1. Myth: If you get more “efficient” at IT, you will get a more “efficient” organisation. Reality: The more cost you take out of IT, the worse it is for users and customers. Optimising your cost base to the point, for example, where users have a PC that is orders of magnitude less capable than their delightful home consumer experience will just cause them to bring their own laptops to work. Then they’ll break all your security rules in order to use them. And what are you going to do about it? Fire them?
2. Myth: You must have IT security people who must approve everything you do in order to secure the organisation and manage your risk. Reality: Some IT security people don’t have much understanding of the new stuff they’re asked to adjudicate on. They just make it up as they go along. The worst ones can’t be bothered to keep up because it involves too much work, and anyway, they always have the ability to just say “no”. This doesn’t manage your risk; all it does is slow you down. On the other hand, count your blessings if you have been lucky enough to get a security group that know how to show you what you can do to do new things safely and efficiently.
3. Myth: High quality on-time and on-budget delivery are the development objectives and this will make you an IT leader. Reality: Who cares about whether you’re an IT leader or not from a development perspective? Superb delivery is a waste of time if what you’re delivering is crap in the first place. Forgive me the arrogance, but my observation is that many traditionalists don’t get the way the new world is changing as a result of technology, so what makes you an IT leader is if you can help them understand that, actually, what they’re trying to build is rubbish.
4. Myth: Most IT projects fail or are late, so we have to improve our failure rate to be successful. Reality: Causing any change whatsoever to happen is a success, since everything is optimised around stopping change in an IT organisation. If improving the “success rate” means doing less new stuff, then you’ve got a big fail coming up when your organisation fails to adapt because IT stopped it doing so. All in the name of improvement.
5. Myth: Governance is the key to discipline and control in an IT organisation. Reality: Governance is like a virus. It grows as swiftly as possible to consume all available resources, and then declares success when there are no project failures. Usually, this will be because there are no projects, or at least, none that have much way of progressing. Why does this happen? Because Governance is a licence for people without much capability to drive change themselves to get in the way of those who can and declare that they’re “part of the journey”. ‘Tis a rare Governance person who knows when not to govern.
What other sacred cows do you have in your IT-Shop?
"Most IT security people don’t have much understanding of the new stuff they’re asked to adjudicate on."
Possibly a little harsh, but I take your point. What is frustrating here, to my mind, is that tools for risk analysis are well-known and well-understood but they are used in a kind of review mode (or as part of gateway reviews) rather than as part of the continuous evolution of systems. I think it's security guru Bruce Schneier in one of his earlier books who said "security is a process, not a product".
I'm sure that many people in your organisation would agree that security (and privacy) should be built in, not bolted on, so we're all on the same page.
Posted by: Dave Birch | March 09, 2010 at 08:29 AM
You know, you're right. That statement of mine was too harsh. I'm going to modify it. And of course, everyone agrees - here and everywhere I think - that security is an essential part of everything. How could it not be? Your point about the process being built in and not tacked on is right on the mark.
Posted by: James Gardner | March 09, 2010 at 08:45 AM
Totally agree with all your points, James, with the exception of 4, the logic of which escapes me.
Causing any change is a success, even if what's changed is a failure?
Failure as in "not in the users' best interests"?
Surely not. Surely the goal's not change itself, the goal should be better ways of working. Sure, change is part of that, but it's just a component, like IT.
Aren't components always the means, not the end?
Any project races against obsolescence and irrelevance from the day someone even considers it. Overrunning IT projects are an anathema to success. They destroy advantage, remove benefit, drain budget. They are a total, absolute waste of time. Literally.
The only constant about IT is that the next version will be better, the next methodology more efficient and the next cost lower.
If a project overruns, it removes your opportunity to capitalise on those benefits because it's probably still implementing version 1 when version 3 hits the street.
But the worst thing about overrunning projects?
The suppression of new ideas. Imagine this.
Techy: "Wait a minute, look at this. The Cloud version's ready now. We don't need that data centre we're building. This does everything better and cheaper..."
PM: "Stop right there. If you think I'm cancelling this now, after 5 years, 6 zillion man hours, spending £nn Million with the Audit Commission breathing down my neck to do something totally different, you're mad".
Show me that never happens and I'll retract.
