Winning the battle, losing the war


Veteran CIO and author Mark Settle has published widely on the changing roles of leadership within IT departments. A former CIO at IAM giant Okta, Settle spoke to Pulse Q&A about single sign-on, the talent debt in IT and how being a CIO is a lot like being an NFL coach.

*This interview has been edited and condensed for clarity.*

Arjun Harindranath: Welcome to another episode of Ask Me Anything. We’re here with Mark Settle. Thank you for joining us today. I wondered if you could just start off by telling us a little bit about your journey to becoming CIO at Okta.

Mark Settle: I’ve been the CIO of seven companies and I left Okta in July. So I was there for three years. I had the good fortune to be there about a year before the IPO event occurred and then saw the company expand rapidly. So that was really one of the most exciting jobs that I had.

As you know, you don’t get a degree in college to become a CIO. My formal education is actually in geology. I started my career in the private sector with a large oil and gas company down in Dallas. Oil and gas companies, even at that point in my career, which was many years ago, had Cray computers and Unix workstations, and all kinds of things at the time that were really the most sophisticated technology that was available. So I had the good fortune to be there.

One opportunity led to another. You have to be pretty opportunistic, if you’re willing to move and relocate. I’ve had that good fortune as well. I’ve had a lot of work apartments. I never got myself in a situation where I was just in one metropolitan area and had to limit all my opportunities.

Pulse Q&A: So what was your first CIO role? Was that in the oil and gas sector?

Settle: That was actually Occidental Petroleum. They’re based in Los Angeles where they had three operating divisions, one was an exploration production company, another one was the natural gas line division. The third division was a chemical processing group. To share an anecdotal story, I replaced the gentleman who had been the VP of corporate IT. And when I interviewed for the job they said, ‘Well, we want you to go out and talk to these divisional CIOs and all three divisions.’ The CEO and CFO thought they were spending too much money. And they said, ‘Well, you know, one of the things we want you to do is to go out there, knock their heads together and find opportunities for some classic intuition that they like.’ So I said I can help with that.

But then I need the CIO title and they had never had a global CIO before. They were not interested in another C-level person to the executive team. I said ‘Listen, how can I go out to the division and exert this control that you talk about if I don’t have the title to go with it?’ So I look back on it. I was kind of brash and sassy at the time. I was younger and was dealt with the job opportunity but I talked them into making me their first.

Pulse Q&A: What do you think you had that persuaded them?

Settle: I had quite a bit of program management experience in the Air Force. I’d worked at NASA headquarters, I had been exposed to a variety of technologies and my experience at that other oil and gas company, some of the big kind of organizational management experience that I had. I think all that was very appealing to them. At the time, I was the right guy for the job.

Pulse Q&A: Do you think when you go into a role and are thrown in the deep end that there are a lot of things that are self-taught? Or are there a lot of things that you pick up from the people around you?

Settle: That’s a great question. You know, I look back after having done the job seven times. Sometimes I land in jobs and I’ve looked around and thought this is going to be the proverbial ‘duck soup’. Because of the experience that I have, I can see in my own humble estimation what they need here. It’s pretty clear where the problems are, what we need to do now, all that insight and intuition has to get applied to the business model, the unique features of that particular company, where it operates geographically, and what its customer base is like, etc. But there’s a lot of things in it that are immutable. Everybody has to have a financial system and everybody has to have some kind of a CRM capability.

If you’re manufacturing, you gotta have warehouses and distribution. There’s just one category of landings that I’ve been involved in where I looked around and I thought ‘this is going to be great’ because I know I can come in here and start doing some things on day one that are really going to help this place up. And then I’ve gone into other jobs, looked around, and literally have looked in the mirror saying ‘Why did they hire me? I have no idea what to do.’ In a lot of ways the second kind of scenario is always very rewarding in the long run because you do learn a lot about businesses.

