Podcast Excerpt:
“So this is going to sound unprofessional, but my career has been a series of saying yes to opportunities. Come out of school with a Master’s in Publications Design, which was marketing, advertising and graphics, had the opportunity to become a network administrator. Yes. I went off and at the time learned Novell. We needed formal project management in another job, and no one knew project management. I adopted Microsoft Project, took classes, wrote an instructional manual, said yes. So I think taking every learning opportunity when someone asks, “Can you do something?” Even if you don’t think you can do it at the time, just say, “Not right this second, but I’m going to go learn how to do that.” Being in a continuous learning mode.
I’ve been in my career a long time and it changes every year. Governance changes every year, laws change every year, software changes. I love middleware and cloud technology. We’re out of the whole API land now. So I would say the best advice in roadmapping your own career is to keep moving forward. Learning what’s coming out. AI is huge now, but AI is like this big, so you have to pick your path and how can AI help you where you are now and then where’s it going? There’s so many different channels to log into. So I would say interest and also what benefits where you are now, whether you’re working for a company or you aspire to work with a company, and you want to get there. How do you move your path to be on their trajectory? So learn. Research.”
Guest Bio:
For 25+ years Carol has served as a trusted Technology Solutions Advisor and CIO for mid-enterprise companies. She has led technology teams and implemented technology strategies to move businesses and team members to their next level of growth. Focusing on the financial benefit and value of IT, she has aligned and architected strategies which facilitate rapid business growth and improve customer experience while reducing costs. She has worked with CEOs, CFOs, COOs and CIOs to solve significant business problems through technology readiness, implementation, change management and business process re-engineering. She has led technology due diligence and integrations for mergers and acquisitions. Carol has built cyber security and compliance programs to meet complex governmental regulatory and international data governance requirements.
Carol has an Associate of Arts from Villa Julie College (now Stevenson University) in Paralegal Studies, a Bachelor of Arts in Professional Writing (Journalism) and a Master of Arts in Publications Design from the University of Baltimore. In 2023, Carol attended ACE Board Training.
As an active member of the community, Carol is past Board Chair of the Utah Food Bank (UFB) and an Advisory Board member of the Women Tech Council. Carol regularly mentors young women in technology, participates in panels and technical conferences, and speaks at area colleges on IT leadership, networking and building bridges of understanding to achieve business success.
Episode Transcript:
Speaker 1: Tracie Edwards:
Hello everyone and welcome to Traceability podcast. I am your host, Dr. Tracie Edwards. Today my guest is my friend and fractional CIO Carol Fineagan. Carol is a partner and consultant with Blue Monday. For 25 plus years, she has served as a trusted technology solutions advisor and CIO for mid-enterprise companies. During this time, she has led technology teams and implemented technology strategies to move businesses and team members to their next level of growth. She focuses on the financial benefit and value of IT, aligning architected strategies to facilitate rapid business growth and improve customer experience while reducing costs. She has worked with CEOs, CFOs, COOs, and CIOs to solve significant business problems through technology readiness, implementation, change management and business process reengineering. Carol has an Associate of Arts from Villa Julie College, which is now Stevenson University, in Paralegal Studies, a Bachelor of Arts in Professional Writing (Journalism) and a Master of Arts in Publications Design from the University of Baltimore. In 2023, she attended ACE Board Training and she is a proud former resident of Baltimore and Baltimore in your blood. So thank you so much, Carol, for being with us today.
Speaker 2: Carol Fineagan:
Thank you Dr. Tracie, it's good to be here.
Speaker 1: Tracie Edwards:
Well, you are so busy with so many activities, board memberships and mentoring, and so I'm just really thrilled that you were able to take some time for us today.
Speaker 2: Carol Fineagan:
Sometimes the stars align, right?
Speaker 1: Tracie Edwards:
I wanted to just quickly cover how did you get into IT with your strong background in English and writing and design?
