Tom Sweet, CIO of Industrial Refrigeration Pros, reflects on the initial three months of his first job as head of technology and security.
The Right Opportunity
I set my career sights on becoming a CIO or a CTO many years ago. In 2019, I was a finalist for two C-level opportunities but was selected for neither one. I learned a lot from the experiences and am grateful for them. Though rejection feels lousy, it can also be a blessing. It is far worse to be selected for a role and then not fit in with the company culture or values.
Ultimately in 2022, a referral led to my first CIO opportunity at a private equity-backed venture. New to the Dallas-Fort Worth area and in need of an IT leader for this growing firm, the CEO reached out to an ERP consultant for some referrals. The consultant put him in touch with a CIO who was happy in his role, but who then recommended me. I sent my resume over and met the CEO on a Saturday at 7:00 AM. As a result of that recommendation, my demonstrated IT community engagement, and our interview, I received a verbal offer on the spot.
Before accepting I asked eight different CIOs in my network for their advice and they all recommended that I take the job. Two of them told me that these PE roles are a lot of fun, and after four months, I agree!
Now, more than three months into the role, here are my observations.
When I came on board, this PE-owned firm consisted of two partner companies and a third company under agreement. The larger part of my role would be leading current and future mergers and acquisitions, and executing IT due diligence of potential purchases. Additionally, I would create and execute the short- and long-term IT and cybersecurity strategies.
As these companies did not yet have formal IT, I would be building the whole program from scratch. This included rolling up my sleeves while I built out an IT team over time and leveraged third-party vendors where applicable.
I had a template of a 90-day plan that I started years ago and had kept updated over the years. My new plan, however, needed to cover both cybersecurity and IT, and there was a lot more than could be done in 90 days. I was fortunate to be coming from a 1,200+ person IT/Cyber organization where I had made it a point to learn as many areas as I could, despite not being directly responsible for all of them.
A small company and a large company often have similar needs. They have websites that need to keep running, computers that need to work securely, employees to be paid, HR, marketing, and sales systems, ERPs, GRC, etc. Plus, not only am I vetting other companies’ IT and cyber programs in my CIO role, I am determined to build our new IT organization and tech infrastructure correctly, avoiding technical debt at all costs.
What Is Going Well
Partnering with the business
Many things have been going well from the start – even better than I expected! Early on, prior to my first day, I made my case for specific tooling licensing that was counter to what had already been decided before I arrived. But I made my case clearly and everyone agreed. I have built a great relationship with the CEO and my peers in HR and Finance. As a smaller team, we trust each other and I am happy to report that we don’t have the “IT and the business” conflict that some companies have.
Entering into this role with enterprise experience with cloud cybersecurity, it should not be surprising that I wanted to review security and add a number of new controls. Every book I have read related to starting a new role has cautioned about introducing changes too quickly to an organization. But many cybersecurity initiatives, such as multi-factor authentication or disk encryption don’t require consensus, are not negotiable in today’s world, and need to be implemented quickly. Anything missing from my list had to be added, along with appropriate organizational change management and training for the staff. Not everyone was in love with the changes we made, but putting on my CISO hat I can say I am happy with where we are.
Speed of execution
Currently, many items are handled in house without the need for consultants or third parties. In fact, when we do the work ourselves, many times it gets done faster than if we were to hire a vendor. For example, we onboarded two companies into an existing Microsoft 365 tenant. This was all done in house with no computer resets, no lost data and a relatively smooth transition. This may not always be the case, but for now, we are saving both time and money with this approach.
Interview by Steve Rovniak
If I Could Do the First 90 Days Over Again
Speaking the language of business
I could have simplified explanations of technology in my roadmaps and presentations. I have known this about myself for years and have even joked about executives not ever wanting to hear the word “Kubernetes” again. Knowing this is far easier than practicing it, however, at least for me. A lot of this is reminding myself that not everyone loves technology as much as I do.
Though a technical audience may understand changes to domain name servers (DNS) or Security Information and Event Management (SIEM), and know the value, I should have kept my communication to the wider team focused on the value provided, such as, “we can maintain cybersecurity insurance”, “you can change your bank account for direct deposit on your phone”, “if you damage your laptop, we have your data already backed up.” Instead of a discussion about adopting prebuilt AI models, I should have had a conversation about “reducing the need to hire another employee for data entry.”
Though much of IT for a cloud-first company can be done remotely, boots-on-the-ground support is always needed. My previous roles had always been at companies where the product sold was technology, and therefore, most IT work was done in-house. Though I had many vendor relationships, I didn’t have enough of them, especially in some regions of the country where we had acquired companies. Finding local vendors to provide IT support to the regional remote offices, including occasional on-site work, was harder than I thought.
Many of these MSPs will only support you if you commit to their preferred technology stack. They expect you to change your endpoint software, for example, replacing yours with theirs. This does not work well when you have a portfolio of several companies and several MSPs. It is better to have a single view of endpoint and cybersecurity reporting across your whole organization instead of disparate tools for Company A, B, and C, and expect your IT team to assemble all that data.
Mobile phone management
The third item that hit me harder than expected was mobile phone management. I had never had responsibility for mobile phones in previous companies. Three companies with four mobile accounts and approximately 12 different device types added complexity. When we performed a mail migration to Microsoft 365 for one of the companies, some of their phones were so old they would not run Outlook 365 or Microsoft Authenticator. There are third parties that do a great job with mobile-devices-as-a-service, and that may be a consideration for the future, but several of the offices made recent and substantial phone purchases with contracts, and we needed to resolve and standardize on a platform before our ERP conversion.
I also need to be mindful of company culture and past agreements with employees about phones, especially if they were told they could surrender their personal phone and use the company phone exclusively. In these cases, changes needed to be made incrementally and with ample communication in order to help win the hearts and minds of the wider team, and build one company.
My journey to CIO has been a long one. Now that I am here, you might ask, "Is it what you expected?" My answer is yes, it is everything I thought it would be. I look forward to continued execution of my roadmap and delivering value through technology. Thank you to all my mentors and former bosses and colleagues who have helped me along the way.