Duct tape and IT governance
The five years I spent as an IT executive (after 10 years in IT audit and before 20 years running internal audit departments) had a lasting influence on my thinking about technology and its management.
I have seen a little good and a lot of bad management.
I have seen very few situations where IT led the organization to strategic excellence and operational quality.
I have seen many situations where IT served as a mechanic, liberally applying duct tape to keep the infrastructure operational. The only relationship they had with the seats at the executive table involved making sure they were well oiled. They didn’t even make sure they were a matched set that looked good together!
Consider these situations:
- As a member of the Finance leadership team, I called the senior IT director responsible for supporting the CFO and invited her to an offsite meeting. The purpose of the offsite was to lay out a vision for Finance, including how we would leverage the opportunities presented by new and emerging technology. The IT director said she would prefer that we meet without her, decide what we needed, and let her know. She would implement whatever we selected.
I had to explain to her that we needed her to understand what technology, both new and emerging, was available and what it would allow us to do. But she again declined. “Just tell me what you want.”
Not only did we not have her at the strategy table, but she demonstrated no interest in leading the organization.
- I joined a company where the corporate IT function was engaged in selecting new corporate-wide ERP and supporting software. The latter would be selected not only for its individual functionality, but also for its ability to integrate with the ERP and other applications.
When the evaluation project was completed, the corporate CIO obtained the approval of the board. However, the company had set up each geographical region with its own CIO, reporting to the region leaders, not the corporate CIO. One by one, they all rejected the corporate selection and opted for different solutions – one for each region.
As a result, duct tape was rolled out to bind the regional systems together to deliver fragile enterprise-wide reporting, both operational and financial.
Total cost far exceeded what a corporate solution would have entailed, and the individual ERPs were augmented by a variety of solutions (several for the same purpose) that had tenuous integration with the ERP and among each other.
- At a conference, during a presentation I was delivering on the need for timely risk and performance information, one attendee said that he liked my vision but it was impossible for his company. When I asked why, he explained that they had a variety of legacy systems cobbled together with string. There was no way they could replace them with new technology without great risk and an extended timeline. So much for agility!
Consider these questions for your organization:
- Does the CIO not only have a seat at the leadership table but occupy it? Is he part of the team that develops strategy and does the company look to leverage technology, with him as visionary, to deliver new services, products, and capabilities to the market?
- Do the CIO and his team have effective control over the technology deployed across the organization? Does he even know what is used to run the business, or are business executives’ heads as well as their apps ‘in the cloud’? Do they ignore any need to have a consistent technology infrastructure where the needs of the whole take priority over the needs of the individual?
- Does the technology deployed across the organization work together without duct tape? Is it clear that it will continue to do so in the future?
- When multiple solutions are selected, from different vendors and using different technologies (including different cloud platforms and vendors), how do you expect the information security practitioners to protect the organization?
- Does the business trust IT?
Is your CIO a leader or a mechanic?