Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way.
Craig Walker has nearly 30 years of experience with Shell spanning locations such as the US, Colombia, South Africa, Saudi Arabia, UAE and the UK. Originally joining Shell as a programmer in 1981, and after a 6-year stint at KPMG in the early 2000s, Craig is now the global CIO for the Shell Downstream business. This includes trading, manufacturing and refinery as well as the B2B businesses such as marine, aviation and retail.
I was originally brought in to put the IT processes right, as Shell was not doing the best it could have been at the time; it wasn’t moving quickly enough or being very agile. I managed to cut down my budget by 44% by the end of 2018, all at a time when digital transformation is one of the hottest topics in the board room. It was a difficult process, but we ultimately managed to do this through various initiatives to increase talent and reduce the number of outsourced employees. I also restructured my team to make sure that everyone had the skills, such as agility and speed, to thrive in a modern IT department.
Another key action I did when I arrived was to outline the 3 themes that my team would cover:
1. We focused on commerciality. If you don’t understand how the business makes money, then you cannot be an effective IT person. You have no accurate framework of how to prioritise your work. Everyone at Shell is a business person; it just so happens that IT people come to work with an IT toolkit.
2. We established one true team. You cannot have a high-performing team if people cannot work effectively with each other.
3. The team became very results-oriented. It’s all about putting a dollar on the bottom line of the business, ultimately; that’s why you are doing it.
Another challenge is keeping up-to-date with all of the tech nowadays which, as an IT leader, you absolutely must do. You have to have the 101 knowledge to engage the business effectively and understand the possibilities of the tech. Ideally, 10% of your time should be spent learning about new topics.
The CIO has to use the same business speak as anyone else does; you have to take your speciality up to a level where colleagues understand why it is relevant to them and their bottom line. Otherwise, it will not have an impact. Another very important aspect is having the ability to tell a story and bring a vision to life. For example, I use clips from JFK’s Moonshot speech a lot and, at one point, he says that they are going to build a rocket out of material that hasn’t been invented yet. Well, I’m trying to build a business model with technology that people are just beginning to understand. You have to be able to convey all of this in a convincing way and show the rest of the board the art of the possible without overselling. You have to show up as a business person, which is not easy for a lot of CIOs as they come from a highly technical background. This is why I say that one of my greatest learnings at KPMG was the ability to tell an engaging story to a client.
One of the largest issues right now is that many organizations are swamped with data. For us, the amount of data coming from plants etc. is immense. However, it is important to capture and use as much of that data as possible. In essence, the change in strategy nowadays is that, because nobody knows what the data will be used for yet, you better make sure to capture as much of it as possible. It used to be very prescriptive, whereas now companies such as ours are much more open-minded.
There seem to be two levels of threat nowadays: you have people who want your data because it costs a lot to get and then you have people who want to do you harm. Because of the new regulations in place (e.g. GDPR), information security now has to be much more encompassing in protecting the consumers and the brand. The main threat is damage to the brand because any company that has a high level of trust and then suffers something like a data breach will immediately lose that trust. This will affect your business. At the same time, the amount of data is growing, so it is now becoming much more difficult to keep it safe. Ultimately, nobody can create a perfectly safe environment but you have to do your best and this is not unique to our industry.
Whenever I am in a new position, I always write myself a 30-, 60- and 90-day plan. In the first 30 days, you should just listen to everyone and build up your own picture of what is going on. Be sure to test your opinions by playing them back to people constantly and listen to the business team a lot. You need to understand what they want to achieve. Once you have a picture of the business, don’t be afraid to make difficult decisions about people. Have a vision in place and see who fundamentally buys into it and who doesn’t. Whenever I delayed decisions about people, I almost always regretted it. Somewhere within those 90 days, you should set out your plan of action and learn who is going to give you unbiased feedback. Finally, try to network with your fellow CIOs in your and other industries to keep exchanging knowledge.