December 18, 2023 • 24 mins
This time my guest is Mark Nicholls. He is CEO of the Information Professionals Group , who help businesses to leverage digital technology to achieve their business objectives. We had an excellent chat about all of the IT good practices that still need to be done to ensure that good clean data can drive our business processes.
A bit about Mark:
“With experience across almost every industry, Mark Nicholls brings more than 30 years of accumulated knowledge to each and every project, leading technology transformation within organisations across Australia. A member of the Australian Information Industry Association Board, Mark is at the forefront of technology transformation. Known for his ability to engage people at every level, he is adept at honing in on client priorities and finding the right formula to help organisations grow their way.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Hello and welcome to another episode of the Data Revolution podcast.
(00:18):
This time my guest is Mark Nichols who is the consulting partner and chief executive
for the Information Professionals Group.
Hi Mark.
It's really great to have you join me and can you tell me a bit about what you do?
Okay, well our company does a range of things which is all helping digital leaders or I
(00:44):
should say business leaders actually leverage digital technology in the best way that they
can.
And so it covers a range of things like development and strategy, how they make decisions around
technology, how they decide whether or not something is a good investment, with what
business purpose they try to apply technology and then how to deliver a business outcome
(01:07):
with technology which of course includes the technology elements but often includes other
things around the outside of that.
Some people might call them more central which would be business process design, data, organizational
change and then good project delivery practices and then we also cover the risk and cyber
elements of protecting people's presence so that they are using digital technology but
(01:33):
they're using digital technology in a way which doesn't undermine their business because
of poor cyber practices.
So that's kind of what we do and that's what I do.
I talk to a lot of clients, I lead a lot of our engagements, plus I've got a great team
of diverse expertise that we work with.
That sounds like a full dance card for you.
So one of the things I was thinking that we could have a bit of a chat about is, and this
(01:58):
is very hypothetical because it's super early days, but how is AI changing the landscape
for your work and the way you're thinking about stuff?
Yeah, so it's probably fair to say it's still quite early days, very early days.
Obviously there's a lot of interest around AI, but that interest level, we've seen in
(02:23):
various other types of technology over some decades.
Every time something is new and that is hyped and there's a lot of excitement, there's always
a lot of interest.
AI is probably next level because of the potential it has, but having said that, it's still a
bit of tie-kicking, a little bit of interest, a lot more curiosity, but how are people applying
(02:50):
it?
Then beyond what individuals are doing in generative AI, asking questions, then it's not massive
levels of adoption.
There is AI increasingly being integrated into some off-the-shelf products and so that
does make it a little bit easier for deployment in certain organisations, but even then it's
(03:14):
quite limited.
There is some use of AI where there's either data or content that is actually being leveraged
to accelerate some of those questions.
For instance, you can apply generative AI to specific documents and get it to interpret
those documents or maybe write parts of those documents or refine them.
(03:38):
There is tools out there that allow you to do that, but I think there's still quite limited
take up of those.
That's probably a nice little pivot into the organisation of documents, the organisation
of content and data.
In many cases, customers need to be careful about what they're providing to the AI engine,
(04:01):
where that AI engine might actually reside, what sort of content and documents they're
providing.
There's a whole data information, records, content management questions here to be answered
to fuel the AI engines.
There's a whole element of capability in infrastructure, business infrastructure, technology infrastructure
needs to be thought about here.
(04:22):
When I say it's early days, that's the type of stuff I'm talking about.
It's quite early days on thinking about how this can work.
It does strike me that there might be an interesting question for you about what should
organisations be doing to get ready for this world of AI that's coming up for us to think
(04:42):
about their infrastructure and their records and all of that stuff.
What are some of the things people should be thinking about?
One of the first things would be use cases.
What are the types of scenarios, the types of business problems that AI might be able
to solve, and then given that working backwards from those to go, well, what data and information
(05:07):
do we have, which actually might be helpful in allowing us to solve that, do we have that
data and information?
Where is it?
How is it organised?
Who has ownership of it?
What is our ethical boundaries and constraints around what we shouldn't be doing with that
(05:27):
along the way?
What should we be applying this new technology?
So thinking about that life cycle from data and records and information through to getting
some sort of business outcome, what are the steps along the way and what are some of the
building blocks we need and the questions we should be asking ourselves?
That's really where people should be going right now.
(05:49):
So what about some of the...
A lot of my IT colleagues are talking about a lot of AI, especially generative AI stuff
that's kind of shadow IT that's happening off on the side and nobody knows about it.
How are some of the ways that you might be able to detect when that's happening?
Well, my personal view is shadow IT definitely, there can be a challenge for big organisations,
(06:15):
well, not so big either.
We've got a lot of IT which is being deployed.
NAS was an accelerator to that of course because it allowed business users to start using NAS
applications with their corporate credit card for instance and all of a sudden you had
(06:35):
little islands of technology popping up across the organisation.
And when those islands of technology hold corporate data or then it's to start integrating
to other systems or maybe that data has some privacy elements to it, then there is challenges
and shadow IT can be a real problem.
(06:57):
In the generative AI sense though, that tool has a pervasiveness to it which in fact you
do want everybody to be using it in a productive way.
The question is how do they use it?
So if they're actually dropping documents in there which are valuable confidential information
(07:19):
that you're holding or maybe on behalf of your clients, that's not such a great thing.
If it's just asking questions, then that's okay.
If it's an accelerator and individual employee's productivity and their performance, then there's
really not too much wrong with that as long as it's appropriately confidential.
But so I think shadow IT elements of generative AI can apply to that shadow IT concept but
(07:45):
there's a whole range of outcomes that are going to be beneficial for organisations which
shouldn't really be classed as shadow IT.
It's more a new set of tools.
It's a bit like the tool set that your mobile phones has brought us.
It's brought a whole new capability for individuals to be productive and self-sufficient and innovative
(08:06):
in no right.
Same with the internet.
It's very pervasive technology.
And generative AI is different from a lot of other technology because it's very pervasive
and allows individuals to be more fully empowered.
So I mean, everybody's talking about generative AI.
Everywhere I go, they're talking about generative AI.
It's not the only thing in AI.
Like there's machine learning predictive models and stuff that have been around for a long
(08:31):
time and a lot of people are using them really productively.
What are some of the things that you recommend to your clients to look after things like
that and how do you plan for them?
Yeah.
So like firstly, Kate, I probably have to say I'm not really an expert in that.
(08:52):
I will have some team members that are much more knowledgeable in this area than I am.
And so those more sophisticated use of AI, yeah, definitely they fit within the enterprise
IT area as opposed to have me out.
I mean, the usage of them might be out there, but you do want some form of more governed
(09:14):
control.
It doesn't mean centralized, but governed control over the way some of those tools are
used.
And so there can be some organizational decision making around what's used, how they're used,
with what purpose.
And to some degree, you want that with GenoDev AI as well, but it's a much lighter touch
(09:36):
governance for GenoDev AI.
So in terms of categorizing all the different types of AI, yeah, it's probably not something
I can talk too much about.
Oh, no, no, just was thinking about that.
But one thing that you've mentioned a couple of times is like the business decision making
process and the strategy process.
Well, what sort of things do you actually recommend to your customers in that way about
(10:03):
how they might need to evolve their decision making?
Oh, completely.
Yeah.
So governance for some is a bit of a dirty word.
It's like constraints, you're getting roadblocks in the way, just getting work done.
And to some degree, that's true.
But if without governance, it becomes a very messy technology landscape that gets created.
(10:32):
And we know because we've seen customers like that that have had very little governance.
And so decision making gets made in quite a fragmented way across the organization.
And then the technology stack and all their technology related practices, which includes
business process design and data management and so on, they're all fragmented as well.
(10:55):
Now, if you've got an incredibly fragmented environment, it's very hard to do a lot of
things very easily because you'll have the same data residing in multiple places.
Nobody will know what the source of truth is.
The quality of the data isn't well understood.
It's never fixed at source because nobody knows you're responsible for it.
(11:18):
And the processes aren't connected to end to end.
So there's a lot of manual process often.
So there's a whole range of issues that get created in the technology stack and the business
systems if you don't have a coordinated way to make decisions.
And so governance is a way of actually defining what those rules are across the organization.
(11:41):
How do we make decisions?
It doesn't mean that you can't make a choice on your own as an executive of one department.
But there might be certain decisions that you can't make departmental decisions on
or team decisions on.
There might be some you can.
There might be some that you can make some decisions on, but you need to consult with
another group, perhaps an architectural reference group of some kind to do so.
(12:04):
And there might be some standards you've got to follow.
So there's different ways of structuring governance, but it's all with the same objective, which
is actually having some coordinated approach to the way an organization works.
So it's not every man to themselves.
Yeah, I've been in places where it's been like that.
(12:25):
Correct.
And it's very hard to work, isn't it?
Because it's very hard to actually generate some business outcomes.
And often, if we go into a new client and we see a very fragmented technology environment
that isn't very connected and lack of integration, multiple sources of truth, then often the root
(12:47):
cause comes back to some historical governance challenges that they've had or maybe just
lack of governance.
Yeah, a lot of times it's just the organization grows up around it without thinking about
these things.
One thing that does strike me that more organizations are going to need to be doing in the future
is looking at their third party risk as they use more SaaS applications and stuff.
(13:12):
Yeah, definitely.
Yeah, look, for some organizations, particularly organizations with big supply communities,
and of course retailers would be in that, some manufacturers, then they have a lot of
suppliers.
And so your supplier risk and third party risk in that context, depending on where they
(13:37):
are in the value chain or supply chain, then they could have downstream customers as well
that they might interact with digitally and exchange data with.
And so yeah, that third party risk is massive.
It's also the one from a cybersecurity perspective that it's probably been a little bit of a
(13:59):
laggard.
It's probably one of the highest risks.
But not every organization is actually dealing with that.
Some are.
And so there's definitely some size-says who are aware of it and some organizations that
are educating their boards and executive team that they need to address it.
But it's been probably one of the slower adoption of good practice.
(14:24):
And are you starting to see a shift in the board directors taking a different attitude
to risk and data in recent times?
Definitely.
Yeah, definitely.
It varies a lot as would be the nature of us humans.
(14:44):
Some are very advanced on thinking about cyber risk.
Well, let's call it business risk, firstly, because that's what cyber risk is.
And then how that links into data management practices, how that links into supplier practices
and supplier risk, how it links across the organization.
(15:05):
Yeah, there's various levels of appreciation, motivation, interest, but it's all moving
in the right direction.
It has been technology knowledge as well.
If we go back five to 10 years ago, then even technology and digital transformation type
knowledge at the board level was a little bit scant for many organizations.
(15:28):
So they're coming a long way.
And a few years ago, we did track on the Australian Institute of Company Directors.
They have an annual briefing, and they used to put out a booklet.
They now don't put out a booklet, they just do a video presentation.
And you can watch the video, you can watch it live.
(15:48):
But when they put the book out, we actually kept the metrics on how many pages of their
briefing used to cover digital topics.
Over the course of about five or six years, it went from being next to nothing to ramping
up to being, say, 20, 30% of that booklet.
(16:11):
So it dramatically shifted.
And so it was a useful metric to look at to see the extent to which the Peekbody for
directors is actually taking digital topics seriously.
And cyber has followed suit with that.
They've been very strong at promoting it.
Again, it doesn't mean that every director listens and takes aware of it, but there is
(16:31):
every opportunity for directors to be more educated now than they were five years ago.
I think it's really interesting what you've said, because you've kind of touched on all
of the points in sort of the IT value chain.
And one thing we haven't really touched on is the testing of stuff.
(16:56):
And that seems to me to be something that's starting to evolve a bit too.
Yeah.
Yeah, so I will have one of my team in particular, who is very, very passionate about the whole
concept of DevSecOps.
(17:16):
And so when it comes to custom software development in particular, then being able to integrate
security testing protocols and secure by design approach into the software development life
cycle.
But I would say, based on what I've seen and what we've seen, we probably still see a very
(17:38):
slow take up in that.
Oh yeah.
Like we're talking about it at work now.
We're talking about privacy by design, security by design.
But I've been trying to have those conversations for a decade.
Only now are people starting to say, maybe we should do that.
(18:00):
Yeah.
I would argue that even automated testing, automated regression testing, yeah, has had
a very slow take up over the last decade or two.
So there's been tool sets in there which can allow automatic regression testing.
But look, even with our clients and particular clients that we're running major transformation
programs for, they've got a massive investment they're doing in the transformation agenda
(18:27):
they're pursuing in the technology to support that.
And then automated testing tool sets do take another investment.
And they do have a payback period.
But it's an investment in the payback period on top of an existing investment in payback
period and it can be very challenging for them to justify.
So that's where I've seen the difficulty for clients.
(18:51):
Now I think DevSecOps brings a different proposition to it, particularly if you're doing custom
software development.
And so you're really standing up an ongoing capability which is going to be developing
for some time.
I think there is a much stronger argument to deploying that.
But as you say, we're still saying very limited take up.
(19:14):
I think even in developers, I mean, if we talk about digital transformation for a little
bit, Kate, I mean, one of the big challenges in digital transformation which can be effectively
dealt with is the organizational change aspect.
And we're not talking here about, obviously, communication and making people feel good
about that change is an important thing.
(19:37):
But just as important is, well, what's materially going to change in my day to day job?
And how do people need to be getting ready for that?
Obviously, training is a part of it.
But just accepting the fact that needs to change, why it needs to change.
And just changing the process.
Like many NERP implementation is founded on like a process redesign.
(19:58):
Yeah, correct.
And all the acceptance of business users that this is a good process and you'll need some
combination of you'll need to follow it, complies using the stick.
And this is a better way of us working because you'll get these benefits and the carrot.
(20:20):
But it is a big challenge.
Now, if you look at the FSECOps, well, senior developers, development leads, technical leads,
they can get a bit fixed in their ways.
And so if they've grown up under a more traditional waterfall development or even DevOps environment,
then how ready are they for their FSECOps?
(20:42):
I think that's not very much.
I've met two people.
There's a change process here, right?
Yeah.
But somebody needs to take them through.
It does sound like there's a lot of this.
One of the interesting things in this conversation is there's been so many moving parts we've
kind of touched on that people need to take account of.
(21:06):
Is there one thing that you want to tell people to sum up?
Well, I think that's true of this industry.
It is always evolving.
Yeah, there is always new techniques coming along.
There's always new tool sets.
There's always new business problems to be solved and business outcomes to be generated.
(21:29):
So it's an industry, and even an industry, but that section or that capability within
your organization, it's a capability that needs to be evolving.
It's never going to be standing still.
And so even that concept of doing a project.
(21:52):
And so there is a view when you're making a major project implementation, people get
to the end of a major transformation and they think, oh, it's all done.
Well, our view is when you get to the end of a transformation, that's the start of the
journey with this new capability that you've stood up.
And so you need to be thinking about what the life cycle of that project looks like
(22:14):
to get ready for that new capability and how leverage from that capability.
And it's really like a fractal based view of what that larger industry view of the capability
needs to be there, needs to be getting built and evolve continuously because your needs
will change.
But the one thing that will always be the same is you want to be running a successful
(22:37):
business and you want to be keeping your customers happy.
They're getting more digitally savvy.
They get more expectations.
And you want to be attracting staff, they've got emerging views about what they need to
be happy in their jobs.
Your IT staff want to be working with your modern techniques and systems as well.
(22:57):
And so your whole context, your environment is shifting and so your capability set needs
to be shifting.
And so I think that's a great summary.
Never stand still.
You can't stand still.
And look, this is a danger for some government departments but also some companies have actually
(23:18):
just completely eroding capability where they're short term cost saving, which understandable,
we all have priorities in terms of costs.
But when we're eroding capability and then we want to then deal with the challenges we've
got from a technology point of view, that capability doesn't get switched back on at
(23:41):
the moment.
No, no, no.
It's a very long ramp up.
Rebuild.
Yeah.
And all that capability is unique to that organization.
Particularly how does this business processes work?
Why are we doing this this way?
What is the data that we've got?
Where does that reside?
And why is it stored this way?
All that type of knowledge is all resonant within organizations.
(24:03):
And they know how to make the improvements.
And if you start slicing away into that capability, it can be very difficult to then rebuild.
Yeah.
And that is a very good spot to end.
Thank you so much, Mark.
All right.
Thanks, Kate.
And that is it for another episode of the Data Revolution podcast.
(24:24):
I'm Kate Carothers.
Thank you so much for listening.
Please don't forget to give the show a nice review and a like on your podcast app of choice.
See you next time.
Hello and welcome to another episode of the Data Revolution podcast.
(00:18):
This time my guest is Mark Nichols who is the consulting partner and chief executive
for the Information Professionals Group.
Hi Mark.
It's really great to have you join me and can you tell me a bit about what you do?
Okay, well our company does a range of things which is all helping digital leaders or I
(00:44):
should say business leaders actually leverage digital technology in the best way that they
can.
And so it covers a range of things like development and strategy, how they make decisions around
technology, how they decide whether or not something is a good investment, with what
business purpose they try to apply technology and then how to deliver a business outcome
(01:07):
with technology which of course includes the technology elements but often includes other
things around the outside of that.
Some people might call them more central which would be business process design, data, organizational
change and then good project delivery practices and then we also cover the risk and cyber
elements of protecting people's presence so that they are using digital technology but
(01:33):
they're using digital technology in a way which doesn't undermine their business because
of poor cyber practices.
So that's kind of what we do and that's what I do.
I talk to a lot of clients, I lead a lot of our engagements, plus I've got a great team
of diverse expertise that we work with.
That sounds like a full dance card for you.
So one of the things I was thinking that we could have a bit of a chat about is, and this
(01:58):
is very hypothetical because it's super early days, but how is AI changing the landscape
for your work and the way you're thinking about stuff?
Yeah, so it's probably fair to say it's still quite early days, very early days.
Obviously there's a lot of interest around AI, but that interest level, we've seen in
(02:23):
various other types of technology over some decades.
Every time something is new and that is hyped and there's a lot of excitement, there's always
a lot of interest.
AI is probably next level because of the potential it has, but having said that, it's still a
bit of tie-kicking, a little bit of interest, a lot more curiosity, but how are people applying
(02:50):
it?
Then beyond what individuals are doing in generative AI, asking questions, then it's not massive
levels of adoption.
There is AI increasingly being integrated into some off-the-shelf products and so that
does make it a little bit easier for deployment in certain organisations, but even then it's
(03:14):
quite limited.
There is some use of AI where there's either data or content that is actually being leveraged
to accelerate some of those questions.
For instance, you can apply generative AI to specific documents and get it to interpret
those documents or maybe write parts of those documents or refine them.
(03:38):
There is tools out there that allow you to do that, but I think there's still quite limited
take up of those.
That's probably a nice little pivot into the organisation of documents, the organisation
of content and data.
In many cases, customers need to be careful about what they're providing to the AI engine,
(04:01):
where that AI engine might actually reside, what sort of content and documents they're
providing.
There's a whole data information, records, content management questions here to be answered
to fuel the AI engines.
There's a whole element of capability in infrastructure, business infrastructure, technology infrastructure
needs to be thought about here.
(04:22):
When I say it's early days, that's the type of stuff I'm talking about.
It's quite early days on thinking about how this can work.
It does strike me that there might be an interesting question for you about what should
organisations be doing to get ready for this world of AI that's coming up for us to think
(04:42):
about their infrastructure and their records and all of that stuff.
What are some of the things people should be thinking about?
One of the first things would be use cases.
What are the types of scenarios, the types of business problems that AI might be able
to solve, and then given that working backwards from those to go, well, what data and information
(05:07):
do we have, which actually might be helpful in allowing us to solve that, do we have that
data and information?
Where is it?
How is it organised?
Who has ownership of it?
What is our ethical boundaries and constraints around what we shouldn't be doing with that
(05:27):
along the way?
What should we be applying this new technology?
So thinking about that life cycle from data and records and information through to getting
some sort of business outcome, what are the steps along the way and what are some of the
building blocks we need and the questions we should be asking ourselves?
That's really where people should be going right now.
(05:49):
So what about some of the...
A lot of my IT colleagues are talking about a lot of AI, especially generative AI stuff
that's kind of shadow IT that's happening off on the side and nobody knows about it.
How are some of the ways that you might be able to detect when that's happening?
Well, my personal view is shadow IT definitely, there can be a challenge for big organisations,
(06:15):
well, not so big either.
We've got a lot of IT which is being deployed.
NAS was an accelerator to that of course because it allowed business users to start using NAS
applications with their corporate credit card for instance and all of a sudden you had
(06:35):
little islands of technology popping up across the organisation.
And when those islands of technology hold corporate data or then it's to start integrating
to other systems or maybe that data has some privacy elements to it, then there is challenges
and shadow IT can be a real problem.
(06:57):
In the generative AI sense though, that tool has a pervasiveness to it which in fact you
do want everybody to be using it in a productive way.
The question is how do they use it?
So if they're actually dropping documents in there which are valuable confidential information
(07:19):
that you're holding or maybe on behalf of your clients, that's not such a great thing.
If it's just asking questions, then that's okay.
If it's an accelerator and individual employee's productivity and their performance, then there's
really not too much wrong with that as long as it's appropriately confidential.
But so I think shadow IT elements of generative AI can apply to that shadow IT concept but
(07:45):
there's a whole range of outcomes that are going to be beneficial for organisations which
shouldn't really be classed as shadow IT.
It's more a new set of tools.
It's a bit like the tool set that your mobile phones has brought us.
It's brought a whole new capability for individuals to be productive and self-sufficient and innovative
(08:06):
in no right.
Same with the internet.
It's very pervasive technology.
And generative AI is different from a lot of other technology because it's very pervasive
and allows individuals to be more fully empowered.
So I mean, everybody's talking about generative AI.
Everywhere I go, they're talking about generative AI.
It's not the only thing in AI.
Like there's machine learning predictive models and stuff that have been around for a long
(08:31):
time and a lot of people are using them really productively.
What are some of the things that you recommend to your clients to look after things like
that and how do you plan for them?
Yeah.
So like firstly, Kate, I probably have to say I'm not really an expert in that.
(08:52):
I will have some team members that are much more knowledgeable in this area than I am.
And so those more sophisticated use of AI, yeah, definitely they fit within the enterprise
IT area as opposed to have me out.
I mean, the usage of them might be out there, but you do want some form of more governed
(09:14):
control.
It doesn't mean centralized, but governed control over the way some of those tools are
used.
And so there can be some organizational decision making around what's used, how they're used,
with what purpose.
And to some degree, you want that with GenoDev AI as well, but it's a much lighter touch
(09:36):
governance for GenoDev AI.
So in terms of categorizing all the different types of AI, yeah, it's probably not something
I can talk too much about.
Oh, no, no, just was thinking about that.
But one thing that you've mentioned a couple of times is like the business decision making
process and the strategy process.
Well, what sort of things do you actually recommend to your customers in that way about
(10:03):
how they might need to evolve their decision making?
Oh, completely.
Yeah.
So governance for some is a bit of a dirty word.
It's like constraints, you're getting roadblocks in the way, just getting work done.
And to some degree, that's true.
But if without governance, it becomes a very messy technology landscape that gets created.
(10:32):
And we know because we've seen customers like that that have had very little governance.
And so decision making gets made in quite a fragmented way across the organization.
And then the technology stack and all their technology related practices, which includes
business process design and data management and so on, they're all fragmented as well.
(10:55):
Now, if you've got an incredibly fragmented environment, it's very hard to do a lot of
things very easily because you'll have the same data residing in multiple places.
Nobody will know what the source of truth is.
The quality of the data isn't well understood.
It's never fixed at source because nobody knows you're responsible for it.
(11:18):
And the processes aren't connected to end to end.
So there's a lot of manual process often.
So there's a whole range of issues that get created in the technology stack and the business
systems if you don't have a coordinated way to make decisions.
And so governance is a way of actually defining what those rules are across the organization.
(11:41):
How do we make decisions?
It doesn't mean that you can't make a choice on your own as an executive of one department.
But there might be certain decisions that you can't make departmental decisions on
or team decisions on.
There might be some you can.
There might be some that you can make some decisions on, but you need to consult with
another group, perhaps an architectural reference group of some kind to do so.
(12:04):
And there might be some standards you've got to follow.
So there's different ways of structuring governance, but it's all with the same objective, which
is actually having some coordinated approach to the way an organization works.
So it's not every man to themselves.
Yeah, I've been in places where it's been like that.
(12:25):
Correct.
And it's very hard to work, isn't it?
Because it's very hard to actually generate some business outcomes.
And often, if we go into a new client and we see a very fragmented technology environment
that isn't very connected and lack of integration, multiple sources of truth, then often the root
(12:47):
cause comes back to some historical governance challenges that they've had or maybe just
lack of governance.
Yeah, a lot of times it's just the organization grows up around it without thinking about
these things.
One thing that does strike me that more organizations are going to need to be doing in the future
is looking at their third party risk as they use more SaaS applications and stuff.
(13:12):
Yeah, definitely.
Yeah, look, for some organizations, particularly organizations with big supply communities,
and of course retailers would be in that, some manufacturers, then they have a lot of
suppliers.
And so your supplier risk and third party risk in that context, depending on where they
(13:37):
are in the value chain or supply chain, then they could have downstream customers as well
that they might interact with digitally and exchange data with.
And so yeah, that third party risk is massive.
It's also the one from a cybersecurity perspective that it's probably been a little bit of a
(13:59):
laggard.
It's probably one of the highest risks.
But not every organization is actually dealing with that.
Some are.
And so there's definitely some size-says who are aware of it and some organizations that
are educating their boards and executive team that they need to address it.
But it's been probably one of the slower adoption of good practice.
(14:24):
And are you starting to see a shift in the board directors taking a different attitude
to risk and data in recent times?
Definitely.
Yeah, definitely.
It varies a lot as would be the nature of us humans.
(14:44):
Some are very advanced on thinking about cyber risk.
Well, let's call it business risk, firstly, because that's what cyber risk is.
And then how that links into data management practices, how that links into supplier practices
and supplier risk, how it links across the organization.
(15:05):
Yeah, there's various levels of appreciation, motivation, interest, but it's all moving
in the right direction.
It has been technology knowledge as well.
If we go back five to 10 years ago, then even technology and digital transformation type
knowledge at the board level was a little bit scant for many organizations.
(15:28):
So they're coming a long way.
And a few years ago, we did track on the Australian Institute of Company Directors.
They have an annual briefing, and they used to put out a booklet.
They now don't put out a booklet, they just do a video presentation.
And you can watch the video, you can watch it live.
(15:48):
But when they put the book out, we actually kept the metrics on how many pages of their
briefing used to cover digital topics.
Over the course of about five or six years, it went from being next to nothing to ramping
up to being, say, 20, 30% of that booklet.
(16:11):
So it dramatically shifted.
And so it was a useful metric to look at to see the extent to which the Peekbody for
directors is actually taking digital topics seriously.
And cyber has followed suit with that.
They've been very strong at promoting it.
Again, it doesn't mean that every director listens and takes aware of it, but there is
(16:31):
every opportunity for directors to be more educated now than they were five years ago.
I think it's really interesting what you've said, because you've kind of touched on all
of the points in sort of the IT value chain.
And one thing we haven't really touched on is the testing of stuff.
(16:56):
And that seems to me to be something that's starting to evolve a bit too.
Yeah.
Yeah, so I will have one of my team in particular, who is very, very passionate about the whole
concept of DevSecOps.
(17:16):
And so when it comes to custom software development in particular, then being able to integrate
security testing protocols and secure by design approach into the software development life
cycle.
But I would say, based on what I've seen and what we've seen, we probably still see a very
(17:38):
slow take up in that.
Oh yeah.
Like we're talking about it at work now.
We're talking about privacy by design, security by design.
But I've been trying to have those conversations for a decade.
Only now are people starting to say, maybe we should do that.
(18:00):
Yeah.
I would argue that even automated testing, automated regression testing, yeah, has had
a very slow take up over the last decade or two.
So there's been tool sets in there which can allow automatic regression testing.
But look, even with our clients and particular clients that we're running major transformation
programs for, they've got a massive investment they're doing in the transformation agenda
(18:27):
they're pursuing in the technology to support that.
And then automated testing tool sets do take another investment.
And they do have a payback period.
But it's an investment in the payback period on top of an existing investment in payback
period and it can be very challenging for them to justify.
So that's where I've seen the difficulty for clients.
(18:51):
Now I think DevSecOps brings a different proposition to it, particularly if you're doing custom
software development.
And so you're really standing up an ongoing capability which is going to be developing
for some time.
I think there is a much stronger argument to deploying that.
But as you say, we're still saying very limited take up.
(19:14):
I think even in developers, I mean, if we talk about digital transformation for a little
bit, Kate, I mean, one of the big challenges in digital transformation which can be effectively
dealt with is the organizational change aspect.
And we're not talking here about, obviously, communication and making people feel good
about that change is an important thing.
(19:37):
But just as important is, well, what's materially going to change in my day to day job?
And how do people need to be getting ready for that?
Obviously, training is a part of it.
But just accepting the fact that needs to change, why it needs to change.
And just changing the process.
Like many NERP implementation is founded on like a process redesign.
(19:58):
Yeah, correct.
And all the acceptance of business users that this is a good process and you'll need some
combination of you'll need to follow it, complies using the stick.
And this is a better way of us working because you'll get these benefits and the carrot.
(20:20):
But it is a big challenge.
Now, if you look at the FSECOps, well, senior developers, development leads, technical leads,
they can get a bit fixed in their ways.
And so if they've grown up under a more traditional waterfall development or even DevOps environment,
then how ready are they for their FSECOps?
(20:42):
I think that's not very much.
I've met two people.
There's a change process here, right?
Yeah.
But somebody needs to take them through.
It does sound like there's a lot of this.
One of the interesting things in this conversation is there's been so many moving parts we've
kind of touched on that people need to take account of.
(21:06):
Is there one thing that you want to tell people to sum up?
Well, I think that's true of this industry.
It is always evolving.
Yeah, there is always new techniques coming along.
There's always new tool sets.
There's always new business problems to be solved and business outcomes to be generated.
(21:29):
So it's an industry, and even an industry, but that section or that capability within
your organization, it's a capability that needs to be evolving.
It's never going to be standing still.
And so even that concept of doing a project.
(21:52):
And so there is a view when you're making a major project implementation, people get
to the end of a major transformation and they think, oh, it's all done.
Well, our view is when you get to the end of a transformation, that's the start of the
journey with this new capability that you've stood up.
And so you need to be thinking about what the life cycle of that project looks like
(22:14):
to get ready for that new capability and how leverage from that capability.
And it's really like a fractal based view of what that larger industry view of the capability
needs to be there, needs to be getting built and evolve continuously because your needs
will change.
But the one thing that will always be the same is you want to be running a successful
(22:37):
business and you want to be keeping your customers happy.
They're getting more digitally savvy.
They get more expectations.
And you want to be attracting staff, they've got emerging views about what they need to
be happy in their jobs.
Your IT staff want to be working with your modern techniques and systems as well.
(22:57):
And so your whole context, your environment is shifting and so your capability set needs
to be shifting.
And so I think that's a great summary.
Never stand still.
You can't stand still.
And look, this is a danger for some government departments but also some companies have actually
(23:18):
just completely eroding capability where they're short term cost saving, which understandable,
we all have priorities in terms of costs.
But when we're eroding capability and then we want to then deal with the challenges we've
got from a technology point of view, that capability doesn't get switched back on at
(23:41):
the moment.
No, no, no.
It's a very long ramp up.
Rebuild.
Yeah.
And all that capability is unique to that organization.
Particularly how does this business processes work?
Why are we doing this this way?
What is the data that we've got?
Where does that reside?
And why is it stored this way?
All that type of knowledge is all resonant within organizations.
(24:03):
And they know how to make the improvements.
And if you start slicing away into that capability, it can be very difficult to then rebuild.
Yeah.
And that is a very good spot to end.
Thank you so much, Mark.
All right.
Thanks, Kate.
And that is it for another episode of the Data Revolution podcast.
(24:24):
I'm Kate Carothers.
Thank you so much for listening.
Please don't forget to give the show a nice review and a like on your podcast app of choice.
See you next time.
Popular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
24/7 News: The Latest
The latest news in 4 minutes updated every hour, every day.