Federal CIOs draw many parallels with private sector companies. Both are striving to keep customer and corporate data secure while improving top- and bottom-line performance. And for both, adoption of public cloud services is a top priority tempered by concerns about risk and cost.
At the TBM Council’s recent Public Sector Summit in Washington DC, IT business leaders came together to share how technology business management (TBM) helps CIOs and other stakeholders govern their cloud consumption and take a strategic approach to cloud.
Kirk Trasborg, executive director of finance and shared services for the University of Pennsylvania is in charge of the business functions of a central IT service. That includes finance, purchasing, contracting, vendor management, and also the TBM program. IT in this environment is a vendor, a true shared services organization for 40 schools and centers.
Trasberg’s move to cloud is about relevance, agility, and cost. Cloud isn’t optional—his team has to be engaged to be competitive so he’s taken a three-pronged approach to adoption: cloud-first for new investments, lift and shift for "easy" migrations (which he readily admits hasn’t worked at times), and cloud-native for redesign and for which his application development team has won an award for a mission-critical application that takes advantage of peak storage and processing needs.
Tony Agent, director of technology and business management at Marriott, said cloud helps his organization scale more rapidly, allowing his team to provide more reliable service. “Now with a public cloud, we can do things. We can get good response time wherever we are in the world. In that case, we don't really worry about cost. It's more about the customer experience, and it's about the value we get.”
Chris Blelloch, VP & chief of staff over content and strategy at Dun and Bradstreet, cited M&A (mergers and acquisitions) as a major driver to the cloud, especially if an acquired company was founded within the last eight or so years.
“When you talk about power and space and datacenters, it’s a foreign concept, right? They have a credit card, they enter some numbers, they write code, and they've got a product. And so the worst possible thing in the world to do would be to tell them to get off of public cloud, move into our data centers, move into our server farms, etc.” He says the time it takes to order the gear and get it installed can quickly destroy any value from an acquisition.
Myths about cloud adoption
The panel agreed both government agencies and private sector teams are under pressure to move to the cloud. But there are some common misconceptions about why public cloud is important.
- Myth 1: Public cloud equals DR. Disaster recovery isn’t automatic just because you are using AWS or Azure. Blelloch said, “This is definitely not the case. You still have to have a good plan and you have to execute that regardless of whether it's public or private cloud.”
- Myth 2: Public cloud pricing offers transparency, making costs easier to track and understand. Again, Blelloch weighed in. “When I left AOL in January, we had (let's call it) roughly a third of our compute in public cloud and our invoice from one public cloud provider was 350 million lines long. So just the ephemeral nature of spinning a server up, spinning a server down, and spinning one back up later? That's three line items. You really have to have some structure around how you're going to track that.”
- Myth 3: Public cloud is a technology decision. According to the panelists, it’s really a cultural decision. What gets overlooked is that people who managed infrastructure forever are not necessarily going to jump onboard. They may be threatened by the perceived impact public cloud will have on their roles and responsibilities. The way IT leaders frame their messages around public cloud deployment are key to success.
- Myth 4: Public cloud requires radically less people. Trasborg reported, “We did a lift and shift and thought we'd take all of our development test servers and put them in the cloud. We put our couple hundred of test and dev servers out in the cloud, but we didn't get the level of service or support we thought we would because our contract really wasn't designed with that level of specificity.”
One of the biggest challenges Trasborg’s team encountered was in the development testing environment. “DevOps teams want to be able to tune these things to servers, throttle them, test them, and see performance results, information, and all the stuff that they used to have ready access to in the past but didn't have access to once it was out in the cloud.”
Trasborg ended up pulling it all back in-house. They're looking at a different approach now to put those environments back out in the cloud but he’s feeling a little more cautious. “I think there's a change in skillset,” he said. “What we realized is we need to set and manage the relationships, the expectations, throughout the engagement. We need to help service owners develop that skillset as well. Because you really are partnering with your cloud suppliers. For years, nobody's wanted to partner with you but now it's a marriage. You guys are linked. Your core systems, your mission-critical things are with them and your data is with them. Monitoring their security protocols as well is very critical.”
