Mission critical – How the American Cancer Society successfully and securely migrated to the cloud amid the pandemic 

IbyIMD+ Published 13 March 2023 in Finance • 8 min read

As large-scale IT projects notoriously overrun and exceed budgets, Dave Chatterjee explores the factors that made migrating the American Cancer Society’s data to the cloud a rare example of a smooth digital transition.

 

In April 2020, as the COVID-19 pandemic threatened to shutter the global economy, Keith Weller received a phone call. The then Vice President of Enterprise Technology Services at the American Cancer Society was in a team meeting, and the call was from the organization’s head of real estate. “How soon can we get out of the on-premise data center?” she asked.  

The question stunned Weller for its directness but also for what it implied: moving 900 servers out of a 5,000-square-foot area attached to the ACS’s headquarters. The servers held dozens of terabytes worth of sensitive cancer images and data. They also hosted the organization’s online donations system – the beating heart of the ACS’s principal revenue channel. 

For all the risks, the not-for-profit had to find ways of covering a $200m drop in annual revenue as a result of the suspension of fundraising activities; migrating to the cloud was a necessary step in vacating its headquarters, which cost the organization $762,000 a month.  

Amid those cost-saving imperatives, the project would also save them $20m in technology costs over three years. “It was a project that could not fail,” recalled Weller. “We had to find very rapid ways of reducing costs, and the migration was key to getting us out of our lease.”  

Weller and his team rose to the challenge, undertaking the organization’s biggest digital transformation in years: he oversaw the migration of its data to the cloud in just eight weeks – a gargantuan undertaking that nevertheless came in on time and under budget.

This journey holds potentially important lessons for other companies as they look to deepen their digital strategies in an increasingly technologically driven world. For one thing, it provides insight into the invariably complex dynamics of change management – the overarching process of planning and implementing change within an organization.  

For another, it stands out as a rare example of a smooth digital transition: while migrating to the cloud offers potential benefits of cost-effectiveness, efficiency, functionality and scalability, research suggests that as many as one in three such projects fail – with only one in four businesses meeting their migration aspirations. As if that weren’t sufficiently daunting, 90% of Chief Information Officers (CIOs) have experienced either failed or disrupted cloud-migration projects. 

 

There are no IT projects, only business projects 

One pillar of the ACS’s success was that the financial imperatives brought on by COVID-19 illuminated a reality that many corporates and organizations often fail to understand: there are no IT projects, only business projects. If an IT project is worth doing, it will add value to an organization and should therefore be adopted and embraced by everyone in the organization as a business imperative.  


The top management team understood the business case behind migrating to the cloud and gave Weller and his team their unwavering support, which proved critical to their success. Above all, it instilled a sense of “mission critical” throughout the organization, which galvanized efforts and aligned strategy around a shared goal. While this may sound simple, it isn’t: all too often, IT projects slip down executives’ and departments’ to-do lists, making them susceptible to delays and dramatically increasing the chances of failure. Indeed, when IT projects do fail, it is usually due to political or organizational obstacles or lack of support rather than technological problems related to the project itself.   

All hands on deck 

A second element to the society’s successful cloud migration is that Weller leveraged the shared priority to recruit a cross-functional team to shepherd the project from beginning to end. In addition to the non-profit’s C-suite, the team included people from IT, security, quality assurance, supply chain, and legal.  

Among other things, the team was responsible for providing agile infrastructure for the ACS’s business needs, eliminating physical equipment from the data center, establishing and implementing governance, training and support for the new cloud-based system, and engaging a third party to help accelerate and ensure the project’s success.  

To that end, it performed a wide variety of activities ranging from formulating a strategy to setting timelines, analyzing costs, evaluating risks and security requirements, reviewing implementation options and feasibility, and selecting a third-party vendor.  

“Everyone had to be hands on deck,” said Weller. “We needed different teams to test some of these new applications, and they needed to be readily available – because if, for whatever reason, someone was on vacation and we missed the test window, that would have disrupted the timeline. Being fully collaborative was critical.” 

Limiting goals – and sticking to them 

A third pillar of the ACS’s success was to limit the scope of the project from the outset. Migrating to the cloud typically involves considerable refactoring of applications, using different and less costly IT solutions that provide the same service but at a fraction of the cost of in-house solutions. Yet because the overriding priority was to vacate its headquarters, Weller and his team deliberately left a lot of the iterative improvements that accompany a cloud migration until much later in the year. “We knew that the number one thing we had to do was get out of the data center,” he says. “So we weren’t going to spend a lot of upfront time on the details.”  

