But Germanow agrees with Hitachi Consulting's Jim Cole that a willingness to embrace SaaS is essential if a CIO is to remain relevant. "The reason that many companies subscribed to Salesforce was that their IT departments couldn't make a CRM system. There's been a long history of going around the CIO, but smart ones shouldn't fight it, they should embrace it."
From control to trust
An obvious question to ask then is whether the modern CIO's role really comes down to one of keeping an eye on SaaS services that business units subscribe to, and ensuring that they are used in a secure fashion – perhaps, ironically, by subscribing to a Cloud Access Security Broker (CASB) service?
Germanow believes there is some truth in that, but also that there's a need to move from control-based to trust-based security. “The trend in security is a shift from ‘I control and secure everything myself’ to ‘When I use Azure I now use modern technologies and a shared responsibility model with cloud providers,’” he says. “The focus is on business risk, not technology risk."
Cole says there is more to it than that. To stay relevant a CIO has to orchestrate a complex blend of "best of" applications, technologies, and platforms – as well as providing "reasonable guardrails" when it comes to security, risk, and consistency, he says.
That means working with business units or individuals who want to subscribe to SaaS and building it into an overall IT plan. "The successful CIO engages, embraces, seeks to understand, partners to develop roadmaps, brings a mix of facilitating policies and enabling support services," Cole explains.
"By engaging they help to establish a culture of accountability, approvals, audits, and awareness so the company leaders never wake up in the morning wondering where their data is and is it secure," he adds.
Some CIOs may baulk at the idea of handing over much of the responsibility for running applications and securing data to cloud providers and effectively allowing business units to decide what's best for their needs, but CIOs that can't adapt to the changing face of enterprise computing are doomed to sink into irrelevance, he warns.
"For those CIOs who remain in the traditional "command and control" operating models, their relevance as a business partner will shrink as they continue to try to enforce isolationist policies that, like in geopolitics, never seem to end well," Cole says.
Sign up for CIO Asia eNewsletters.