Tag: it governance
Next week, I am scheduled for a semi-annual risk assessment with my dentist. He performs a very specific, highly focused type of risk assessment that is totally worth the $125 it will cost. In addition to performing specialized maintenance (hypersonic cleaning), he will provide a threat assessment (for oral cancer, cavities, periodontal disease and other anomalies). I’ll leave his office confident that my mouth is in a low-risk situation for the next six months as long as I continue to follow best practices and perform daily maintenance procedures. I am only vulnerable to these threats if I fail to follow a daily program of brushing and flossing.
I could always choose to save the small fee for these risk assessments and wait for a major dental disaster to occur. The problem with this approach is that a single incident may cost thousands of dollars if I need a root canal or some other type of procedure. Ten years of checkups are less costly than even a single disaster.
Enterprise IT risk assessments
Unfortunately, in the world of local government and SMBs, the most common approach to risk management is to allow a major catastrophe to occur before realizing the value of an enterprise risk management program.
I am at a loss to explain it. Incidents or problems involving your information and IT infrastructure are far more costly than risk management programs. Data loss, breaches, major downtime, malware, lawsuits and fines for compliance violations may cost hundreds of thousands or millions of dollars. They can permanently shut down your small business or really irritate your board of directors in a corporate environment. In the public sector, constituents pay for major screw-ups through increased taxes while the events are often covered up and the culprits skirt the blame and keep their jobs.
When was your organization’s last risk assessment? Can you put your hands on the report? If you haven’t had a risk assessment recently, it’s a safe bet that your policies are sorely lacking. Defining an organizational policy for risk assessment is an essential component of any comprehensive suite of security policies. Both HIPAA and GLBA require periodic risk assessments, but it is a sound practice for all types and sizes of organizations.
Where to start?
If you haven’t previously conducted an enterprise IT risk assessment you should carefully consider your starting point. For example, if you have few or no security policies, it may be wise to form an IG (information governance) committee and begin by developing a comprehensive set of policies, procedures, standards and guidelines. On the other hand, your management team may benefit from the kind of wake-up call that a devastatingly thorough risk assessment can produce. A 100-page report that says you suck at security and risk management on every page may be just what you need to get everyone’s attention.
The results of a risk assessment should be used to reduce your organization’s risk exposure, improve CIA (confidentiality, integrity and availability), initiate positive change, and begin building a security culture. While using risk assessments as a punitive device isn’t the best approach, such reports often expose malfeasance and incompetence of proportions so vast that appropriate consequences are in order. In other words, if you have been paying a CIO $200,000 and the assessment uncovers gaping policy, security and privacy holes, you should certainly replace the CIO with one who has the required skill set.
Scope the project carefully
Risk assessments come in a lot of flavors and the specific purpose and scope must be worked out with the auditors in advance. A few years ago, a client of mine released an RFP for a risk assessment after we worked extensively on the development of their information security policies. The proposals ranged from $15,000 to well over $150,000. This can happen even with a pretty clear scope. Big 4 firms, for instance, have hourly rates that may be several times what a local, independent practitioner may charge. NIST SP 800-30 provides valuable information on how to perform risk assessments, including some information on scoping.
Risk assessments may be qualitative or quantitative. You may be able to do some of the quantitative work in-house by gathering cost data for all your assets in advance of the assessment. Regardless of the scope and approach, the auditors will ask to see lots of documentation.
One positive outcome of a risk assessment is that it may force your management team to rethink EVERYTHING – in-house application development, infrastructure support, IT staffing & responsibilities, LOB (line of business) staffing & responsibilities, budgets, and just about everything else related to the manner in which your organization is run.
Risk assessments are way cheaper than disasters, so go schedule your checkup.
© Copyright Jeffrey Morgan, 2017
Because Mother Nature is so stingy when she doles out the gene for common sense, frameworks and standards for IT governance had to be invented.
Recently, I heard about an incident in which a municipal IT director was planning and executing significant changes to a department’s critical infrastructure without informing the customer — the department personnel. After being confronted, he insisted that he wasn’t required to inform the stakeholders because it was routine and he didn’t need departmental approval. Huh! To make matters worse, the changes involved significant risks that were far beyond the understanding of that IT director and his staff.
This behavior is appalling on many levels, but it is representative of the service provided by many municipal IT managers who believe IT is a dictatorial, rather than collaborative, profession. A few of the things this scenario tells us about the organization include the following:
1. The organization isn’t using a framework for IT governance and IT Service Management (ITSM).
2. Executive oversight of IT is inadequate.
3. The organization lacks a risk management program with change-control policies and procedures.
I will address the first two items below, and we can address item No. 3 in a subsequent article, so don’t forget to check back.
Sacred cows and your executive legacy
Municipal IT operations tend to be monopolies, and the customer service they provide is all too often in keeping with what one would expect from any monopoly. There is no good reason for this state of affairs, and you can fix it with relative ease. Enabling deplorable IT services doesn’t have to be one of your executive legacies.
Municipal IT often operates on a charge-back model, where customers (internal departments) are forced to pay a flat annual fee or an hourly rate for IT services. The customers are unable to pursue competitive services from external vendors that may provide considerably better quality at a significantly lower cost. In the bubble of government IT, market forces never apply the pressure required to initiate change, and the IT department remains a sacred cow trapped in outmoded thinking and ancient processes.
Solutions, tools and techniques
In previous articles[i], I have discussed several management tools, techniques and processes that will significantly improve IT performance and customer service in your organization. Here, I will add one more concept: the RACI (Responsible, Accountable, Consulted and Informed) model.
The RACI model is an excellent tool for clarifying roles and responsibilities within a process. Using RACI can increase transparency and address the lack of oversight, so that all the players clearly understand their roles in the grand scheme. Let’s take a look at an example of how it might be used to identify appropriate roles for the operation and maintenance of a county clerk’s software application.