Posted by: Neil Robinson | March 10, 2010 at 10:02 AM
Governance is indeed a challenge in very large organisations with in excess of 50-150 projects often operating concurrently. Sometimes every project has its own project board, and of course the Business Sponsor insists that the highest member of IT is there just to demonstrate commitment and give the impression the project is important and has some clout, peer pressure can sometimes interpret delegation as a snub. This can all end up being a bit of a dilemma and a paradox.
A Dilemma in that with so much going on, people want a sense of assurance and control, but often project boards are not very well run and can end up as talking shops with a cast of thousands.
Often the invitee to a project board can be handed a 100 page briefing pack, half an hour before the meeting.
Sometimes those senior managers attending such things end up suffering information overload, or if they have to attend very large numbers of boards then their eyes can start to glaze over and fall asleep, resulting in poor decision making and therefore a paradox.
Other types of board (often Centralised) e.g. an investment committee, an enterprise architecture board, technology board etc, can be so crammed full with agenda items, that in the end there is not enough quality time to give to the relevant issues.
So considering Governance both as an investment and a process – Governance must be heavily optimised if it is to be both efficient and effective.
I think current industry mechanisms for Governance do not scale very well and can be overly hierarchic.
Perhaps a more inclusive, collaborative non-hierarchic form of governance enabled by Web 2.0?
Actually allowing people to make decisions remains an issue of empowerment.
Posted by: Stephen | March 10, 2010 at 05:27 PM
James,
Fantastic as always.
Myth 1: Consumerization is at the core, over the next few years - if it's not already in smaller firms - is THE driving force in end user computing
Myth 2: IT Security is critically important but shouldn't be worrisome and it's not a reason not to do something. These blockers need to switch up their thinking and ask how they can make things better by making them more secure. If they don't know, they need to learn.
Myth 3: IT leaders today should be looking at consumer behavior as a bellwether for business behavior, it's been switched up and I think you are spot on.
Myth 4: Failure is a requirement of success. Many people don't get that, many people like to talk up success and hide failure. Well the first should be a given, the latter needs to be talked about, there's more to learn from it and far more impetus to do so.
Myth 5: I do this to an extent and I've learnt that I don't know everything (anything?) as such we get more done with more people with more freedom. All I do is shine the torch. I think it's the best approach.
As I said, great work and from me, 100% agreement!
Posted by: Simonster | March 10, 2010 at 09:16 PM
Neil, of course I agree that budget overruns and late delivery are bad things. Ideally, you'd not have them happen at all. But what I'm arguing here is that IT organisations are optimised to prevent change (for my complete argument on that, check this link: http://www.littleinnovationbook.com/technologists1.html), and in that context, getting anything to happen at all is a success.
Posted by: James Gardner | March 11, 2010 at 06:58 AM
It is an issue of empowerment, and my argument is that governance people are all about taking empowerment away. That's the thing to fight, of course.
Posted by: James Gardner | March 11, 2010 at 07:18 AM
Regarding #1, the answer is 'yes', sadly. I worked in a place where things were 'sackable offenses'.
Regarding #2, people need to be sensible. Vulnerabilities can be found almost everywhere, it's about proportional risk.
How the flip can you be expected to innovate if you can't actually do anything?
LOL @ "Superb delivery is a waste of time if what you’re delivering is crap in the first place".
Regarding #5, I wonder if that's something you see more in the public sector?
Posted by: Struth | March 12, 2010 at 04:34 PM
James; it's about the GOVERNANCE thing. Can you say ISO38500 and do you understand it?
Posted by: Chas | March 15, 2010 at 12:39 AM
There's governance, and then there's governance. Too many people think that governance is just like management, only more formal and rigorous. Those are the people who put in more and more gates and clog up the system with bureaucracy to the point where nothing happens.
Really, governance is about making sure that the right people are doing the right things - it's very much about empowerment. The critical key to empowerment is being clear about responsibility, and the lubricant that makes empowerment work is policy that empowered people use to guide their decision making.
ISO 38500 is founded on this view of governance, and it works. My book, Waltzing with the Elephant, explains how. See http://www.infonomics.com.au/wwte.htm.
Mark Toomey
Posted by: Mark Toomey | March 17, 2010 at 09:32 AM