Align Interview: Former Met Police CIO Richard Thwaite on why digital transformation starts with peopleFred O'Connor | October 30, 2019
The Align interviews offer the perspectives of CIOs and CISOs on technology, leadership, security and digital transformation.
For any digital transformation project to succeed CIOs need to keep in mind the people who will be impacted. That’s the advice from Richard Thwaite, who’s served as CIO of the Metropolitan Police Service, UBS Global Asset Management Division and Ford Motor Company in Europe.
“You’ve got to make sure that the people are coming along with you. [CXOs] get too hung up and focused on the potential benefit or value that can be brought through new technology,” said Thwaite, who’s now a managing partner at the Chaucer Group, a London-based consulting firm.
A firm’s employees need to know how they’ll benefit from the technology. This means helping them understand how data analytics software can be leveraged to find new revenue sources or why biometrics and digital IDs can be used for authentication instead of passwords.
“What behaviors do you want people to exhibit when they are using this new technology? It’s about ensuring that you make it easier for people to access the information they need but in a very secure way,” he said.
This interview has been edited and condensed for clarity.
By definition, digital transformation brings change. But some people are resistant to change. How do you sell change in an organization?
The biggest challenge that organizations face regarding digital transformation is they don’t recognize the people aspect. They get too hung up and focused on the potential benefit or value that can be brought through new technology. They forget that a key component of realizing that benefit is through the people that use that technology, as it’s often people who will enable the benefit from the technology through being able to do their job better. You’ve got to make sure that the people are coming along with you.
You need to help the entire organization see the benefits of the change. Leadership wouldn’t have sanctioned it in the first place if they didn’t sign off on the business case behind it. For the employees, that’s not always as obvious. I think that the key thing is about helping people understand how its going to help them do things better and improve things. People should understand what’s going to be different for them, and why that’s an advantage to both them and the company.
Why do organizations forget about the people and only focus on the technology?
Everybody gets too excited by the technology and what you think you’re going to get from it and the things it’s going to bring to your business rather than thinking about the people because that’s a bit more touchy-feely. It’s a softer side of business. As we know, that is the part of business that doesn’t get as much attention. For me, it’s about what’s easy and, in many ways, it’s easy for people to get excited about new technology. It’s let’s use AI to do this, machine learning to do that or data analytics to solve some complex business problem.
What we need to be thinking about is how can we encourage people to think about what opportunities might be there for them to be able to do things smarter, better and more efficiently through the use of AI or machine learning or how could we encourage them to use data analytics to increase revenues, drive down costs rather than just create some whizzy new report using data analytics and hoping that the results would just automatically happen without thinking through what behaviors do you want people to exhibit when they are using this new technology? How do we think it’s going to impact on the people in the organization? Ultimately, that’s how the results transpire – through the people.
Are there any differences between being an IT executive in the private sector versus the public sector?
There are not large, fundamental differences because all IT executives and CIOs are trying to achieve the same goals, like improving results or increasing customer satisfaction. The difference is more around decision making. One of the things I experienced is that the decision making in the public sector can often be a lot slower than in the private sector. You’re dealing with a lot more inertia. You’re also dealing with quite often more layers of decision making.
In the private sector, you can have more delegated authority and you can make decisions faster, whereas in the public sector, you tend to have very little delegated authority and you have a number of very, very diverse stakeholders. You can have stakeholders who are civil servants or the public sector workers, but you also get the politicians. Whether that’s local politicians or national politicians, they can influence a decision. You tend to have double the number of decision-making forums in the public sector than you do in the private sector. That’s clearly a challenge.
Procurement processes can tend to be a lot more cumbersome in the public sector than in the private sector. You’re dealing with more rules and regulations around procurement to ensure that there is a fair and level playing field. It’s typically quite a different process in terms of getting procurement over the line and the speed at which you can procure in the public sector versus the private sector.
Having said all that and making it sound like it’s a lot more negative on the public sector than the private sector, surprisingly you can often take more risks in the public sector. Amazingly, the public sector sometimes is more open to doing things differently and challenging the norm. The public sector may be willing to make an investment that the private sector just wouldn’t be prepared to take the risk on. In the private sector they might say that looks risky and wait until someone else invests. In the public sector, if you get a politician who has a vision, they can be willing to invest in it.
There can be more innovation in some areas of the public sector than in the private sector. That’s definitely an area where it can be an opportunity. Very often the public sector is really about making a difference in people’s lives, whether it’s in health care, law enforcement or education. The final thing is quite a lot of what’s done in the public sector is on a larger scale than in the private sector.
