Game Changing Moves
- From CIO Digest, January 2010 Issue
The aftermath of the 2008-09 economic crisis has created new business models that extend to nearly every organizational segment. For IT executives, the implications are that they must make the IT function more productive while embracing new, disruptive technologies in order to gain competitive advantage.
Close alignment between the business and IT is an essential ingredient in this process. However, in a recent survey of IT and business executives, McKinsey found that while 71 percent believe IT must be tightly integrated with the business, only 27 percent believe this is actually the case in their organizations.1 Much work obviously remains to be done to “change the game.”
Establishing a joint-governance model is often the most cited strategy that an organization can employ to facilitate collaborative communications between IT and the business. Following his appointment as Symantec’s CIO in 2006, one of the first programs David Thompson implemented was a governance model that created a structure and process for prioritizing and aligning IT projects with the requirements of the business. Based on his previous assignments as CIO at PeopleSoft and then Oracle, Thompson understood the value of using a governance model as the basis for translating business requirements into IT strategies and priorities.
In 2008, Thompson was called on again to leverage his experience in business process optimization when his responsibilities were expanded to include the global services organization. Now CIO and group president of Symantec Services Group, Thompson was given the charter to drive greater operational efficiencies while creating closer alignment with customer requirements.
The following is an interview Patrick Spencer, the editor in chief for CIO Digest, conducted with Thompson about some of the “game changing” moves he and his team are leading.
Patrick: You served as senior vice president and CIO at Oracle. What did your role and responsibilities encompass?
David: Oracle’s IT organization is split into two functions: research and development, and global IT. I oversaw the latter, which included the IT infrastructure, on-demand services, and information security. My function encompassed core ERP applications and other ancillary applications.
Patrick: Symantec—like Oracle—is a very acquisitive company. Understanding how to manage the integration of IT assets, infrastructure, and processes into the overall operations of Symantec is critical. What are some of the best practices and approaches that you’ve been able to leverage at Symantec?
David: One of the foremost lessons I adopted was a mergers and acquisitions (M&A) playbook that specifies execution strategies and an integration roadmap. Symantec’s M&A approach was not as mature as the one at Oracle, and we—as a cross-functional team—worked to build out a series of M&A playbooks. But as one size doesn’t fit all, we developed different playbooks for different types of acquisitions. For some, we may want rapid integration, for others we may want partial integration, and then for others we may want them to remain as independent business units. In addition, common to any playbook, regardless of an organization’s size, is the need to ensure that value drivers and synergies are captured and understood.
Patrick: You spent seven years at PeopleSoft as CIO. The company experienced a number of very distinct changes during your tenure. One of the initiatives you led was the internal adoption of PeopleSoft technologies. What was this all about?
David: PeopleSoft had grown rapidly over its history, and much of the focus of IT was on meeting immediate business requirements. IT was basically one step ahead of the business. I identified a real opportunity to start using the intranet technologies that we were selling to our customers and become a showcase example. Working in partnership with the business, the IT organization was able to drive substantial operational efficiency gains and cost reductions while improving customer service.
One of the most critical initiatives was around business process enablement and optimization. We looked at our operations and the number of intermediaries involved in an HR process—from the request to transfer, to the employee record moving, to assets transferring, to the employee’s roles and access changing, to financial updates, to expense and procurement management approvals. This included database, directory, and information security updates. The results of this multi-year program were impressive: it saved the company more than $100 million.
Patrick: Any other takeaways from your assignments at Oracle and PeopleSoft?
David: Governance comes immediately to mind. The business must have direct input on what projects are being driven by the IT team. When I started at Symantec, one of the first projects was to institute structures for a governance model. This approach allows us to assess and prioritize projects based on their importance to the business. We’re now at the point where we can conduct more in-depth analysis around ROI and the value to the business. The other takeaway would be the value of enabling a few core technology building blocks. These out-of-the-box business applications deliver enhanced effectiveness and greater operational efficiencies.
Patrick: So how does the governance model work? I assume this is a cross-functional endeavor with all segments of the business?
David: To begin, we have an annual IT investment plan. The governance team also meets quarterly to update the plan based on changes in the business. And every week an IT steering committee, with members from across the business, makes adjustments based on additional capacity or unforeseen business issues. Our governance model has allowed us to operate more efficiently, but we’re always looking for ways to improve. So I keep my eyes and ears open to peers and I’ve learned much from their experiences and insights.
Patrick: What are your peers doing that you’ve found innovative?
David: Many CIOs are automating their governance functions with standard toolsets. The IT segment is at a point now where we can move from largely manual governance processes to a model using industry-standard tools such as portfolio management and ROI frameworks and documentation.