To mandate TBM or not?
A compliance mandate for TBM can be a powerful motivator. Said Blelloch, “If we had had a compliance requirement at AOL to roll out TBM? We would've been jumping and down for joy. Versus trying to create a ground effort upwards and having to convince everybody to do it? I would have loved to have somebody say ‘You've got to do this.’”
Agent started out from a compliance perspective at Marriott. “We don't have a government entity, obviously. But our hotel owners can at any point call and say, ‘What does this bill mean?’ We have the ability to do that. We've had it for years. But this made it easier.”
The ability to answer questions with TBM helps Agent’s team proactively pursue solutions today. “It's gone from, 'Oh, cool I can see the P&L' to now, 'I see how this thing over here affects this thing over there that seemed unrelated. But if you change this, it fixes this problem.'”
Agent’s team has added new things like incident data and initiatives from their project and portfolio management system. Today, they have transparency into what they’re spending on cloud and they have a better sense of the impact. They aren't waiting three months to get a new server built, and as a result, they have higher customer satisfaction and are able to get to market quicker.
There’s no mandate to use TBM at the University of Pennsylvania. Instead, Trasborg said, “It truly is a choice that we made. And we do it to really understand the business.”
Building confidence is a key motivator. “The trust piece was huge for us. The first driver for us wasn't cost optimization, it really was about establishing trust with our stakeholders. We're a shared services environment and we are almost 100% charged out. And [in the past], our internal stakeholders, our 40 schools and centers, would regularly pepper us with questions about what we were spending their money on.”
“With TBM, we started understanding what our costs were, and we defined a service layer that actually communicated some understandable value to our clients and our internal stakeholders. And then we started meeting with each of those stakeholder groups (and this is the business relationship manager piece of TBM), walking through their bill of IT, having the conversation about where the money goes and involving them in things like costing. We had all the information about what each service cost and the rate-setting piece as well. And we built a lot of trust over the past few years with that.”
He added, “Now the conversations are at the multimillions mark, as we're getting to a more strategic level. We're well beyond a couple dollars on a bill for an individual department.”
One of the biggest challenges is getting your client base to move beyond questioning small dollar charges. “We weren't really positioning the central IT unit in a place to be strategic and help the overall university move its mission forward. What we were doing was moving dollars and cents around and we weren't giving very good answers to questions like ‘Why did you charge me this?’ Often it was, I don't know. Here's some money back. And, really, all we were doing was moving money between departments. We spent a ton of time doing that.”
Once IT directors and CFOs in the local units got comfortable, the conversations focused on things like cloud and information security. "What are core services for the university that we need to make sure we provide? Is there an investment fund or should we be doing more in the innovation space? We're having those bigger multimillion-dollar instead of single-dollar conversations about what's really going to differentiate the university and allow Penn to stay in its premier space.”
Added Agent, “I think the conversation shift is really about how you measure the trust. When our finance team stopped saying, ‘I don't think this is right. Can you look at it?’, they started asking, ‘Can you add this? Can you do this calculation for me?’ That's when I knew they understood what's going on.”
TBM-driven decision-making for cloud
TBM provides a before and after view of cloud that benefits both the public and private sector. For Blelloch, this was particularly helpful to determine where cloud makes the most sense. “TBM really opened the door relative to how many people you have dedicated to a specific product. In many cases, that's super eye-opening for folks because product owners don't realize that they only have two people managing a specific product or that it's not a one-to-one mapping and their one developer also may be doing other products. You can look at the costs and you can very quickly identify which of those applications should be targeted for cloud.”
Does the business, public or private, generally save money migrating to the cloud? Trasborg says no, not always. “You have to weigh a variety of factors, as far as ability, speed, innovation, things like that. What are you missing? If you try to do it in-house, can you stay on top of the technology and the information security? And I think it's very unique to each person.”
According to Trasborg, “One thing that's great about TBM is it's standard across all kind of things. So if you have your mapping set up properly, you can tell the difference how much these applications cost when they were on-prem versus how much they cost when you were off-prem.”
