As the winner of the Orbie 2022 Leadership and 2019 CIO SuperGlobal Award, Al Lindseth has been a thought leader within the energy sector and IT profession for many years. He left a 22-year executive career at Fortune 100 company Plains All American two and a half years ago to make a difference in areas that he feels are critical and where progress is not as rapid or effective as it could and should be.
Al has devoted himself to the community in Houston (and expanding to Dallas and elsewhere in Texas) professionally and personally. He and his wife Stacey are also active supporters and chairs of many area charities, particularly women’s and children’s causes. We were very happy to be able to interview him and feature him in our Cover Story as one of the Top 10 Influential Business Leaders Transforming the Future in 2024.
Can you tell us a little about your business now, CI5O Advisory Services?
I advise companies in all areas. I had responsibilities primarily in the fields of risk management, technology, transformation and cybersecurity. What I address in that side of my business comes and goes based on client needs and is really driven by their priorities.
There’s another side of my advisory that is strategically more intentional – managing widespread risk and change and identifying and leveraging effective innovation. I also advise technology companies which offer the greatest real benefit to our top challenges.
Can you tell us more about that side of the business?
My background, before technology, was in risk management. I was brought in to Plains from PwC because they had a $180MM headline-making rogue trading loss. Corporate risk management is top of mind for Boards and management teams. The average tenure of an S&P 500 company hit a high of nearly 40 years in 1977, and now has shrunk to 10-12 years. Only a third of small businesses are expected to survive past 10 years.
The failure rate and risks are only speeding up, mainly due to technological advances. Heading into 2020, a number of elements were set up perfectly – cloud, big data, infrastructure – for applications to exponentially improve, which they did. For the first time in 2020, as a share of overall US business investment, digital surpassed physical investment, a big watershed milestone.
This has increased risk, particularly for companies not focusing on strengthening their digital strategies and capabilities. Think about what happened last month with the Microsoft outage, what happened in healthcare before that, automotive before that… It’s not just arising from cyber and concentration on the same technology platforms. Businesses are accelerating the digitization of many parts of their operations and can reach millions of users overnight, disrupting their competitors. When technology or business design shifts transform an industry, as many as 80% of incumbent firms can fail to survive the transition.
Often in the CIO/CISO functions, there is such a focus on keeping the lights on, on ‘run and maintain.’ Many in the field perceive innovation as spending time, talent and effort on something that won’t likely work and will contribute to you having more tools and being more scattered.
I have a different view. There have been so many waves of technological advancements and major changes in our environment that those with their heads down, focused so much on running and maintaining, are contributing to their own mess and increasing their risk. Innovation, creating value in the future, requires taking and managing risks. One’s ability to do that well determines his/her success. We need CIOs, CISOs and the leaders of change to be better risk managers. Coaching them on how to become that is my passion and specialty.
How does risk management fit in with your focus on change?
This incredible risk and disruption are resulting in a lot of transformational and change efforts. However, the track record and return on these investments are horrible. A lot of this has to do with whether you have the right change leadership – at multiple levels.
Resistance to change is a huge impediment. You can’t just walk in and tell folks they’re bad at managing change. In U.S. oil and gas, the basins where the oil comes from are different, the direction oil flows reversed 180 degrees, turning us from importer to exporter. Management teams should be proud of navigating this, but are they good at digital change? Technology is of course more important to them than it was before. Cybersecurity, analytics, modern tools … But it’s still a selection process to much of the business, like it always has been – just now a higher priority. Just select which systems to buy, approaches to follow, consultants to hire or older applications to rationalize.
The process to change from within using modern technology requires a different approach, including honest and transparent self-assessment to target opportunities around your organization’s blind spots – where your competition could disrupt you and you are failing your customers. If you could solve these challenges without digital, you would have by now. Do that before someone else does.
Also, the bulk of the opportunities, these blind spots, are on change involving the business leadership side, not on the CIO, which is where most of the attention is. Dealing with the challenges of risk and change in this environment requires different skill sets. Traditional approaches are not transformative or agile enough. You also need skills in what you are trying to do with the technology – like standardizing and optimizing processes or taking the people in cross-functional groups and individuals and turning them into high-performing teams.
How do you tackle this specifically?
Focusing on technology-driven disruption or change efforts, I will come into a client and immediately posit a handful of specific reasons why these larger efforts and general attempts to wrestle with change and risk fail. I speak on this a lot also, with a goal for attendees to learn how to avoid and manage these issues with the right approach.
Success requires true change agents willing to tell it like it is, with skills to provide the right guidance and facilitation. My small engagement model and advisory-level focus is not a ton of revenue per client, so I care more about achieving change than making money off them. Misaligned incentives are a big reason why the large consulting firms have failed so miserably at this.
I am also continuously trying to identify the technology that will best enable them to change effectively. Recent innovation has opened up completely new and more effective paths and solutions compared to what we had in the past.
What are some examples of technologies that you have targeted and worked with in this manner?
I’ve been investing in AI for over a decade. Management teams have been thrown for a loop around AI since the release of ChatGPT. Alarmist, existential questions, knee-jerk reactions to generally ‘ban it,’ and other distractions abounded initially. Now we’ve moved past the initial ‘spinning’ and most companies realize security (data leakage) and foundational data readiness should be at the top of their priority list. Strong use cases are materializing, many with compelling ROI.
Applying a solid risk planning and management approach to what this technology truly means at your organization, in a manner consistent with how you might approach other enterprise level and technology risks, helps frame these discussions in a structured and efficient way. There are a number of complex issues – for example AI relies heavily on cloud providers and many organizations are already struggling with cloud costs, sub-optimal migration efforts and other readiness issues like the state of their data. One of the most fun discussions I have is to come in and try to get management teams more educated and focused.