Speaker 2: Carol Fineagan:
Well, I was a graduate assistant at University of Baltimore teaching desktop publishing and computers when there were no manuals for those things. And with my writing and graphics background, I put together student materials, I worked in the graduate lab doing pre-press. And as computers, networks, and administrators evolved, I jumped into Novell administration, just found that I had a real knack for learning experientially, then documenting and training other people. And that training has helped serve me into project management, computer design and architecture, and then also aligning business strategy to technology because a lot of times the business strategy and technology, those value propositions don't align.
Speaker 1: Tracie Edwards:
So true. And I know that has been something that has been on my mind a lot in my career. And so some of my background is in how do we align those strategies and that technology. One of the things that you and I have talked about a little bit over the time that we've known each other is really how to make our technology efficient, how to prove the value of the technology, how to tighten up processes and that kind of thing. So I really wanted to dive into some governance related topics with you today, if that's okay. Governance is a big word these days, and maybe you can give us maybe a little bit of background of how we kind of got to a time of governance.
Speaker 2: Carol Fineagan:
Well, governance is no more than the rules that we have to follow. So I've always worked in highly compliant industries. I worked in the nuclear industry. I've worked with medical device technology industry, global education, so everything from FEC to accounting rules and policies, Sarbanes-Oxley. Now we have GDPR in the U.K., which protects data privacy. We've seen that filter into other countries and the U.S., and now we're heading into AI governance. The U.K. in January issued a very comprehensive AI governance policy with the intent of protecting people. They name people as well as data. So now we have the data side and the people side come together through AI governance.
Speaker 1: Tracie Edwards:
Well, I can remember back to the beginning of the 2000s, and there were a lot of issues with organizations that ended up going under, ended up performing some financial malfeasance. I remember Enron and Worldcom, and I'm sure you do as well. And now we're in the age of social media, which sort of makes governance all the more important.
Speaker 2: Carol Fineagan:
Governance is no more than a partnership. So in the IT world, you have your IT general controls, which are the things that you manage and monitor every day, like access control, what data is going in and out of your company? How are you protecting it? What rules are you adhering to? So generally accepted accounting principles apply to IT as well, especially when you're supporting a financial system. So really governance are the guardrails. I use a bowling analogy. I really suck at bowling, so I always need those little bumper things put up on the side, like the toddlers. So to me, governance is really your guardrails. It's not meant to impede how you run your business. It's meant to set a standard just like ITIL sets a standard for a lot of IT operations. So my best advice to people who are struggling to understand what is governance, talk to your financial team. If you have a compliance officer or a security officer, CISO, meet with them and understand what rules they have to comply with. And then IT should very well nest under that. And also IT is the foundation of data governance. We have to keep data secure, accessible to the people that have the rights to access it, which is different per organization.
Speaker 1: Tracie Edwards:
And with that, there's governmental organizations that have a stake in that as well as the customers and all sorts of people that must be satisfied through that governance.
Speaker 2: Carol Fineagan:
And as you sign contracts with customers these days, many of them want to know, "What is your security profile? How do you back up data? How do you have business continuity?" How do you protect their data when they give that data to you, whether it's their employees to access a piece of software or you are signing an NDA to work with them, you have to always be aware of your security profile, your company's security profile, and how it impacts customers. There've been so many breaches, right? No one wants their name in the New York Times with a data breach.
Speaker 1: Tracie Edwards:
So true. I actually got a mailing the other day telling me about a data privacy thing that had occurred with former insurer, and that's turning into a class action thing. So you certainly don't want to be sending those mailings out if you can help it. One thing that I think frustrates people who may not have as much insight into the governance process, and maybe it's so we just don't sell it well enough. But I think for analysts in the space, how does governance sort of influence leadership effectiveness?
Speaker 2: Carol Fineagan:
Well, my role has always been to keep executive team and the business leaders informed and up to date on what we have to comply with, why we have to comply with it. But also that goes into the whole security realm of the virus protection, the firewalls, the access. A lot of times, CEOs, CFOs, they're focused on what they need to get done, grow the business, tend to the financial integrity of the company and the financial growth. So a lot of times the governance falls to the IT team and especially analysts have to be aware of what the framework is they're working within. So if you're working for a publicly traded company, you have to know about Sarbanes-Oxley compliance and you have to know about data privacy and really, like I said, they're guardrails and frameworks. So as an analyst gathering requirements or writing documentation or putting a plan together, you have to have that framework in mind also because it's part of a puzzle. If you go and build a program or you analyze a business problem and you're doing it without that compliance lens on, then you're only getting part of the story. You should meet with the CISO, you should meet with the CFO and just understand the guardrails.
