The IT Expectation Gap – Why Your IT Isn’t Providing What The Business Actually Needs

When you say “IT”, what does that mean in your organization?  You might be thinking, isn’t IT just “IT”?  And to that I would say, not so fast!  Every IT department is different.  Yes, at a basic level IT manages your Google and your Microsoft, responds to helpdesk tickets, and makes sure your internet works.  The core stuff.  But most IT departments (even departments of one person) handle a lot more than that.

Every IT team manages an assortment of functions and duties that’s dictated by the company’s type, size, budget, systems, goals, and org structure.  If IT operates on an island disconnected from leadership, its mix of required functions is almost certainly not defined, its skills and resources are assembled reactively, and things can get pretty far out of alignment with what’s actually best for the business.

In new companies, it very rarely occurs to anyone to define a scope for the organization’s IT expectations.  A charter, if you will.  It is definitely a worthwhile exercise.  If you don’t do this, you may have multiple very-important-people in your company who either A) have a different idea of what IT is supposed to be providing, or B) have never thought about it.

Heck, most IT Managers have never thought about it.  Most IT Managers, being service-oriented professionals, come in with the attitude that, darnit, I will provide technology support in whatever way is needed.  But if “whatever’s needed” is not quantified or communicated, you’ll have problems whenever undefined IT expectations aren’t met.

“We should avoid that!” you might be (correctly) thinking.  If you do produce an IT charter, it’ll give you clarity on skills, staffing, and scaling, but more importantly it will provide a mechanism for IT and executive leadership to connect and agree on exactly what IT’s role and scope should look like in your company.  This will ultimately go a long way toward avoiding those “how could we let this happen?” moments down the road.

Let’s unpack this a little further.  To start with, what are the core IT responsibilities in just about every organization?  The list is relatively short:

Core IT functions:

  1. Service delivery – managing applications, systems, workstations, user accounts
  2. Helpdesk – supporting the environment, fixing things when they break
  3. Infrastructure management – maintaining networks and servers

Beyond this, what else might IT be expected to own?  This list is longer.  Some functions that are integral to IT can be owned outside IT.  And, especially in small companies, some functions will have shared ownership, or don’t exist yet, or have no defined owner.

Potential IT functions:

  1. Compliance – data security, privacy, audits, GxP
  2. Strategy – roadmapping, digital solutions & transformations, emerging technologies
  3. Business Systems – enterprise platform administration, integrations, data management
  4. Project Management – cross-functional projects, portfolio management, change management
  5. Procurement – budgeting, purchasing, vendor & contract management
  6. Web Environment – web infrastructure management, corporate website development
  7. Software Development – e-commerce & internal apps, DevOps, observability
  8. (And more…)

Looking at the above you might be thinking “of course IT does that” for some items, and “why would IT do that?” for other items.  This is where expectation gaps can creep in.  Why is the IT department especially susceptible to expectation gaps?

  • IT supports every department, and departments’ tech needs (and expectations) can vary quite widely
  • IT collaborates with many departments – Legal, Accounting, Engineering, HR, Marketing, etc. – which can lead to ambiguous ownership of cross-functional duties
  • IT tends to lag behind other departments in organizational maturity; newer companies often lack a strategic IT leader and many rely on outsource providers
  • Technical people, overall, tend not to be business people, and as a result they don’t always know how to take a higher-level view or ask the right questions
  • Business people, overall, tend not to be technical, and as a result they don’t always have an accurate idea of what’s “doable” with existing resources
  • Since IT is technical, a lot of core work is done behind the scenes that’s not easily understood by the rest of the company, which can lead to a “what is IT actually doing” perception

If all this seems like a lot to grapple with for a small company, this is where I mention I can help 🙂  I can analyze your current state against your planned future state and put together a charter to ensure your IT team is structured and resourced to meet defined expectations.  The goal is to enable IT to scale for the future, provide required skills and outcomes, and mesh with complementary functions throughout the organization.

IT Security: What Does the C-Suite Need to Know?

