Wednesday, January 17, 2007

Making IT 'Good Enough'

  • I've been guilty of this before, and I'll undoubtedly be guilty in the future - going for the gold standard, striving for excellence, discovering and emulating best practices. But maybe in IT, doing so isn't always appropriate. Maybe it can be a misguided approach.

    Here's just one example. In the past few years, IT gurus have developed process frameworks and control frameworks in order to provide all companies - big, medium, and small - with best practices for IT management. All conscientious IT managers and CIOs want to be part of the select group of businesses who are doing IT right. It's a matter of professional pride and the automatic assumption that best practices will improve not only IT management but business performance too. From CoBIT to ITIL, from security mantras like "defense in depth" to regulatory compliance like SOX, IT managers are bombarded with calls for better management. Often, we assume that means best practices. But that assumption may be part of the problem.

    Best practices are, by definition, ideals. But when money is tight (and when isn't it?), doing more with less may mean going for bronze rather than gold. Sometimes, it makes more sense to aim for a 7 rather than a 10. Sometimes, taking steps to go to the next level just isn't cost-effective. Sometimes, aligning IT with business objectives means intentionally going for the good-enough solution rather than the perfect solution.

    CoBIT (Control Objectives for Information and Related Technology) and ITIL (Information Technology Infrastructure Library) provide so many markers for IT performance that IT management can become disoriented and lose sight of "key" performance indicators. These frameworks can still be useful, but leveraging them may mean incorporating home-grown measures and concentrating on fewer key performance indicators.

    The IT Controls Benchmark Survey, for instance, provided some surprising results. The smoking gun for top performers could be found in 2 measures, measures that the best-of-the-best were almost all doing and that almost all the also-ran were not doing:
  • Monitoring systems for unauthorized changes, and
  • Defining consequences for intentional unauthorized changes.
    What this means is simply that, while ITIL and CoBIT give a lot of good measures to consider, the biggest bang for the buck comes from concentrating on doing a few things well.

    The survey also showed that in manufacturing, the top performers were about twice as productive as the low performers. But in IT, the difference was five to eight times. It is a case of the 80/20 rule again. Eighty percent of the benefit on process and control frameworks come from twenty percent of the measures.

    With survey results like this, achieving excellence in IT may be more about being "good enough" than in following "best practices", or at least about doing a few key things really well, and the rest just good enough.

No comments: