Whining about the IT department

If ever there was a classic example of how business people can become spoilt whining brats when it comes to IT services, it is in a recent article in Forbes online. Clearly, organisations have a stupendous amount of work to do to educate their staff in how to be grown-up about IT as a resource (no it is not IT's job to do this):

It is hard to fathom there are corporations that have locked down I.T. environments like this. There are tools that can easily and securely improve productivity, business execution and collaboration in today’s world. Yet, there are I.T. cultures that constrain a business in this way giving way to the "C.I.No." ...
The CIO’s role is to enable a business, not make it work with one hand tied behind its back. A “C.I.No.” undermines business execution and velocity. The CIO can’t hold back a business because of the threat of occurrences that very likely will never occur.

"tools that can easily and securely... "? That's easy to say when you don't know the first thing about how IT works. You guys just go buy an answer eh? How hard can that be? Apple says the iPhone is industrial strength so it must be true.
The author, Dave Gardner, a sales and marketing guy, cites an extreme case of "IT lock-down" - see the article. Now, I don't know if this is excessive lockdown or not. We can't know without seeing the governance directives given to that IT department by their Board in terms of risk appetite. I bet Dave doesn't know. If IT's reaction is excessive in the context of that organisation, this is not entirely a failure of IT. It takes two to tango. This is at least equally a failure of the organisation's corporate governance of IT to provide proper direction, monitoring and evaluation.

The Forbes author has failed to understand the IT profession, the challenges it deals with, and the priorities it delivers against, and how it should be governed, before slagging it in terms both patronising and smug.

It is not all his fault when vendors pump the hype like this gem from TechCrunch (another source that wouldn't know real industrial IT if it bit them).

It is very hard to find an independent voice in the IT mosh-pit, what with the vendors and their parasitic analysts all talking up business. Please Dave, take the time to talk to someone who actually knows how IT works and what it does. You could do worse than to start with this guy's plaintive appeals for understanding:

Although clients lined up for my help the very day the iPhone was released five years ago, Apple didn't incorporate until summer 2010 any capabilities for enforcing passwords and being able to wipe an iPhone of sensitive company assets if stolen. Still, clients were undeterred by the lack of admin features. Only when managers experienced firsthand the early inability to wipe the device from a terminated employee or my inability to remotely configure their device did they stop to consider what is the bread-and-butter of my everyday existence: I make things work right for us, despite varying circumstances over time. Nearly everything works great out of the box; it is how things hold up over time (particularly during times of stress and challenge) that truly determines greatness.

Do users no longer expect IT to rush to their aid when they have a problem with their device that prevents them from doing their work on time? If they are not relieving IT of that obligation, how could they deny IT a fair opportunity to review and learn how to support a new device, never mind the time to evaluate and judge whether it can meet various core standards?

When the wealthy high-ups with access to so much critical data think they can get away with a weak four-digit numerical device password (the default option on an iPhone), they figure there's no reason to do more than that, nor to accept IT's demand for something better. Worse, they set a poor and dangerous example for the rest of the staff. Many users don't stop to consider what it takes to make device properly secured.

Incidentally Dave, the Microsoft/Accenture joint consultancy Avenade doesn't agree with you:

The study, Dispelling 6 Myths of Consumerization of IT, indicates a fast-moving shift in the use of consumer technologies in the workplace and a surprising level of investment in this trend by IT.

As Galen Gruman said about that survey:

60 percent of companies are now adapting their IT infrastructure to accommodate employees' personal devices, rather than to restrict employee use of personal devices. So much for the fear reaction.
73 percent of C-level executives reported that the growing use of employee-owned technology is a top priority in their organization, and 88 percent said employees are already using personal technology in the business. So much for the notion that IT and business leaders have their heads in the sand about the consumerization phenomenon.

A more reasoned argument than Dave's comes from Simon Morris at ServiceNow

I feel that in the majority of organisations ...IT hold[s] the veto over technology decisions that could enable the business to do more.
When the IT organisation cast the veto on a particular venture that the business wishes to embark on - a topical example would be the use of iPads, tablet devices or BYOD - I'm sure that they are great at considering the risks involved, but cast a blind eye to the potential benefits.

