Dan Roberts
Contributing writer

Strong CIO-CISO relations fuel success at Ally

Interview
May 09, 2024 | 9 mins
CIO | CSO and CISO | IT Leadership

CIO Sathish Muthukrishnan and CISO Donna Hart have forged a partnership steeped in Ally’s culture of radical candor that keeps the financial services firm secure and innovative.

Technology has enabled Ally Financial to move at the speed of customers, embrace and drive disruptions, and see around corners to anticipate and stay ahead of trends. Helping lead the continual evolution of the nation’s largest all-digital bank are two award-winning technology executives: Sathish Muthukrishnan, Ally’s chief information, data, and digital officer, and Donna Hart, the company’s CISO.

For a recent episode of the Tech Whisperers podcast, I visited Muthukrishnan and Hart at their offices, where we had a chance to talk about the work they’re doing to advance Ally’s mission and to create new value propositions for customers and communities. We also explored their leadership philosophies and the unique power and benefits that come from a strong CIO-CISO relationship.

After the show, we spent some more time discussing the present-day realities of a volatile, uncertain, complex, and ambiguous (VUCA) world and its potential to paralyze people and entire companies. I was interested to hear what they’re doing to set people up for success and turn VUCA into an opportunity for growth and differentiation. What follows is that conversation, edited for length and clarity.

Dan Roberts: Sathish, great leaders communicate a compelling vision that energizes people around their external ‘big C’ customers, what many companies refer to as the North Star. What have you done to provide clarity for those 11 million customers you partner with?

Muthukrishnan: I believe it is part of a tech leader’s responsibility to think about the big C customers all the time, in addition to customers who are internal. Our goal has always been to partner with our business to understand what they’re trying to do for their customers and use the best technology to enable it.

The vision we have communicated is: We will give customers a digital experience that is differentiated from other institutions and that shows we are the best financial partner for all their financial needs and wants. We have done that by simplifying our digital experiences, whether it is consolidating the number of apps we had down to one or being able to open a new account with one click. And if you’re already a bank customer and want to open an account as an investment customer, we don’t take you through the rigamarole. Rather, we allow you to open an account by using the minimum number of clicks.

Donna, can you build on that and talk about how you provide clarity for 11,000 teammates, especially in the area of cybersecurity?

Hart: Human error and phishing are still the major cyber risks to a corporation. Ransomware is our No. 1 threat, and it really is stemming from a team member clicking on the wrong thing. So, No. 1 is security awareness and training.

No. 2 is we take our phishing test very seriously, and we’re expanding that to vishing, to QR codes, to spear phishing to focus on different groups and functions. And we have required training associated with it.

We’re big believers in communicating when something’s happening on the network. If it seems odd or different, if we’re seeing an attack, we communicate that well. From a fraud perspective, we also partner heavily with our fraud teams to make sure that we’re keeping team members engaged on that conversation. They are our first line of defense.

Many struggle to communicate the business value of technology. Sathish, what do you do to provide clarity and articulate that?

Muthukrishnan: We have made it part of the process. We identify the value we are creating and capturing before we kick off a technology project, and it’s a joint conversation with the business. I don’t think it’s just the business responsibility to say my customer acquisition is going to go up, or my revenue is going to go up by X. There is a technology component to it, which is extremely critical, especially as a full-scale digital-only organization. What does it take for you to build the capability? How long will it take? How much does it cost and what does it cost to run it?

All of that has to be part of the value creation and the value capture story, so we make that a joint conversation around how much value we are creating, and that leads us to prioritizing the initiatives that technology works on. And it’s a collective effort across the company.

Can you talk about what has happened to your organization since you’ve been here, in terms of size, scope, and investment?

Muthukrishnan: When I started less than four years ago, we were at about 1,300 employees. We have now almost doubled it, but 85% of the new employees are hands-on engineers. Our budget has doubled over the last four years. The cost of running technology, you measure in terms of how much money does it take for you to run your application versus how much do you invest in growing, and 75/25 is sort of the average. Now we are down to 50/50. So not only have we driven efficiency in terms of maintaining the applications that we have, we are now stretching the dollar invested in technology, which has doubled, which ultimately leads to us doing new capabilities, building new capabilities for our customers, and adding to the daily value that we generate for them.

Donna, you don’t see that 50/50 split in many places, and I would imagine that 50% really allows for innovation.

Hart: Absolutely. In fact, Ally was just named to Fortune’s America’s Most Innovative Companies list, ranking 132 out of 200. Innovation is critical to the success of a good cybersecurity program. The attackers are smart and effective; our systems need to be strong and layered to beat them.

Sathish, you are highly regarded for creating a culture of ‘radical candor.’ Why is this important and what are the benefits?

