Digital technologies continue to transform every facet of business. Across industries, CEOs have a consistent top priority—harness technology to jump-start growth, speed time to market, and foster innovation. Several factors are ratcheting up pressure: investors are valuing top-line revenue growth; rising customer expectations for simple cross-channel experiences are compelling companies to systematically tear down silos; and an organization’s ability to respond to market shifts is becoming a core differentiator. Meanwhile, digital leaders across sectors have changed the competitive landscape by demonstrating that agility and velocity can beat scale.
Senior technology leaders are feeling this pressure. In recent McKinsey research, when chief information officers (CIOs) or equivalent tech leaders were asked about their CEO’s top priorities (see sidebar, “About the research”), 71 percent pointed to agility in reacting to changing customer needs and faster time to market, while 88 percent of respondents cited revenue acceleration (Exhibit 1).
These priorities are playing out across every industry, with huge implications for business models.
- A clothing company, for example, traditionally had several weeks between the introduction of a new product line in stores and when competitors could get their cheaper versions to market. That cushion has dropped significantly thanks to digital channels: the company indicates that it now has just 48 hours to launch a new design and gain buyers through digital, direct-to-consumer routes, and rapid (sometimes same-day) delivery.
- A digital-media company regularly saw spikes in viewership upon releasing new content, so its need to ramp up infrastructure in order to accommodate increases in demand has suddenly become critical to satisfy its subscribers.
- In financial services, a line-of-business leader at a large retail bank cited tremendous pressure to shorten product-development cycles. The industry’s average product release time has ranged from nine to 24 months—a glacial pace compared with that of fintech companies, which can deploy code daily and run dozens of A/B tests a month.
The common thread running through these examples is the ongoing, urgent need to gain market advantage through business acceleration.
Role of digital and the ever-increasing reliance on technology leaders
IT strategy has long been part of business strategy, but C-suite executives (CxOs) are increasingly seeking a larger impact from investments in digital technologies. Digital innovation has become central to the full range of business transformation initiatives and is no longer just one category among many.
Since technology is integral to a company’s performance and competitiveness, identifying prudent investments in IT modernization becomes even more critical. CEOs recognize the importance of getting it right: good choices establish a favorable course, and the business soars; however, poor choices will siphon away much-needed organizational energy and resources and undermine competitiveness.
The task of translating ambitious tech-driven strategies into accelerated performance falls to CIOs and chief technology officers (CTOs). Nearly 60 percent of CIOs indicated that their CEO depends on them to achieve the organization’s top three business priorities (Exhibit 2).
As a CTO at a large US insurance company points out, “I think all CEO priorities depend on the office of the CTO. It is all about bringing products to market faster. We have to innovate on new policies and change our business model rapidly.” And the CIO of a retailer indicates that the IT team is mutually accountable with the chief marketing officer (CMO) to achieve the growth objective: “The CIO and CMO will have to work together. We have common metrics to track. If a campaign fails, both of us are on the hook. So to say that the CMO is dependent on me to deliver the objectives is an understatement. It’s our joint responsibility.”
The IT infrastructure modernization imperative
To meet CxO and board expectations, IT modernization is critical. According to our research, CIOs believe that the organization cannot capture agility benefits by simply shifting applications to cloud platforms. Instead, they recognize the need to reassess the infrastructure stack and the way it works.
Emphasizing agility while managing cost and risk
When asked about the principal benefits of infrastructure modernization, CIOs prioritize increased agility and better quality of service to customers. They are also looking to reduce costs and improve their security posture (Exhibit 3).
CIOs see the cloud as a predominant enabler of IT architecture and its modernization. They are increasingly migrating workloads and redirecting a greater share of their infrastructure spending to the cloud. The companies we surveyed currently have around 50 percent of all workloads running on public- and private-cloud platforms. By 2022, that share is projected to rise to 75 percent, with roughly two-thirds of that workload housed in shared public platforms within data centers built out by the major cloud-service providers (Exhibit 4).
While this migration represents a dramatic technology overhaul, astute tech executives also view it as a trigger to reevaluate how the IT function works. One large retail chain’s CIO notes, “I need a forcing device to jolt my organization out of its old ways of working. I see cloud as that catalyst. Our current tools enable the old ways, not the new. Until we implement the tools and data, we can’t reap the full benefits.”