Speaker 1: Tracie Edwards:
You want to do it in the right way. And I think the ability to remain in business without issue is an effective strategy. So plug for governance there. Can you talk about the impact of governance on innovation? Because I think that's also a question in many people's minds that, "I can't be as innovative as I would like to be because I've got all of these governance rules."
Speaker 2: Carol Fineagan:
I don't think that's true. I'm working with a couple of startups right now. I'm advising one startup who's in the education sector for corporate education. And there are a lot of privacy rules. There are a lot of access control rules, and depending on the company they're selling to, there could be HIPAA rules. But I think at a high level, the framework of data privacy, the framework of IT controls, the framework of keeping your data encrypted, keeping your systems architected and configured with security and governance in mind. Those are foundational. The innovation comes about when you are designing a product to meet a niche market. You're coming up with something that doesn't exist, and you see a problem you're solving, that problem is not restricted by governments, and that solution is not restricted by governance. I would say to those people who are innovators, work with someone who has a solid architecture background and a solid governance background so that they've worked in the industries you're looking to innovate for or sell to. So for instance, if I were going to innovate something for the nuclear industry, which by the way, I'm not, but say I was, I would talk to a CISO who's working with the DOE cybersecurity framework. I would meet with customers that are in that space and understand what are their rules of the road. It's more an understanding and a framework to work within. I have never seen governance as a constraint. I've just always seen it as a given. Right? It's a necessity.
Speaker 1: Tracie Edwards:
And I think in this day and age, there are lots of opportunities to innovate within that governance framework. I know there's many companies out there that provide products that address particular governance frameworks and work within them, so startup, innovators, that kind of thing. So it seems that, as you say, it's not necessarily a constraint, but it's positioning yourself within that framework.
Speaker 2: Carol Fineagan:
Well, it's doing a risk analysis. So there's cause and effect. Early on with AI, some people brought in the public AI accidentally into their organizations not understanding that their data is going out and becoming part of the collective. So that constraint, that cause and effect, you're sitting down and you're doing a risk profile. If you're working in healthcare, your risk profile includes HIPAA and all the rules and regulations. They're not meant to constrain you. They're meant to protect the consumer and the end user. So you have to think of your target audience, you have to think of your industry, and then you have to just do a risk analysis of, where does your product or your data intersect with those compliance rules? And for business analysts, I think that's a real big part of the work that they do is that risk assessment. Because a lot of times the people who are the geniuses in development, the people who are geniuses with the product, you want that genius focused on whatever they're doing. And then you want that risk analysis, that governance mindset to come in and complement the work that's being done with innovation.
Speaker 1: Tracie Edwards:
Yeah. Well, there's two ways of looking at it sometimes. You can either look at it from a position of fear or you can look at it from a position of growth opportunity. And I think so many organizations and people miss the boat when they're thinking of governance in terms of fear. But when you're using that strategic risk management to help you grow in new and interesting ways within the bounds of specific compliance and governance frameworks, that's where I think that risk management becomes really powerful.
Speaker 2: Carol Fineagan:
Well, you don't want to aim too high either. I've been in some companies where, "Oh, we need millions of dollars to manage risk," which whether it's external actors or there's data breach risk, you want to right size it, make it appropriate to a solution, make it appropriate to the size of the company, really analyze that risk profile. And not every company is facing risk up here. Some are lower level, but until you actually analyze that risk profile, where are your risks coming from? Is it outside-in, inside-out? It's probably a little bit of both, but what is the right product, the right tool, the right solution for your company? It may not be a $10 million solution if you're a $10 million company, that'd kind of put them out of business. And I had that conversation with some CISOs that I've worked with and some security people and governance people. You have to look at the right solution for the company and their profile and their budget.
