10 Hard Truths IT Must Learn to Accept
In a perfect world, your network would suffer no downtime and be locked down tight. You'd be in perfect compliance with all government regulations, and your users would all be self-supporting. The cloud would take care of nearly all your infrastructure needs, and there wouldn't be a single device accessing the network you didn't first approve of and control.
Also: You'd finally get the respect and admiration you truly deserve.
Good luck with all that. The gap between your dreams and cold hard reality just gets wider every day. That doesn't mean you should give up, but it does mean you need to get real about what you can change and what you must accept.
Here are 10 things IT must learn to live with.
More and more workplaces these days resemble a geeky party that's strictly BYOD (bring your own device). The problem? Many IT departments either never got an invitation or failed to RSVP.
May 2011 surveys by IDC and Unisys found that 95 percent of information workers used self-purchased technology at work -- or roughly twice as many as executives in those surveys estimated. IDC predicts use of employee-owned smartphones in the workplace will double by 2014.
Nathan Clevenger, chief software architect at mobile device management firm ITR Mobility and author of "iPad in the Enterprise" (Wiley, 2011), says the iPhone and iPad are the catalysts for the consumerization of IT. Tech departments can either enable them to be used securely or risk the consequences.
"Unless IT supports the devices and technologies users demand, the users will simply go around IT and use personal tech for business purposes," Clevenger says. "That is a much more dangerous situation from a security standpoint than supporting the consumer devices in the first place."
Tech departments need to steer a middle course between attempting (and failing) to keep consumer technology out of the workplace, and allowing unfettered access to the network from any device, notes Raffi Tchakmakjian, vice president of product management at Trellia, a cloud-based mobile device management provider.
"BYOD is a scenario IT departments are learning to live with, but they struggle to manage them from a security, cost, and operations perspective," he says. "It becomes very difficult to ensure compliance to corporate standards and still meet business needs. They need a management solution that ensures corporate data security and allows them to manage costs with minimal impact on IT operations and infrastructure." (InfoWorld's "Mobile Management Deep Dive" PDF report shows how to do so.)
It's not just consumer devices invading the workplace. Today a business user with absolutely no tech acumen can spin up a third-party business cloud service with a phone call and a credit card or, in many cases, a Web form and a click of a button. IT has lost control over IT.
That's not necessarily a bad thing. The burgeoning universe of cloud and mobile apps can give frustrated business users access to tech resources they need without putting an additional burden on IT staff or budgets.
"For years, IT has controlled every device, application, and process around technology," says Jeff Stepp, managing director of Copperport Consulting. "But with business units getting more technically savvy and frustrated with IT, they have gained executive support to go off on their own to research, procure, and implement new apps and gadgets. These newly empowered business units are often successful in getting what they need implemented more quickly and cheaply than going through their own IT department."
Your job is no longer to provide top-down solutions; it's to enable business users to make the right decisions, says Scott Goldman, CEO of TextPower, maker of text-messaging platforms for business.
"Instead of struggling to regain control, tech departments should strive for something more valuable: influence," he says. "When IT departments treat their users as customers instead of complainers, they get more of the results they want. The days of the all-powerful IT department dictating methods and machines are gone. The sooner they realize it, the faster they'll actually regain some level of control."
Eventually, even the best-maintained data centers will go down. Think you have redundancy up the wazoo? You're one of the lucky few.
In a September 2010 survey (PDF) of more than 450 data center managers, sponsored by Emerson Network Power and conducted by the Ponemon Institute, 95 percent reported suffering at least one unplanned shutdown during the previous 24 months. The average length of downtime: 107 minutes.
In a perfect world, all data centers would be built around highly redundant, dual-bus architectures where maximum load on either side never exceeds 50 percent, says Peter Panfil, a vice president for Liebert AC Power, a division of Emerson Network Power. They'd be able to handle peak loads even when critical systems fail and others are down for maintenance, with a separate recovery facility ready to come online in case of a region-wide disaster.
In the real world, however, 100 percent uptime is only possible if you're willing to pay for it, and most companies aren't, says Panfil. That forces data center managers into a game of "IT chicken," hoping outages don't occur when systems are beyond 50 percent capacity.