Identifying key challenges
Thus far, modernization efforts have largely failed to generate the expected benefits. Despite migrating a portion of workloads to the cloud, around 80 percent of CIOs report that they have not attained the level of agility and business benefits that they sought through modernization. Further analysis indicates that companies are falling short of their IT agility expectations, regardless of their level of cloud migration (Exhibit 5). Even organizations that have transitioned the majority of workloads to the cloud remain within the same range of IT agility as their slower-moving counterparts.
Our research found that CIOs face several entrenched challenges when pursuing IT modernization: survey respondents indicated talent gaps were their top barrier, followed by security and compliance requirements (Exhibit 6).
The CIO of an automaker reflects on the struggle of hiring candidates with the requisite cloud expertise: “Finding someone with skills similar to engineers who are attracted by large cloud providers and software as a service (SaaS) companies is too difficult.”
Notably, 28 percent of respondents cited the complexity of their current environment. The technology leader in financial services notes, “We were surprised by the hidden complexity, dependencies and hard-coding of legacy applications, and slow migration speed.” Thus, it becomes critical for many applications to refactor for modern architecture. This approach—characterized by microservices and containerization—enables companies to balance the projected cost to run against cost to modernize, focus on the pace of innovation and enhancements, and improve responsiveness to fast-changing needs and dynamic markets. We have seen CEOs seek this guidance from their IT leaders and teams.
Managing trade-offs on the IT modernization journey
The inability of CIOs to achieve greater agility is in part due to valid constraints (such as gaps in skills and training), but our research finds that avoidable compromises also hinder progress. Few organizations have the luxury of starting with a clean-sheet approach to IT infrastructure, and so CIOs are making trade-offs in the name of balancing the ideal with the practical. Our analysis identified five common compromises that IT leaders feel they are frequently forced into and that negatively affect agility (Exhibit 7). Furthermore, some CIOs debate whether such compromises are valid or not. Some say these responses reflect real constraints, while others say that adopting new technology and operating-model innovations can easily address these constraints—hence, these are not trade-offs at all.
While a majority of CIOs indicate that they are living with these suboptimal choices, deeper analysis of companies that have successfully navigated these trade-offs highlights best practices to avoid these compromises and, in turn, increase business agility.
Giving up developer agility for the sake of control and governance. One of the top benefits of transitioning operations from legacy infrastructure to cloud-native solutions is the speed at which developers can work. However, 69 percent of organizations indicate that implementing stringent security guidelines and code review processes can slow developers significantly. According to the chief information security officer of a multinational cloud-based solutions provider, “In the old world, when a developer checks in bad code, I can find it and control the blast radius. But in cloud, it happens too fast—I still have those codes go through manual reviews and sign-offs.” Some leaders have found a way to work around this compromise through the following approaches:
- Acquiring and upgrading talent. Leading companies hire developers with security architecture expertise and entrust them to design secure architectures from a project’s inception.
- Provisioning process improvements. DevOps engineers use application programming interfaces (APIs) for environment creation, which include functions that specify secure configuration.
- Changing development processes. By bringing security teams more deeply into agile development and DevOps processes, companies have avoided the added complexity of cross-team coordination and alignment across development and security teams.
- Investing in toolchain and technology. CIOs are integrating the right set of DevOps toolchains that can automate security policies.
- Automating code reviews. Security-code scanners are used to conduct automated code reviews for common vulnerability.
- Automating test suites for code elevation. Development teams are investing in test-driven development, and test suites are foundational to automate the elevation of code from development to test, sandbox, and production environments.
- Implementing developer self-service. Standardizing the service catalog for infrastructure, implementing cost guardrails, and enabling self-service can speed infrastructure procurement approval processes for developers.
Forgoing single-vendor benefits in the name of avoiding vendor lock-in. Companies can realize economies of scale and build deeper expertise (especially given the cited talent shortages) if they use fewer vendors or deploy technology to allow them to scale across multiple vendors with common controls. For 83 percent of CIOs, the potential loss of flexibility from vendor lock-in can loom large, forcing them to choose multiple vendors and thereby split their focus, divide their talent to learn and work on different vendor solutions, and reduce their speed of execution. The CIO of a North American retailer notes that when it comes to picking public-cloud providers to migrate applications, “This is a true debate. Without multiple vendors, you run into technical and financial lock-in.”