Speaker 1: Tracie Edwards:
Very good point there. Something else that I know is on the minds of many technology workers in today's world is the concept of agility. We're working in terms of [inaudible 00:15:18] or we're working in terms of space, some of these quote unquote agile methodologies. How does governance sort of impact the ability to do things with flexibility and speed?
Speaker 2: Carol Fineagan:
So there's a lot of products on the market like your pipelines, your code release pipelines, your checks. As you're doing agile development, I mean you want to set up a really strong and secure code release pipeline, something that checks for OWASP top 10 threats. You don't want to be the group introducing risk into your organization. So there are a lot of best practices for agile development, a lot of practices that are global and industry standard. And so you want to be familiar with those. You want to look at OWASP, you want to look at the cloud providers like the big guys, like the Googles and the AWS and the Azures. They have tools and pipeline tools for you that have a lot of those checks in there, so you don't have to start from ground zero. So I'd say leverage what's already built for your specific industry, the risk you're looking to mitigate, but certainly for code development and release, have to have tools that are going to automate that. There's really not a lot of humans who can do that on their own, and that's why the tools have been developed. But make sure you have really strong pipeline tools for release and multi-tiered processes for testing. It's all about risk mitigation and risk identification.
Speaker 1: Tracie Edwards:
You bring up a really good point that we really live in a product world these days. So many organizations actually provide us with products that do the work of risk management, security compliance. So a lot of it is how do we make use of those so that we don't feel anymore like we have to build things from the ground up?
Speaker 2: Carol Fineagan:
So the main thing when you're looking at products is start with requirements. What is your goal? What are you looking to achieve? Are you looking for simply code checker, code release? Are you looking for risk mitigation in certain areas? Always start with written requests. Never start with a salesperson and a demo because everything will meet your requirements during a demo. But then as you go through and you refine your requirements, you want to do that before you sign a contract for a product not after, and really written requirements while they take a little bit of time, and that's a great role for an analyst is to gather those requirements comprehensively by function and then submit them to vendors and let that prove to you how their product meets your requirement. It keeps everyone honest and actually software providers like to get written requirements because they can shine. If their product meets all the requirements and they can give you a demo to prove that, that's a win for them. And also, you're in the knowledge position, right? You're in the driver's seat. It's your money, it's your company, it's your product. The people with the software should have to prove to you that they can meet your requirements, whether it's governance software, any software, actually. Anything you're buying, you should have written requirements for, whether it's a truck or a piece of software. I actually bought a car with a list of requirements. I walked in and I said, "Here's everything I need." And they're like, "We have one that has nine out of 10." So I had to give on one, but I had a complete list of really what I needed to have.
Speaker 1: Tracie Edwards:
That's a terrific example. As organizations are going through sales processes, the requirements are really key in how you're going to both purchase and also how you're going to integrate and how that's going to help drive flexibility and speed within your organization. So sounds like you got the car of your dreams.
Speaker 2: Carol Fineagan:
I did during COVID even. That was really hard. But yeah.
Speaker 1: Tracie Edwards:
Nice. You've mentioned a few already, but any specific governance models or frameworks that you think would be useful with agile transformation or those types of initiative?
Speaker 2: Carol Fineagan:
I'm not going to plug one over another, but I would tell the people who are looking at governance requirements, once you write up your requirements and your specifications of what you need to adhere to, say it's GDPR, Sarbanes-Oxley, I have worked with some incredible consultancies who have helped me put together, like, you don't have to do this all by yourself and not for a very high cost, either. A 40-hour engagement to put everything together with professionals because you're managing risk. What you don't want to do is introduce risk while you're trying to manage risk. I think if it's your first time doing this or there's a new regulation you need to comply with, I always rely on auditors. Any company that audits your financials most likely will have an IT governance or IT risk organization because every company runs on IT right now. That's honestly where I would start. I wouldn't advise people to go out and just learn frameworks and try to apply them the first time. But there are courses online. You can go to Udemy. There's a lot of different organizations that offer courses, and I would look at courses that apply to your industry, to your type of compliance, if it's publicly traded, if it's medical, if it's government compliance, you have to adhere to, like cybersecurity rules, find the training that applies to your specific industry and your level of compliance. But barring that, I know that any accounting firm that you work with would take a one-hour call to help you and say, "Hey, here's what we're introducing to the organization." Either as a process, an application, a line of business that you're asked to help support. My best friend at every company I've ever worked with has been the financial team because we work lockstep, their compliance and IT compliance go hand in hand. I have to certify the systems so that the financials can be certified. 