Patrick: You bring up an interesting point regarding ROI—or business value. Do you look at it from a pre- or post-implementation standpoint? Or both?
David: When we begin to look at IT investments, we always look at the business value proposition and vet it through finance and the IT governance team. Everyone signs off on the anticipated business value. And as with any corporate investment, we are building the discipline, including documentation, to go back and look at the initiative through a business value lens, pinpointing cost reduction, revenue gains, and operational efficiencies. These are evaluated against the initial projections set forth during the project evaluation phase. We then take the outcomes of these post-implementation business value assessments and use them as a factor when considering future investments.
Patrick: You launched a program, “Eating Our Own Cooking,” shortly after your arrival at Symantec. What is this program about?
David: When I meet with customers, one of the first questions is how we’re using Symantec technologies internally. Seeking to establish Symantec’s IT organization as a technology showcase for our customers, I launched an initiative in 2006 called “Eating Our Own Cooking.” The focus is on increasing product quality, enhancing customer satisfaction with the end product, and delivering value to Symantec.
One of the first initiatives actually came from a conversation I had with our general counsel about the different pain points associated with legal discovery. We subsequently implemented Symantec Enterprise Vault for email archiving and e-discovery with a substantial resulting business value. On the security front, we rolled out Symantec Endpoint Protection across nearly 20,000 endpoints and more recently added Symantec Data Loss Prevention for monitoring, managing, and enforcing data loss prevention policies on our network. Then, in line with the company’s “Stop Buying Storage” campaign, we are leveraging various storage management and deduplication technologies such as Veritas CommandCentral Storage, Veritas NetBackup PureDisk, and Veritas Storage Foundation to optimize our storage infrastructure. And as governance and compliance are critical factors for the organization, we have Symantec Control Compliance Suite integrated for IT policy compliance tracking, reporting, and management. These are some of the most significant initiatives that form our “Eating Our Own Cooking” program.
Patrick: Last year, you oversaw an effort to transform Symantec’s IT operations by moving from a largely in-sourced model to one that is outsourced. What was the business justification behind the decision?
David: We began with an organizational assessment that evaluated our operations against industry standards. I concluded that we needed a global strategy focused on core processes and functions that would add value to the business. We determined there were a number of providers in the marketplace that could deliver certain functions less expensively and more efficiently than we were doing in-house. We decided to retain certain functions in-house, such as e-commerce, information security, governance, and compliance, among others, while outsourcing other IT operations that are not core business competencies.
Patrick: When you speak to your peers and they ask if they should think about an outsourced—or even out-tasked—model, what advice do you give them?
David: They need to understand their current capabilities. Conducting an organizational assessment that compares their current state against industry benchmarks and metrics will provide useful insight. This step is a requisite and really needs to be conducted by a third party; otherwise, you’ll go into the decision blind or make a decision based on emotion or subjectivity, sometimes without even knowing it. Indeed, every IT organization—regardless of whether operations are outsourced—should conduct an organizational assessment about every two years to gauge where you’re at.
Patrick: You’ve led Symantec Global Services for the past two years. What are some of the changes you’ve brought to the organization?
David: I would like to highlight three initiatives. The first is in the area of Symantec Consulting Services, focusing our skills and resources around being product experts. And we want to be the center of excellence when it comes to using our products. The second is in our managed services business. Out-tasking is becoming prevalent, and our Managed Security Services organization is a world-class leader. And we extended our managed services model to cover additional areas such as endpoint security and backup services. The addition of these offerings has allowed us to work with our customers to determine the managed outcome of the service based on their requirements in the form of service level agreements. Our third initiative is on Education Services and the delivery of online training. Our customers simply don’t have the budget to travel for training, and we want to provide them with anytime, anywhere training modules.
Patrick: Enrique Salem, Symantec’s president and CEO, speaks about the importance of product integration and ease of doing business. How are these encapsulated in the efforts of the IT and services organizations?
David: For the IT organization, the foci are twofold. In the case of ease of doing business, we want to make it easier for customers to get access to Symantec by streamlining transactions and customer service interactions. On the innovation side, by testing out products before they are made available to customers, we intend to assist the engineering teams to begin thinking like an IT organization and helping them to design products that address the requirements of our customers. For the services organization, we accumulate feedback from customers and gain valuable information on how our products react in production environments and what our customers will find useful in future releases.
1 Michael Chui, James Manyika, and Pär Edin, “Time to raise the CIO’s game,” McKinsey on Business Technology 17 (Autumn 2009).
Patrick E. Spencer (Ph.D.) is the editor in chief for CIO Digest and The Confident SMB and the author of a book and various articles and reviews published by Continuum Books and Sage Publications, among others.

