Last fall I had the pleasure of engaging Jeff Sussna, Christian Verstraete and Christian Reilly in a multi-day discussion on Twitter regarding IT’s relationship with cloud providers. As it developed, the conversation morphed into a discussion of potential metaphors for IT.
At the mention of “metaphor”, I’d imagine that eyes are glazing over, but bear with me while I establish its relevance to IT. Now Merriam-Webster tells us that “metaphor” is “a figure of speech in which a word or phrase literally denoting one kind of object or idea is used in place of another to suggest a likeness or analogy between them”. We find this same type of analogy used with patterns, the concept of which came out of Christopher Alexander’s A Pattern Language. In essence, these metaphors are patterns, communicating a potential solution to problems of enterprise IT architecture in the same way that “bridge” and “factory” communicate potential solutions to software design problems. As such, they provide a frame of reference to those of us within IT as well as those we serve. Their importance lies in the message they convey to both sides of the table.
Two candidate metaphors emerged from the discussion. Christian Reilly took the view that an IT department’s role should become like that of a concierge, a service aggregator. While agreeing in principle, I took the position that a better analogy was that of a general contractor. A general contractor works to meet the client’s needs, performing some services while subcontracting others out, in a manner similar to the concierge. The difference is that the contractor possesses a set of domain expertise useful for advising the client. The contractor is also bound by building codes that constrain him/her in delivering the customer’s requests. This describes what, in my opinion, the role of IT should be.
The dysfunctional situation described in the first post of this series, “Fixing IT – How to Make a Monster (Customer)”, defines the antithesis of an effective IT operation. “Fixing IT – Taming the (Customer) Beast”, the second post in the series, discusses some of the mindset changes needed to repair the relationship between IT and the business and why that relationship is so important. The third post, “Fixing IT – Products, Not Projects Revisited”, outlines the way delivery processes can affect IT’s relationship with the business. “Fixing IT – The Importance of Ownership”, the fourth post in the series, takes on how the issues of budget and ownership can affect the relationship. This post, will wrap up the series by bringing those issues together to outline my opinion on how IT can move forward in spite of the challenges it faces today.
The ZDNet post that inspired the discussion I mentioned above, “4 ways IT can rise above outside cloud competitors”, is an excellent example of how IT can turn things around by providing additional value to cloud services. This can be done by acting as a pseudo-VAR in place of acting as a competitor as the ZDNet article proposed. In either case, IT provides real value to the business via its specific knowledge of both the business domain and the in-house technical environment. This approach, advocated by Christian Verstraete in his HP Blogs post “Respond to Shadow-IT, source services from external providers”, is becoming more and more necessary because 7 out of 10 organizations are using unapproved cloud applications (according to a study from January, 2013).
IT has been in this position before. Thirty years ago the disruptive, security challenging technology that IT had no time and budget for was the PC. History teaches that that genie is not going back in the bottle. Instead, the winning approach is to enable the use of technology that furthers the goals of the business (which is all the business wants, anyway) in a safe manner.
The words “in a safe manner” above is what makes the general contractor metaphor appropriate. IT serves two sets of masters, the individual business units and the enterprise as a whole. Sometimes, the interests of a business unit can conflict with those of the organization as a whole. In these situations, IT has a valid reason to refuse to break the rules (although finding a way to achieve the desired outcome and stay within the rules is better than a flat refusal). What is important is that the rules, as such, are not owned by IT, but by the organization. IT is well placed to advise the enterprise about the technical capabilities and trade-offs around decisions regarding security, business processes, etc. It is inappropriate, however, for IT to attempt to dictate these decisions (this is actually an example of a business unit’s interests potentially conflicting with those of the enterprise). Steve Jones illustrated how counter-productive this usurpation can be in his post “Why your IT strategy failed or why the business hates IT”:
IT Guy: “The new systems have new processes and we need to tell you what they are so you can change.”
Business Guy: “Have you done an impact analysis against our current processes?”
IT Guy: “No we’ve just defined the Best Practice To-Be processes, you need to do the impact and change management. We need the meeting so we can tell you what the To-Be processes are”
Business Guy in a voice so dripping with sarcasm I thought we’d have a flood: “I look forward to our IT department telling the business what Best Practice is for our industry.”
IT Guy, completely failing to read the sarcasm: “Great we’ll get it organised”
Some take exception to referring to “the business”, observing that IT is part of the business. This, of course, is true. However, the best way to demonstrate that is not via the terms used in conversations, but via the support given to executing the enterprise’s strategy. Making things happen is the way show that support.
Form Follows Function 
“What is important is that the rules, as such, are not owned by IT, but by the organization. IT is well placed to advise the enterprise about the technical capabilities and trade-offs around decisions regarding security, business processes, etc. It is inappropriate, however, for IT to attempt to dictate these decisions”
Business processes should be determined by the appropriate business unit. That includes the IT business unit. And just like IT should advise the business units in how IT impacts their processes, business units should advise IT on how their needs impact IT decisions. But the decisions must be made and owned by the group with the appropriate expertise.
That’s why I’ve been referring to this as a “balance”. Each group needs to be responsible for, and should own, process decisions in their area of expertise. None should make these decisions without consulting the others. Sometimes one group or another has to give. Sometimes one group or another can’t afford to give.
