The bulk of CIOs time is spent working on data breaches, security issues, disaster recovery, business continuity and justifying technology investments. However, there are some issues that may not seem that obvious but can have serious consequences when overlooked. Here are some undercover risks that need to be addressed.
Let’s start with the IT staff. Critical expertise in IT is neither earned nor can be handed over overnight. IT managers know their key players and know their expertise but they often fail to understand that small things these players contribute every day. As almost always is the case, the value of this key member is understood when he leaves. The situation strikes even more drastically when the IT manager must manage without this expertise. This is one of the reasons why CIOs have to look for ways to keep their IT staff and back up their work and expertise with other members.
Continuing with the IT staff, the internal attacks launched by the IT staff are often overlooked. IT dedicates its time to secure the company from the outside attacks to ensure business continuity, but often does not spend enough time to consider insider attacks. A frustrated IT staff member with high privileges can severely paralyze a company. Imagine a domain administrator waking up at 2 o’clock A.M. and placing malware on the domain controllers to corrupt the Active Directory contents. Knowing about such risks and taking actions begin at the employee screening phase and continues with assigning at least two IT staff members to high security areas.
Aside from security, today’s IT is about many specialities. Inevitably, every speciality builds specialized knowledge and in turn every specialized knowledge builds its own experts. This is good so far but when those specializations hamper effective communications, the first thing that will take the hit will be the projects that touch those specifications.
The communication risk, or more generally interpersonal skills is an area to watch out for. IT staff tend to speak in its own jargon and tend to keep their relationships inside the IT department. This tendency results in “tech talk” and this tech talk is viewed as IT arrogance by the non-IT people. It is exactly this point where the bells should ring for the IT managers: this is one of the places where IT is being broken from the business, creating IT versus business scenarios.
Inside IT, there is the case of developers and the code. I have many clients who run a custom built application on legacy systems. The application works fine, without any problems and it is not touched because it is running. However, there is no documentation, there are no people left in the company that know how it runs, there is no similar software package, there is no one that can support, modify or fix the code. However, if/when it fails, it is the responsibility of the IT department to get it up and running. IT managers should have the courage to touch the code and to convince the management that it is not the costs involved in replacing the application is prohibitive, it is the costs involved when the application fails.
Great working relationships has to be maintained both inside and outside the organization, including the vendors. A changing account manager or a changing vendor can therefore have very negative effects. One of my clients have switched its backup software from Vendor A to a much bigger, so-called industry-leading Vendor B. Just two weeks after the deployment project started, my client realized that Vendor B’s work ethics were questionable despite their position in the industry. To make things even worse, the account manager in Vendor B has changed a few months later, which left my client in almost no position to get support. It has been about 3 years by now and still the effects of the account manager and the contract lock-in clauses make the company’s backups suffer still.
There is also the issue of multinational support. It is tempting for the management to select a support solution that works in every country; the tendency is to select a vendor that works in all countries. Even you select a multinational vendor, the operations of the vendor will most likely to be outsourced in some countries, resulting in different service levels. A perfect example of this is one of my ship owning client: it has various cargo ships sailing the world, with servers on board. When there is a any problem, we see how the service level of the servers’ vendor differs from one port to another: from Rotterdam to Fuzhou, from Boston to Conakry. When you are evaluating the vendors, try to evaluate what service levels it offers in the areas that you operate/plan to operate in.
This, so far is my list or risks that may effect any CIO one way or another. What are your undercover risks? Please share your experiences in the comments below.