Now if you’re talking a big global organization, then there’s probably similarities. But for a lot of companies, the public sector is actually a lot bigger than in the private sector in terms of the potential scale. For example in social care, you’re dealing with millions of people and organizations.
Some CIOs also handle information security. What should they know about protecting a company from threat actors?
Clearly information security is absolutely critical and essential because the data and technology are the lifeblood of a company. You’ve got to make sure that data and the technology environment is secure. You must be constantly alert to what’s happening, to what the threats are and ensure that information security is seen as everyone’s job, not just the IT organization.
From the secretary who clicks on a phishing email to the sales executive who plugs a USB stick into the computer, cyber threats exist all around the company. Everybody in the company has to be alert to it because as we know, you’re only as secure as your weakest link.
It’s about ensuring that you make it easier for people to access the information they need but in a very secure way. You’re really protecting that information and that data, but at the same time, you’re making it easy for people. If you make it complicated and difficult for people, then people will find shortcuts or ways around it. If you make people have a 300-character password, then they will have to write it down somewhere and they’ll have to stick it on their screens or laptops because they cannot remember them.
You may have made the organization secure in theory, but actually you’ve made it less secure. It’s thinking about how people handle these kinds of situations. If you provide a simple yet secure way for people to access their applications and their data, they’re more likely to use it. That’s where things like visual identification comes in and the ability to use fingerprints or facial recognition or other biometric techniques for people to access their systems and their data. That’s an easy and simple way of doing it. You don’t need to remember 10 or 20 passwords. You’re going to be more secure just because you’ve made it simpler for people to use.
How do you get people to realize that there are alternatives to password-based authentication?
I think most people accept that passwords are not a secure or effective way of accessing data. I think using fingerprints or facial recognition for gaining access is widely accepted now. Consumer technology clearly plays a role in this because people are using fingerprint technology or facial recognition technology to get access to their mobile devices. That makes them ask the obvious question, “Why can’t I use this for work as well?”
I think the move is already happening. I don’t know of anyone who, given the choice of either a fingerprint or a facial recognition identification instead of a password chooses a password. Unless there’s some physical reason why they can’t, 99.9999 percent of people will use biometrics because it’s easier, faster and they know it’s secure. I don’t see it as being a challenge to help people move to that authentication approach.
I genuinely believe that technology can be used for a greater good for organizations and society, but it’s got to be handled in the right way. That means CIOs have to be thoughtful about what they’re doing and thinking about the end user and customer experience and making the technology easy to use.
That’s why for me, digital identification is so critical because it’s so important from a security perspective that you identify the right person who’s accessing your data, who’s accessing applications, who’s authorizing transactions. Protecting that data is critical for an organization, but at the same time, you need to make the process simple and easy to use. For me, biometric authentication and shared identification across applications and platforms enables you to do that. It not only protects the organization but does it in a modern way.
IT is now viewed as a critical business component that helps organizations achieve their goals. How can CIOs better align themselves with those goals?
My mantra has always been that a CIO is a business executive and the IT organization is a part of the business. You run IT very much as a business and you make sure that you are delivering the goals and objectives of the organization. You have to make sure that you are part of the management team. You have to be closely aligned with your company’s business objectives. You need to be able to dialogue with the CEO. You need to be seen as an equal partner to the COO, CFO. The CIO and IT executives have to be really engaged with the other business leaders. I don’t think there’s any CIO now that can survive unless they are totally engaged in the company’s business objectives and business strategy because IT is a critical business component.
You have to be at the front and center of where your business is going. If the CIO is not fully aligned with the business and isn’t actually helping to drive it forward, then they are in declining organizations. They will not survive. The CIO needs to help define and drive the organization’s goals. Easier said than done of course.
Keeping the email running is no longer a CIO’s primary job.
CIOs are operating almost in a different world to that of the CEO’s. It’s bringing those two together and recognizing that as a CIO, you need to be part of the business and find a way of connecting with the CEO and make sure you’re joined at the hip. The role of the CIO is one of the most difficult jobs in the company because you are very operationally engaged around the running of the IT operations, but you’re also critical for business strategy.
Typically, IT functions across departments. It enables all parts of the business whether it’s sales and marketing or fulfillment. That’s why the CIO and the CEO need to be very, very closely aligned because the CIO can enable what the CEO wants to achieve with their business.