Although your matrix may be different, what won’t be different is that multiple stakeholders are involved. If there are a significant number of public users of the system, such as attorneys and title researchers, you might want to add them to the matrix as well.
While the RACI model is an important component of frameworks and standards such as COBIT, ITIL and ISO 20000, undertaking a full implementation of any of these programs isn’t necessary to make significant performance improvements to your IT operations and customer service.
Don’t count on common sense as a reliable management tool; use IT governance instead.
For further reading
“How to Design a Successful RACI Project Plan,” by Bob Kantor, CIO.com, May 22, 2012
[i] “Improving IT Customer Service with Service Level Agreements (SLA),” by Jeffrey Morgan, e-volve Information Technology Services
“What Is the Biggest Threat to Internal IT Departments?” by Jeffrey Morgan, CIO.com, Oct. 3, 2016
“High Crimes and Misdemeanors of CIOs,” by Jeffrey Morgan, CIO.com, Oct. 17, 2016
“Improving IT Customer Service, Part 2: Using a PSA System,” by Jeffrey Morgan, e-volve Information Technology Services
This article was first published on CIO.com at http://www.cio.com/article/3195073/leadership-management/county-municipal-it-customer-service-and-the-raci-model.html
© Copyright Jeffrey Morgan, 2017
The cybersecurity risk to local government
Weak or nonexistent cybersecurity programs represent a massive organizational risk to county and municipal government agencies in the United States. County and municipal executives are often unaware of these risks because they assume that their IT Director, CIO, or an external vendor is managing security and addressing the risks. It is rare that such an assumption is correct.
While the Ponemon Institute[i] found that “federal organizations have a stronger cybersecurity posture than state and local organizations,” the Brookings Institute[ii] concluded that “the vast majority of public agencies lack a clear cybersecurity plan.” Much of the available research is based on small samples and I believe that these studies may understate the scope of the problem. Based on my 23 years of working with public sector organizations, I can state with confidence that most lack any cybersecurity plans at all.
Your job as a municipal executive is to provide leadership and management in order to get the big picture right throughout your organization. What follows is advice on how to ensure that an appropriate cybersecurity program is established and functional in your organization. I recommend that you, the municipal executive, assume high-level responsibility for cybersecurity oversight. You don’t need to know the technical details, but you must know whether or not the appropriate frameworks, infrastructure, policies and procedures are in place and working correctly.
The need for information security is as old as civilization and possibly as old as life on earth. Information Security (Infosec) was invented to protect the first secret – whenever and whatever that was. Infosec is not solely a human artifact — my Great Dane always felt the need to maintain security concerning the location of his favorite bones and dead woodchucks. Techniques, methods and models for protecting information haven’t changed all that much and the methods of cybersecurity are largely based on models for protecting physical information.
Information Security refers to the discipline and processes to protect the confidentiality, integrity and availability of all your information regardless of form. Cybersecurity is a subset of information security and applies to digital data. In this article, I may use them interchangeably even though they are not, but counties and municipalities need an Infosec plan that includes cybersecurity.
Municipal data – a pot of gold
County and municipal networks are treasure chests overflowing with priceless gems. Mortgage documents, deeds, births, deaths, ugly divorces, medical records, social security numbers, and military discharge documents are among the many types of publicly accessible documents that may contain PII (Personally Identifiable Information), PHI (Protected Health Information), or other sensitive information. Constituents turn over all this information naively assuming that you are doing everything in your power to protect it from theft and misuse. Are you a worthy steward of this treasure?
Root causes and obstacles
Let’s discuss eight of many root causes of failure to establish appropriate information security programs in local government organizations. Subsequently, we’ll move on to a methodical, practical approach you can initiate immediately to improve your cybersecurity posture.
“A lack of skilled personnel is a challenge at both federal and state and local organizations.”[iii] One problem is that many public sector IT Directors and CIOs don’t have the knowledge, training and background to plan and deliver acceptable, standards-based, comprehensive information security programs. They are often unaware of widely accepted standards, guidelines and frameworks that are readily available, so cybersecurity planning is often amateur and homebrewed. Moreover, HR and hiring managers often don’t understand the required skills[iv] and look for the wrong people.
The largest municipal agencies may employ a CISO (Chief Information Security Officer) but the vast majority of public sector organizations do not have a dedicated information security executive and staff, nor should they necessarily require one.
IT staff members are rarely trained in or even familiar with relevant statutory compliance requirements. I have come to expect a deer-in-the-headlights look from public sector CIOs and IT staff when inquiring about security policies, privacy policies and other matters of security and compliance. Questions about HIPAA Security Rule compliance, for instance, are almost always met with “What’s that?”
A jumble of regulations
Municipal organizations may have dozens of departments, divisions, or lines of business with varying regulatory requirements from numerous federal and state agencies. Municipal governments do a lot. They may be involved in building bridges, managing traffic signals, providing water, waste, electric and sewer services, supervising elections and recording deeds while providing physical and mental health services and dental care.
A typical County government may have to comply with regulations like HIPAA[v] (Health Insurance Portability and Accountability Act) and 42 CFR[vi] while also complying with policies from CJIS[vii] (Criminal Justice Information Systems) in addition to compliance with state regulations from organizations such as an Office of Mental Health, or Department of Health. Additional requirements for records management from State Archives agencies add to those complexities and often contradict other regulatory requirements.
Departments with vastly different information security and regulatory compliance requirements often coexist on a shared network where the security posture is designed for the lowest common denominator rather than for the highest. Often, municipal IT staff members don’t have clearly defined policies and procedures for reviewing information such as security logs and system events. Even if they do record these events, their stance is usually reactive rather than proactive.
