How the Pension Protection Fund is using the cloud to transform IT provision

Simon Liste, chief information technology officer (CITO) at The Pension Protection Fund (PPF), is using the cloud to help his organisation cope with the new way of working required by social distancing - and he has advice for other CIOs who are looking to implement on-demand IT: focus on purpose and classify what's critical to the organisation.

Set up by the Pensions Act 2004, the PPF protects millions of people throughout the United Kingdom who belong to defined benefit pension schemes. If their employers go bust, and their pension schemes cannot afford to pay what they promised, the PPF pays compensation for their lost pensions.

Liste joined the PPF as director of IT and change in February 2018. He was promoted to his current role in December 2018. With the backing of chief executive Oliver Morley, Liste is now halfway through a 36-month strategy to transform the organisation's operational processes through the effective use of digital services and systems.

Moving to the cloud

The PPF's IT was previously outsourced to a managed services provider, including all aspects of governance, security, architecture and service delivery. Liste says he has brought IT management back in-house and disaggregated the support model to spread provision across a series of suppliers, reducing the level of potential risk from being over-reliant on one firm.

As part of his re-evaluation of service provision, Liste made an associated decision to take a cloud-first approach to IT implementation. While he had already made some progress around introducing cloud services, Liste says the coronavirus pandemic has helped to intensify the pace of IT-led change:

"We had the roadmap and the strategy and I think we've probably had to bring some of that forward. We've had to be diligent and we've used three governance checks around projects, architecture and security to make sure that we're adhering to our principles when it comes to the delivery of change. We've done a complete reprioritisation and review of our change portfolio, where we're maximising some of the services we provide and making working from home easier for people."

Liste says the PPF already had an Azure presence and he has helped the rest of the business to make the most of that provision. Where possible, the organisation has expanded its use of cloud services, such as video-conferencing technology Zoom. Liste says the implementation of Zoom was completed after a thorough security evaluation - and the technology is helping to bring a socially distanced workforce closer together, at least virtually:

In the media, Zoom is getting a bit of a pasting, but you've got to be pragmatic, classify the tools and be clear on the purpose. We're using Zoom a lot for team facilitation. We're very concerned about our people's mental-health situation, so we encourage virtual coffees and social meetings. Technology departments can be seen as blockers - we wanted to facilitate change.

Liste says the PPF has also made use of key collaborative tools from Microsoft, such as Office 365 and Teams. While the PPF's strategy is far from pioneering, it is a significant break for an organisation that had only recently switched from outsourced to insourced IT management. Across all forms of cloud implementation, data protection remains absolutely critical:

When it comes to our wider strategy, I wouldn't say that I'm ‘reinventing the wheel' because that's not the case, but Office 365 and Teams have always been on our roadmap. There's a few other cloud-based tools that we're using that I won't reference, but these have been added to allow secure and collaborative interactions.

Making the most of external service provision

Liste says all CIOs thinking of moving to on-demand IT should evaluate the appropriateness of what goes to the cloud and what doesn't. While some reticent executives would rather most information is kept on-premise in a data centre, Liste says CIOs will discover that the cloud is a lot more secure than the naysayers think - and there are a lot of options:

Where we can move things to the cloud, it's going to be a combination - so that might include infrastructure as a service, public cloud service or the private cloud. We've had a private cloud for a while anyway because we've implemented VMware. We like the concepts of portability, high availability and resiliency that come with the cloud. We're looking at back-ups and disaster recovery as a service to really take advantage of the cloud as much as we can.

Liste says other public sector CIOs looking to use on-demand IT should classify what's critical to their organisations in terms of technology, business requirements and potential financial costs. Understand the stack and the technical debt, and then focus on the challenges that the business faces. He says CIOs must work collaboratively with line-of-business departments, not as an external party - which has sometimes been the way for IT departments:

Moving to the cloud on its own is just part of the transformation. Understanding the business means you can provide the service and solution that is cost-appropriate. Going to the cloud isn't about cost efficiencies, it's always about cost-appropriateness. Any technology we procure has to be financially intelligent and it has to deliver against our objectives as an organisation.

Liste believes that he's in a privileged position as his role allows him to sit on the PPF executive committee. That elevated role means his IT procurement decisions receive buy-in from the top of the organisation. Looking back on the decisions he's made in the past 18 months, he believes embracing insourcing and the cloud has been a game-changing combination:

I do think that you need to have some element of ownership internally, so that you actually own your business requirements. And the external partners you choose do need to compliment your internal culture, which means you might want your architecture partner to be much more agile and diverse in the way they approach things, or you might want an expert partner in security that goes heavy on governance and checks. I think that business engagement, and talking and communicating, is fundamentally critical to success.