The third kind of situation is (I worked at Visa for three years) where I was naive going into the company and I just kind of presumed that it would be easy to master the business model, like equipment. And so with respect to Visa I thought ‘how hard can this be if you swipe the card during the day and then at night the banks settle up between the merchant banks?’ How hard can this thing actually be? Of course, like so many things in business, the minute you scratch back the surface or pick up the rug and look under the covers, the nuances and idiosyncrasies and all the historical one-off processes that have been implemented to make the business run. It’s kind of mind-boggling in many cases. So even businesses that from the outside might look pretty simple and straightforward, once you get on the inside, you find out that they’re very complex. So you always learn every job you learn. Sometimes you learn because you’re scared. Other times you learn you’re taking the knowledge from the past.

Pulse Q&A: It was never a case of ‘I know exactly what I’m doing’ at Okta? You always feel like you’re in the deep end?

Settle: Okta was an interesting case, where they were growing so rapidly. So I joined the company in 2016 with around 800 employees. And when I left this last summer, they were closer to 2,500 employees. I had never worked in a company that was growing that rapidly. That was a great learning experience.

Pulse Q&A: What were some of the major challenges of the company that grows so quickly?

Settle: Talent. Every company I’ve ever worked for has a mantra about how they’re outgrowing their talent, right? Every organization always talks about raising the performance bar. What got you to be principal, senior engineer two years ago, well, everything’s tougher and more sophisticated. And so our expectations have risen.

But when you grow as rapidly as Okta was, you really do outgrow people and the skill set. Here’s a good example. So the skill set that would have been perfectly satisfactory to run a service desk operation for a company with 500 employees, most likely is not adaptable to a 3,000 person organization. Or the 3000th person, probably isn’t the right person to run up when the company has to be 10,000 and has operations in Asia, Europe and North America. Talent was a big challenge.

Preparing for public company operations was the other part of the principal business systems challenge that we had to get ready to support SOPs regulations. Okta is a security company so we had a number of certifications like HIPAA, and PCI, PII, GDPR, some ISO certifications as well. So there are a lot of operational controls that needed to be, you know, managed pretty, pretty strictly within the IT organization.

Pulse Q&A: I wanted to get onto the topic of talent in just a second, but would we be able to talk just a little bit about Okta first and their expertise in the IAM space? What did you see in that growing area in the time that you were there?

Settle: There’s a couple of drivers here. One of the biggest single ones in my estimation is the proliferation of SaaS applications. Single sign-on, which is the core capability, and MFA kind of tools were less business critical when end users were spending maybe 50-75% of their workday accessing on-prem applications that were in the data center. So the way the world used to work is you’d literally come in in the morning and open up a couple of those key internal applications and you’d minimize them and they’d be on your toolbar and then you jumped in on these applications over time. As we all know there’s been this explosion of best-of-breed applications that are up in the cloud.

The rules of engagement have changed. By that I mean the functional departments can now go out and use their own budget money to bring on board a lot of tools. But you still end up with this problem of somebody’s got to be the enterprise-wide gatekeeper of regulating access to and from that particular portfolio that they’ve assembled.

Okta were in the right place at the right time. The company was founded in 2009 so wasn’t really even a category, so to speak. There were a couple of companies that had some on-premise capabilities but it was a combination, I think of the explosion of SaaS and the chance to offer this kind of a service through a cloud-based solution that were the key drivers for Okta.

Pulse Q&A: When we did a survey related to this, most of the execs in response to the survey mentioned that they would still want some sort of IAM technology on top of Single Sign-on, particularly for customer facing applications. Is that consistent with what you’ve seen?

Settle: Yes. I am into infrastructure, using user identity to authenticate your access to a server or to a storage device. People like that, a lot of times developers, are notoriously informal. That’s a polite way of saying it. In terms of sharing credentials to infrastructure. So they’ll share files and say, ‘here’s the password for that device’, just copy it and put it in your code. And so when you go to run this, it’ll be able to access the thing. There’ll be a lot of investment in that area and then machine to machine authentication as well.