Firstly - I don't think there are such things as "IT risks". There are business risks owned by the IT organisation, but to claim a risk as an IT risk is to put ourselves in a self-serving role.

Yes and no. Accountability for all risks flows back to the organisation's governors. Those governors delegate responsibility for managing and reporting IT-related risks to IT. it is an oversimplification but I think that very roughly IT Solutions is responsible for facilitating the creation of new organisational means to deliver value, and IT Operations exists to facilitate the creation of value by operating IT-related value mechanisms, and to protect that accrued value (the organisation's assets) by managing IT-related risks. That is long-winded but it is more useful than "Solutions build stuff and Operations run it".

The benefits of technology enabling the business are benefits owned by the business. The risks of technology enabling the business are also risks owned by the business.

IT should be in a position to protect it's users, but not by owning the risk and casting a veto, rather than providing mitigations to lessen the impact of that risk.

IT can have a veto if organisational policy (from the governors) gives them one. Architecture is an important example. Architectural standards exist to drive efficiency, future-proof the organisation, and reduce risk. Exemptions to standards should be escalated to the governors, usually the Board. We built those standards out of the pain of past experience. New technologies don't justify throwing them away - in fact the need becomes more desperate.

More from Simon:

And anyway - if the venture that the business is proposing is SO risky we [in IT] should be confident in our arguments, and the delivery of the arguments that the business would evaluate it and decide against it on their own.

The definition of risk is a balance between potential harm and potential benefit. When the IT organisation claims a particular idea is "too risky" I often wonder what they are comparing it against in terms of value.

All that I have said refers to governance theory. In practice, the Board are often the worst offenders in ignoring IT risks, usually because they are inexcusably ignorant of IT considerations and don't respect IT enough to take their advice.

So in the real world, IT often stands as the thin blue line between uncontrolled business units and potential losses or disaster. I wonder what the security guys at Sony were begging for before the user data got hacked. And I bet the IT Risk Manager for Google or Amazon gets heard loud and clear at the highest levels, because the Cloud providers live or die on their reputation for impregnability and reliability.

Sure, I accept that sometimes the problem is just the IT people being pig-headed. I've said so myself. Rob Stroud said "The harsh reality here is that the CIO and IT will need to recognise that total control, perceived or real, will be lost and their role will transform to be strategists and aggregators who will foster and drive innovation in their organisations".

Burt hang on! Just about everybody talks about how IT has to change. Few talk about how the organisation has to change; to grow up in its understanding and use of IT. The very fact that most IT departments need to closely manage the risk-taking behaviours of the rest of the organisation just demonstrates the immaturity of that behaviour. One day business will grow up and start using IT like adults, instead of treating it like a toy and throwing a tantrum when they can't have the shiniest new gadget.


Re: Enterprise Security and other things

Let me state that I work for a Forbes 500 company, as an IT person. I'm not a contractor, I'm actually an employee of that company, and so I see the IT situation from the inside. Having said that, the company does a lot of the actions that the Forbes article lists, and a few others that they don't. For example, iPhones are no longer being considered as a standard for company use. iPads are allowed for company business, but the can't be hooked into the company network. Personal equipment is not to be used on the network, nor is personal equipment to be used form home for company work. The list goes on for a little while here, you get the gist.

But at the same time, you have to consider that we maintain company data, but government data (many governments, to be honest), along with in some cases competitor data. You can't be lax about this stuff, and there's always an active push to protect the data. This of course, flies in the face of the Avenade survey, as the company I work for would never move in those directions suggested.

Admittedly, the company I work for may be more of an outlier here, but it wouldn't be the first time.

Stand firm

As I said in the post we

don't know if this is excessive lockdown or not. We can't know without seeing the governance directives given to that IT department by their Board in terms of risk appetite... If IT's reaction is excessive in the context of that organisation, this is not entirely a failure of IT. It takes two to tango. This is at least equally a failure of the organisation's corporate governance of IT to provide proper direction, monitoring and evaluation.