CIOs can also accelerate application development by using native services offered by providers. However, in some cases developers are being discouraged from creating new dependencies on native services because of concerns that it will be harder to move away from the platform if needs evolve in the future. As a CIO for a professional services company explains, “We don’t see concerns of vendor lock-in with public-cloud providers by betting on a single vendor. This is not a new concept for us. However, some of our stakeholders take a different view. They hear about outages and want us to source from two or more providers.” Help is coming in the form of emerging solutions that work across cloud-service-provider platforms, enabling enterprises to avoid this compromise. In the meantime, leaders are working around vendor lock-in through the following methods:
- Abstracting infrastructure. Seasoned architects are choosing technologies such as containerization to abstract infrastructure and to enable portability across disparate environments.
- Minimizing dependencies on infrastructure or platforms as a service (IaaS or PaaS). Developers at leading companies build applications that are not tied to platforms by avoiding using proprietary cloud services offered in the PaaS layer. And in cases that necessitate dependencies, developing modular code enables services to be easily swapped out when companies move from one cloud provider to another.
- Safeguarding contracts. Companies concerned about future price increases from cloud providers draft and negotiate contracts that both set boundaries and offer downside protection from escalation of costs.
- Educating executives and the board on vendor strategy. CIOs and CTOs who prefer using a single cloud provider are making the effort to educate board members and collaborate with them to come up with solutions for vendor lock-in or service disruptions.
Missing out on the benefits of best-of-breed tool kits for the sake of standardization and familiarity. Toolchains optimized for different environments— and those with which developers and operators are most familiar—help boost productivity. In our research, 77 percent of CIOs expressed concern over having to standardize a lowest-common-denominator solution. Consequently, this trade-off means accepting reduced functionality and fit for the work at hand. Modern developers need to be free to choose combinations of languages, libraries, and frameworks that enable accelerated delivery. Leading companies are working around this trade-off in the following ways:
- Adopting open, vendor-agnostic solutions. Emerging cross-platform open-architecture and open-source solutions provide coverage for hybrid and multicloud environments.
- Continuously upskilling talent. IT organizations are adopting best-of-breed tools and investing in upskilling for developers and operators on multiple solutions.
Trading customer and employee experience for the sake of security. Providing reliable “anytime-anywhere access” of applications to users (developers or agile teams in marketing, for example) allows organizations to rapidly innovate, respond to customer needs, and scale up tests and experiments. It also enables employees to be more productive and complete tasks from anywhere. In our research, we observed leaders pursuing the following strategies to improve customer experience without compromising security:
- Adopting a DevSecOps approach. IT organizations are pursuing a DevSecOps style of management for high-velocity code and model-development pipelines. Doing so not only combines the security and DevOps functions—it also blurs lines across formerly distinct roles in “waterfall” software development life cycles, simplifying the end-to-end application development and delivery process.
- Adding layers of security. Leaders are implementing multiple layers of security, especially for identity and access management. They are using multifactor authentication and refreshing end-point security for applications that are accessed remotely or use mobile devices.
- Investing in data security. IT organizations are investing to not only secure their data, the perimeter, and applications, but also to encrypt at-rest and in-motion data.
- Remediating applications. Companies are remediating applications opened up for external access to employees and end users.
- Assessing security automatically and more frequently. Leaders have increased the frequency of application scanning and penetration testing (against apps and source code).
- Ensuring application version compliance. Automating patch scheduling for external-facing apps ensures compliance with the latest, most secure versions.
Delaying talent development and upskilling and augmenting talent with contractors. A shortfall of tech talent is a recurring challenge for CIOs. Companies often feel they face two options: develop in-house capabilities slowly or rely on external vendors to get initiatives done quickly. Despite the best intentions to build capabilities, IT teams often compromise by outsourcing projects to contractors or partners to patch holes in their talent pipelines. The challenge is that a short-term solution often leads to long-term dependence—without a parallel focus on promoting skills transfer, retraining current staff, and systematically backfilling contractors. Leading companies tackle this issue in several ways:
- Hiring new talent. IT functions are investing in the cloud operations talent and developers who bring modern full-stack skills and mindsets. These workers represent a truly strategic resource, assuring that any cloud modernization effort accounts for skill building—even if organizations need a boost from contractors to get rolling quickly.
