Tuesday, February 1, 2011

Why IT must be run as a business

I recently read this blog post on Richard Bejtlich's blog (and I am a bit behind the times) but it really rubbed me the wrong way. I am probably misinterpreting the point of the post but the way I read it, Richard was just pointing out that there were some salient points. I guess that I read the points that he highlighted and found that they were either people squabbling over semantics or they were IT nerds that had been promoted to management roles and somehow thought that they were unique, beautiful snowflakes and were different or more important than any other business function.

How is IT any more "special" than say marketing, sales, finance, etc? They aren't. 

I want to believe that the aim of the article was to say that IT should seek to be a trusted advisor to the business and serve the meet those ends, but it really read to me like IT should be able to dictate terms to the business and demand what they want. 

Now I've worked in some places with IT departments that have been described as an "post apocalyptic backwards IT environment". And those places were paradise compared to some of the hell holes I've seen since. And the worst ones I have ever seen are those that locked into this mindset that they can dictate how/what/why/when and where the business can do what it wants. They dictate what laptops they can use, what applications they can use and so on and so on. 

Now don't get more wrong, I understand the reasons why this is necessary to some extent: ensuring standardised operating environment, maximising pricing benefits, maximising process efficiency and so forth. But seriously, if IT is going to be the lynch pin to the business, then dictating terms is the worst thing you can do.

C-level executives are keen to reduce cost and focus on numbers not for the sole purpose of "looking good" to the board or shareholders. They know that but reducing their marginal cost of production, they are able to produce goods at a lower opportunity cost than their competitors. This means that potentially they are able to put their competitors out of business just on pricing alone. And this is simply one tactic can use to crush competition.  So any CIO looking to gain efficiency is going to look at reducing the size, complexity and operational overhead of their IT infrastructure, applications and staffing where ever they can. I know I would. 

I remember meeting one client ages ago who is quite well known for reducing their IT size to an almost infinitesimally small size. At the time I met this client I thought the concept was in itself, appalling. After knowing what I know now, going through my degree, I'm convinced this guy is actually a visionary. 

These goals are a primary driver behind the booming enterprise architecture industry which seeks to bridge IT and business by optimising business process through efficient, robust, scalable and re-usable architectures. Any CIO or IT manager worth his weight who is not seeking to optimise and consolidate and cannot rationalise the cost benefits of doing so, is doing his company a disservice. For every IT manager that fights to retain infrastructure in-house, even when it is more expensive in doing so is also harming the longevity in the company by forcing them to spend money on an area that isn't a core competency.

And for all the bitching in this article that IT isn't focusing on innovation, I will tell you this: For every dollar your company spends retaining and managing IT assets, that is one less dollar your company is spent doing really cool, innovative, exciting stuff that is core to your brand. And for every dollar you spend maintaining something that isn't core to what you do, that's potentially a dollar that your competitor is gaining on you.

Now before I'm stoned to death by my infosec peers, I'd argue that our role is to acknowledge that progressive, forward thinkers are out there and we need to acknowledge that stopping the move to cloud based technologies (IaaS, SaaS, etc), outsourcing, etc, is comparable behaviour to people throwing sabots into textile looms back in the 15th century for fear of losing their jobs to automation. 

Are we as an industry really that unevolved and immature?!? Why can't we look at our methods for ensuring that information assets are adequately secured as part of the migration, that they are managed appropriately and in the even they simply can't, that mitigating controls are applied as best as possible and residual risks are understood by all so there is no misunderstanding?

I understand that internal chargebacks are not popular and I understand the argument about the chilling effect it can have, but simply put, this is good economics. It simply proves the point that the business is wasting money on a service that it can get from a third party provider for less (that is of course assuming that the business is comparing apples with apples and not say, a fully redundant SAN storage with a USB hard drive from Dick Smith).

If IT really want to talk innovation and do really cool, exciting stuff, look at how you can get rid of those crappy legacy applications in your environment that are unpatched and unmanaged. Look at sloppy, inefficient business processes and see how you can improve communication, consolidate storage and better facilitate excellent customer service. The cost savings are a secondary benefit and should be obvious in the face of such synnergies.

As security folks we have the potential to be the glue in these discussions, looking at ways we can protect the business. We can ensure that developers build applications using robust methodologies and guides, leverage APIs, etc. We can ensure provisions are included into contracts to enforce minimum standards of security, even influence choices of vendor and/or pricing. We have a lot more to offer the business than we often realise but it really does come down to the approach. In that respect, I think the article hit the money.

Unfortunately working in infosec is not glamorous and we get saddled doing our jobs, working with what we have rather than what we'd like to. This to me is what it is really about - making better use of what we have and looking at how we can help the business rather than hinder it.

In the future, businesses are not going to have monolithic IT shops. The future is going to involved outsourcing on a scale that you or I today can hardly conceive of. Enterprises will have all their applications, infrastructure, development - all outsourced. Other core functions will also become increasingly outsourced (I've already seen this). This enables businesses to become increasingly agile and better focus on their core competencies. IT will become more ubiquitous and pervasive than we can conceive today. Information will fly around in so many directions across so many devices that our very notions of privacy and security will be constantly redefined based on an threat landscape that will beggar belief. 

