Seven Things IT Should Be Doing (but Isn't)

No. 4: Flirt with disaster.
Many organizations think they have a disaster recovery plan in place, only to find out too late it's inadequate. Or they think that simply backing up their data is enough, with no way to keep the biz running -- and the revenue flowing -- while they attempt to recover.

"You'd be surprised how much downtime happens -- as well as lost goodwill from clients and vendors -- when you lose your data," notes Dimitri Miaoulis, vice president of Baroan Technologies, which provides 24/7 tech support for small businesses. "Every business needs a continuity plan that describes how it will continue to function, not only with technology but mail, fax, deliveries, phone calls, where people go, and what do they do."

But simply having a plan isn't enough -- it needs to make sense in real-world situations, says John Biglin, CEO of Interphase Systems, a management and technology consultancy.

"We had one client, a multi-billion-dollar HR services company, with a disaster recovery manual four inches thick," Biglin says. "On its Exchange Server Configuration page, there was one sentence: 'See company intranet for the latest information.' If the network at their corporate headquarters went down, they'd be completely hosed."

Blank backup sets, crumbling storage media, and recovery plans that haven't been updated since 9/11 -- all are recipes for an even bigger disaster. Large firms may have a comprehensive continuity plan but fail to update it regularly or do dry runs to see if they actually can recover and keep operating, says Biglin.

"Even customers who have a plan rarely take the time to validate that it works," he adds. "Unless you've tested it and can show that it truly works, you don't have a plan."

No. 5: Capture old knowledge (before it disappears).
Odds are you have at least some of your key business data written in an ancient computer language, locked away on old iron, or buried inside the brains of aging coders. You need to capture that knowledge and bring it into the service-oriented century, or have a staff of semi-retired COBOL programmers on hand to draw from.

"The biggest thing IT isn't doing is capturing the 'corporate knowledge/culture' that their retiring IT staff has," says Robert Rosen, CIO of a U.S. government agency. "It's all the stuff not captured that will come back to bite IT when something fails and they say, 'Joe always knew how to do that.'"

It's not just the graybeards, says Venkat S. Devraj, co-founder and CTO of datacenter automation firm Stratavia. Everyone's day-to-day tasks need to be documented so that business processes continue to flow. "Otherwise, when an employee is on vacation, gets sick, is promoted, or leaves the company, the IP [intellectual property] is not available to get the job done with the same level of quality and predictability," he says.

The bigger, more important step: Become less dependent on aging code, says McFarlane, whose Nexaweb Advance software explores aging code, documents the business logic and rules embedded within it, and transforms it into a modern Java application that can be delivered over the Web.

"Enterprises must learn how to be less dependent on the shrinking number of folks who are well versed in the applications running the business like COBOL, PowerBuilder, and Oracle Forms," McFarlane says. "Most CIOs won't admit it, but not only do many of them not know how these applications work, they don't know if these applications work. All they know is they've got 30 million lines of COBOL code and no COBOL programmers, institutional knowledge, or documentation. They need to go in and liberate their intellectual property from the bowels of legacy systems."

No. 6: Plug data leaks.
Data spills are almost inevitable, but you can minimize risk and mitigate damage by keeping an eye on orphaned accounts, lax oversight of permissions, and mobile data access.

A survey of more than 850 executives by security firm Symark revealed that 42 percent of all businesses have no idea how many orphaned accounts exist on their networks, and nearly one-third have no procedure for removing them. Worse, many organizations are lax about policing who's allowed to access what data on the network.


"It's not uncommon for folders on file shares to have access control permissions allowing everyone to access the data inside it," says Johnnie Konstantas, vice president of marketing at Varonis Systems, a data governance solutions provider. "Global access to folders should be removed and replaced with rules that give access to the explicit groups that need it."

Konstantas says IT departments need to maintain a current list of everyone who "owns" each data store and review or revoke permissions on a regular basis.
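A permissions review of the kind Konstantas describes, as an added example that is not from the article or from any vendor quoted in it: the script audits a constructed file-share ACL inventory for entries that grant global access, entries held by orphaned accounts, and folders with no recorded owner. The share paths, account names and the directory snapshot are all made up for the example.

```python
from dataclasses import dataclass

# Principals that hand a folder to the whole company; any ACE naming them is a finding.
GLOBAL_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}

@dataclass(frozen=True)
class Ace:
    folder: str      # UNC path of the shared folder
    principal: str   # user or group granted access
    rights: str      # e.g. "Read", "Modify", "FullControl"

# Constructed sample inventory, as an ACL export of three shared folders might look.
ACES = [
    Ace(r"\\fs01\finance\payroll", "Everyone", "Modify"),
    Ace(r"\\fs01\finance\payroll", "Finance-Team", "Modify"),
    Ace(r"\\fs01\hr\reviews", "HR-Team", "Read"),
    Ace(r"\\fs01\hr\reviews", "jsmith", "FullControl"),     # user left; account disabled
    Ace(r"\\fs01\eng\builds", "Authenticated Users", "Read"),
    Ace(r"\\fs01\eng\builds", "svc-oldbuild", "Modify"),    # account deleted, ACE left behind
]
# Constructed directory snapshot: principal -> enabled flag; deleted accounts are absent.
DIRECTORY = {"Everyone": True, "Authenticated Users": True, "Finance-Team": True,
             "HR-Team": True, "jsmith": False}
# Constructed owner register; the builds folder has nobody recorded as its owner.
OWNERS = {r"\\fs01\finance\payroll": "cfo", r"\\fs01\hr\reviews": "hr-director"}

def find_global_access(aces):
    """ACEs granting a global principal access; replace these with explicit group grants."""
    return [a for a in aces if a.principal in GLOBAL_PRINCIPALS]

def find_orphaned_aces(aces, directory):
    """ACEs whose principal is disabled or no longer exists in the directory."""
    return [a for a in aces if not directory.get(a.principal, False)]

def folders_without_owner(aces, owners):
    """Folders in the inventory with nobody recorded as responsible for reviewing access."""
    return [f for f in sorted({a.folder for a in aces}) if f not in owners]

def audit(aces, directory, owners):
    """Combine the three checks into one review report keyed by finding type."""
    return {
        "global_access": find_global_access(aces),
        "orphaned": find_orphaned_aces(aces, directory),
        "unowned_folders": folders_without_owner(aces, owners),
    }

if __name__ == "__main__":
    for finding, entries in audit(ACES, DIRECTORY, OWNERS).items():
        print(finding, *entries, sep="\n  ")
```

In practice the inventory comes from an ACL export of the file servers and the directory snapshot from the identity store; the checks stay the same.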

Lax permissions policies, coupled with the growing threat from rogue mobile devices, raise the possibility of accidental data spills and deliberate data breaches, notes Ben Halpert, an information security researcher and consultant.

"The current security model is inadequate for dealing with today's threats," he says. "When it comes to mobile security, every organization needs to recognize certain realities. The first is that you can't stop mobile device proliferation. The second is that user awareness alone is ineffective. And third, point solutions like encryption will only shift the target."

A December 2007 survey conducted by the Ponemon Institute found that nearly 40 percent of employees have reported losing a mobile device containing company data, and that more than half copied sensitive data to USB drives despite company policies forbidding the practice.

Halpert says enterprises need to implement an overarching strategy for mobile security, taking into account technology, user populations, and processes.

"While the majority of your workforce does not have malicious intent, those involved in social engineering are masters of the human condition and will attain the information they desire," Halpert warns.

No. 7: Follow the money.
If IT wants to overcome its reputation as a corporate money suck, tech managers need to learn a few things about the bottom line -- including how to translate long-term goals into quarterly results for the CFO.

"Having financial knowledge is important, especially when you've got a $50 million IT budget that can easily spiral out of control," says Interphase Systems' Biglin. "The CIO can't approve every invoice. We find IT directors managing multimillion-dollar projects who don't know what costs to capitalize and which ones to expense. If you don't understand the difference, it's easy to wind up a year down the road where something has to be reclassified. It can really impact companies who report their numbers to Wall Street."

Basic concepts -- such as the difference between cash flow and profits -- need to extend throughout the IT organization, says Joe Knight, co-author of "Financial Intelligence for IT Professionals: What You Really Need to Know About the Numbers."

"I think everybody in the IT department needs to understand how projects are made, why they're important, and the future benefits they will bring to the company," says Knight. "If you can speak the language of finance and present your IT case in a financially astute way, you'll not only make better decisions but you'll also be able to drive your decision through the organization."