- Building capabilities with external help. Companies are bringing in external expertise for skill building (such as agile team facilitators, DevOps coaches, and analytics and data science practitioners) to augment in-house talent.
- Offering employee-education programs. Companies are providing their employees with tuition and external-training expenses for selected continuing education, such as AI and machine-learning programs, accelerated software engineering reskilling programs, and DevOps training.
- Partnering with technology vendors. IT collaborates with vendors such as cloud service providers and other partners to gain expertise and educate in-house talent.
- Freeing up capacity to invest in new skills. Automating routine monitoring, reporting, and troubleshooting tasks can create capacity for operators to develop new skills and take on additional responsibilities.
Unlocking the full range of business benefits through an operating-model transformation
Technology leaders can avoid making these trade-offs by harnessing the right combination of IT solutions in their hybrid environment—ranging from on-premise platforms, edge nodes, and cloud services. But no matter how powerful, technology on its own is insufficient to achieve acceleration. So CIOs must transform their operating model to see material benefits, including shorter time to value, improved business agility, and reduced business risk. Business acceleration is best achieved by extending IT modernization efforts to encompass far-reaching changes in the operating model along three dimensions: people, processes, and policies.
Many enterprises have IT workforces with specialized skill sets and knowledge developed over years (for example, about custom legacy systems and platform configurations). But this expertise is increasingly outdated—even if the knowledge of a business or functional domain is not. In such cases, organizations must make significant investments to retrain, upskill, or reskill their employees. In addition, the IT function typically covers a range of roles: networking engineers, capacity planners, system administrators and operators, data storage and security specialists, analysts, developers, quality-assurance engineers, database administrators, data architects, and many more.
We see an opportunity for organizations to radically simplify their IT team structures. Specifically, they can consolidate positions to a smaller set of critical roles that bring together skills formerly divided across jobs. These roles will move from structured tasks (likely to be replaced by increasingly powerful IT-management tools) toward more fulfilling ones (adapted to a world of increasing automation). Instead of supplying more resources or convening cumbersome investigations over a system instability, the best companies will develop the talent to address root problems (for example, going under the hood and changing how code consumes infrastructure resources).
Many organizations depend on ad hoc manual operations and adopt a reactive stance, building excess capacity to provide reliability. Design decisions are marked by a lack of transparency and coordination across different functions in IT, resulting in more expensive custom solutions that still underperform. And when incidents arise, they are often funneled to technology silos. These functions either are slow to respond or depend on orchestrating numerous internal and vendor resources to manage escalated incidents and resolve problems.
The ideal organization does little to no infrastructure planning and instead uses a DevOps approach and self-service to expedite the development and implementation of solutions. In other words, rather than estimating demand and planning for worst-case scenarios, a company can simply be agile in ramping up resources as needed. The IT function focuses on customer-centric journeys rather than product- or service-centered processes. After setting a course, IT automation delivers the necessary service levels to optimize the user experience despite changing conditions and surprises. For example, self-driving cars hold the potential to automate travel on even chaotic roads; however, no “IT drivers” are ready to take their hands off the wheel just yet. So the tremendous potential of process automation must be designed to complement judgment and the uniquely human capabilities needed to assure reliability, scalability, and security.
Typical organizations have policies for a wide range of issues—such as security, information access, and data management. These are often manually enforced, increasing the cost of compliance and reducing effectiveness. As such, companies can struggle to maintain consistency across existing environments and extend established policies to new environments. Slow response times to evolving internal rules and external regulations result in increased business risk. Furthermore, many of these policies were developed for older IT paradigms, serving to reinforce legacy ways of working and hindering agility and speed.
Leading organizations are characterized by policies that engage technology for automatic distribution of change as well as for monitoring and enforcement. Standard policies across hybrid environments (for example, on-premise and cloud) lead to better compliance at lower cost. These companies can quickly respond to and mitigate emerging business risks by consistently pushing policy changes out across their hybrid operating environments.