The same applies to every organisation. Such blocking is not automatically wrong. And a wide open, loving, sharing, sunny IT policy is not automatically right. People aren't all stupid.

Well-timed rebuttal

Consumerization: The view from IT you may not like but need to hear


I came across this article shortly after finding the insane Forbes article. It's the perfect antidote.

But get this from the trenches

We had a business exec demand that they take their shiny new iPAD roaming with them on an o/s vacation so they could "keep in touch". (given out because the exec was envy when they attended a board meeting and was the only one who didn't have one)

They ran up $25,000 in telco bills whilst away within just a couple of weeks. That's real dollars - Aussie ones. This person was given a laminated cheat-sheet to keep consumption down (log in, send/receive your email then disconnect and work away).

Then had the gall to blame IT for not locking down the device - it turns out that their snot-nosed teenage spawn was a big NBA & NFL fan and was streaming game after game. No, we hadn't blacklisted any non-work sites, as our definition of keeping in touch was based on common sense.

Initially refused to pay the bill and this got escalated up high enough for IT to have a new enemy.

Budget or Billing - I know which I prefer!

But if IT was in a position to bill that exec for his usage - where is the problem then? That is the place IT should be going to - like Cary has mentioned, Away from being an overhead.

(IT) Budgets create limitations while the business is requiring more flexibility. Going back to basics - if you demand more of something you should pay for it. That exec demanded a new toy and used it a lot (he was responsible for its use as long as he had it) and should have been charged for the usage or his department charged. Until then the business will demand this of IT and expect IT to pay from their budgets.

What happened here, dealing with business demand IT has now made an enemy. That is what happens but until change of behaviours cone - what else can be expected?

Over their heads

Financial models can help, but charging policy is only one way of managing such demand, of course. In the specific example I wonder if there was a technical solution to prevent streaming services that might have been deployed, for example. But back to charging, even a by-usage charging policy might not change perceptions of IT - they just become an expensive necessary evil rather than one the company used to pay for. It might influence some decisions, but it might make IT's life all the harder and more costly. We're back to strategy alignment and governance really.

In truth, even if the Exec was charged he's an overhead as well, it's wooden dollars and would he care? I suspect not.

Of course it doesn't help when the business leaders don't lead by example. At a former client, the MD refused to be treated any differently to anyone else - went through the IT processes, waited for lead times; this made it all the easier to help him when he needed something unusual, because it was exceptional and IT recognised that fact. More importantly it gave the mandate to IT to manage their support services properly, which led to better service quality, response times, etc. If only all were like this.

People like Dave will never get it because they blur the lines between business and personal enablement too far. Everything IT does that isn't personally convenient makes IT the devil. So quotaing of his email or storage would be wrong because 'disks are cheap', restrictions on international data roaming would damage his ability to get the football scores, etc etc.

But Dave isn't the guy who needs convincing - he's an end user with a chip on his shoulder. C-level people will be convinced only by the cost-effective delivery of their strategy, and where IT enables that IT needs to make sure it's visible. That is to say, ultimately it's a question of visible value.

Rich Pemberton

front lines

Thanks for dispatches from the front lines.
There are real reasons why IT have evolved the controls we have.

Champagne Dreams on a beer budget

I conceive that as long as IT is an overhead department for which the company gives x (5%) of the total revenue to receive unlimited services (or to many that's the perception) and IT remains the "bad guy" gatekeepers, this is going to continue.

When IT decides that they want to build investment-based budgets, collect costs for services, make those costs tranparent to business management, base those costs upon business-describable levels of service - then this unfortunate cycle of unlimited expectations and budget constraints will continue.

IT can build trust with the "rest of the business" by making the services and their costs transparent - or not.

IT can have regular discussions about business risks, IT capabilities to respond to them, and the costs involved - or not.

IT can shift the management of the budget to the "rest of the business" to get their collaboration with controlling costs - or not.

As I see it now, IT's customers (the rest of the business) is being marketed to by all sorts of "Cloud" and outsourcing providers - the biggest disintermediation play in history. IT can either step up and start acting like a Prime Contractor that provides services and demonstrates value - or the can watch as pieces of their portfolio are picked up by suppliers and their influence wanes. Soon IT will be left with the legacy app dogs.

