attempting to detect deceptive AI election content or authenticated content,
Including with methods such as reading provenance signals across platforms. 04:15:24 That’s interesting. Let’s see, evaluation. Undertaking collective efforts to evaluate and learn from the experiences and outcomes of dealing with deceptive AI election content. That does sound like it was produced by AI. 04:15:38 All of these boxes,
What do you think? Oh, techaccord.com is not available. Oh. What the hell? What the hell is on this site? Oh, and resilience. A new website isn’t the worst. Supporting efforts to develop and make available defensive tools and resources, such as AI literacy and other public programs.
04:15:59 Wait, wait, say that one more time. So resilience is the box, the foundational box in the bottom of the diagram. It says resilience, supporting efforts to develop and make available defensive tools and resources, such as AI literacy and other public programs, AI solutions, including open source tools where appropriate,
Or contextual features to help protect public debate, defend the integrity of the democratic process, and build whole of society resilience against the use of deceptive AI election content. 04:16:29 You know how that was written by a generative AI bot, because it’s- Commas. That makes no fucking sense. It’s a bunch of words. Oh,
This is great. I wonder if this site was created by AI. Let’s look at the source. 04:16:43 But if they had followed their own tech accord, they would have watermarked the site with- So is this deceptive use of AI for election,
That there’s an AI elections accord? It’s very meta. Yeah, it’s very meta, right? 04:16:59 It’s very meta. Like maybe this is bad for elections. Just by the way, just by looking at that, you’ve now entered
My IP address from my house into the registry for people that want to be deceived in the election. 04:17:12 Okay, perfect. We’ll see how you hold up. See, you’ve opted in. So what’s going to happen is I’m going to be watching TV. Random pictures might be
Flashed like every 25th frame. I’m like, why do I all of a sudden want to vote for that candidate? 04:17:26 There’s a webcast. There’s a webcast. Look at this. I wonder what this is. Look at them, I’ll sit around the table. I can’t even
turn it up. Yeah, they’re all there. They’re all pledging. But they’re all there to sign something? 04:17:46 Hey, can you hear me that link? I’m gonna put it in the podcast. Yes, we want you to see the live tech accord signing. Yep.
Which is being held in this, like, ostentatious room with a chandelier, like it. On the fourth floor at the MGM Grand. Right as you went across in the keno slots. So, what does that put our WALL-E status level at, Michael? We still have five. Five, all right, we’re still at five. Yep,
There’s hope, because 20 companies have signed the tech accord, and apparently it’s a tech accord comm website, which is being developed. More on that, we’ll find out what’s going on there. Signed to buy pretty much every big... Hold on. Let’s look at some of these companies. Adobe,
Amazon, tropic, Arm. Well, so, but 11... Microsoft open owns OpenAI. Microsoft owns LinkedIn. 04:18:45 Yep. Well, it’s on this list is Microsoft own. Well, well, I don’t think Amazon owns AWS, which owns Anthropic. Yep. 11 labs is the vocal, the voice, the voice AI. Meta’s in there. Trend Micro, didn’t he go insane?
04:19:07 Yeah, that’s a great documentary. Have you seen that? Frickin great. This list of companies, like, half of them are irrelevant and the other half are owned by somebody else on the list. So no, this is gonna go really well. 04:19:19 I suspect this elections process is gonna be, like,
so clean, and no one’s gonna cite interference. I promise you. No one will put a flag up like the guy down the street that says it was stolen by a certain so-and-so. You heard it here first. 04:19:33 Yeah, here first, this year, clean
elections. Thank you, Meta. Yep. Adobe, with your 642 products that all do the same thing. All right, so... So we’re at level 5 for Bali status. That’s fantastic. I love it. I don’t have to go down
to the bunker yet. This was the longest podcast that we have done to date, by a lot of minutes, like 15 minutes or something. Unreal. So cheers, cheers to us. Relaxing times. So thanks to Nathan. 04:20:34 We’re coming on. Thank
you. Hopefully people still talk to you after this. We’ll see. Anyway, so it doesn’t matter. Next week, employee lifecycle and employee experience. We’re gonna tear this mother down. It’s gonna be a good one. In fact, I think it might even be better than this one. I’m thinking it’s gonna be the
bee’s knees, the cat’s pajamas, seven out of seven bananas. Seven out of seven bananas. Six stars. 04:21:12 The reason I’m so excited about this, and I didn’t say this before, but I did kind of mention the
digital concierge idea. Yeah. But I want to dive into that. Let’s do it. Can you imagine? Well, I don’t ever used a concierge for their special abilities at a hotel before. Mm-hmm. You know, like getting methamphetamines or something. Yeah, all the time. You’re definitely seeing
it better hotels than us. Are the people that know everything about everything? 04:21:49 Yeah. And like a? What’s going down? Where to go? Like, did you ever see The Lincoln Lawyer? Oh, yeah. I haven’t seen it. You haven’t seen The Lincoln Lawyer? No, I haven’t. It’s really good. Oh, watch.
04:22:01 I should watch that. Trying to think of a, what’s another show that has, like, a kick-ass supporting role? The Cleaner with, no, no, not The Cleaner. The, what’s the one with George Clooney, where he’s the lawyer, cleaner guy? 04:22:13 Oh, yeah, Michael Clayton.