Data Management:
Many current efforts to manage our situation with data are not effective, efficient, or getting companies to where they need to be. Companies continue to build more layers around designs which are costly, siloed, complex, difficult to support and ignore the inherent limitations of traditional approaches. They are moving and transforming data to centralize it, and trying to fit that architecture around AI and cloud. When you project out 3-10 years, continuing with the status quo really does not work. By 2025, projections put us at 175 zettabytes, mostly unstructured, 80 billion devices connected to the internet (IoT) and data scientists and analysts wasting much more than the 75% of time they do now looking through data.
Most don’t know that modern technology has a solution to this. I’m talking about data fabric/mesh. This is an area that is widely misunderstood, and vendors are creating even more confusion, but applied the right way, it offers a massive improvement and ROI.
Supply Chain Risk:
Historically companies sought out the lowest cost supplier and kept inventory low. The supply chain function was very transactional, focused on negotiating around capital programs and delivering 10X plus in cost savings, which meant keeping their direct costs and headcount low.
When we first got into COVID, there were a lot of supply-oriented issues, followed by the emergence of problems on the distribution side, with the physical, market and legal mechanisms that get product from one place to another (e.g. war, sanctions). The landscape has changed, geopolitically, economically and functionally. Capital programs are lower, the function is way more operational and its focus is more on risk management and greater resiliency.
The data is all over, in multiple systems, transactional, and not focused on risk so you have to cobble that view together, often in spreadsheets. SCM groups are small and barely able to manage a small group of tier 1 partners/suppliers, leaving the risks of the huge number of companies that supply that tier 1 out of their direct line of sight and control.
Supply chain functions are struggling. The incentives for SCM heads and teams still are outdated. When companies go out and get management consultants, it involves point-in-time assessments, big work efforts and usually tells them what they already suspected.
A better enabler to help them improve is emerging technology and new models over the last handful of years. These actually fit in great, help groups to do work that is not being done now or at least not effectively, solve resource and manpower issues, get better data to make better decisions. I have clients that provide real time and continuous monitoring of all sorts of supply chain risks. Even though inflation is softening, structurally there are still major issues. The winners will be the most tech-savvy. Technology is the only thing that allows this continuous monitoring of supply chain risks which facilitates more proactive risk management.
Cybersecurity
I spend most of my time and attention on cybersecurity. I focus on areas where current efforts to manage these risks are not effective, efficient, or getting companies to where they need to be.
For example, if we can’t continuously monitor out-of-sight supply chains, it has huge implications. Think about SolarWinds and Log4j where malware was introduced via valid patches and releases. Imagine a world where we have to validate every valid patch or release that comes in from Microsoft or any one of our hundreds of software vendors. The whole goal of a vulnerability management program is to get those out as quickly as possible. One client identifies vulnerabilities around hardware and equipment, which is important to critical infrastructure risk. An attacker can circumvent software controls with a hardware-based attack, but 90%+ of assessments are focused on software.
In the cyber arena regarding supply chain, remediation is also a huge deal. Companies’ security teams are getting flooded with vulnerabilities from their third parties, including many false positives, but it is difficult to remediate these. I’m working with entities which produce fewer false positives, have better platforms and are more effective at directing remediation.
OT (Operational Technology) Cybersecurity
In many organizations, OT cyber is where IT cyber was 20 years ago. Many of these OT systems were designed at a time when cybersecurity was not deemed to be necessary due to isolation and segmentation. The strategy was to protect, to wall off and isolate, until the last probably 8 years when our government went over to Ukraine and, after the utilities there were breached, came back saying, ‘That can’t happen here, right?’ Knowledgeable people said absolutely it could, we don’t have visibility into these environments, therefore we can’t detect, which means we can’t respond and we sure as heck can’t get ahead of those threats. Progress is being made, but this is where most companies are still at now and 10 of the 16 critical infrastructure sectors have heavy OT.
The most common and sophisticated attacks are targeting OT. OT/IT networks are converging, increasing the attack surface. Many approaches to roll out these programs are ineffective. What we are trying to do is very transformative and heads of operations are not owning this and trying to integrate cyber into their management frameworks around safety, integrity and other elements. IT and OT teams are having a massive culture clash. The worst thing you can do when people feel threatened is pull them all together into big workshops, which is exactly what a project manager will do. Some efforts are driven by too prescriptive regulatory requirements, and need to be balanced with a top-down, risk-based approach.
They need more exercises designed to create a high-performing, cross-functional team across Operations and cyber/IT. The big enabler for them to accomplish this is emerging technology and new models over the last couple years. These actually fit in great, help groups to do work that is not being done now or at least not effectively, solve resource and manpower issues, get better data to make better decisions.
Cloud/Zero Trust/etc
I try to demystify and educate in these areas. Companies continue to build more layers around designs which are costly, static, complex, difficult to support and ignore the inherent limitations of flat internal networks. Most architectures are designed as though all the IT assets and data reside in your data center, and honestly don’t even work for distributed offices, much less cloud platforms, which is where most attacks are emerging.
Poor designs which have not adapted to cloud and other shifts are a big reason why we see attacks every 11 seconds. They certainly do not work when you project where we’ll be in 3-5 years. There are better approaches which reduce the exploitable attack surface and limit impact. It has also gotten easier, less risky to implement these and less expensive than in the past.
Final thoughts?
These are just a few examples of many. I probably find 3-4 new areas of focus like these to add to my portfolio each season. I’m really excited to have picked up the CEO of a new international AI healthcare startup as an advisory client, who I think has an incredible model. By the end of 2024, I will have advised many operators and tech firms, held 20 collaboration dinners attended by hundreds and spoken over 30 times since I left Plains. I had career and personal success there. This phase of my life is about making a positive impact.