Organizations where uptime is essential to survival are segmenting their data centers, he adds, reserving high availability for their most critical systems and settling for less elsewhere. If their email goes down for half an hour, it's annoying but not fatal. If their real-time transactions system goes down, they're losing thousands of dollars a minute.
"It is always better to have the capacity and not need it than to need it and not have it," he says. "But the people who are signing the checks don't always make that choice."
Like uptime, 100 percent compliance is a lofty goal that's more theoretical than practical. In many cases, focusing too much on compliance can hurt you in other ways.
Your level of compliance will vary depending on what industry you're in, says Mike Meikle, CEO of the Hawkthorne Group, a boutique management and information technology consulting firm. Organizations in heavily regulated fields like health or finance probably aren't in full compliance because of how often the rules change and the different ways they can be interpreted.
"It's safe to say that just as no network can be 100 percent secure, no organization can be sure it's 100 percent compliant," he says. "If a vendor is trying to sell you a product that ensures perfect compliance, they're lying."
Another danger area is falling into the compliance trap, where organizations expend too many resources trying to stay in sync with regulations while ignoring other, more vital parts of their operations, says Meikle.
"Organizations that strive for compliance with regulations often fall down in other areas," he says. "Being compliant with regulations doesn't necessarily mean you're doing what you need to do with your business. Compliance is really just a component of risk management, which is itself a component of corporate governance. It's an overarching business issue and needs to be addressed as such."
Clouds are on the IT horizon. According to Gartner's 2011 CIO Agenda survey, more than 40 percent of CIOs expect to run the majority of their IT ops in the cloud by 2015.
But even the cloud is not the ultimate solution. Reliability, security, and data loss will continue to cause headaches for IT departments -- they'll just have less control over the stuff that's in the cloud.
"Data loss is inevitable within any organization and can still happen in the cloud," says Abhik Mitra, product manager for Kroll Ontrack, a consultancy specializing in information management and data recovery. "Businesses must prepare for the worst by working with their provider to plan for downtime, data recovery and migration, and catastrophic loss. Data security will always be a concern, though advances in cloud solutions make it less of a risk as time progresses."
The cloud also introduces a new problem: how organizations can accurately measure their IT spend, especially as business users spin up cloud services without IT supervision. Accounting for this form of "shadow IT" can cause headaches for enterprises and force tech departments to take a hard look at the value of the services they provide, says Chris Pick, chief marketing officer for Apptio, a provider of technology business management solutions.
"For the first time, business users have a choice between what services IT is offering and what users can requisition on their own," he says. "But until the CIO can get a firm grasp on what it costs to deliver IT, he or she won't be able to extend meaningful choice back to business users. This will only serve to supply more oxygen to the fire of shadow IT."
IT concession No. 6: You will never have enough hands on deck
IT departments often want a fairer shake when it comes to outsourcing and head count reductions, but they're not likely to get it, says Meikle.
Because the tech outsourcing industry is much more mature than, say, legal services or HR outsourcing, IT is often the first to suffer when corporate bloodletting occurs. That's not likely to change.
The solution to IT manpower problems, says Meikle, is to take advantage of third-party outsourcers and integrate with them as much as possible. The bodies are still available; they're just not under your own roof anymore.
Also, says Meikle, be sure to look out for No. 1. Keep your tech chops current with an eye on the next job before the current one evaporates.
"IT pros need to understand they work for themselves first, the organization second," he says. "They need to continue developing their network and contacts, marketing themselves, and developing a personal brand even when they are employed. Like it or not, IT pros may have to pony up some dough personally to pay for their education and marketability, but that will pay dividends when the chips are down."
Everybody wants their networks to be easy to manage and hard to breach. What they usually settle for, though, are racks and racks of security appliances that are hard to manage and easily compromised, says Joe Forjette, a senior project manager at enterprise security appliance vendor Crossbeam.
"The worst part is that each appliance needs to be constantly patched and updated," he says. "The result is a sprawling, highly complex, and costly security infrastructure."
