10 Hard Truths IT Must Learn to Accept
Like uptime, 100 percent compliance is a lofty goal that's more theoretical than practical. In many cases, focusing too much on compliance can hurt you in other ways.
Your level of compliance will vary depending on what industry you're in, says Mike Meikle, CEO of the Hawkthorne Group, a boutique management and information technology consulting firm. Organizations in heavily regulated fields like health or finance probably aren't in full compliance because of how often the rules change and the different ways they can be interpreted.
"It's safe to say that just as no network can be 100 percent secure, no organization can be sure it's 100 percent compliant," he says. "If a vendor is trying to sell you a product that ensures perfect compliance, they're lying."
Another danger area is falling into the compliance trap, where organizations expend too many resources trying to stay in sync with regulations while ignoring other, more vital parts of their operations, says Meikle.
"Organizations that strive for compliance with regulations often fall down in other areas," he says. "Being compliant with regulations doesn't necessarily mean you're doing what you need to do with your business. Compliance is really just a component of risk management, which is itself a component of corporate governance. It's an overarching business issue and needs to be addressed as such."
Clouds are on the IT horizon. According to Gartner's 2011 CIO Agenda survey, more than 40 percent of CIOs expect to run the majority of their IT ops in the cloud by 2015.
But even the cloud is not the ultimate solution. Reliability, security, and data loss will continue to cause headaches for IT departments -- they'll just have less control over the stuff that's in the cloud.
"Data loss is inevitable within any organization and can still happen in the cloud," says Abhik Mitra, product manager for Kroll Ontrack, a consultancy specializing in information management and data recovery. "Businesses must prepare for the worst by working with their provider to plan for downtime, data recovery and migration, and catastrophic loss. Data security will always be a concern, though advances in cloud solutions make it less of a risk as time progresses."
The cloud also introduces a new problem: how organizations can accurately measure their IT spend, especially as business users spin up cloud services without IT supervision. Accounting for this form of "shadow IT" can cause headaches for enterprises and force tech departments to take a hard look at the value of the services they provide, says Chris Pick, chief marketing officer for Apptio, a provider of technology business management solutions.
"For the first time, business users have a choice between what services IT is offering and what users can requisition on their own," he says. "But until the CIO can get a firm grasp on what it costs to deliver IT, he or she won't be able to extend meaningful choice back to business users. This will only serve to supply more oxygen to the fire of shadow IT."
IT concession No. 6: You will never have enough hands on deck
IT departments often want a fairer shake when it comes to outsourcing and head count reductions, but they're not likely to get it, says Meikle.
Because the tech outsourcing industry is much more mature than, say, legal services or HR outsourcing, IT is often the first to suffer when corporate bloodletting occurs. That's not likely to change.
The solution to IT manpower problems, says Meikle, is to take advantage of third-party outsourcers and integrate with them as much as possible. The bodies are still available; they're just not under your own roof anymore.
Also, says Meikle, be sure to look out for No. 1. Keep your tech chops current with an eye on the next job before the current one evaporates.
"IT pros need to understand they work for themselves first, the organization second," he says. "They need to continue developing their network and contacts, marketing themselves, and developing a personal brand even when they are employed. Like it or not, IT pros may have to pony up some dough personally to pay for their education and marketability, but that will pay dividends when the chips are down."
Everybody wants their networks to be easy to manage and hard to breach. What they usually settle for, though, are racks and racks of security appliances that are hard to manage and easily compromised, says Joe Forjette, a senior project manager at enterprise security appliance vendor Crossbeam.
"The worst part is that each appliance needs to be constantly patched and updated," he says. "The result is a sprawling, highly complex, and costly security infrastructure."
It's also not working all that well. According to the Computer Security Institute's most recent survey, 4 out of 10 organizations experienced an incident such as a malware infection, botnet, or targeted attack in 2010; another 10 percent didn't know if their networks had been breached.
A smarter approach is to start with the assumption your network has already been compromised and design security around that, says Wade Williamson, senior threat analyst at network security company Palo Alto Networks.
"Modern malware has become so pervasive and so adept at hiding within our networks that it is increasingly common for enterprises to assume they have already been breached," he says. Instead of slapping yet another layer of patches onto the corporate firewalls, security pros can spend more time looking for where the nasties may be lurking, such as inside a peer-to-peer app or an encrypted social network.
The notion of a "zero-trust architecture" is gaining traction among many organizations, says Williamson.
"This is not to say that these companies are simply throwing away their security," he says, "but they are also turning their attention inward to look for the tell-tale signs of users or systems that may already be infected or compromised."