IT security is complicated, technical, multi-faceted, and always changing.  It’s also an inescapable concern for every company.  How are the non-techies, business folks, and C-Suite leaders supposed to keep up?  What do you really need to know?  Here are the key principles:

  1. The scary stuff – I’ll start with the part you already know: poor security leads to incidents and breaches.  These are never good for your company’s bottom line or reputation.  And it might not just be your data that gets compromised – you might expose your customers’ data, or conversely, an unvetted vendor of yours might accidentally expose your data along with theirs.

    So, I know you know this, but it’s worth reiterating that breaches are costly.  There are fines associated with violating privacy laws; there are ransom payments associated with falling victim to ransomware (if you decide to pay).  And aside from the financial hit, a breach will bring significant logistical, legal, and reputational headaches.

  2. The boring stuff – To fortify against the above, IT needs to do a lot behind the scenes that you’ll never even know about 99% of the time.  They configure firewalls, access rules, detection and monitoring systems, antivirus, patching, encryption, and more.  There’s a lot that goes into the day-to-day business of keeping the bad guys at bay and following best practices.

  3. But security is even more than this – I was once asked in an interview, “so tell me about security?”  I was like, hmm, where do I start…  It’s not just technical controls.  It should be a mindset, a philosophy, a culture, something to be factored into every project, every system, every process in your company.  It’s something all of your employees should be trained on.  Is this always the case, especially in small companies?  Nope.  Should it be, especially as you grow?  Yup.

  4. There’s doing it, and there’s proving you did it – Yes, you need to keep your ducks in a row to prevent security incidents.  You also need to document what you do.  Documentation is almost as important as the security controls themselves.  It will ideally feed into a third-party audit report like a SOC 2.  That way, if you DO experience a breach, your documentation – and your awesome clean audit report – act as evidence that you had reasonable measures in place, which can greatly reduce your legal exposure and reputational damage.

  5. Compliance = customers – These days, in almost every industry, privacy and security compliance is mere table stakes.  Your customers assume – and require – that you comply with privacy regulations and that you conduct security audits (like SOC 2).

    NOTE: for new companies wondering where to even start building their security posture, compliance is a great grounding point.  Taking steps toward adhering to applicable laws and regulatory requirements for your industry – and any contractual obligations – is a good place to start.  Adherence to a specific framework (like NIST, ISO, or SOC 2) will also definitely point you in the right direction.

  6. Security is never finished – We are never 100% secure, and the bad guys are never finished finding new ways to ruin our day.  And our dependence on technology will only keep increasing.  It’s a never-ending effort – a journey not a destination – and our risk is never zero.  Ultimately, “security” is a process of mitigating, reducing, and managing risk.

So how can (should) the C-Suite participate?  What’s their role?

  1. Oversight – You (executive leadership) aren’t required to be security experts, but at the same time someone outside IT needs to have visibility into the process.  IT can own the technical controls, but the company owns the risks.  Security risks need to be assessed as business risks.  Policies and audits should be reviewed and approved (outside of IT) annually.  This stuff directly affects your business, and leadership needs to be involved, at least at a high level.
  2. Helping promote a security-first culture – As I mentioned, security is a mindset.  Promote it; define who owns it; ensure that security initiatives are prioritized.  Audits should have full sponsorship from the CEO.  Security is not just an “IT thing”, it extends to every department and every employee.  And the culture starts at the top.
  3. Incident Planning – Certain activities require C-level participation, like risk assessment, disaster scenario testing, and creation of an incident response team.  Prioritize and take these seriously.

What should the C-Suite expect from their IT team?

IT can generally be relied upon to own:

  • Controls – designing and implementing the technical measures used to protect data and systems
  • Policies – creating, updating, and (especially) explaining and briefing leadership on major updates and, really, on anything they need to know
  • Audits – until such time that you have a compliance department, it’s fair for IT to own the security audit process
  • Staff Training – your employees are your “human firewall”; security awareness training is critical
  • Communication – proactive monitoring, tracking, notification, and documentation of risks and incidents

Of course there’s a bit more to all this! The above is meant to be an overview, but here is the part where I mention that I can help 🙂  I can start with an assessment of your current security stance, structure, skills, gaps, priorities, and help you develop a plan.  Contact me if you’d like to discuss.