It's also not working all that well. According to the Computer Security Institute's most recent survey, 4 out of 10 organizations experienced an incident such as a malware infection, botnet, or targeted attack in 2010; another 10 percent didn't know if their networks had been breached.
A smarter approach is to start with the assumption your network has already been compromised and design security around that, says Wade Williamson, senior threat analyst at network security company Palo Alto Networks.
"Modern malware has become so pervasive and so adept at hiding within our networks that it is increasingly common for enterprises to assume they have already been breached," he says. Instead of slapping yet another layer of patches onto the corporate firewalls, security pros can spend more time looking for where the nasties may be lurking, such as inside a peer-to-peer app or an encrypted social network.
The notion of a "zero-trust architecture" is gaining traction among many organizations, says Williamson.
"This is not to say that these companies are simply throwing away their security," he says, "but they are also turning their attention inward to look for the tell-tale signs of users or systems that may already be infected or compromised."
Your employees are using social networks at work, whether they're allowed to or not. According to Palo Alto Networks' May 2011 Application Usage and Risk Report, Facebook and Twitter are in use at some 96 percent of organizations.
The problem? According to Panda Software's Social Media Risk Index (PDF), one-third of small to midsize businesses have succumbed to malware infections distributed via social networks, while nearly one out of four organizations lost sensitive data when employees spilled the beans online.
"The behavior of people using social media is like their behavior using email 10 years ago," says Rene Bonvanie, vice president of worldwide marketing for Palo Alto Networks. "With email, we've learned to never click on anything. But inside social media, people click on every tiny URL because they trust the sender. That's why botnets we successfully rebuffed five years ago are now coming back via social media. It's a big risk and we see it all the time."
Even organizations that use social media security solutions or data loss prevention tools can't keep Facebook fans or Twitter heads from spilling company secrets or other embarrassing facts to the world, says Sarah Carter, vice president of marketing for Actiance, a maker of Web 2.0 security tools.
"What's most important is education," says Carter. "Educate, re-educate, and educate again. Put technology-coaching solutions in place, where you can remind users of the risks regularly and remind them also of your company policy about visiting sites that are not relevant to business."
It's the dream of every IT department. If they could only get those needy users off their backs they might get some actual work done. But despite investments in online knowledge bases and automated support solutions, the notion that organizations can ditch their help desks is still the stuff of science fiction, says Nathan McNeill, chief strategy officer for Bomgar, a maker of remote support appliances.
"IT can deflect a big chunk of common issues -- like password resets -- with self-service, but it will always be more cost-effective to have humans handle the one-off and more complex issues," he says. "Even if the technology miraculously works 100 percent of the time, users won't be able to figure it out 100 percent of the time. As long as technology keeps evolving, humans need to be around to evolve IT support."
Instead of self-service, organizations would do better to invest in remote assistance solutions, says Chris Stephenson, co-founder of management consulting firm Arryve.
"Many organizations build a database of questions and leverage workflows to help drive end-users to an online answer," he says. "In reality, end-users are more frustrated when they finally talk to a support person. The investment in self-help support would be much better replaced with remote assistance in many situations where the support staff can gain access to the user's computer immediately and solve the problem directly."
Call it Rodney Dangerfield Syndrome: No matter how hard they work or how vital they are to an enterprise's very existence, IT pros shouldn't expect to get a lot of respect outside their own ranks.
"What IT people want is to be appreciated, valued, and understood," says Steve Lowe, founder and CEO of Innovator, a custom software developer. "And they so rarely are."
Depending on the circumstances, IT is usually either perceived as Santa Claus (bringing cool new toys for all the business girls and boys), Dr. No (only interested in keeping users away from the resources they need to do their jobs), or the NSA (monitoring their every Internet move for suspicious activity and cutting them off), Lowe says.
The best way to finally get some respect? Earn it every day, Lowe says.
"The main thing IT leaders can do to counter these misconceptions is to focus on providing extraordinary value to the company in any way they can," says Lowe. "Find a place where a little technology will have a huge payoff, and just do it. Success is very difficult to argue with. If you can show that IT makes a difference, that makes it easier for executives to give IT the respect it deserves."