Muthukrishnan: Most people appreciate the why more than the what. Leaders can say, ‘This is what I want to achieve,’ but when you say this is why we want to achieve these results, that becomes a lesson, that becomes a mission, that becomes a shared dream, and people then feed into the dream and will contribute to that to build it.

You have to have radical candor to have those conversations, but also to say, this is not working for us to achieve our dream — how can we change it? More than pointing out our opportunities, standing by the side of your teammates to help solve for it and help achieve the dream together is critically important. And we can say, ‘Here is where I can help; here is where I cannot help.’

Also, someone having that conversation doesn’t walk away guessing what you just said; they clearly understand it. And most people appreciate the truth. They may not accept it. They may not agree with it. But they walk away and they appreciate: This is why this happened. And then they come to peace with it. Radical candor helps with all of that.

Donna, I’d like to talk talent with you because Ally has built the A-team. Can you talk a bit about the focus you and Sathish and your entire digital leadership team put on the human side of the equation?

Hart: When I first joined Ally, we had a lot of work to do, and Sathish was kind enough to help us get the funding for that. That was important, because we had an A-team in place when I walked in the door, but what they were missing is that underlying funding to go do what they needed to do. Sathish went and got that for us.

Once we got that in place, we put several people in the right positions to go as fast as we could at the same time, which was a lot. It was also a big load on my peers, including the other CIOs, and mainly my peer who runs enterprise infrastructure. They had patience with us and tolerance for what we had to do — we overrode a lot of innovation they wanted to do for their partners and for themselves to go do the security infrastructure work that had to be done. It was a tough conversation.

Our security team executed really well in taking the organization forward. We had probably eight work streams all going at the same time, and the impact on the rest of the technology org was pretty intense. But they were all fantastic at accepting it and understanding that it was doing the right thing for Ally and aligned with our ‘Do it right’ mission statement.

Dan Lemont, Ally’s divisional CIO overseeing technology, strategy, and enterprise technology, notes that the relationship between a chief information, data, and digital officer and the CISO is a special one that requires immense trust and a delicate balance of risk management. How would you describe this balance and what have you done to develop that over time?

Muthukrishnan: I truly feel like it’s a differentiator. I can show you the battle scars.

Hart: I was going to say the same thing. My peers will say to us periodically, ‘We’ll step away while you and Sathish work through this.’ I think it’s the respect of the role that Sathish has and the struggle he has, because for the entire first year, I took over his technology vision and strategy just for cyber. And he had to go defend that. I think that was a tough one to take. Then we had to continue to make sure that we’re really doing what we need to do, without impacting so much of the organization but still moving product forward — he and I consistently have good conversations. Crucial conversations are part of our skillset. It takes work, and it takes us liking one another, because we’re going to disagree. I think it also helps that we’re both very direct. It doesn’t hurt the conversation.

Everyone has to be on the same page, and the culture at Ally is what makes that possible. The secret sauce is that we all are in it together and we all see each other’s challenges, and sometimes we’ll say, ‘Okay, I will move this so you’re successful.’ Dan is a great example. He came to me and said, ‘I have this huge project,’ and I was going to have to delay some things I wanted to do in identity and access management to do the project. And we both said in the end, it’s the right thing to do for identity and access management. So we moved what we needed to do so he could be successful. And he has done it multiple times for me. We see that throughout all of technology and Ally. You see it with Sathish and his peers. They’re constantly having a conversation about what is the right priority. It’s a teamwork situation.

As you grow your organization, Sathish, how do you protect that culture?

Muthukrishnan: Building a strong leadership team is critical. Empowering them is even more critical. When people talk about empowerment, they think it means I leave my leaders alone and they go do whatever they want. It’s actually the opposite. We have sensitive and conflict-filled conversations, and the intent of that is to make each other better. If I don’t understand how my leaders are executing, I won’t be able to connect the dots. It is not questioning what they’re doing; it’s asking questions for my learning so I can connect and share learnings from what other leaders are doing. That’s what leads us to preserving that culture.

I have always been apprehensive about the volume, the breadth, and the velocity of change that we have rolled out in tech. This team has weathered all of it, embraced all of it, and delivered on most of it. And when it didn’t work, it was my mistake. I rolled that change at the wrong time and to the wrong group or on top of other things that were going on. We have learned. We have stopped some projects because they stopped giving us the value. But everything has been successful. I can’t point to one thing where we said, ‘This didn’t work well.’ That speaks to the talent this organization has.

To learn more about the Ally story and the leadership philosophies and lessons that have served these technology executives so well over the course of their careers, tune in to the Tech Whisperers.

Dan Roberts

Dan Roberts is the CEO of Ouellette & Associates Consulting, host of the CIO Whisperers podcast, and author of numerous books, including "Unleashing the Power of IT" and "Confessions of a Successful CIO."