Silos and turf wars
Counties and municipalities may have highly distributed management structures which function as silos rather than as a cohesive team. In some states, the silos may be a “feature” of constitutional government where elected officials manage some departments and may not be accountable to central executives. One result of this is that a county executive, and consequently County IT, may not have global control of IT and information security because other elected officials choose not to cooperate. Some real world examples I have seen include:
- County Judges and their staff members refusing to sign and abide by acceptable use policies.
- County Sheriffs refusing to cooperate with an IT security audit, claiming their security policy and processes are “secret.”
- Social Services commissioners unilaterally declaring that HIPAA regulations don’t apply to their operations.
Silos in organizations create massive gaps in security management. When multiple parties are responsible for security, no one is responsible.
Most security problems are internal
90% of breaches occur because of an internal mistake[viii] and 60% of breaches are a result of internal attacks[ix]. Unfortunately, county and municipal information security programs often treat outside threats as 100% of the problem rather than focusing on more probable internal threats.
Insufficient budget is often used as an excuse for low quality IT services and lack of security in public sector organizations. It’s usually a red herring. In my experience, there is no correlation between budget and quality in the public sector. I have seen small, low-budget organizations build excellent security programs and have also seen large organizations with eight-figure tech budgets fail to establish even the most elementary components of an information security program. A cybersecurity program will cost money, but it doesn’t have to bust your budget.
In local government, critical management positions are often filled based on political considerations rather than quality of candidates. Expertise in information security should be a major component in your CIO’s toolkit.
Tech versus strategic thinking
If you think in terms of technology, stop it! I am always a little suspicious of industry professionals who fall in love with a particular technology. Technology is rapidly replaced or superseded so think strategically instead. There is no such thing as a technology problem; there are only business problems. Identify and solve for the business problem and the appropriate technical solution will reveal itself.
Start with Information Governance (IG)
What’s the first step in establishing your cybersecurity program? It has nothing to do with cybersecurity.
Information Security and cybersecurity must be components of your overarching Information Governance (IG) Program, overseen by an interdisciplinary team with executive support. Treating cybersecurity as a standalone program outside of the context of your organization’s information universe will produce a narrow approach. Do you currently have an IG program?
I can hear some grumbling right now. “Jeff, when do we get to the important stuff?”
IG is the important stuff. There are no silver bullets. There are no miracle pills that will address your information security requirements. No miraculous hardware or software will magically keep your information safe unless you have the right policies in place. There is some real work to do here and the P-things are the most effective tools to pack for your InfoSec journey. You will develop these from your IG Program:
- Policies
- Processes
- Procedures
What is information governance?
I like Robert Smallwood’s succinct definition of Information Governance: “security, control and optimization of information.”[x] In order to develop sound InfoSec and cybersecurity programs, you must know what you are protecting and why you are protecting it. The purpose of the IG program is to map, understand and manage your entire information universe. The map you create will serve as the foundation for your information security programs.
In a municipal government organization, an IG committee may include legal, HR, records management, IT, finance, and auditors, as well as other departments. Let’s say your municipality has a public health clinic, recorder of deeds, personnel/payroll and a sheriff. This means you have medical records, prisoner health records, recorded 911 calls, police reports, mortgage documents, confidential personnel records, payroll records, social security numbers and a lot more. The people with special knowledge about the nature and disposition of all this information must be on your committee.
In some organizations, information and security policy is developed at the whim of the CIO or IT Director. Is that IT Director expert in statutory requirements and industry best practices for all the areas mentioned above? I doubt it. This is why you need a cross-functional team to map the universe and make a comprehensive plan.
Establishing a comprehensive information security program
Once you have begun building your IG foundation and framework, your Infosec and cybersecurity requirements will be much clearer. Also, IG, Infosec, and Cybersecurity are not one-time activities. They require a process for continuous improvement like PDCA (Plan, Do, Check, Act) or DMAIC (Define, Measure, Analyze, Improve, Control). Get something in place first, and then continue to improve it. Attempting to get it perfect from the start will only result in implementation delays. This job never ends but it gets much easier once a solid foundation has been built.
Information Security Management Systems (ISMS), Frameworks and Standards
Once you have a comprehensive understanding of your information universe, develop security policies and programs for implementation and enforcement of those policies.
Use an existing framework. Designing comprehensive information security programs is more complicated than installing firewalls and anti-virus software and there is a great deal to think about.
There are many freely available information security tools in addition to standards and frameworks that require payment or membership in an organization. You can build a successful security program using only free tools, but my crystal ball is on the fritz today so I can’t see which tool is best for your organization. I wish I could tell you there is a one-stop shop, but there isn’t. You will have to evaluate your situation, do the research and make informed decisions about the best approach for your organization. Following is a brief discussion of some of them.
The National Institute of Standards and Technology (NIST) provides an enormous quantity of information and the gateway to it is available here. NIST’s Framework for Improving Critical Infrastructure Cybersecurity is available here and a new draft was released in January of 2017. Their Cybersecurity Framework Workshop starts on May 16, 2017 in Gaithersburg, MD if you would like to attend and learn more about it. You can also view a webcast with an overview of the Framework. In their words, “The core of the framework was designed to cover the entire breadth of cybersecurity . . . across cyber, physical, and personnel.”[xi]
NIST also provides three Special Publication (SP) series: SP800 deals with Computer Security, SP1800 contains Cybersecurity Practice Guides, and SP500 covers Computer Systems Technology.
SP800-53, Security and Privacy Controls for Federal Information Systems and Organizations will likely be an essential part of your planning process if you are building upon NIST.
If a division of your public sector organization provides clinical services, it might fit the definition of a covered entity (CE). If so, that division is required to comply with applicable federal regulations including the HIPAA Security Rule. The regulation provides a clear, jargon-free framework for developing information security policies and programs. While it won’t address all the requirements for a municipal cybersecurity program, it can help you build a solid foundation for your security programs. I don’t have any official data on HIPAA Security Rule compliance in municipal organizations, but my personal experience is that it is extremely low. Is your CE compliant? If not, why not bring your entire organization up to HIPAA standards?