So as the whole IoT phenomena grows, sensors and different kinds of machines will authenticate to each other. A good example might be if you’re constructing drugs and the raw materials that are going to a drug or be delivered to you or me as a patient, the machine that’s delivering some of that raw material may have some certifications that have been applied to it, and the machine that’s going to be downstream and take possession of those materials and do whatever it’s going to do, heat and mix them into the final drug, wants to start to have this electronic handshake so to speak. It says ‘I know that I’m taking raw material from a machine that’s gone through all the right FDA certifications etc.’ So I think the explosion of identity-related capabilities to both think about authenticating those two scenarios are going to become more and more critical over time.

Pulse Q&A: You mentioned as well that talent was crucial to the enterprise and you’ve used some interesting concepts to that end. The first was ‘talent debt’. Would you be able to describe what ‘talent debt’ is?

Settle: This is one of my favorite topics to talk about. You know how easy and popular it is for IT leaders to talk about technical debt? Technical debt is like Original Sin. We all carry it around. And if we said the right number of prayers, we could make it go away in some way. It’s a widely recognized evil, for all the obvious reasons. It ties down dollars in your budget because you’re upgrading things with no net business value. It introduces a lot of operational complexity. It forces you to defer some more innovative activities as well. It’s a boat anchor that everybody calls around. And in my experience, I think a lot of times, it’s pretty much ignored. Until you have a situation that requires major surgery.

A good example is Salesforce instances these days. People that want to migrate from the classic version of Salesforce up to the Lightning instance and many times take that as an opportunity to really clean up their instance before they make the migration. And then they discover this isn’t just a project that we get three people to work on for six weeks. This is sort of like a Manhattan Project, ‘I’m going to need a couple dozen people, and I’m going to need a couple quarters to get into this and really clean things up.’

So everybody’s very comfortable thinking and talking about the depth of within our systems. Then if you look at like the staff within an IT organization well, guess what, they were all hired to support these aging and obsolete systems. Almost by definition you’ll always have talent on the staff, because there’ll always be new technologies that are coming along, the kind that exceed your grasp of whatever those things are. Sure there’s conventional ways of reskilling people but adjusting the skill mix that you have in a staff, you may take somebody who’s shown tremendous performance in one area, and give them the opportunity to develop new skills but there are just some areas where I think it’s foolhardy.

Take DevOps as an example. We could bring in consultants, we could educate the staff about DevOps, etc. But when you really get down to day-to-day, how are we going to implement this thing in practice? You’ve got to go find some people that have done it. You need to have new talent that people can model. Devil’s in the details. You can sit in the classrooms and get the concepts. That’s not the hard part. The hard part is translating that into work procedures and practices that we’re going to all follow on a day-to-day basis.

I don’t think that IT leaders in general really step back and look strategically at where am I over invested in terms of aging skills and where my opportunity areas are going forward. Partly that happens because of budget limitations. It’s not at all uncommon for people to say ‘I’d really like to build up some DevOps capability, I think that’d be incredibly beneficial. And now I just kind of have to wait for a business project to come along, I can hop on that bandwagon. We’re going to completely redesign our proprietary order to cash application, my e-commerce platform, we’re going to do a complete renovation of that thing. And I want to start introducing some DevOps concepts.’

You use that major project as kind of a funding pretext for it to happen. But I think any kind of annual budgeting exercise, you really should step back and look at where those strategic deficiencies are. Frankly, on your management team, everybody should realize that when an attrition occurs and somebody leaves from Team A, that the open headcount really does get redeployed on a strategic basis for the good of the overall IT organization.

In many cases more senior people, CIOs, are maybe a little too forgiving or laidback. They just say ‘If Joe left the storage team, then the storage team can open headcount, go find another person with the same skills as Joe.’ Maybe that particular job, or work slot needs to be repurposed for the DevOps team. Maybe that’s a much more strategic use of that available slot.