Michael Clayton? Yeah. Or Winston and Wolf? Yeah. These are the people that, like, they’re on the inside track. You’re like, hey, I got, Nathan, I got a problem. I need you to fix it. 04:22:25 Nathan’s like, no problem. I’ll go fix it. And it
comes back and it’s the fixer. The fixer, but the digital concierge version of the fixer. Like, hey, I need a laptop. And you’re like, there you go. Or meet me at the back of my trunk in three hours. 04:22:42 I’ll take care of
you. That’s kind of like a digital concierge. That’s what I’m talking about. So next week, we’re talking about digital concierge. Let’s do it. I like that. I got some more ideas. I’m just sort of, I’m still flushing it out right now. 04:22:51 They’re coming out. Coming
out right now. Sort of riffing on it. So as I said, very, really long time ago in this episode, hours ago, if I could give you all the stars, I would give you all the stars. 04:23:08 And I know that sounds actually
like a, like an early 2000s movie between star-crossed lovers or something. But if I could give you all the stars, Mike, I’d give you all the stars. I mean, Nathan, you get all the stars. 04:23:21 My listeners and viewers,
you get all the stars. So if you could please just give us back like some of those stars, like five of them on all the podcasts and things, that’d be awesome. Because we can’t, well, we can’t get better until we get more stars. 04:23:37 I mean, we’re just
going to keep being like a flat line. Stars makes us go like this, like up to. Two stars up. No, to the stars. Oh, to the stars. Fuck. Like, I see that one. Slow pitch. To two stars up, man. Two stars up. So in
our show links, we have, in our show we have links. We have links to buy us a beer, which actually goes directly to buying us beer, and buy Mike a taller chair. Yes, my asses. We have, so sorry, right now
to our merchandise store. Oh, the CO IT dot my spread shop dot com. Now I know why they didn’t want that domain name. I misspelled it. We have a new, we haven’t, we have an instant post coming out
tomorrow, and I know I have to say that because... Kind of dumb, like, they should be coming out, like, I guess every five minutes if I was really doing this right. But my daughter’s handling it. 04:24:50 She’s an Instagram
savant. She’s got the whole thing covered. All kinds of funny stuff coming out. Don’t be a dick, especially to people in IT. They work very hard. They do make pretty decent money, but they’re generally underappreciated and all the problems the world following them.
04:25:10 They can work great 354 days a year, screw up one time, and then their whole year is over. So don’t be a dick. Be nice to IT. Be cool to IT, actually, and it will get paid back in spades. I people love cool people call friends of IT. Be cool to IT.
04:25:26 We’ll come back to you. Bark less, wag more. Above all else, for human beings, remember that, for human beings. And we only have a very limited time. Yeah. So make a positive impact. Thank you, Nathan, for coming in. 04:25:44 Yeah, it’s
great to meet you for the first time. Yeah. Yeah, and everyone hang in there. It’s gonna be an excellent week next week and we’re up. Why? Because it’s just gonna be a great week. Oh, I love that. I feel like it’s gonna be warmer. The day seemed to be getting longer.
04:26:00 I drove over here and the sun was still up. It was great. So excited to be here again next week, and we’re gonna talk about employee experience and we’re gonna do some fun stuff. I am looking forward
to crashing the bio IT world and ending up on a, on the street on the fold-up table. 04:26:16 I think it would be more fun if you were, like, kicked out. That’s what I mean, set up shop. I, I sort of envisioning this, like, who the hell are you
guys, get out of here? We’re like, we’re caucus of IT, like, we’re, this is what, this is our thing, what we do. And they’re like, well, where’s your media pass? And I just pull out, like, a laminated card. 04:26:35 I made up
my house. Like, right here. Medium once I’d pass on the other. It says, like, PAX East 2014 on the back. It’s right here in media. Right here. I got it. Get out one of our old conference badges. 04:26:55 Take them all out of
your shirt. Put like 50 of them on. It’s got to be in here somewhere. That’s what we should do. See if we can find any of our old… Just wear all of them. I have lashes by OIT Worldcast. 04:27:05 Just wear it in. No one will
notice. They’re not going to notice. This is for life. Okay, we’re in so much trouble. Thank you everyone. You guys are the best. Thanks for watching. You know, you are the best. 04:27:19 No, you’re the best. You’re the best. You’re the best. You’re the best. You’re the best. Peace. Peace. That’s what the
L-E-G would say. Hey, when did we get to chance music? I thought you were working on some stuff. 04:27:30 I’m working on some stuff. Outro tunes. It’s not ready yet. I just put together a huge… If I play anything,
it’s going to cancel. It is. It is. It is. The drum machine appears. We could just do an outro… 04:27:45 It’s a whole separate podcast. I think we just do a big online trance, like six hours. Just blast it all through. Just
start off, and we really suck in the beginning. Then as the hours go on, we slowly get better. 04:27:57 All the beats are off. It’s like, it’s all screwed up. Like 12 hours later, by the very end, we managed to compose
one beat. We just put it on a loop. Such a fat loop. Oh, listen to the synth sample we made. 04:28:19 It took four hours. Doo, doo, doo, doo, doo, doo, doo, doo, doo, doo, doo, doo, doo, doo, doo, doo, doo, doo. OK, I’m
OK. I just swallowed the plate. All right. Goodness. That was awesome. That wasn’t good. 04:28:34 That was? Yeah. That was really long. Holy shit. You could cut that down. Ah, I’m still 40 and a half hours. My ass is so stupid.
My ass is so stupid. This is an accident. This is an accident. This is an accident. 04:29:05 This is an accident. This is an accident. This is an accident.