I have worked extensively with HIPAA regulations and NIST products for nearly two decades and I like them a lot. If they are not a good fit for your organization, there are other resources, including the following three.
The Information Security Forum (ISF) publishes the Standard of Good Practice for Information Security, available free to ISF members.
The International Organization for Standardization (ISO) publishes the ISO/IEC 27000 family of standards for Information security management systems. ISO products are not inexpensive, but in the overall scheme of things you might find them to be a reasonable investment. Organizations can certify through accredited registrars, which can also be an expensive process.
ISACA publishes COBIT5, “the leading framework for the governance and management of enterprise IT” which provides an integrated information security framework as part of a larger IT governance framework. According to Joseph Granneman, “It is the most commonly used framework to achieve compliance with Sarbanes-Oxley rules.”[xii]
The role of vendors
Trusted vendors can be helpful in building your programs, but overreliance on vendors for security advice is a suboptimal approach. While they may be knowledgeable about many aspects of your industry, only you and your cross-functional IG team truly understand your business requirements. Their job is to “sell you stuff” but they will generally draw the line at writing policy and taking responsibility for overall information security in your organization. If there is a major breach or some other catastrophic security event in your organization that becomes public, you are the one whose picture will be in the paper.
Summary – one step at a time
Take a few simple steps to improve your cybersecurity infrastructure:
- Establish an IG committee and program.
- Discover and map your information universe.
- Establish an information security framework and security policy.
- Develop and implement your cybersecurity plan, based on the above.
- Use a cycle of continuous improvement.
This article first appeared in two parts in my CIO.COM column at:
A continuation of the subject appeared in:
References, Resources and Further Reading
Four critical challenges to state and local government cybersecurity efforts. Government Technology. July 17, 2015.
The need for greater focus on the cybersecurity challenges facing small and midsize businesses. Commissioner Luis A. Aguilar, October 19, 2015. US Securities and Exchange Commission.
How state governments are addressing cybersecurity. Brookings Institution. Gregory Dawson and Kevin C. Desouza. March 2015.
Human error is to blame for most breaches. Cybersecuritytrend.com.
[i] The state of cybersecurity in local, state and federal government. Ponemon Institute. October 2015.
[ii] The vast majority of the government lacks clear cybersecurity plans. Brookings Institution. February 3, 2015. Kevin C. Desouza and Kena Fedorschak.
[ix] The biggest cybersecurity threats are inside your company. Harvard Business Review. Marc van Zadelhoff. September 19, 2016.
[xii] IT security frameworks and standards: Choosing the right one. Joseph Granneman, Techtarget.com. September 2013.
If you found this information useful, or would like to discuss cybersecurity in your organization in more detail, please feel free to e-mail me at firstname.lastname@example.org. I would be glad to discuss your situation.
This article first appeared in cio.com at http://www.cio.com/article/3184618/government-use-of-it/county-and-municipal-cybersecurity-part-1.html
© Copyright Jeffrey Morgan, 2017
How is your IT Operation Performing?
Is your Municipal Information Technology department delivering amazing and cost-effective customer service? Are they operating using best practices and industry standards for IT Governance? If the answer is no, or if you are not sure, keep reading and I will provide you with some simple tools and a high-level overview of improving your IT business processes and operations.
Expertise in, and a deep understanding of, technology disciplines isn’t required to get the most out of your IT Manager; understanding basic principles of IT Governance is. As a County or Municipal Executive, you can provide the necessary leadership to improve your operations by ensuring that your IT management is adhering to industry standards and best practices. If you are fortunate enough to have a CIO, these standards and practices are probably already in place. However, there are over 22,000 County and Municipal entities in the United States and most can’t justify the cost of a full-time CIO.
There are tried and true standards, methodologies, policies and procedures that smaller counties and cities can and should establish in order to improve IT operations. If you don’t have a CIO, you can familiarize yourself with the basics and see if they are in place in your organization.
In highly regulated industries such as insurance, pharmaceuticals, health care, and banking, there are clear regulatory guidelines that define many of the basic functions, best practices and requirements for an organizational IT operation. Audits and evaluations are conducted routinely to ensure that IT operations are following applicable regulations and guidelines. There are no such required standards for municipal and county governments in most states. However, IT departments should always be operating as if an audit is imminent.
Part of the management problem is statistical, and I have written about it here, but solutions are readily available and a few of the basic management components that should be in place are described below.
Some Root Causes of Problems with Information Technology Departments
IT staff members under an audit generally blame poor customer service, poor performance, security problems and technical problems on an insufficient budget and understaffing. Sometimes they also blame the customers (end users). They often argue that if only the organization would increase the budget and hire more people, they would do a better job. In my experience, this is rarely true and two root causes of organizational IT problems are described in the table below. I have seen many IT departments that would function better with a smaller staff and a more focused business mission.
| Root cause | Description |
| --- | --- |
| Lack of focus on the mission | The IT operation is attempting to be everything to everyone. They don’t understand priorities and the business mission of your organization. |
| Tech decisions | The department is making technical decisions rather than business decisions. |
Customer Service Problems and Solutions
IT is a customer service driven business. If your IT customer service isn’t exceptional, you have a significant business problem, not just an IT problem. In the following table I have provided information about two tools that can help you improve customer service immensely regardless of what IT staffing model you use.
| Tool | Description |
| --- | --- |
| Service Level Agreement | A Service Level Agreement is a required document for any IT Department, even if it is a department with only one staff member or the services are entirely contracted. |
| PSA System | A system for tracking IT problems and their resolutions is also a required, essential component of a well-governed IT operation. Such a system provides information about the productivity of your IT staff, but it also provides a wealth of information about your end users and your business operations. The data available from a properly configured PSA system can provide valuable management information for executives, not just for IT management. |
Cost Metrics, TCO, ROI
Here are some basic business questions to ask about your IT operation. If you haven’t performed these calculations before, the answers might surprise you.