I’m pretty passionate about talent. I think people should think about it more and in a lot more strategic terms. You really should get more of a long range plan about what you want the work to look like, say 12, 18 or 24 months from now.

Pulse Q&A: How much of the challenge of addressing talent is internal? In terms of budgets or the desire to expand, how much of it is external, like the sheer number of people who are available, who can do the job in a specific area?

Settle: You’ve put your finger on it. Obviously, with the collaboration tools that we all have today, we don’t necessarily need to be physically co-located. But there’s still some obvious benefits for doing that as well. There really is a significant talent deficiency. Especially outside the coasts. As you well know, there are deep pools of talent in places like San Francisco and Seattle and Boston and Austin. But then you get into some second-tier tech markets; Houston, Denver, Minneapolis to a degree. To your second point if you’re looking for somebody with three years of NetSuite expertise, or somebody who has managed a hybrid cloud environment on-prem in Azure, or a dual provider cloud environment, Azure and AWS, for more than two years you’d be hard pressed in many cases to find a good flow. It’s a problem.

Pulse Q&A: You’ve also written about managing talent. You said earlier that you had a bit of a mantra. Was that in relation to managing talent or talent in general?

Settle: It’s about managing talent. I don’t know where you want to go with that one, because there’s a couple of views on the topic. I encourage people from a developmental point of view to keep score on three different dimensions. And so I think a lot of people when they look at their own career advancement or development, they look at things like ‘was I getting to go to the conference that I wanted to go to this year?’, and ‘did they send me to the training that I requested?’, or ‘is there a mentor program within the company? Did I get selected for that?’ Those are the ways people keep score.

Really, those are just a means to an end. So the dimensions I’m talking about are technical expertise and so you can, at the end of the year, the company’s going to do an evaluation of your performance, you should be evaluating the company’s performance relative to your career development. So this technical expertise dimension you can look at and ask yourself the question ‘were my technical knowledge and skills broadened in some way?’ Or maybe they were deepened in a particular area.

The second dimension is around business knowledge. So in the course of the work that I did, I learned to develop new insights into the way the business processes actually operate. And then the third dimension is people interactions and people skills. I think IT people have a strong tendency to kind of knee-jerk and look at that first dimension about technical expertise. You know, “did we upgrade the platform this year? And did I get exposed to the next generation of XYZ? Or did we substitute something else to remove Tableau and now I know how to manipulate Tableau.” They tend to discount the business knowledge and the people skills. And that’s incredibly short sighted. Because, over the course of a career, your technical skills atrophy over time. Nobody can keep up with all the changes in technology over a four-year career in the industry.

So those other two dimensions, your knowledge of business processes and your ability to work with people really, become a big part of your professional equity and shouldn’t really be discounted. At the end of every year, if you pick a scale you like 1-3, 1-4, 1-10 and you take those three dimensions, kind of keep score. Some people need to do that to get nudged out of their comfort zone. And some people cling to the false hope that it’ll get better next year, we’re growing right now and something’s going to change next year to make it better. It doesn’t always get better. After a couple of years, two or three years of it feels like they’re benefiting more from extracting the value from your skills and they’re not seeing a reinvestment expanding on those three dimensions and it’s time to start looking around.

Pulse Q&A: You use this analogy in one of your articles about how a CIO is a bit like an NFL coach. For a guy who knows nothing about American football, could you tell me why?

Settle: I blog about this and this is actually one of my most recent topics. So a couple years ago, literally like 18 months or so ago, McKinsey put out a report on the average tenure of CIOs. So I kidded the audience earlier this week. I said if you’re a CIO and you see that there’s a report about that, you’ve got to get that article, you want to see that immediately. Because you want to know how the hell am I doing relative to the average. Am I staying longer, staying shorter, things like that.