“And then when you add other data into that? You can say, okay, yeah, we saved a million dollars but our customer service went way down because we have more tickets for XYZ. Maybe the response time isn’t what it used to be. Maybe the application slowed down. So, it lets you make those informed decisions that are based on data that says, ‘Oh, yeah, cloud was the right decision here. Maybe it wasn't the right decision there.’ It takes all the emotion out of it. You can say go cloud there, but it's the wrong decision here, so let's not do that.”
TBM also helps IT leaders manage the incredible amount of detail contained within the cloud bill. Cloud providers provide the level of granularity needed to do good cost analysis but managing the data can be overwhelming. AWS, Azure, and others provide down to the minute data, but the tools and the maturity to analyze that data is not there.
“350 million lines. We had one person whose sole purpose was to basically vet and check that. When you get into reserve instances for AWS and other variations of that for Google, the accounting and how that all translates into the bill is a whole other ecosystem,” said Blelloch.
Not everything should move to the cloud
Plenty of private companies are making judicial decisions about what to move and what to keep on-premises. This is certainly true in the hospitality business. Said Agent, “All of your credit card data is not in the public cloud. We have it. Because if you're a [criminal] that's looking for credit card information, you're going to go after hospitality. Every hotel has a front desk, a coffee shop, a gift shop and all those are points of entry so we're never going to put that in [the cloud] even if it's cost-efficient. Even if we get all the assurances that it's secure. That's not something we'll look at.” Trasborg agreed. “We look at it service-by-service and we look at the data. How risky is it? We're getting more comfortable with the cloud and we have some business associate agreements [AWS, Azure, and others], so additional language contractually and protections. But there is still some stuff we hold back that we consider too critical. There are also some things like government contracts that we're not necessarily going to move or [instances] where there has to be US-based data center storage. So we really are looking at the criticality or the sensitivity of the data.”
“Anything that's a front-end web application, there's probably almost zero arguments that that should move,” said Blelloch. “There probably are a few arguments but I just don't know if I would believe them. There's tons of value in focusing on those things that are fairly lightweight, they're fairly easy. But if you have something in your mothership, like in your own data center, and you move something up here in public cloud that needs to talk to it frequently? That's usually not a great result, just from the pure cost of having those things go back and forth.”
Lessons learned in the private sector
Panelists at the summit offered valuable reflections on their cloud cost management experiences.
- Find a balance. “If you're going to adopt public cloud, you're giving away the keys to the kingdom, relative to how you used to have to go through the gate,” said Blelloch. “Whether you're turning it over to the application team or the dev team, they have a little bit more freedom to spin things up, spinning up cost. You've got to find the balance of allowing that freedom and getting people used to it but at the same time, you've got to have some governance around security and some of the other components that have to layer across. That's a challenge.”
- Proactively build the case for cloud (or folks will go around you). “[Your customers] will go to the AWS or Azure pricing calculators, and they're going to come up with a number. They're going to come to you and say, ‘You're charging me $100,000. I can do it for $70,000.’ And 99% of the time they're wrong, because they're not taking into account your network operation center, your monitoring, your people. So you have to get in front of that. Otherwise, they're going to come at you from the bottom end and you're in a defensive position,” said Blelloch.
- Strong executive sponsorship is key. “[This represents a] huge cultural change in our very distributed environment,” says Trasborg. “We’re a university that's been around for hundreds of years, one that is top of its class in many areas. It's going to proceed cautiously. A lot of really smart folks are going to want to know a lot about what you have in mind for TBM and the cloud space. We spent a lot of time building awareness and then providing the knowledge, walking through all the stages of change management.”
- Be thoughtful. Agent cautions that IT leaders need to consider all the use cases around cloud and how you’ll implement them. “What do you do around security? What do you do around who is allowed to use it and not? If you don't do that, then you get the person who forgets his password every day and he keeps spinning up a new server every day because he doesn't know what the old one was. And then the list of servers comes in and out of 37 pages that come in, 36 are tied to one person. Get all those use cases together. Figure out what you're going to do with it before you go live because you don't want to get on the other side of that and say, ‘I just spent a million dollars this month on Jeff.’”
Agent added, “We love Jeff.”