- What is the total cost of ownership (TCO) of your IT operation?
- How much does it cost per end user?
- How does that cost compare to other organizations similar to yours?
- How do you define an IT cost?
- What value and return on investment (ROI) does the operation provide?
Mission Critical Functions
If your IT staff does nothing else, they should at least be focused on Backup, Disaster Recovery, System Security, and Contingency Planning.
| Function | Description |
| --- | --- |
| System Security | HIPAA, ISO 27001, and NIST, to name a few, provide excellent frameworks for your information security program. Even if you only have a 1-person IT operation, information security should be a primary responsibility, and your IT management should be well versed in these standards and how to implement them. |
| Backup, Disaster Recovery, and Contingency Planning | Again, even in a 1-person IT operation, security, DR, backup, and contingency planning should be their main focus. |
| Information Security Policy | You must have a comprehensive information security policy! |
Are all of the components mentioned above in place in your organization?
Nothing I have discussed here will work in a vacuum. Improving operations and lowering costs will require your leadership and relentless follow-up. My father always taught me that good management is 10% telling people what to do and 90% making sure they do it. If you want to improve IT operations in your organization, go make sure they do it!
Feel free to e-mail me at email@example.com if you would like to discuss Information Technology projects, operations, or other business problems in your organization. If you are working on a major procurement project, you may find my book to be of interest.
Copyright © Jeffrey Morgan 2016
One of the most common mistakes I encounter in software procurement projects is a misunderstanding by County and Municipal executive management of the role of Information Technology in the procurement process.
Are you treating your project as a Business Project? Or do you think it is an Information Technology project because it involves software and hardware? If you are looking at the project as an IT project, you are making a common but significant mistake that may produce disastrous results. There is no such thing as an IT Project; there are only business projects! Because this is a business project, the appropriate business stakeholders need to be an integral part of the procurement process.
One of the least pleasant aspects of the consulting business is doing postmortem work on failed projects, and it is usually easy to see where the project went off track. I have seen a number of projects fail because the procurement of business software was entrusted to IT personnel on the mistaken belief that business software is something that Information Technology staff would naturally understand. Software = IT in some people’s thinking.
Software is generally a digital metaphor for classic, paper-based business processes that allow you to perform operations digitally that you can’t easily do with paper. Drop down boxes, autofill, mandatory fields, and automated reports can end-user proof the data entry and reporting processes, but you still need to collect the same data you did in your paper-based system and it can’t all be automated, yet. The same rules, processes and procedures that are part of any normal business process still apply. If you don’t understand the original, underlying business process you won’t get the metaphor either.
The inability to understand IT as a business function is a problem within executive and management ranks in many organizations. Remember the Dot Com Bubble from 1997 – 2000? The pundits and “experts” were advising stock buyers that the new Tech Companies no longer needed to follow the old business rules like making a profit and having solid financial and legal management. It wasn’t true. Tech companies had to follow all the business rules and so does your Information Technology Department.
There are some IT managers who are naturals at understanding business processes, but they are fairly rare. Many IT professionals fail to understand the core business functions of a product or process because they are overly concerned with the technical aspects. They make tech decisions instead of business decisions. IT professionals who are trained in business processes and workflows of specialized line of business operations are exceedingly rare. I have often heard IT people talk about “cool technology” in business meetings, which should be a dead giveaway about how things are going to end up if you take their advice. Your goal is not to acquire cool, cutting edge technology; you are trying to solve serious business problems.
In the olden days of MIS (Management Information Systems), many MIS people understood business systems, especially finance and accounting systems and knew how to build them from the ground up. There wasn’t a great deal of commercially available software and even when there was, it ran on a mainframe or mid-range system like a System 36, AS400, MicroVax or UNIX system. Building business systems was part of MIS training and knowledge. This is no longer true. Younger generations of IT people (MIS is nearly gone) are trained to build and support modular infrastructure systems, but not to build business systems like financial accounting software from scratch. Extensive training in business processes is no longer part of the education of the average IT employee.
I have seen outstanding, knowledgeable professionals with advanced degrees and professional licenses such as PE, PhD, MPH, and LCSW relegated to the back seat in procurement of software and services for their own department in preference to someone who was only qualified to operate a file server. This approach only makes sense once you realize that the executives who made these poor decisions were unable to understand the distinction between business and technological issues and processes. If a piece of software is a great fit for your organization and line of business processes, the underlying technology probably shouldn’t matter to you (but you should give it some consideration). It is difficult for me to understand why anyone would rely on the opinion of IT staff on an enormous business process decision requiring a firm understanding of a complex line of business. Basing critical business decisions on the opinions of technical staff almost always turns out to be a mistake. The denigration and humiliation of professional staff who were forced to the back seat in favor of less qualified IT staff is something they will remember, and senior management will eventually pay the price for this decision.
I believe the root cause of the misunderstanding about the appropriate role of IT in organizations emanates from insecurity among some managers over their lack of understanding of Information Technology. Because they don’t understand IT, they view it as a form of magic and can’t see how standard business and management rules apply. Let’s take a look at a couple of applicable metaphors.
I have been driving a car for decades, but I know very little about how an engine functions. I don’t need to know because I have a great mechanic. I can operate it and go wherever I need to go. I can put in gas, windshield wiper fluid, and occasionally oil. My mechanic does everything else. I buy used cars and I do sometimes consult with my mechanic about what car to buy, but I don’t consult with him about what routes to take, how I should drive it or how I should use my car to conduct business. I don’t consult him about my insurance coverage or what music I should play on the radio while I am driving. My car is a utility and I only need the mechanic to keep it running; how I use it and what I use it for are not his concern.
Another appropriate way to look at your Information Technology department might be to view it the same way you look at your Public Works or Highway department. Your highway staff builds, maintains, and supports your physical infrastructure like roads and bridges. If there are potholes, they fix them. If a streetlight is broken, they fix it. Your road crew doesn’t get to decide who will drive on a road, where drivers go or what kind of vehicle they should drive on the road. They don’t enforce the rules of the road and they don’t teach people how to drive on it. In fact, your highway staff may not even design and build your roads – you may outsource that task and leave only the maintenance to your staff.
It is not unreasonable to treat Information Technology as a similar utility or line of business that primarily provides infrastructure maintenance services as a baseline. You don’t have to understand the granular details of how computers, networks or databases function to understand the role they play in your information infrastructure. It is the job of your IT staff to provide a reliable infrastructure so your departments can run their business. It is not IT’s job to engineer your organizational business processes. Most of the time, they simply aren’t qualified.
If your IT staff is doing their job well, you shouldn’t even know they exist. Everything should simply work. Data should flow over the network and there shouldn’t be potholes or broken traffic signals that cause traffic problems. The staff should be providing reliable traffic flow over the network and reliable, stable servers to house your applications.
It is a natural inclination of IT Departments that are failing at managing their infrastructure to blame those failures on just about everything and everyone except themselves. Nothing to see here folks, look over there.
Your business requirements should be driving your Information Technology program, but too many organizations get this wrong and allow Information Technology to drive business functions they don’t understand.
Copyright © Jeffrey Morgan 2016
In the glamorous and sexy world of software procurement and implementation, dirty secrets abound. You shouldn’t assume that your new spouse is going to cook, clean, mow the lawn and drive the kids to school. Before becoming entangled in a new long-term business relationship, draft and execute a business pre-nup that includes a detailed project and implementation plan clearly spelling out the responsibilities and workload distribution of all the parties involved. And make sure you include plans for how to break-up in case things don’t work out. Implementation services may cost at least 2-3 times as much as a software license, and possibly more. Understanding the implementation model you are buying is critical to the success of the project.
One of the most common disputes between customers and vendors in software implementations (after the contract is signed and license fees are paid) concerns who was supposed to do what. These disputes can turn into ugly finger-pointing sessions reminiscent of your favorite dysfunctional family movie. Don’t assume that handshake deals and verbal agreements with the sales team are going to be honored by the company’s implementation and support team. After the deal is signed you may never see the sales rep again; you will be dealing with team members you have never met in person. This isn’t the vendor’s first movie, but it might be yours, so the time to work out the details is before the contract is signed. Make sure that all promises are in writing and are included in the SOW, project plan and other contract documents.
There are really only three implementation models with minor variations, and you should clearly understand which one your vendor has proposed:
- Do it Yourself
- Train the Trainer
- Turnkey
In a Do it Yourself (DIY) model, you license the software and configure the system using in-house staff or contractors and consultants. I have occasionally seen this model work. More often than not it turns into something resembling a nuclear disaster. It isn’t likely to save any money and I wouldn’t recommend it unless you have staff members who really understand the business processes AND the underlying technology. If you saved money by opting for this model, don’t assume the vendor will provide extensive implementation assistance under your support contract. Implementation support and post-Go-Live support are completely different animals. If the project doesn’t work out, you may have to scrap all your work and start from scratch.
Train the Trainer is the standard approach to implementation offered by many software vendors. The vendor uses webinars, remote access and on-site services to train key staff members and stakeholders in configuring the software. This model can be successful if you and your staff are committed to making the project work and are willing to invest large quantities of time. A key benefit of this model is that your staff will really understand the software. One major problem with this approach is that your staff members already have a full-time job. How are they going to find time to set up an enterprise system that may involve months or years of configuration, testing and hundreds of configuration steps? This model has a higher success rate than the DIY model, but spectacular failures are not uncommon.
In a Turnkey model, the vendor does the heavy lifting, but this doesn’t mean you’ll be sitting back while the vendor is waving a magic wand. At a minimum you will have to provide lots of data and configuration input, attend training and meetings, and execute quality assurance measures for every deliverable. This is the most expensive method for configuring software, but no one knows the system better than the vendor. If you opted for a milestone-based payment plan, you can rest assured that each component is configured and tested before you pay for that service.
You might be thinking that you don’t have to worry about the paparazzi. After all, this is software, not Hollywood. But if you run into a 6-8 figure cost overrun on a public sector software project, your picture might be prominently displayed on the front page of your local paper with a caption that reads “Lucy, you got some ‘splainin to do.” If a massive failure occurs in the private sector, it might be a long time before your next audition.
Copyright © Jeffrey Morgan 2016
I lived and worked in the Republic of Korea in 1986 and 1987 and spoke half-way decent Korean. I also spent 3 months in Thailand and learned enough Thai to go down to the market and bargain with vendors. I have spent time in other Asian countries as well.
One of the big lessons I learned was that even if you speak the language, cultural concepts and even body language often can’t easily be interpreted or translated using verbal communications. Even talking about basics like the color of an object can be difficult.
Does yes really mean no?
At one point in Korea, I was acting as an interpreter for a meeting between American and Korean General Staff. The two sides couldn’t come to agreement on an issue and the American General blamed the lack of agreement and acquiescence of the Koreans on my abilities as an interpreter. The real problem was cultural rather than a lack of communication or understanding. What I clearly understood was that the Korean General was giving off all the cultural cues that said NO without actually stating it verbally – something he would have considered to be rude. The American General couldn’t comprehend this because American officers are trained to say NO most of the time. Saying NO isn’t necessarily considered rude in our culture. Also, the American General was changing the pre-defined plan at the last minute. Maybe things have changed now, but at the time, that kind of entrepreneurial change of plans at the last minute wasn’t something that would be rewarded in Korean culture, least of all in the military.
