Metrics don’t lie, but they can be misleading when they only tell IT’s side of the story

In this Help Net Security interview, Rik Mistry, Managing Partner at Interval Group, discusses how to align IT strategy with business goals. He explains how security, governance, and orchestration shape IT operations and why early collaboration between IT and security leaders leads to better outcomes. Mistry also shares his perspective on automation and emerging technologies.

When you assess an organization’s IT strategy, what’s the signal that the strategy is genuinely aligned with business outcomes, not just labeled that way on paper?

One of the first things we look at is how an organisation’s IT defines success. IT KPIs, metrics and targets that closely match their business counterparts are a sign that IT and business are pulling in the same direction. Depending on the industry, examples of these might be customer retention, website conversion rates or order-to-cash cycle time.

If a CIO is focused only on uptime and IT project delivery, the strategy isn’t fully aligned, as although these are important IT metrics, they’re not what the business is concentrating on. We design target operating and governance models where business and technology priorities are reviewed in the same forum and where product teams have both IT and business accountability.

A useful test is to ask business leaders how clearly they can describe the IT roadmap and vice versa. In well-aligned organisations, both sides can explain not just what is being delivered, but why it matters commercially. Where that connection is missing, our work often involves redefining value streams, clarifying ownership and reshaping incentives so that business outcomes drive technology priorities, not the other way around.

Many organizations are shifting from “owning” infrastructure to “orchestrating” it across cloud, on-prem, and SaaS ecosystems. What competencies do you see becoming non-negotiable for IT teams in that transition?

We’re seeing an increased shift of requests for infrastructure “owners” to “orchestrators”, requiring a different mix of competencies. Skills in platform and integration architecture, API governance, automation and cloud security have become non-negotiable alongside the ability to manage multi-cloud suppliers and service-level accountability across an often-fragmented ecosystem.

Successful orchestration also depends on financial and operational literacy: teams need to understand cost optimisation, compliance-by-design and how to maintain performance and resilience without direct ownership. That shift demands both technical breadth and strategic coordination.

While many organisations can embrace orchestration, those in critical infrastructure or highly regulated sectors still need to retain ownership of certain components. As the recent AWS outage reminded everyone, resilience and control are not optional.

CISOs and CIOs are often aligned in theory but misaligned in execution. What practical patterns distinguish organizations where security and IT operate as strategic partners rather than friction points?

The best partnerships happen when security is built into the approach, rather than added for compliance later. In practice, this means embedding security architects into product, project and infrastructure teams and treating security KPIs (e.g. time to patch or zero-trust coverage) as shared metrics across the CISO and CIO desks.

A few years ago, I led a global programme at one of the world’s largest enterprises to migrate to a cloud productivity platform. Bringing the CISO into the planning early was absolutely critical to its success. Those transparent discussions between the programme and security teams not only accelerated internal approval but also prompted the vendor to implement several product changes to meet the stringent compliance requirements of the DACH region. It was a great example of how involving security leaders early transforms them from “gatekeepers” into enablers of innovation.

Infrastructure automation promises efficiency but can also accelerate mistakes. How do you recommend organizations strike the right balance between automated workflows and human oversight?

We recommend automating repeatable, low-risk activities (e.g. provisioning, monitoring, compliance checks) but keeping human validation in high-impact workflows like production changes or incident response. Mature organisations combine automated enforcement with human review of exceptions. The goal is to use automation to surface decisions faster, not to remove decision-making entirely.

On infrastructure automation projects, we use an automation assessment model that classifies each process by risk, recurrence, and reversibility. If a task is high-risk or hard to reverse, we build in human approval checkpoints, while low-risk, high-frequency tasks move into automated workflows. This provides efficiency gains without eroding accountability or control.
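The gating logic described in the two paragraphs above can be made explicit as a small routing policy. The following is an added example, not code from the interview or from Interval Group: it classifies each task by risk, recurrence and reversibility, sends high-risk, irreversible or exceptional work to a human approval checkpoint, automates low-risk, high-frequency work, and leaves rare low-risk work manual. The task names, the `Task` fields and the frequency threshold are all constructed assumptions.

```python
from dataclasses import dataclass

# Frequency (runs per month) above which a low-risk task is worth automating.
# Constructed threshold; a real programme would tune this per environment.
AUTOMATION_FREQUENCY_THRESHOLD = 10

AUTOMATE = "automate"            # runs without a human in the loop
APPROVAL_GATE = "approval_gate"  # automated preparation, human approves execution
MANUAL = "manual"                # too rare to justify automation


@dataclass(frozen=True)
class Task:
    """One operational process, scored along the three assessment axes."""
    name: str
    risk: str              # "low", "medium" or "high"
    reversible: bool       # can the change be rolled back cleanly?
    runs_per_month: int    # recurrence


def route(task: Task, policy_check_passed: bool = True) -> str:
    """Decide how a task should be executed.

    policy_check_passed models the 'human review of exceptions' rule: an
    otherwise-automated run that fails a pre-flight check (drift detected,
    unexpected blast radius, failed compliance scan) is escalated to a human.
    """
    if task.risk not in ("low", "medium", "high"):
        raise ValueError(f"unknown risk level: {task.risk!r}")

    # High-impact or hard-to-reverse work always keeps a human checkpoint.
    if task.risk == "high" or not task.reversible:
        return APPROVAL_GATE

    # Exceptions on automated paths are surfaced to a person, not auto-fixed.
    if not policy_check_passed:
        return APPROVAL_GATE

    # Low-risk, reversible, frequent work is where automation pays off.
    if task.runs_per_month >= AUTOMATION_FREQUENCY_THRESHOLD:
        return AUTOMATE

    # Low-risk but rare: automating it costs more than it saves.
    return MANUAL


def plan(tasks: list[Task]) -> dict[str, list[str]]:
    """Group task names by the route the policy assigns them."""
    buckets: dict[str, list[str]] = {AUTOMATE: [], APPROVAL_GATE: [], MANUAL: []}
    for task in tasks:
        buckets[route(task)].append(task.name)
    return buckets


# Constructed sample inventory, chosen to exercise each branch of the policy.
SAMPLE_TASKS = [
    Task("provision dev sandbox",            risk="low",    reversible=True,  runs_per_month=40),
    Task("nightly compliance config scan",   risk="low",    reversible=True,  runs_per_month=120),
    Task("production schema migration",      risk="high",   reversible=False, runs_per_month=2),
    Task("isolate host during incident",     risk="high",   reversible=True,  runs_per_month=1),
    Task("delete stale object storage",      risk="medium", reversible=False, runs_per_month=12),
    Task("quarterly DR failover test",       risk="low",    reversible=True,  runs_per_month=1),
]

if __name__ == "__main__":
    for bucket, names in plan(SAMPLE_TASKS).items():
        print(f"{bucket}: {names}")
    # An automated task whose pre-flight check failed is escalated instead.
    print(route(SAMPLE_TASKS[0], policy_check_passed=False))
```

The point of keeping the rules in one function is auditability: when a change lands in production without review, the reason it was classified as automatable is a single, readable decision rather than a convention spread across pipelines.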

When evaluating emerging technologies, what’s your framework for distinguishing between durable strategic value and short-term hype?

To evaluate emerging technologies, we focus on three key areas: business relevance, ecosystem maturity and organisational readiness. A technology has durable value when it improves core business outcomes, integrates well into existing processes and the organisation has the capability to adopt it responsibly. Hype technologies usually score high on optics / UX but low on operational readiness or proven return on investment.

Personally, I like to look at whether it solves a recurring pain point or just adds novelty. I also factor in organisational size and maturity (what’s viable for a startup isn’t always realistic for a global enterprise) and I generally start from a position of scepticism, as most new technologies need several years of evolution before they’re enterprise ready.
