Whether you are leading an IT or Cybersecurity organization for one property or multiple properties, the challenges in the gaming and leisure industry seem to grow constantly.
As the challenges grow (data management, compliance, security and trust, third-party risk, cloud adoption, data privacy, etc.), the required solutions often demand new technologies, new tools, new processes, and new skills. There also seems to be a constant requirement to be lean, optimize costs, and limit spending growth. How can we lower costs – and – deal with growing and new demands? The classic management edict of 'do more with less' was not, unfortunately, a casualty of the pandemic. In fact, 'do more with less' continues to be an underlying theme for IT Leaders.
I think dealing with the balance of limited (or reduced) resources versus accomplishing desired outcomes can be framed into the contrast between efficiency versus effectiveness. Efficiency is the ability to produce an intended result with the least waste of time, effort, and resources. Effectiveness is the ability to produce a better result that delivers more value or achieves a better outcome. I think our ongoing challenge of new and expanded demands/requirements is best managed when the current foundation is effective and able to be extended/expanded. Respected Management Scientist Peter Drucker framed it this way: 'Effectiveness is doing the right things, while efficiency is doing things right.' Effective teams:
Focus on doing the right things the right way
Focus on the big picture
Shift priorities as necessary
Let’s take a look at Cybersecurity as an illustration of efficiency and effectiveness. The basic goal for a cybersecurity team is to manage the company’s risk in a way that meets the desired risk profile. You cannot eliminate all risk, and across the various risk vectors, there are points of diminishing returns in adding tools, technologies, and processes.
As the topic of an organization’s security risk has increased in urgency and focus for the business leaders in our industry, there has been the effect of adding security tools to reduce risk. This is not a bad thing except where the result is tool sprawl and potential overlaps, gaps, and complexities. Solutions II created monthly IT Executive Roundtables years ago in which we can understand the thinking of a large group of IT and Cybersecurity Leaders. In one of our recent monthly Roundtables, we polled several dozen IT Leaders and their input was very insightful.
Insights by IT Leadership
“Do you feel that you can reduce complexity and reduce costs by analyzing your IT tools and Cybersecurity tools for overlap, poor performance, and underutilization?”
59% strongly agreed
32% somewhat agreed
Only one respondent disagreed
91% of IT Leaders feel that they can reduce costs and complexity by rationalizing their current technology tools with the objectives of:
Clearly, there is agreement among IT Leaders that they do have the ability to rationalize and optimize their inventory of technology tools. In fact, in that same Roundtable Meeting, we asked about the urgency of actually doing this exercise of analyzing and rationalizing/optimizing:
3% have completed this exercise
30% currently have this exercise in process
41% plan to begin this exercise this year
IT Leaders do not just agree that tool sprawl needs to be solved in their organization – in fact – our polling showed that three-quarters of our group of leaders will finish that exercise this year. This is certainly seen as a worthwhile effort, but the result is typically ‘doing the same with less’. Doing the same with less is not a bad outcome, but it falls short of ‘doing more with less’. Is it impossible to do more with less? Perhaps not. Here is a framework that we have used to combine the tools rationalization with the improvement of the foundational technology fabric. Again, we will use the context of Cybersecurity to illustrate.
Research and understand what the resource requirement is for your team (or paid to an outside team) to operate, administer, and gain actionable information from the tool. Ask the person/people tasked with managing the tool to simply rate the overhead of operating the technology on a 1 to 3 scale?
3 - less than 5 hours per week
2 - more than 50% FTE
1 - one ore more FTE
Let’s begin this step outline by explaining why I am going to keep this complexity analysis extremely simple. Academic research (Atmanspacher, 2007) contends that there are two measures of complexity: Type 1 measures increase linearly with increasing disorder, and Type 2 measures are a convex function, attributing their highest values to systems of intermediate regularity. We need a simple approach.
I am going to go with: ‘you know it when you see it’. Analyze the interface, integration, and automation between each technology tool. Rate each tool on a scale of 1 to 3:
3 - full integration with existing security technology fabric
2 - some interface available
1 - isolated performance
The final part of Step One Analysis is to determine the skills required to manage, administer, and operate each technology tool. The key is to determine how available that skill set is in your team (or ecosystem) and how reusable that skill is in the management and operation of other technology tools in your active environment. Let’s use numbers again:
3 - skill required is widely reusable
2 - skill required is available in more than one resource
1 - skill required is scarce and non-reusable
Now, at the conclusion of Step One: Analyze
You have a high-level and fairly simple overview of which pieces of your technology fabric are high-performing and resource-friendly (and which are not). From here, you can develop action items and remediation to build a better technology foundation. Action items would include activating available features not currently used, additional training, retiring currently deployed tools, and replacing currently deployed tools with new tools that have a wider footprint and less overhead/complexity.
Step Two: Improve
The Improve step does not just deal with the current technology landscape but takes the findings from ‘Step One: Analyze” and helps create a roadmap for improving the effectiveness of your foundation (which means doing more with less).
The key to doing more with less (or more with the same) is to design force multipliers into the Cybersecurity Technology Platform. A cohesive platform with integration capabilities can support a level of automation. A Security Orchestration Automation and Response (SOAR) approach, potentially with a level of Artificial Intelligence, is one part of the spectrum. One day that will be commonplace, but it may be more of an aspiration for most organizations today. An incremental approach of automating a series of playbooks that can be triggered by specific events – or – automated scripts that can be manually launched when desired are still force multipliers. Vendors are starting to include automation features within their product sets and/or product suites as well.
Another approach to implementing force multipliers is to review the skills review done in the Step One Analysis. Tools that require specialized skills should be reviewed for simplification. Simplifying the operation of the technology platform is a best practice that will help act as a force multiplier.
An approach that works well is to take functions that are built into the technology platform and determine if they can be done better and/or at a lower cost if they are the responsibility of an outside Managed Service Provider. One of the common functions successfully outsourced is Managed Detection and Response. The key to this approach is to carefully scope the contract with the Service Provider such that you are contracting for a desired (and defined) outcome. In some cases, this can be done while keeping your current technology tools or it can include other more effective tools.
The goals of the Two-Step Technology Tools Analysis are to: identify performance problems, overlap, underutilization, complexity, and cost. In our Cybersecurity example, the next step is to build a roadmap that will solve what you identified – and – operationalize the future state platform with the desired features, force multipliers, and total cost of ownership that will yield an Effective Platform that aligns with the desired Enterprise Risk Profile.
We used the Cybersecurity Technology Platform for our example to illustrate the process and the result. The same or similar exercise will work for technology tools/ platforms in other areas of Information Technology as well.
Once the platform is 'Effective,' it is possible to achieve more with less.
Source: G&L Magazine Fall Edition 2023
John Wondolowski is the Chief Technology Officer for Solutions II. Solutions II is an Information Technology Services and Solutions Provider with an industry focus in Casino Gaming and Hospitality. John has been an Enterprise IT Executive for many years after earning degrees from the University of California at Berkeley, Haas School of Business, and California State University at Fullerton.