Xenophobia vs. Business Decisions
I frequently recommend strategic contracting and outsourcing to my clients, but contracting to people whose native language is not English from halfway around the world is not what I am proposing to them. When I recommend outsourcing, I am suggesting that they contract with a local or regional professional services firm with people who have a shared cultural perspective.
Language isn’t the only problem. Culture can be a huge problem too. This isn’t xenophobia; it’s a business calculation. I have lived and worked all over the United States and the cultural differences between South, North, West, and East are vast. From a cultural point of view, California, New York and Texas are in many ways different countries, but we do share language and to some extent, culture. Conducting business when all the players don’t share language, culture, and common goals can present insurmountable obstacles.
I worked on a disastrous project in the late 1990s that resulted in an 8-figure loss to taxpayers and several wasted and frustrating years for hundreds of people. The project was a top-down initiative from the highest levels of state government to implement a state-wide social services case management application. The software development was contracted to a firm from halfway around the world. The entire concept of the project was flawed from inception, and the project, stakeholder, and communication management were poor.
The workflow was cumbersome and illogical and I always suspected that the workflow probably made sense if your brain had been wired differently based on language. It was clear that no one had bothered to consult case workers in the field about how they collected, managed, and entered data in the field. Everything was wrong with this project and there was plenty of blame to go around – especially blame for the executive management at the state level. However, communication with the foreign programmers and support personnel was a significant problem. The communication problems were both cultural and linguistic. Even the concept of what constitutes “customer service” has significant cultural ramifications and the idea of “social services” is not something universally understood around the planet.
There are cultural differences between companies as well, even if all the players are native English speakers from your region or your local community. If you are considering strategically outsourcing some aspect of your IT operations, cost shouldn’t be the only consideration. There is a value to cultural compatibility. The company culture of a potential vendor may or may not be a good fit with your organization, even if their office is right down the street. Cultural fit is an essential component of a successful business relationship and determining that fit should be part of your procurement process.
Copyright © Jeffrey Morgan 2016, 2017
There be more ways to the wood than one, and the methods for managing your organization’s Information Technology needs run the gamut from 100% contracted services to a full-service, in-house IT shop with help desk, software developers, and other support including network and security engineering. All of the variations between these two extremes can work if they are strategically planned. Which one is best for your organization? That depends on your business requirements, goals and objectives, industry, organizational culture, and budget. Key elements that will contribute to whether or not the model you choose is successful include a Strategic Plan and highly specific contracts and service level agreements.
Cost Vs. Value
Before we perform a summary examination of some specific models, let’s stipulate that this is a business project. Cost is important, but so is value. In order to determine which model will best suit your needs, you will have to make your own calculation of the Cost vs. Value equation for your organization.
How Much Does IT Cost?
How much does your operation cost now? And what value is being provided right now? Surprisingly, very few organizations can concisely and immediately answer these questions. IT costs are often buried in departmental budgets and sometimes linked to inappropriate budget accounts. Shadow IT Staff, staff members not technically part of IT but performing IT functions under a different title, are often unaccounted for in a summary of IT costs. Moreover, the cost of IT equipment has gotten so low that much of it is expensed under office supplies or something similar, so it doesn’t show up as a fixed asset or an IT line item. Unless you have very strict accounting rules, it is possible that accurately calculating the cost of IT may be difficult or impossible. This entire discussion might bring up another question: What exactly is an IT cost? Sometimes, the simplest questions are the hardest to answer.
Before we look at specific models, let’s talk about one more thing. What do you want? What are your business goals and objectives? Do you want a Help Desk to answer the phone and provide assistance with applications like Microsoft Office? Does it make sense to pay for that service? Do you require in-house server and network support to get immediate response? Or is a contracted service with a 1 or 4 hour service level agreement good enough? Are you looking for the development of institutional knowledge in-house or can a long term contract provide that security?
The secret to an efficient operation is good management that focuses on quality of service regardless of the model. A Service Level Agreement (SLA) is always required to define the scope and services to be provided by both in-house staff and contractors.
100% Contracted Services
This model is commonly used in small organizations but it can easily scale to relatively large operations. If you choose this model, I would recommend that you separate duties so that the vendor who sells and installs “stuff” is different from the vendor or consultant who is providing direction, design and planning services. In this way, you can eliminate the conflict of interest that may encourage a vendor to oversell or over spec. Consultative selling is big in the IT market and many vendors who sell solutions will provide honest advice on the best direction to take, but why risk it? Moreover, the sales people and techs whose job it is to sell products and services may not understand the minutiae of your business operations, goals, and objectives especially if you have highly specialized lines of business.
Contracts in a fully outsourced model may have some combination of a fixed rate for fixed services as well as an hourly rate for additional, incidental services. As with all contracts, close monitoring is required to keep costs in check.
The Technology Coordinator Model
One popular model is the use of a single Technology Coordinator. The position might have different names, but the general idea is that a single employee manages the strategic plan, coordinates services and manages all the contracts. When using this model, it is important to avoid the scope creep that can result from using the Coordinator as a front line fix-it person.
Most medium to large entities use some sort of hybrid model that includes a combination of in-house staff and contractors. Again, service level agreements are essential, and the in-house staff can easily grow to gigantic proportions without careful management. I have seen medium sized operations with 20 or more IT FTEs where a few staff members and strategic contracts would have been a more economical and efficient solution. In some industry sectors, a large staff may be justified. However, in something like a typical medium sized municipal operation, a hybrid model with a bias toward contractors makes a great deal of sense. If your contracts are well-written, it is easy to get rid of an under-performing contractor, but eliminating or replacing employees can often be a nightmare.
Full Service Models
If Information Technology is a core business function for you, a full-service, self-contained IT operation may be appropriate, but this scenario is rare if you are truly basing your decision on objective business criteria. Even the largest organizations strategically contract some services. If you are currently responsible for a large, full-service IT operation, maybe it is time to do a cost-benefit analysis of other options.
