The Changing World of IT: Q&A with Microsoft’s Tony Scott

Excerpts from a recent episode of Point & Click, the IT Investigators, where Keith “Point” Combs and Matt “Click” Hester chat with Microsoft Chief Information Officer Tony Scott about the evolution of IT technology and how the skills needed to manage that technology are changing.


Point & Click: How have the general IT skills changed even in the past three years?

Scott: I think there are a couple of major forces that are driving the change. One is the digitization of business process and the other is the big move we are all anticipating to the cloud. On the digitization side, it will mean that IT people will need to be even more process oriented than they were in the past, because as we digitize, it’s not just automating the existing business process, it’s fundamentally re-engineering it for optimum advantage. So the skills to understand what the business processes are, where the friction is, and how to avoid that friction in the systems we develop is a critically important and somewhat rare skill, unfortunately.

On the cloud side, it’s really doing systems in a different way. We’re used to a world where we procure hardware; we set it up; we configure it; we have a development, test, a pre-production and production environment; we’re used to managing a lot of physical assets. In a world where we’re moving to the cloud and the development environment could potentially be instant-on, when you need it, and you scale your production environments to the size you need, when you need it, it allows you to focus operationally on a different set of things than maybe you’ve been doing in the past.

Point & Click: What is driving this change? Is it the Internet, mobility, security or this move to the cloud?

Scott: Businesses are looking for the next thing beyond ERP and the next thing after going online. It’s fundamentally looking at how we get more productive and more efficient in the way that we do business. We’ve kind of automated all the islands we can, and now it’s time to look beyond sort of linking the islands and in some cases rearranging the geography. It’s the next evolution in how business is done.

So the big driver is productivity and efficiency. And, by the way, I think we’re on probably the verge of the next huge wave of productivity. We’ve been kind of flat the last couple of years with the economic downturn. But as companies have emerged out of the downturn, and they’re looking to expand market share, they’re not going to do it by the traditional methods; they’re going to do it through highly leveraged, highly automated, digitized business processes. So, for those that have that kind of skill, there is great opportunity.

Point & Click: What kind of skills do you look for in your team to support the security around the intellectual property and other things we have in the data center today? How has that changed in the past 15 years?

Scott: By analogy, the old security model used to be the moat, and the fortress inside the moat. You had the big corporate firewall and if you had the right credentials and got inside the firewall, you could access a bunch of stuff. The emerging story around security is defense in depth. And while the firewall doesn’t go away and access control lists don’t go away, it’s really more of an individual decision that people and companies have to make and the tools are emerging that have very fine-grained access control to applications, resources, data and even physical hardware.

For developers and infrastructure people the skill sets required mean embracing these tools and getting them installed in the infrastructure so that others can take advantage of them. It’s kind of like being in charge of security in Manhattan. You can’t just control it at the bridges going into Manhattan; you have to have feet on the street and security in a whole bunch of different places. Done right, it still allows people to do what they have to do, but maybe in better ways than the sort of brute-force ways we did it in the past.

Point & Click: At Microsoft, where you have these datacenters with 300,000 machines in them, what keeps you up at night when you think about IT at Microsoft?

Scott: One of the good news/bad news things about Microsoft is we’re one of the most attacked organizations on the planet. It’s sort of a badge of courage for every hacker to see if they can get in to Microsoft and get at some assets. And that’s been going on for years and years and, like a lot of organizations, when you get attacked a lot, you get pretty good at defending yourself. So I don’t actually worry about that a lot.

At a recent CIO conference I was at, we had an off-the-record discussion with a couple of very large company CIOs, and one of the things we became concerned about was the kind of damage a trusted insider can do. There were several examples of people who had been with the organization a long time, and given lots of privileges. These were long-time system administrators and so on, and got upset with their employer or may have been part of some staff reduction activity, and went on to do great damage internally. These things don’t make the press a lot, but it’s something, as a CIO, you have to put on your list of things to worry about because the potential for harm could be really big.

Point & Click: What have we learned from the virtualization that we’ve done in the past few years that’s being applied to the process and the technology that we’re using now in the cloud?

Scott: There are a couple of big lessons and maybe even a couple of surprises. When we started looking at the business case for virtualization, we found that there was some set of applications that, rather than go through all the engineering effort to move those applications to a virtualized environment, we were better off just leaving them as they were. They were legacy applications and they were designed to go away in a year-and-a-half. So we’re now well down that road and have gotten rid of a lot of those applications. And the applications that we intend to keep have either been virtualized or are on the path to be virtualized. We’re about 50 percent of the way there.

So what we discovered is that some of the work we did there has really helped prepare us for the cloud. So there are some apps where, instead of taking them from a traditional environment, to virtualization, to the cloud, we’ll just go straight to the cloud rather than go through the interim step. And others, where we have done the work already, are well prepared to go into a virtualized container in the cloud right away, and then eventually be cloud enabled in a fuller sense. The bottom line is that it has all contributed to our work and was not a waste.

The other big lesson is that we’ve seen our quality in production go way up as a result of virtualization. And we expect we’ll see similar effects as we move applications into the cloud.