So the average according to McKinsey was 4.3 years. For those who are watching and are interested, I’m pretty close to the average. And almost within the same month, or the month later, I came across this sports magazine that had some sports group and had done a similar analysis of NFL coaches. And it was the same exact number: it was 4.3 years. I think this is going into the 2018 NFL season. And I thought, that’s really interesting, because I’m a bit of a follower of football and I listen to a lot of sports talk shows where the NFL coaches get fired. One is they do a poor job of managing the talent that they’ve been given. So the people that own the team, the managers go out and they make trades and they get draft picks and they got these contracts. So they’re trying to assemble the best pool of talent that they can afford. They kind of give it to the coaches, right? ‘There you go, do something with this.’ All too often that doesn’t really click or work out all that well.

The second thing that many times leads to failure is the inability to innovate. Coaches get locked into a kind of a rut in terms of the plays they like to call or the way they want to approach the game. So an example would be how there are some teams that are all about ball control–we want to run the ball as much as possible, we’re going to find every possible way to hang on to the ball and not have the other guys on the field score any points. The current version of the NFL has people just throwing the ball all over the place. There are some teams that jumped on that kind of new concept earlier than others.

The third is a failure to intervene when things go wrong. There are a lot of teams, especially going into the middle of the season, where it’s clear that things are not working. Your play calling is becoming too predictable. The quarterback and his receivers are not doing it. Do you have the gumption to wade in as the coach and maybe pull the quarterback? Or change the offensive coordinator? Or do you let the whole thing kind of play out? I think as hard as it is to disrupt the plan in the middle of a season, some of the better coaches are prepared to take the heat and do those kinds of things.

Then the last historical way I’ve seen a lot of NFL coaches get fired, is around the relationships that they have with the owner of the team. Those kind of sour over time because they’re not winning enough. There are many situations where the coach may be popular with the local fan base or with some of the key players on the team. And the management doesn’t really have a good pretext. They’re good enough to get into the early rounds of playoffs but they can never get beyond that and the owner gets frustrated. But the guy hasn’t failed, but he really hasn’t succeeded either. So they’re just kind of looking for some opportunity to make a change.

So when you look at those four dimensions: talent, innovation, intervention, and relationships with the business side, I looked at that and I thought that’s pretty much what happens. If you can’t really leverage the talent that you’re able to purchase, and you don’t innovate and enter the right points in time and fail to cultivate those relationships with your business partners, your 10 years going to come to an end sooner rather than later.

Pulse Q&A: One last question and one that’s related to how the role of the CIO has transformed. You started off in the petroleum industry and you ended up at Okta. More recently, what do you think are the biggest changes or expectations on a CIO? Have they changed over time?

Settle: That’s a good question. So you know, some people answer that question somewhat superficially. I’ve seen the CIO role be modified or adapted in different companies when given additional responsibilities. In some cases, the CIO is also the chief information security officer.

I’ve seen other ones where that individual is also the chief data officer. Potentially, I’ve seen somewhere that the CEO is also responsible for all the supply chain activities, like in a large manufacturing organization, but that’s so key and critical. They want the CEO to take on operational responsibilities. So the first thing I see in your question is, if you get into a particular company, there may be some reason for the CIO role to be a little bit different take on some broader business responsibilities. That’s not uncommon. In part, that’s a function of the perspective that a CIO should have, which is more of an end-to-end view of an enterprise and how the enterprise is generating true business value, like how the pieces fit together.

That’s the first answer. The second answer is around the activities that go on within it. So I think there’s been a huge revolution that’s happened with respect to those 10 in a command-and-control culture, where we have the budget for every application team. We were involved in selecting what they were going to use and making the business case. So those days are gone, obviously. In the SaaS world, where companies may own hundreds, literally hundreds of SaaS applications and maybe have money for 20% of the SaaS tools, or maybe even say 50% is flowing through IT. More than half the SaaS spending is being done out in the functional groups with no real, direct responsibility within it.