IT can act as trusted advisor and expert management of services, or it can act as the overhead IT department.

IT Management and Business Management can openly discuss the risks (pros and cons) of thes different technologies only when IT gains the trust of business to have these discussions and can do so by combining the price of choices into the discussion. Few IT organizations can do that.

Stop turning the blame and responsibility back onto IT


I think you've been on the frontline too long :) Victims of violence can end up blaming themselves for it. Stop turning the blame and responsibility back onto IT. How about the Boards that have never taken the time to understand their obligations and accountability with regards to IT? How about the Executives who have found it convenient to let IT take the rap for their own failure to understand that aspect of their business, or to resource it properly? How about all the staff who think that because they can plug in a router and install antivirus, IT must be easy? All the people who think they should be able to have anything they want regardless of the broader implications for their employer?

This isn't IT's fault. Oh sure we have to accept a component of the blame. But I'm sick of being told to take all of it. I'm proud of what we achieve as an industry, and those who want to see us all as The IT Crowd can go mono-procreate. It's time we redirected some of the crap back.

Poor old Dave, IT just

Poor old Dave, IT just aren't giving him what he wants (for his is a protestation on personal constraints not business risk).

If that list is true in its entirety I think it's fair to say the business - in partnership with IT - recognises data and information as critical to their business. Port 25 was clamped down upon in my last client organisation by the anti-virus solution, to help prevent the malware bring SMTP servers into effect throughout the organisation. An earlier client had no external devices - USB, DVD, etc - permitted whatsoever. Another regularly told IT to 'throw disk space at the capacity problem because storage is cheap' - well it might be, but the cost [to IT and the business] of managing storage in that way...

It's growing pains though. IT is beginning to mature in its management of risk, and now more regularly defers to the board's risk appetite in its plans rather than take the 'computer says no' stance. I wonder how clearly the board are communicating that it's a business decision rather than an IT decision to restrict USB access?

I use USB access specifically because very recently I was involved in an information security project where this became a very hot topic indeed. What made sure it happened was that the management board visibly owned the decision, they communicated it to all through a board-appointed Infosec Officer and supported it with a clear statement on how circumvention would be handled.

I think the prime key to its success though was that a solution was offered, in that pre-prepared [by IT] secure USBs were made freely available to anyone who asked. Thus IT were positioned - and communicated - to be providing a solution, not just the constraint.

Dave Gardner doesn't mention what alternative solutions were available, but I've experienced them in every one of his bullet points. Quick examples:
- Facebook/Skype/home email: availability of unrestricted internet PCs in communal areas
- BYOD: guest internet access to web-published services
- No chat: Lync, Cisco WebEx connect are increasingly provided.

I think Dave's lost sight of the fact that as a consultant he might have a greater personal business need to access services outside of his client - but this isn't his client's responsibility, it's that of his own business. Conversely if he spots a need in his client, such as responding to the email-centric nature of a business by equipping employees with Blackberries, he can influence or make a proposal - perhaps it's not as cheap to run as he thinks from the outside.

It's gusto from someone so ill-informed and self-involved as to make it almost irrelevant. It will stoke those who think grown-up business will enable its departments to do their own thing rather than come in line with the business and IT strategies, of course, but I dunno - sounds to me like someone's taken the jam out of Dave's doughnut very recently. Anyone who's had to deal with a security breach with real business impact won't give him the time of day.

Rich Pemberton


I worked in a hospital long ago where the management (read: administration department) decided they couldn't pay the outsourced (but wholy owned) IT service provider for 24x7 support. so the service desk staff were on an unpaid roster to provide emergency support out of business hours.
Even the head of clinical services didn't know this until I told her. Heck she didnt even know we weren't there 24x7. I was with her to explain why non-critical things weren't being fixed until next day. When I told her that she and her staff were in fact calling us at home in the middle of the night she was horrified. Initially she was abusing me because she thought it was the service provider's idea not to have anyone there at night.

So your point about governors and executive communicating and visibly supporting decisions is a key one.

Syndicate content