So I know that's not an exact framework in answer to your question, but I truly rely on the expertise within the organization with the partners that have already been in the organization or with consultancies. E-consultancies. I've worked with many. I can't even say I've had a bad experience because every consultancy I've worked with has been specific to the company I was working with at that time.
Speaker 1: Tracie Edwards:
That's a great point. I think on occasion, auditors can kind of be the unsung heroes of an organization and a process. So I like that it's not necessarily a framework, but an approach. As you're going to dive into this, let's maybe do some homework up front with our auditing team or partner.
Speaker 2: Carol Fineagan:
Great. And is the company under ISO standards? What are the standards established or what are you trying... Are you trying to get to a SOC 2 framework for your IT? So having your audit partners and your financial executive in lockstep with you, not only does it build that relationship and build the partnership, but you're working into the same channel. You're working to the same purpose. You don't want IT working in one area and finance working in another and audit working here. You should all be working together.
Speaker 1: Tracie Edwards:
So true. Well, I'd like to spin off a little bit from where we've been talking about governance and organizations. Something that I am super passionate about is really my own career governance and helping individuals through personal risk management and governance sort of level up in their careers. So I wanted to sort of ask you about your career, your approach to governance as you've worked to evolve and grow in your career.
Speaker 2: Carol Fineagan:
So this is going to sound unprofessional, but my career has been a series of saying yes to opportunities. Come out of school with a Master's in Publications Design, which was marketing, advertising and graphics, had the opportunity to become a network administrator. Yes. I went off and at the time learned Novell. We needed formal project management in another job, and no one knew project management. I adopted Microsoft Project, took classes, wrote an instructional manual, said yes. So I think taking every learning opportunity when someone asks, "Can you do something?" Even if you don't think you can do it at the time, just say, "Not right this second, but I'm going to go learn how to do that." Being in a continuous learning mode. I've been in my career a long time and it changes every year. Governance changes every year, laws change every year, software changes. I love middleware and cloud technology. We're out of the whole API land now. So I would say the best advice in roadmapping your own career is to keep moving forward. Learning what's coming out. AI is huge now, but AI is like this big, so you have to pick your path and how can AI help you where you are now and then where's it going? There's so many different channels to log into. So I would say interest and also what benefits where you are now, whether you're working for a company or you aspire to work with a company, and you want to get there. How do you move your path to be on their trajectory? So learn. Research. If you want to be with a certain company and that's your dream job, go meet someone who works there, connect with them on LinkedIn, get a mentor that works at that company, study what they do, and you learn along. Right? It may not be inside that company, but there's parallel paths. That's really what I've done my whole career is put myself in that next place and learn as I go. Seriously learn, apply the learning. 
I think being in an IT career is just amazing as a liberal arts major because the sky's the limit, and I've been a single mom and raised my son in IT. I am a Nana-Mommy now raising two grandchildren and two Yorkipoos and the flexibility and just the constant pivots in the career and with what's going on at technology has been very energizing. I've never had a dull moment.
Speaker 1: Tracie Edwards:
Well, I agree that pivoting has definitely brought energy to my career and taking those opportunities, even the ones that may not necessarily work out, they actually led me to other opportunities. I also, single and I have accountability for my own career and I have goals as far as that goes, and organizations align with that better than others. For me, the governance is really in, let's be accountable, let's be transparent. Let's align with our values and with our professional goals.
Speaker 2: Carol Fineagan:
Agree. If you're true to your own principles and the values that you sign up for when you sign up for a job or you sign up for a responsibility, there is a value proposition financially and a value proposition to the company, there's a greater good that you're signing up for. Otherwise, you probably wouldn't be working with that company. So I agree, being true to all those things and keeping them in mind.
