AWS Cloud Enterprise Strategy Blog

Designing a Cloud Center of Excellence (CCOE)

Team Building for finite project

Many companies have found that a cloud center of excellence (CCOE) can accelerate their migrations to the cloud and broader digital transformations. These CCOEs take many forms, which is appropriate because each company has unique challenges to overcome. Nevertheless there are certain patterns and antipatterns for using a CCOE. In this blog post, I’ll try to clarify the purpose of a CCOE, its composition and operation, and the impact you should expect from it.

Why Create a CCOE?

To be clear, a CCOE is not necessary for migrating to the cloud or transforming digitally. Its use is an organizational decision. And like many organizational decisions, it depends on many factors, most importantly what kinds of challenges the company encounters in its transformational journey but also considerations of security strategy, centralization versus decentralization, HR philosophy, available skills, and let’s face it—organizational politics. In speaking with my colleagues who have led successful digital transformations, I’ve found that some of us didn’t have a group we called a CCOE; some had a group of that name, but it was really just a loose group of leaders involved in making cloud decisions.

A CCOE is a (partial) solution to a common set of challenges that companies often face in moving from a data center-based, waterfall-oriented way of working to a cloud-based, nimbler, and digital way of working. As its name suggests, it primarily focuses on the move to the cloud, and not necessarily on broader issues of transformation. The problems it typically addresses are:

1.      Cloud migrations often stall because people in the enterprise are fearful. The cloud is new to them, and the company doesn’t have deep skills in using it. There is widespread misinformation about the cloud that makes people nervous. A CCOE can help by advocating for the cloud, providing accurate information, and supplying the critical skills necessary for a successful migration.

2.      Cloud migrations have trouble gaining traction because everyone in the enterprise is busy with other things. Everyone has their “day job.” Enterprises don’t keep people sitting around with free time. A CCOE helps because it is dedicated to the cloud transition, which is its key priority and success measure.

3.      At the beginning of a cloud migration, many technical, architectural, and business decisions must be made. Most importantly a security posture must be established by creating a “secure landing zone” into which the company’s applications will be deployed. A CCOE has the expertise to make these initial decisions and set the company on the right path.

The CCOE helps the organization get traction in its migration, guides it technically in its initial stages, and reduces its risks. It facilitates technical, cultural, organizational, and process changes that need to occur during transformation. It provides the initial expertise that makes migration possible. It is not a magic bullet. Its goal is to increase the speed and quality of migration.

Temporary or Permanent?

Because its purpose is to facilitate migration to the cloud and migration is a finite task, the CCOE is best thought of as a temporary team. It provides the initial expertise needed, but almost everyone in the IT organization will eventually need cloud skills. The CCOE sets up cloud processes and patterns, but since the cloud is “the new normal” (i.e., the technical foundation for everything the company does in the future), the entire IT organization will eventually be excellent at using the cloud. The CCOE is an enabler for the IT department to become cloud centric.

This can be confusing. People sometimes speak of the CCOE as a permanent unit that manages the cloud platform on behalf of the company, a function that we sometimes call cloud platform engineering. But over time, cloud platform engineering is platform engineering; platform engineering is just folded into the IT organization in whatever way makes sense organizationally. While the CCOE may have a security team representative, cloud security is eventually just part of security and should be located within the IT security team.

The danger, and the antipattern, is creating a separate silo for tasks related to the cloud. But eventually, assuming that most or all the company’s platforms are in the cloud, IT’s purview will simply consist of the cloud and edge devices / end-user devices and the applications and data that involve them.

The long-term organization of IT should simply be whatever organizational structure works best for IT.

Does the CCOE Do Cloud Governance?

Yes, in a sense—and no, in a sense. There are several types of IT governance. One is the governance of investments, priorities, spending, and project oversight. These types of governance are not the business of the CCOE. For the most part, these business priorities do not depend on what technology platform is used to support them, so cloud governance is not separate from IT business governance. Business priorities are business priorities.

Another type of governance pertains to compliance, standards, and security. The CCOE’s role does include creating an initial approach to that type of governance for the cloud. But there’s an interesting twist: In the cloud, most of that governance should be automated and act as an enabler for everyone using the cloud. The CCOE helps develop the architectural patterns useful to the teams building functional capabilities in the cloud. They assemble an initial toolchain for CI/CD, set up monitoring, and put security controls and policy enforcement into the cloud. They help make initial decisions about managing costs in the cloud. They govern by enablement, making it easier for others to use the cloud with confidence that guardrails are in place.

What Doesn’t the CCOE Do?

Or a better question—what are the associated functions that you could theoretically put into the CCOE but probably shouldn’t? When the CCOE is no longer necessary, which functions will continue in other parts of the IT organization?

Most organizations will need a platform engineering team (a team that uses the cloud to make a self-service platform available that delivery teams [DevOps teams] can use to create and deliver their software). The platform engineering team manages policy enforcement and controls in the cloud environment—what will come to be continuous compliance and continuous audit. While the CCOE may do some initial platform engineering, this responsibility will eventually become part of a broader engineering organization.

For very large and complex migrations, there may be a project management office (PMO). I recommend keeping this separate from the CCOE primarily for cultural reasons. The CCOE should consider itself an enabler, not a controller or organizer. The CCOE provides expertise, not taskmastering.

Digital transformations involve coordination at very senior levels of the organization. I’m being careful in my wording here. It is not the cloud migration itself that requires ongoing coordination at that level but the broader transformation that involves reimagining the business as a digital company and making cultural changes across the entire organization. This is not generally the responsibility of the CCOE because it requires the ongoing participation of the senior executive team. It should probably be an informal steering mechanism rather than a COE.

I think there is an interesting area that is up for grabs. Today transformation undoubtedly includes AI-centric and data-centric components. Technology is deeply involved in those activities. And because AI is so new, it might require some kind of a center of excellence. Where in the organization would that expertise sit, and what role would it play in the transformation? Expect more on that in future blog posts.

What Skills are Needed in a CCOE?

A CCOE requires whatever skills are necessary for accomplishing its goals or overcoming the challenges that prompt the formation of the CCOE in the first place. If technical skills are the primary impediment to progress in cloud migration, there are a number of technical roles that are appropriate. If security is a major concern, ensure security skills are there. If the best lever for accelerating migration is technical or business evangelism across the enterprise, those are the critical skills you need on the CCOE. If establishing an initial posture for compliance and reporting is important—well, you get the picture.

Bottom Line on CCOEs

The CCOE is a tool many enterprises use to overcome common impediments to cloud migration. It is best to think of it as a temporary team whose functions will eventually be absorbed into the broader IT organization. How long is temporary? It depends on how big and slow the migration will be. The organizational structure will probably change as the digital transformation proceeds, and the CCOE will help define and advance that change. But since the point of the CCOE is to accelerate the migration, it’s best not to overcomplicate it or spend too long trying to stock it with all the skills that will be needed for cloud operations in the long term. I suggest taking a practical approach. What are the challenges facing migration? What skills and scope of responsibility must the CCOE have to solve these challenges? How can overcoming those challenges help you get faster business results from the migration? That’s how you define your CCOE.