Having pondered this question over and over again for the last year, the CIO says that it looks like they have three options if they want to include technology as part of their strategy to make the next few board meetings less conflicted.
Option 1 - Private Cloud
This option could also be called the "I want my cake and I'll eat it too" option. This approach asks the CIO to take the best of Public Cloud (see Option 3) in terms of automation, scalability, self-service management, unified-support, and OPEX-centric - and marry it with a desire to maintain strong control over the data and security for compliance, legal or "I'm just not sure about those outside groups..." reasons.
Private Cloud means that the business maintains control. Control of their data, control of their operational model and control over the pace of adoption. The faster they drive the pace, the faster they can begin to leverage the technology for greater cost savings or operational flexibility.
Private Cloud requires some organizational changes, since the technologies are blurring the existing silos within the IT organization - or at least a new level of collaboration between the organizations that currently have the skill-sets in each domain. Private Cloud requires a change in the mindset about how to run IT operations - it must be focused on automation, virtualization, mobility and flexibility. It must focus on pools of resources. At first blush, IT operations groups often view this as codewords for "eventually get rid of the IT people". The reality is this probably isn't happening (unless you're a person that doesn't keep their skills updated), because the growth of data and the demands for new IT services continue to outstrip existing IT resources. Making them more available and flexible to the business-units or end-users (via automation, virtualization and standardization) means those people will continue to be in heavy demand. They might be managing 2x, 3x or 5x the amount of resources as before, but they aren't going away.
Private Cloud is dependent on the vendors and IT operators figuring out "massive automation". If there is one major area of risk for Private Cloud it's the chance that vendors and operators don't get that right. That they just build boxes or software that only fit into silos of manual processes. If that happens, everybody loses. The good news is that frameworks/frameworks/frameworks for automation are being defined by broad groups of developers and moving to available products/tools at a very rapid pace.
The Private Cloud option introduces some change, which means a level of risk. The trade-off, if done properly, is a new operational model that provides the best of both worlds - reduced costs and greater efficiency. And if it's built on open-standards and frameworks, it also has the potential benefit of interaction with the Public Cloud when applicable.
Option 2 - Incremental Change (or Business As Usual)
While people generally don't enjoy change all that much, Moore's Law means that living with change is a regular part of being in the IT industry. Many companies do nothing more than just ride the wave of Moore's Law and update their environments every 3-5 years, picking up incremental change with each refresh cycle. On the surface incremental change is easy, it doesn't disrupt existing process. It doesn't disrupt existing organizational structure. It's the "not broke so don't fix it" mindset.
Incremental Change involves the least amount of risk as it allows the IT organization to spread the early adopter challenges to 100s or 1000s of other companies before they jump in. It also allows consulting organizations to come in with their blueprints, built on the backs of other customers, and implement the incremental changes at a pace that fits their models. In slow moving industries, where globalization or competition isn't a major factor and IT just provides computing services, incremental change is an excellent option because it provides controlled levels of change for both the technology and people involved. It's driven by consulting engagements which allow IT organizations to defer some of the risk outside of their direct control.
But after a while, Incremental Change can lead to problems. In most cases, it leads to IT sprawl and IT silos, the same problems that lead to the Cloud Computing movement in the first place. At some point the data centers run out of space or capacity to power/cool all the devices. The IT operators never get encouraged/forced to learn skills across boundaries and they can't truly take advantage of the advancements from the Incremental Change. The consultants might understand it, but do they actually transfer the knowledge the operations groups (or just outsource them)?
Option 3 - The Public Cloud
Just like the Manufacturing group did in the 80s / 90s and the Operations group did in the 00s, the IT organization now has a legitimate option to "cloud-source" their technology operations. The Internet has so radically changed the world that one option is to look at a radically different approach to how to deal with the IT needs of the business. Just as Asian manufacturers dramatically reduced the costs of making physical goods, "cloud computing" from public service providers is now available for a fraction of the cost of trying to manage the IT operations ourselves. That is potentially radical cost shifting (and cost savings). But this new paradigm comes with changes:
- While they could just move existing applications onto somebody else's computing resources, this doesn't lead to radical cost changes. The computing resource (rented) might be less expensive, but it would still require people to administer the application. They would need to target a new set of applications that are written to take advantage of the scale of cloud-computing. These new applications might just be that innovation spark that the board has been asking the CEO to drive within the company!
- They are going to need to invest in a different type of developer group that can take advantage of the underlying systems available in these public clouds.
- Since their data will now reside outside their company's facilities, they will have to look at risk (loss of data, system downtime, system security) and compliance differently. This may be a good thing, or it might add more complexity to the move.