Security

INDUSTRY ANALYSIS

Out-of-Control IT Departments

In San Jose, California, the city IT organization started an aggressive program to build the most advanced city hall in the state. The department’s leaders thought they grasped the technology, and the proposal missed none of the hot buzzwords of the day. The local paper, The Mercury News, took an in-depth look at the bid, and the end result was an embarrassing investigation into city technology acquisition practices and a call for the resignations of a number of high-ranking officials. Meanwhile, construction on the city hall was embarrassingly delayed. Further review indicated the city was overpaying by millions and had violated its own policies by single-sourcing to one vendor, Cisco.

This followed a series of events some months ago, when the State of California followed a similar path that ended in the firing or demotion of most of the senior officials involved. This controversy involved the single-sourcing of another local vendor, Oracle. In the state case there were clear implications that the head of the organization making the deal had a personal arrangement with Oracle. That badly compromised the integrity of his organization, which subsequently lost its funding.

Problem Signs

In the years I spent running one of IBM’s internal audit teams, I developed a methodology for testing organizations to see if they were likely to have problems. At every executive level, you have to be able to trust the people doing the job, but you also need to make sure there are controls so that this trust isn’t as necessary.

When you put trustworthy people into jobs that reward untrustworthy behavior, they will either leave or become untrustworthy. If you put untrustworthy people into jobs with proper controls, they will depart, voluntarily or involuntarily.

The two simple questions you want to ask are these: “Can I trust this person?” and “Are the controls over the job strong enough that I don’t have to?”

There are three warning signs to look out for in today’s IT organizations: call them sole source, open source and outsource. In addition, you can use benchmarking to regularly assess where your IT organization stands in relation to others. If you have an internal project that shows any of these warning signs, take a closer look. It may not be a problem, but it will provide an opportunity to test the integrity of your IT organization.

Sole Source

Sole-sourcing is the practice of using one vendor to the exclusion of others. Done right, it selects the vendor with the only solution that is appropriate for the job; done wrong, it improperly eliminates the competitive process that can ensure the best product at the best price. In my experience as an IT analyst, it is more often done wrong than right, which is why it makes for a good test. What you need to do is bring in a trusted third party to challenge the justification behind the sole-sourcing agreement. If the third party finds the justification inadequate, you have a problem of trust and likely need to change the controls over your IT organization.

This doesn’t mean that bid processes ensure integrity. A few years back I watched a Canadian government bid process be altered to favor a specific database vendor to cover up what was clearly a side agreement. But such deals are incredibly hard to catch.

Open Source

Open-source products put you into the software business. This type of software is surrounded by a near-religious fervor in the IT community, and as a result it provides a strong opportunity to test the decision-making processes in your IT department.

The primary platform used in open source is Linux, which is made available under the GPL or General Public License. This contract has unusual clauses that commit the company using it to share intellectual property that it might not otherwise be willing to share. In addition, most open-source projects are widely collaborative and involve seeking critical help from Web-based resources that have probably not met the corporate security guidelines for such activity. Typically a risk such as this would require senior-level approval; in some instances, the CEO or the board might be required to approve such a project.

This does not mean that open-source projects should be avoided, only that they provide a good way to explore how a decision was made and assess the adequacy of the decision-makers as well as the policies that surround them. Because open source is so different from proprietary software, it typically requires a more exhaustive approval process; and because it is so attractive, the urge to bypass this approval process is very great. Once again, this is a relatively easy test. You should be able to determine relatively quickly if policies were followed and whether sound judgment was used.

Outsource

Taking a critical function and passing it on for others to do has a number of inherent risks. These include security, control and cost containment. As with open source, because of this risk, the approval process typically goes up to the top of the company. Because of the money involved and the amount of competition, there is a significant opportunity to violate policy and trust.

Here you are looking for due diligence. Was there a clear, clean bid process overseen by a truly independent third party? Were the bidding companies fully checked for compliance with organizational policies, and are they financially viable to a degree that they won’t become dependent on your company for survival? For instance, if the company is planning to grow (or decline) over the strategic horizon, does the contract specification take this into account? You also want to see if references were contacted. The most important thing, however, is to make sure the impact of outsourcing has been fully analyzed.

Once again, your goal here is to understand the strength of your IT executive staff and the policies around them. Mistakes are one thing, but if you find cover-ups or incompetence, you clearly have a problem.

Benchmarking

Without some type of independent comparison, I don’t see how anyone can assess the effectiveness of an IT group. Any company should have in place a solid benchmarking effort covering its key expense areas. It amazes me that I know of only one company that does proper benchmarking for IT. Perhaps that is because it is all they do. Although I’ve never had a formal relationship with the company, I have recommended it for years as the best way to know how your IT organization compares to others. That company is Compass Management, and it is international in scope.

There is less and less tolerance for executives who don’t have a good handle on what their subordinates are doing. Recently we’ve seen the sudden departure of a number of CEOs, not to mention legal cases resulting from executives breaking the law or simply taking their eyes off the ball. A few simple practices could help you avoid a similar experience with your own IT organization.

More by Rob Enderle