The challenge going forward is to not advocate the leadership role that we should have. What I mean by that is we should know what people are using. We should know how much we’re spending. We should be able to look at license allocation and decide if we’re wasting money. We should be looking for opportunities to do some data integration platform to platform. If you’re in manufacturing, you don’t really care a lot about distribution, but maybe there’s some form of information that’s being managed within your manufacturing systems that would be very valuable to the distribution function or upstream to the supply chain group. When the functional groups start buying their own applications, they’re going to pursue integrations that benefit their interest.

Finally, safeguarding the corporation, because there’ll be these compliance issues around regulations or industry. Best practices are managing intellectual property. But again an individual function may not really be thought of as a top of mind concern. So you’ve got all these dimensions of responsibility and it would be all too easy for IT leaders to step back and wash their hands and say ‘they never came to me and asked me about whether they should buy this. They found their own money. They only come to me when I got to do that.’

The word I like to use is we’ve got to become stewards of this application portfolio–this cloud based collection of tools. It’s a stewardship responsibility for the good of the corporation. If you were to take that myopic perspective and just say that’s not my business, that’s career limiting. That’s an educational leadership that the organization should show.

The other thing that’s going on, which is obvious to everybody, is infrastructure abstraction. So when you think back in the world in which people have large on-premise data centers–and many people still do–more than half of the IT budget was dedicated to the data center operations. We bought hardware, we have labor, we have monitoring systems, we have to worry about electricity and cooling and water and other crazy stuff.

So those areas of responsibility are fading rapidly. As you well know there’s software engineers today that can assemble customized stacks of servers, network connections, and storage devices at literally the touch of a button. They can run a simulation model across four different Azure data centers that solve the same problem. They can discard that whole assembly of computing resources at a touch of a button and hit a button again three days later and run the simulation all over again. A lot of that skill mix that we have to worry and think about, operating on-prem is going to become a lot more different. So now it’s all going to be about how you can leverage those cloud resources. Frankly, there’s so much automation that’s going on today, it’s not going to require the same staffing levels, and certainly not the same investment.

One final note about this, because this kind of bugs me a little bit. I’ve still got a lot of meetings where people get up and talk about shadow IT. I don’t really believe that shadow IT exists anymore in the way it was described. In the command and control era if anybody did anything without our knowledge, it was shadow IT like how did you go do that? Well, anybody that talks to us, they haven’t really woken up to the new reality. In fact, ironically, IT has almost become shadow IT. If you think about it, the things we manage: the laptops, the Wi-Fi network, you know, make sure the security things are taken care of in the background. You know, these are not at all top of my concerns or most people that worry about our day-to-day business operations. They’re worried about our Gainsight application or whatever. They purchased it to work in their particular functional area.

What happened was we all thought, as technologists, that information technology should be used much more pervasively and was deeply ingrained into the day to day operations of the company for years. We would say we’re really missing an opportunity here but it’s innovating so fast. There’s so many ways of getting more benefit out of technology. And then we kind of woke up and realized that functions went off and did what we said out loud. They’re using technology in ways that meet their immediate interest.

It kind of reminds me a little bit of what happened in World War Two (I’m a bit of a historian on the side). If you remember after the war was over the United Kingdom, England, which kind of led a big part of the successful allies to victory. After, they were like a shadow of their former selves. They didn’t really go back to the world where they ran everything in the world. Where they were capitalist leaders and they had all the colonies and their industries were the preeminent industries in many different fields. The analogy here is that shadow IT is: the technology was important, the functions went off and are using every opportunity to leverage technology. We kind of won but then we looked around and realized the implication is we’re not in charge anymore. And that’s what you’ve got to really come to terms with in this new world.

Pulse Q&A: That’s a great note on which to end our conversation as well. So thank you very much for joining us today, Mike. I really appreciate it.
