Something we encounter in IT frequently is the conviction of the non-technical crowd that we are a “computer person” so we must know how to [insert anything technical here]. Maybe we can, maybe we can’t. We may be flattered to be seen as a techno-demigod, but there is a darker side to this kind of worship. It becomes an expectation. If you can’t deliver, then you must not know what you’re doing. If they have any influence over you at all, you could be in an uncomfortable position.
As a result, we in IT can be tasked with everything from computers to fixing the wall clock. (This is an exaggeration, but not by much.) In truth, it’s not all bad, though the breadth of our responsibility means that things can get lost in the clutter. Critical tasks can lose their priority. We may find ourselves overburdened or out of our depth. What is needed is to continually reassess our positions to ensure best practices. It’s time to take a hard look.
Here are four things in IT you’re likely mismanaging — and what you can do about them.
Striking a Balance with Vendors
IT pros aim for as efficient a department as possible. Relationships with vendors exist for this very reason – efficiency and sometimes necessity. Particularly in small IT shops, could you do everything yourself? Maybe. But that’s not a good place to be.
When dealing with a vendor, you’re leveraging their expertise while balancing costs with service levels. There are many levers to pull to achieve the desired objective. But it all comes down to cost and scope. In other words, what they do for you and how much you’ll pay them. Our impulse is to secure the best deal for our company, but this may be the problem. Remember that adage “penny wise, pound foolish”? Or the other adage, “You get what you pay for.” These certainly apply here.
Vendor mismanagement is also often a problem of complacency. We form relationships with providers and nurture our point of contact in order that the company’s needs are understood. The vendor takes steps to strengthen this bond with a few deals or perhaps the occasional perk. They’ll inevitably use the relationship they’ve built to expand their business with you. These offered goods and services may be beyond the normal scope of their business.
From our perspective, having fewer or even one point of contact seems attractive. After all, it’s less work for us, right? Plus, we are encouraged by the amicable working relationship we’ve cultivated over time. We trust them. Here is where the danger lies.
Unless otherwise advertised (and accordingly contracted), vendors are specialists, even the full-service ones. They provide a specific service. They do it well, but vendors have been known to embellish.
They may offer a service, but are they the best resource? For example, Vendor A’s core business is hardware. Are they the best resource for providing an Enterprise Resource Planning (ERP) solution? Maybe not.
Never lose sight of the vendor’s core business. Unless what they offer is a function of their core business, what is on the table may not be the great deal it seems. If they are not experienced in the product, and if they do not have a well-established track record with the offered resource, think twice. After all, they are servants of their bottom line. Just as you’re a steward of yours.
Off-the-Shelf vs. Proprietary Software
Software management can be viewed from different perspectives. Large enterprises often have specialized needs and require proprietary solutions. These solutions are either developed in-house or built by outside contractors.
In the late 1990s, the State of Oregon contracted with a software company to upgrade their motor vehicle license tracking system. Of course, it was the low bidder – as is the way. It was a massive, multi-million dollar, multi-year undertaking. When delivered, it functioned according to expectations. Shortly after delivery of the tracking system, planned hardware upgrades began. The tracking system failed on the new workstations.
It turns out the software was designed specifically for the architecture of the IBM PS/2, the State’s desktop solution at the time of development. The software would not run on any other architecture. The State was forced to keep the antiquated PS/2s in its inventory until another solution could be found.
This comedy of errors involved two vendors – IBM and the software contractor – doing two things that functionally opposed one another. This disaster could have easily been avoided if only the right hand had known what the left hand was doing.
Most companies, though, opt for off-the-shelf software solutions, and management becomes one of inventory and licensing. In small companies, this is easily handled. In mid- to large-scale enterprises, software licensing can easily snowball out of control. In the past, end users were allowed to install anything they needed, resulting in license breach.
To avoid this desktop cowboy effect, asset management and SCCM-type software can automate much of the process of installation, upgrade, and compliance. An administrator well versed in SCCM, specifically, can easily manage the inventory.
Everyone Mismanages Security
Cybersecurity is among the most mismanaged things in IT. It’s not even your firewalls or appliances – it’s mostly your people. Employees will still do unwise things with their credentials. S3 buckets are left open to the public. Repos contain tokens or even passwords.
These are human mistakes that can’t necessarily be managed, only monitored for. Even when applying the principle of least privilege, people will be people. Make sure access is monitored closely and take swift action when something suspicious arises. That’s easier with cloud services like AWS, and Bart Castle has an entire course on Proactive Controls like AMI and AWS Shield.
However, there are a few things to consider before you put your eggs in the cloud basket, even if you already have. The benefits of the cloud are obvious to most, and it seems an easy choice.
Your data is under the stewardship of someone who has only a peripheral interest in your company. Yes, cloud storage comes with a heartfelt guarantee of safety. It is true that steps are taken to ensure the integrity and security of your data. We need to remember, though, that it is not their data. Beyond a monthly fee, they have no investment. With AWS, it’s called the Shared Responsibility Model. In essence, they secure their data centers. You’re responsible for the endpoints. Even password managers are purposefully indifferent. They have a “zero-knowledge” security approach, which means by design they’ll never see your data – and therefore have no responsibility for it.
Cybersecurity is a huge problem, and even the seemingly safe cloud is vulnerable. Attackers may find that your cloud storage vendor is one step ahead of them. But, as we know from the Shared Responsibility Model, you also have a role to play. Manage your company’s security like your data depends on it.
Outsourcing is Great – Until It’s Not
We have seen an evolution in outsourcing over the years. Payroll is a good example, with most of us being familiar with seeing ADP on our paychecks. Then manufacturing was offshored by large corporations as a cost-cutting venture. Now, our workforce is increasingly fluid. No longer is it necessary to have an in-house IT department, or even warm bodies onsite. Once the infrastructure is in place, monitoring and administration can be handled remotely. But the pitfalls here are similar to our previous points.
In the software section above, we saw a massive failure in an outsourced software project. The key to outsourcing is oversight. Handing the keys to a contractor and thinking you can relinquish control without worry is foolish. Doubtless you have done your homework, but, again, humans are fallible. And their dedication to your company is for a fee. You are the one that knows what your company needs.
Those to whom you have outsourced depend on you to impart a sense of what your company needs, whether it is a software project or the maintenance and protection of your infrastructure. Meet with them often. Not only do you need to know the state of your infrastructure and security, you also need to regularly reinforce the current and future needs of your company. Don’t allow them to become complacent.
One Size Does Not Fit All
Taking all these topics into account, one size does not fit all, and this is not a comprehensive list. It is simply a starting point. Your solutions to the above topics will of necessity be unique. It is up to management to determine how best to serve your company’s needs, and therein lies the challenge. Know your infrastructure. Live your five-year plan. Reassess constantly.
It’s your company.