An IT modernization journey will vary, depending on an organization’s starting point and its aspirations for agility. Companies may seek to shift the bulk of their operations into hybrid or public-cloud operating environments, move discrete parts of their application portfolio, or eliminate particular legacy infrastructure platforms. Some prefer building applications based on their skills and competitive context over buying them, while others are highly selective in their build strategies and focus on integrating third-party SaaS solutions. Additional factors include a company’s industry, level of maturity, tolerance for risk, and organizational readiness for pursuing agility.
Overall, we see tremendous opportunities to accelerate progress on business agility—if organizations are ready to take the right steps across all these elements to transform the way they work.
Central questions for IT leaders to consider as they plan their journey
Chief information officers can overcome the perceived trade-offs in modernization efforts and maximize the business acceleration from these investments. No matter where they start, a few primary issues must be addressed. To set the best path forward, IT leaders should consider five central questions:
1. Do we have the right talent to support the technology transformation and needed operating-model shifts?
Exemplary organizations view IT as a business-acceleration partner that proactively identifies opportunities—such as those from digital, data-driven decision making, and AI—to encourage growth. These IT functions have shifted skill profiles: from project managers to product managers, from operations engineers to automation engineers. They have upskilled developers with security expertise and recruited cloud architects, security engineers, and full-stack engineers. More advanced organizations have in-house DevOps or site reliability engineer (SRE) talent. Organizations are beginning to add data scientists and AI or machine-learning specialists to integrate more data-driven intelligence into IT operations.
2. Have we implemented the right metrics tied to business strategy so that IT can prioritize business building over just keeping the lights on?
IT organizations with an effective talent engine have successfully created performance metrics and commitments aligned with business targets rather than technical objectives. Objectives and key results (objectives and key results) methodology has proven effective in conjunction with agile teams, and these metrics need to be leading indicators that link to the key objectives of modernization. Organizations are increasingly using metrics such as APIs published, test scripts created, and configuration scripts automated as metrics to improve automation. They are also implementing metrics to track how much time is spent by individuals in building new features as opposed to routine monitoring and troubleshooting tasks.
3. Are we automating IT to the fullest?
Leaders that have achieved agility differ dramatically from laggards in their rate of automation. The most successful companies are increasingly adopting DevOps or SREs as part of their operations approach. As a foundation, companies are implementing test-driven development and aiming to achieve full automation of unit and integration tests. They are also baking in standardized configurations as part of deployment automation. They are then providing the setup of develop-and-test environments to developers through self-service mechanisms, eliminating wait times and enabling “one-click” deployments. Application performance tracking and troubleshooting are supported by heavily instrumented code and telemetry. Furthermore, these organizations are incorporating automation into service-request management and incidence response. They are also beginning to use machine learning and data to inform and accelerate decision making, ultimately leading with policy-based operations and control.
4. How are we building security by design?
Leading IT organizations have integrated security into every aspect of planning, building, and operating. They have managed to incorporate secure thinking and design earlier in the process and automated security enforcement based on policy. DevSecOps and API-based security are core enablers in such organizations. This effort starts with hiring developers with knowledge of security architecture. In the implementation phase, developers create modular security components that can be easily reused, thereby eliminating the need for separate design and implementation. During the review phase, automatic code scanners are used for code reviews to detect vulnerabilities. In the testing phase, security tests are automated and integrated into the functional testing process. Last, during the deployment phase, APIs for environment creation include functions to enforce secure configurations. By taking this approach, leading organizations have accelerated—rather than slowed—developer agility and innovation. In parallel, they have also created delightful customer and employee experiences.
5. What architectural approaches are we implementing to dramatically accelerate time-to-release features?
Approaches that increase flexibility, abstract the infrastructure, and let organizations focus on applications in line with business use cases are the hallmarks of leading IT organizations. They have adopted containerized and serverless architectures and built applications dependent on open standards. When using proprietary platforms, decisions are based on the clear time-to-market advantage and technical superiority. Fast-moving IT organizations have heavily invested in API-based approaches and meticulously plan for code reuse. They also have a clear migration path in mind should a superior platform emerge.
We see exciting innovations coming faster and faster from technology providers. These innovations hold the potential to overcome the compromises and constraints that have held back enterprise IT. The pace by which organizations can accelerate business change through these cloud platform capabilities will be set by the pace at which they can change the way they work.