Our role in this world as security professionals will be to constantly adapt and redefine these notions on the basis of the information exchanges needed by business and perhaps more importantly, the speed in which we can do it. The world is not perfect and neither is information security in practise. But if we can help businesses make informed decision of risk, then our work is not in vain.

- J.


Richard Bejtlich said...


If you think

"For every dollar your company spends retaining and managing IT assets, that is one less dollar your company is spent doing really cool, innovative, exciting stuff that is core to your brand."


"The future is going to involved outsourcing on a scale that you or I today can hardly conceive of. Enterprises will have all their applications, infrastructure, development - all outsourced."

then I think we have vastly different ideas on the value of IT. You see it as a waste and not a "core competency?" I see it as important as all the other parts of a business and definitely a core competency.

Anonymous said...

Two Questions here:
1) Is IT in your business an enabler that supports the business objectives or a cost sink ?

Much of this view will depend on the leadership of the organisation.

2) Have risk and compliance (or non-compliance) costs been factored into the cost/benefit of cloud computing ?

If these are not included in the value consideration are you doing the "right" thing by your company, customers and suppliers ?

Jarrod said...

@Richard -
Love your blog btw. :) Thanks for dropping in.

Maybe we do have different ideas? I see IT becoming increasingly commoditised. Applications, infrastructure, storage, even security services.

We happily hire professionals for performing specialist work such as penetration testing, even dentistry, or even landscape gardening. Why is IT any different? From the article and blog post, I'm not seeing a compelling argument as to why it should be.

@Anon: Both are the right questions to be asking to my thinking. I also think most IT divisions have some 'bloat'. How well they support the business varies in spades.

I also have my reservations on cloud offerings but at the end of the day, we can't "stop" the business using them. We can only point out cause and effect. And sadly, yes, some businesses are only to happy to shoot themselves in the foot.

- J.

Christian Frichot said...

Whilst I'll admit there is an intrinsic relationship between the concept of "running IT as a business within your business" and "insourcing v outsourcing", I wanted to make the following observation in the context of in v out only, not the IT as a business:

I think the insourcing/outsourcing argument/paradigm/whatever is a wave. It comes and goes. I don't agree with your statements on the future being all outsourced. In fact, my workplace recently insourced ALL their IT and a closely related business are also actively, progressively going the insourced route. Even for the specialist roles. So while I'm sure some industries are going that way, it's a sine-wave of in, out, in, out. No doubt in 5 - 10 years it'll swap over again.

With regards to the running IT as a business, and once again I may be biased because of my position, I certainly see the divide between what we offer and what we *should* be doing. We have a building full of devops peeps that seem to mutter the words "but do we have a project/cost code?" before they can even *think* about doing anything. This is broken.

I think perhaps the trickiest thing for large companies is to maintain enough interesting work for the specialists, who would traditionally work for external consulting-type firms. It's only when you're truly embedded within the culture and the brand that you're able to provide true, open-ended value. It's not just the work that you're brought in to provide to a specific manager within the organisation, you're an agent that is accessible to anyone within the organisation to help in any way you can.

After reading the above, I just wanted to re-iterate (apologise perhaps?) my bias. When I was consulting, it was a body-shopped experience anyway, and I ended up being more of an employee to the company I was bodyshopped to, as opposed to a consultant.

Christian Frichot said...

And sorry, just to elaborate again. When I use the term outsourcing I'm talking more about the meat-cloud, as opposed to cloud/utility-computing. I believe you can certainly maintain a highly skilled internal IT shop AND utilise cloud services.

Jarrod said...

Let me repeat, _economically_ speaking businesses will want to reduce cost. They will want to improve quality of product, time to market and a bunch of other things.

They see compliance and security as the "cost" of doing business. They don't care about it anymore than the absolutely minimum they need to. And why should they? In a general view of the world, that's correct.

The more caring ones I've dealt with are a great deal concerned with maintaining consumer trust and brand reputation, but they're a dying lot IMHO. :(

- J.

DD said...

I don't want to delve into the silo'ed somewhat argument - even if it is real but somewhat not in my opinion....Just looking at the "C-level" comments.

Some credit needs to be given to people and each circumstance. But I do generalise somewhat here to make a point. (In regards to infosec at least).


Enough information at the right places can and does work!

Jarrod said...

Draz - I'm not touching the security/reporting line issue with a ten foot barge pole. :)

I've spoken with a few C-level guys and in my experience (which I admit isn't as much as yours!) they run the gamut.

I wish I could say most care about security in a broader sense but in my experience they don't care more than they have to, however in a lot of cases that is a whole lot less than they should.

E.g. Companies like Vodafone - I bet their C-level didn't care one bit and look what happened to them. They're reaping everything that they've sown.

To be a good CSO requires excellent communication skills and the ability to succinctly articulate risk well to the business. If they can do that, then they can elevate these discussions and take the game to another level, but that capability is quite rare (it seems).

- J.