Speaker 1: Tracie Edwards:
So you have had a long tenured career in technology and you've seen some high-performing technology leaders and you've seen maybe some not high-performing technology leaders. Are there governance-type habits or mindsets that you think distinguish the high-performing leaders from the others?
Speaker 2: Carol Fineagan:
The most influential leader in my career was a gentleman who just recently passed away named Bob Prince, and he was the president of DuraTech in Maryland, which was bought by Energy Solutions and brought me to Utah. And Bob believed that everyone in the company was a leader. You took that responsibility. If you saw something that wasn't going right or you thought something could be better, you brought that idea forward, but the solution, not to vent. And safety was everyone's business. We worked in the nuclear industry and at the end of every meeting, Bob would go around the table and everyone who was in that meeting, he asked them a concluding statement, "Share a thought." Or, "How did this meeting go for you?" Or, "What did we leave out?" And not if it was a hundred person meeting, obviously, but if you were at the table and he didn't speak last, he started to go around the table and give your comments. And also, we worked in an environment where there were no closed doors. He was the CEO. He had no door on his office. If he wanted to have a closed meeting, we had these glass conference rooms called the Cones of Silence, and it was great. There were no secret meetings. It was a transparent environment. I knew that at any point I could go into his office and have a conversation, anyone could knock on the frame of the door. And it was just truly not just an open door policy, it was a no door policy. And to me, that transparency, that collective leadership where whether you were the person vacuuming at night or you were the head of IT, everyone was a leader and everyone was considered to be equal, which I really adored that and I've carried that with me my entire career.
Speaker 1: Tracie Edwards:
That is a really great example because I have seen leaders like that and I have seen leaders not as like that. And so that's a terrific example of how you can build goodwill, how you can build loyalty, how you can build high-performing companies through governance principles like leadership and transparency. Thank you for sharing that example. So as we wrap up our conversation today, because sadly we do have to wrap it up, can you maybe speak to some future-facing things that you might be seeing in governance, things that organizations and individuals should maybe be preparing for?
Speaker 2: Carol Fineagan:
Keep abreast of AI governance. I would advise everyone. I've been attending some online seminars and also reading up on the U.K.'s AI governance laws. They're ahead of us. I would study those and keep up with that because AI is an amazing, wonderful technology, but it has to solve a specific problem. I always tell people it's like when BI first hit, like business intelligence and data was everywhere and they wanted to gain intelligence. Well, you have to point it to stuff and you have to allow it to solve problems for you. The same is true with AI. You can't just splat AI into your organization and expect it to miraculously solve problems. And I would say that it requires governance. Every solution you bring into an organization requires some level of understanding and control. You don't let a toddler loose in a china shop, so you can't... And I'm not saying AI is a toddler, but it's new. It has many purposes, many facets. I would keep up right now with the U.K. AI governance rules that are coming out and guidelines, and it's a great framework. It's an awesome framework. It may be a bit too much for your organization, but it really gives a lot of great explanations, definitions, understanding of why you need the governance on AI, and it is very people centered. The goal of it is to protect the individuals and also allow AI to do its job.
Speaker 1: Tracie Edwards:
Right. That's the perfect note to really end on. Utilize the governance, control governance, especially within AI before it kind of controls you. I think that is a perfect note to wrap up on. Carol, thank you so very, very much. I'm so glad we were able to make this happen and get this chance to visit today.
Speaker 2: Carol Fineagan:
Thank you, Dr. Tracie, and if people have questions, I'm on LinkedIn. I'm the only Fineagan spelled the way I am, so I respond back to people.
Speaker 1: Tracie Edwards:
Great. We appreciate that. And for our listeners, we hope you enjoyed our conversation today and we have a call to action for you. We are on Spotify and on Apple, and if you enjoyed today's discussion, we hope that you'll leave it through review on one of those two platforms and let us know how we're doing. Thanks so much.
Speaker 2: Carol Fineagan:
Thank you.
Meet your hosts:
Tracie Edwards
Host