In a medium to large manufacturing operation with a dynamic network, network and security engineers may be required. In a static operation of a similar size, it might make more sense to contract these services since they will rarely be required. In-house software development is similar. Some organizations might require full-time software developers, but for more static organizations, purchasing commercial off-the-shelf software is far more efficient and cost effective than custom software development.
If you require assistance evaluating staffing models for your organization, send me an e-mail at firstname.lastname@example.org. If you would like to read more about IT Governance, check out http://blog.e-volvellc.com.
Copyright © Jeffrey Morgan 2016
By Jeffrey Morgan
While conducting IT Audits over the years, I have often heard end users relating stories about how hard the IT Staff works at putting out fires. Generally, the IT Audit is being conducted because the customer service being delivered by IT is abysmal and the end users know it, but they usually try to find something nice to say about their coworkers. The end users think they are stating something positive to me, but what they are really doing is waving an alarming red flag. Danger, Danger Will Robinson!
In a well run IT operation, putting out fires should be rare. The IT staff should be spending most of their time on routine operations, preventative maintenance, projects, and implementation of a cycle of continual improvement. Putting out fires is a sign that there are problems that may include network infrastructure and configuration issues, improper server and software configuration, improper configuration of end user devices, etc. With proper configuration and preventative maintenance, the systems should be stable more than 99% of the time. There may be other problems as well, such as end user training issues or malfeasance. Root causes surface pretty quickly if you conduct a thorough IT audit and investigate all the potential factors. Well managed IT operations are proactive rather than reactive.
In a stable environment, IT management is not necessarily the most exciting job. Critical tasks in a stable environment include validation of backups, routine administration, reviewing security logs, patch management, disaster recovery planning, and other essential preventative maintenance tasks. Another important task is ensuring that the organizational policies such as the Security Policy, Acceptable Use Policy, SLA (Service Level Agreement), and other governing policies are being complied with. Depending on your industry, regulatory compliance may be a critical task.
Is your system stable, or are your IT people constantly putting out fires? If you have questions about how to fire-proof your IT operation, send me an e-mail at email@example.com.
Copyright © Jeffrey Morgan 2016
Poor customer service is an epidemic in both public and private sector IT organizations. Art imitates life and there is nothing more hilarious than watching skits with Jimmy Fallon playing Nick Burns, Your Company’s Computer Guy. These skits are so funny because they ring true in most people’s life experience. Unfortunately, bad customer service in your organization isn’t anything to laugh about.
Let’s put this in the form of a syllogism – “We have a customer-service problem. Customer Service is the responsibility of management. Therefore, we have a management problem.” As an executive, it is your responsibility to address the management problem. The good news is that you can fix this problem and I will provide you with a high-level overview of one way to do it.
Once you have a Service Level Agreement, you can take the next step in order to improve the quality of customer service being delivered by your Information Technology Department – A Professional Services Automation (PSA) system. As I have previously discussed, no system you purchase will inherently do anything to improve the quality of your services. You must use the system correctly in harmony with other tools such as leadership, training, process, policy and procedure.
Regardless of what type of model you are using to support your IT operation, or the size of the operation, a PSA system is a required tool. These systems are widely available, affordable, and available in SaaS (Software as a Service, aka Cloud) solutions. If you have a small IT Department, or even a 1-man operation, the Cloud solution may make the most sense. Whatever you decide to do, buy one of the commercially available options rather than having a staff member write one in-house. I have seen organizations try this and it never works out. A correctly implemented and configured PSA system can also provide a wealth of other management data that can show you an X-Ray of information management in your organization.
There are 3 basic rules for using a PSA system effectively – with no exceptions.
- Everything goes in a ticket. No Exceptions.
- Employees must account for ALL of their time in the PSA system. If they work a 40 hour week, 40 hours should be documented in the PSA system. No exceptions. In fact, you may wish to use the PSA system as the time sheet for the IT Staff and only pay them for what they have documented.
- Everything (Absolutely Everything!) related to a ticket gets documented in the system. No Exceptions.
Once you have data in the system, it might be worthwhile to have your team, along with an expert 3rd party, evaluate the system’s reports. There are common problems. For instance, one problem you might find is that some employees require more time than necessary to complete tasks. You might even find some pretty egregious consumption of resources, like techs taking 10 hours or more to complete something that should be a 1 hour task. You may not know how long standard tasks require, but you can find an expert who does. Also, you may find that IT staff are performing activities that are not defined in your SLA, thereby wasting precious resources.
You will be able to identify other problems as well. Are there recurring problems with specific users? With specific departments? With a specific piece of software or hardware? How much are these problems costing your organization? Are IT staff members actually causing problems? Do end users require additional training?
Getting from abysmal customer service to a baseline of acceptable customer service may take a while. During the Go Live period for the PSA system, your IT Management should be living in the system. If you have long been suffering bad customer service, the IT management may require considerable coaching and training just to understand what good customer service looks like.
Your staff members may present all sorts of obstacles to such a system. For instance, they may say that it takes too long to document every incident. Like any other skill, it takes practice to thoroughly document your work and activities, but the results are worth the effort.
Another argument you might hear is, “Why don’t the other departments have to document their work?” Many professionals document their time and activities: attorneys, accountants, physicians, consultants, truck drivers, and pilots, to name a few. There is no good reason why tech professionals shouldn’t do so as well. In fact, once you have the PSA system in place and working, you may like the results so much that you will want to start a similar program for other groups, like your facilities staff as one example.
If you would like assistance with implementing a PSA system or with improving the customer service in your IT organization, send me an e-mail at firstname.lastname@example.org. If you would like to watch Nick Burns, take a look here.
Copyright © Jeffrey Morgan 2016