Selecting the migration partner  

A fourth factor in the society’s successful cloud migration was choosing its partners carefully. Migrating to the cloud is not as simple as flicking a switch, and there are many complex pieces to the puzzle. These include architecting a new cloud footprint to export the in-house technological infrastructure, improving the security posture, and establishing and implementing governance, training, and support.  


To achieve all of this, they hired an end-to-end cloud solutions provider to help guide the process. This included a cloud engineer as well as a knowledgeable architect to build a robust framework. Weller said this was a critical decision because it helped keep the project on track while harnessing invaluable expertise and knowledge from a provider specializing in cloud migration. “You have to ensure that your foundations are in place,” he explained. “A lot of that is working with architecture. Choosing the right external partner helped us avoid mistakes with configurations, firewalls, and security groups.”  

Careful attention to security details

It also helped establish a rigorous and thorough timeline and checklist for security, which is not only essential but also something that companies repeatedly overlook, particularly when they try to execute a project quickly, as in ACS’s case. “You have to make sure that your applications and data flows are fully documented, and that when you are moving, you are properly securing aspects of that data flow,” said Weller.  

External partners are invaluable in helping to put the right security steps in place. Yet organizations carrying out a cloud migration are ultimately responsible for any lapse or breach. With that in mind, Weller and his team adhered to the highest benchmarks of security protocol, using the US government’s National Institute of Standards and Technology framework to ensure that all the relevant controls were in place.  

The ACS also partnered with Microsoft, choosing Azure as its new cloud platform. Part of the reason, explained Weller, was that the software provider offered non-profits such as the ACS generous terms and significant discounts compared with the alternatives it explored at the time. But the ACS also partnered with Microsoft because it already had its identity and access management solution on the software provider’s Azure platform, and the resulting familiarity with some aspects of the environment eased the learning curve.

One obvious question is why they had not migrated to the cloud earlier. Beyond the implied cost savings, their on-premise data solutions were less agile than cloud computing when it came to adding new features. “When you are dealing with legacy systems, the barriers to innovation are much higher,” said Weller. On top of that, the cloud’s additional security was a clear advantage compared with what they had on the premises. “As a security person, I’m pragmatic,” added Weller. “I know that Microsoft, with a billion-dollar budget, can do security better than I can with a staff of five.”  

As it turns out, the ACS had carried out a partial digital transformation two years prior to the pandemic, offloading its customer relationship management to Salesforce, the Californian cloud-based software company. In stark contrast to its 2020 cloud migration, however, that project took two years to complete. It was also dogged by the business team changing its requirements throughout the project, partly as a consequence of gaining more knowledge as the process went on.

For Weller, who was not leading that development team, the lesson from comparing the two experiences is crystal clear. “When you have competing interests and IT projects are just one of a bunch of competing priorities, there is every chance that things will drift,” he said. “But when you set clear goals, and when the entire organization is all hands on deck, you can execute with great precision and consistency.” 

Authors

Dave Chatterjee

Associate Professor in the Department of Management Information Systems at the Terry College of Business, The University of Georgia.

Dave Chatterjee, Ph.D., is a tenured Associate Professor in the Department of Management Information Systems at the Terry College of Business, The University of Georgia. As a Duke University Visiting Scholar, Dr Chatterjee has taught in the Master of Engineering in Cybersecurity Program at the Pratt School of Engineering. His book, Cybersecurity Readiness: A Holistic and High-Performance Approach, was published by SAGE Publishing in March 2021. Dr Chatterjee is also the host of the Cybersecurity Readiness Podcast Series.

Expert

Keith Weller


Chief Information Security Officer (CISO) at International Market Centers (IMC)

For over 20 years Keith has held executive roles in Information Security and IT Operations. For 12 years he was head of Security and IT Operations at Ebix, a Financial Technology SaaS provider that grew rapidly through acquisitions. Ebix is an exchange for the Financial and Insurance markets that had over $1 Trillion of transactions go through its systems per year. Before IMC he was head of IT Operations including Security Operations at the American Cancer Society overseeing Digital and Cloud Transformations and responsible for the protection of sensitive HIPAA and Credit Card data.  