LikeLike
Here’s the thing…I see very few decisions as being “IT decisions” (other than decisions about IT’s internal operations). There are business decisions about technology that belong to individual units, those that belong to groups of units, and those that belong to the enterprise as a whole. We don’t “own” the decisions at the upper levels of granularity – when a business unit is making money with an unapproved technology and we can’t make the case for stopping them, then the real owner will slap us down. We lose credibility and end up with that much more shadow IT. At the end of the day, the ones paying the bills are going to own the decisions. Working with and not against them is the best way influence those decisions.
LikeLike
“I see very few decisions as being ‘IT decisions'”
Nor should there be many of them. IT overreach, while rarer IME, is just as damaging as business overreach. Which doesn’t change the facts that 1) The business just has a naturally longer reach and 2) I think I’ve run this “reach” metaphor as far as it should go. 🙂
“We don’t “own” the decisions at the upper levels of granularity – when a business unit is making money with an unapproved technology and we can’t make the case for stopping them, then the real owner will slap us down.”
The problem is that there’s a big difference between “can’t make the case” and “can’t SELL the case”. And yes- in practicality the real owner is indeed the business in cases like this. They just shouldn’t be. I’ve cleaned up too many messes caused by the business deciding that they were going to ignore IT cases simply because they could. All but one of my previous employers (current one is not counted) have had major failings in several areas because IT didn’t own IT decisions and weren’t allowed to enforce them. Mostly in the realm of InfoSec.
LikeLike
“I’ve cleaned up too many messes caused by the business deciding that they were going to ignore IT cases simply because they could.”
Yep, and the classic management situation perpetuates that. When IT “owns” technology, business units get to wildcat and then dump the result (“good” or bad) onto IT for support. In my experience, people become a lot more reasonable and open to suggestion when they’re going to have to live with (i.e. pay for) the results of their decisions.
InfoSec is a good example. It’s an enterprise policy, not an IT concern (“…weren’t allowed to enforce them” = management wasn’t on board). You don’t want to be the cop, you want to be the one helping them get what they need while staying on the right side of the “law”.
LikeLike
Apparently, we’ve hit WordPress’ “Reply” limit.
InfoSec may be an enterprise policy, more or less, but it’s definitely an IT concern. I’ve never seen executive management step up to clear out a website and database that has been so thoroughly compromised that it isn’t necessarily accurate to call it “ours” anymore. Nor would I expect them to- this is something that comes with owning your area of expertise. But in these cases, I rarely see business units or upper management “pay” for the decision to ignore InfoSec policies. It’s more often a case of someone else owning the decisions while IT owns the consequences. Since IT is the only group that can own the consequences, they should also own the decisions. Of course, maybe I’ve just been super unlucky in this area. All I have are my experiences and observations.
You’re right- ideally, I want to be the guy helping guide toward the best decision, which often means a balance of everyone’s needs. But at times, someone needs to be the cop. Seems only reasonable that the people who own the results of the decisions should get to play that role.
i’d make this same case for business units insisting on non-dangerous, but misguided, IT requests. I’m going to stick with development because that’s what I know. If a business unit communicates a need to development, but for whatever reason implementing that need turns out to be harmful to their process- maybe they don’t need the work after all, maybe it turns out that they can’t pay for it, whatever- then they own both the decision and the consequences. In a case like this, IT should offer advice, but since it’s a business process request, the business unit should have final say. It’s just as wrong for IT to own the decision of if and how a business process should be implemented but stick the business unit with owning the consequences.
LikeLike
“I’ve never seen executive management step up to clear out a website and database that has been so thoroughly compromised that it isn’t necessarily accurate to call it “ours” anymore.”
Of course not. I’m not talking about doing the work, I’m talking about making the decisions and being the one to enforce them. It’s a lot easier for the CEO to override a rule made by the CISO when the offending executive shows some revenue than it is for the CEO to override his own rule (which was ghost written by the CISO). Likewise LOB executives are less likely to ignore upper management dictates than IT dictates. If upper management won’t commit to the policies up front, then you’ve got a systemic issue – IT can “own” it, but they don’t own anything of substance because they won’t get the support when it’s needed.
LikeLike
Yes, upper management can always veto decisions. Whether they know the consequences or not. And yes, executives/managers can always ignore IT. I think we’ve all bee there, and I think we can all agree on how toxic that sort of environment gets. But it’s toxic because other areas are ignoring decisions made by the group charged with being the experts in that area.
But regarding whether or not it’s appropriate for IT to own certain policy decisions, there are a few that they should. Not many, but a few. And the reason does come down to their area of expertise and the fact that they’re the ones with the responsibility for dealing with decision consequences. Communication and buy-in are key, of course. Nothing in a company should be a dictatorship. But certain matters should be decided, and enforced, by IT. Just like a legal department has final say on certain communication matters because they know the legal consequences of, for instance, using company email to talk to someone about an ongoing lawsuit.
Sure, the corporate world doesn’t always work like that. But it should.
LikeLike
Regardless of how things should work, we’re stuck with how they do work. I’ve seen the oblique approach (advise those with the actual power and let the rules go out under their signature) work time and again.
LikeLike
Pingback: Conflicts, Collaboration, and Customers | Form Follows Function
Pingback: Fixing IT – Too Big to Succeed? | Form Follows Function