10 hard truths IT must learn to accept

Unsanctioned devices, compromised networks, downtime -- today's IT is all about embracing imperfections

In a perfect world, your network would suffer no downtime and be locked down tight. You'd be in perfect compliance with all government regulations, and your users would all be self-supporting. The cloud would take care of nearly all your infrastructure needs, and there wouldn't be a single device accessing the network you didn't first approve of and control.

Also: You'd finally get the respect and admiration you truly deserve.

Good luck with all that. The gap between your dreams and cold hard reality just gets wider every day. That doesn't mean you should give up, but it does mean you need to get real about what you can change and what you must accept.

Here are 10 things IT must learn to live with.

IT concession No. 1: The iPhone revolution is here to stay

More and more workplaces these days resemble a geeky party that's strictly BYOD (bring your own device). The problem? Many IT departments either never got an invitation or failed to RSVP.

May 2011 surveys by IDC and Unisys found that 95 percent of information workers used self-purchased technology at work -- or roughly twice as many as executives in those surveys estimated. IDC predicts use of employee-owned smartphones in the workplace will double by 2014.

Nathan Clevenger, chief software architect at mobile device management firm ITR Mobility and author of "iPad in the Enterprise" (Wiley, 2011), says the iPhone and iPad are the catalysts for the consumerization of IT. Tech departments can either enable them to be used securely or risk the consequences.

"Unless IT supports the devices and technologies users demand, the users will simply go around IT and use personal tech for business purposes," Clevenger says. "That is a much more dangerous situation from a security standpoint than supporting the consumer devices in the first place."

Tech departments need to steer a middle course between attempting (and failing) to keep consumer technology out of the workplace, and allowing unfettered access to the network from any device, notes Raffi Tchakmakjian, vice president of product management at Trellia, a cloud-based mobile device management provider.

"BYOD is a scenario IT departments are learning to live with, but they struggle to manage them from a security, cost, and operations perspective," he says. "It becomes very difficult to ensure compliance to corporate standards and still meet business needs. They need a management solution that ensures corporate data security and allows them to manage costs with minimal impact on IT operations and infrastructure." (InfoWorld's "Mobile Management Deep Dive" PDF report shows how to do so.)

IT concession No. 2: You've lost control over how your company uses technology

It's not just consumer devices invading the workplace. Today a business user with absolutely no tech acumen can spin up a third-party business cloud service with a phone call and a credit card or, in many cases, a Web form and a click of a button. IT has lost control over IT.

That's not necessarily a bad thing. The burgeoning universe of cloud and mobile apps can give frustrated business users access to tech resources they need without putting an additional burden on IT staff or budgets.

"For years, IT has controlled every device, application, and process around technology," says Jeff Stepp, managing director of Copperport Consulting. "But with business units getting more technically savvy and frustrated with IT, they have gained executive support to go off on their own to research, procure, and implement new apps and gadgets. These newly empowered business units are often successful in getting what they need implemented more quickly and cheaply than going through their own IT department."

Your job is no longer to provide top-down solutions; it's to enable business users to make the right decisions, says Scott Goldman, CEO of TextPower, maker of text-messaging platforms for business.

"Instead of struggling to regain control, tech departments should strive for something more valuable: influence," he says. "When IT departments treat their users as customers instead of complainers, they get more of the results they want. The days of the all-powerful IT department dictating methods and machines are gone. The sooner they realize it, the faster they'll actually regain some level of control."

IT concession No. 3: You'll always have downtime

Eventually, even the best-maintained data centers will go down. Think you have redundancy up the wazoo? You're one of the lucky few.

In a September 2010 survey (PDF) of more than 450 data center managers, sponsored by Emerson Network Power and conducted by the Ponemon Institute, 95 percent reported suffering at least one unplanned shutdown during the previous 24 months. The average length of downtime: 107 minutes.

In a perfect world, all data centers would be built around highly redundant, dual-bus architectures where maximum load on either side never exceeds 50 percent, says Peter Panfil, a vice president for Liebert AC Power, a division of Emerson Network Power. They'd be able to handle peak loads even when critical systems fail and others are down for maintenance, with a separate recovery facility ready to come online in case of a region-wide disaster.

In the real world, however, 100 percent uptime is only possible if you're willing to pay for it, and most companies aren't, says Panfil. That forces data center managers into a game of "IT chicken," hoping outages don't occur when systems are beyond 50 percent capacity.

Organizations where uptime is essential to survival are segmenting their data centers, he adds, reserving high availability for their most critical systems and settling for less elsewhere. If their email goes down for half an hour, it's annoying but not fatal. If their real-time transactions system goes down, they're losing thousands of dollars a minute.

"It is always better to have the capacity and not need it than to need it and not have it," he says. "But the people who are signing the checks don't always make that choice."

IT concession No. 4: Your systems will never be fully compliant

Like uptime, 100 percent compliance is a lofty goal that's more theoretical than practical. In many cases, focusing too much on compliance can hurt you in other ways.

Your level of compliance will vary depending on what industry you're in, says Mike Meikle, CEO of the Hawkthorne Group, a boutique management and information technology consulting firm. Organizations in heavily regulated fields like health or finance probably aren't in full compliance because of how often the rules change and the different ways they can be interpreted.

"It's safe to say that just as no network can be 100 percent secure, no organization can be sure it's 100 percent compliant," he says. "If a vendor is trying to sell you a product that ensures perfect compliance, they're lying."

Another danger area is falling into the compliance trap, where organizations expend too many resources trying to stay in sync with regulations while ignoring other, more vital parts of their operations, says Meikle.

"Organizations that strive for compliance with regulations often fall down in other areas," he says. "Being compliant with regulations doesn't necessarily mean you're doing what you need to do with your business. Compliance is really just a component of risk management, which is itself a component of corporate governance. It's an overarching business issue and needs to be addressed as such."

IT concession No. 5: The cloud will not fix everything (and may even break some stuff)

Clouds are on the IT horizon. According to Gartner's 2011 CIO Agenda survey, more than 40 percent of CIOs expect to run the majority of their IT ops in the cloud by 2015.

But even the cloud is not the ultimate solution. Reliability, security, and data loss will continue to cause headaches for IT departments -- they'll just have less control over the stuff that's in the cloud.

"Data loss is inevitable within any organization and can still happen in the cloud," says Abhik Mitra, product manager for Kroll Ontrack, a consultancy specializing in information management and data recovery. "Businesses must prepare for the worst by working with their provider to plan for downtime, data recovery and migration, and catastrophic loss. Data security will always be a concern, though advances in cloud solutions make it less of a risk as time progresses."

The cloud also introduces a new problem: how organizations can accurately measure their IT spend, especially as business users spin up cloud services without IT supervision. Accounting for this form of "shadow IT" can cause headaches for enterprises and force tech departments to take a hard look at the value of the services they provide, says Chris Pick, chief marketing officer for Apptio, a provider of technology business management solutions.

"For the first time, business users have a choice between what services IT is offering and what users can requisition on their own," he says. "But until the CIO can get a firm grasp on what it costs to deliver IT, he or she won't be able to extend meaningful choice back to business users. This will only serve to supply more oxygen to the fire of shadow IT."

IT concession No. 6: You will never have enough hands on deck

IT departments often want a fairer shake when it comes to outsourcing and head count reductions, but they're not likely to get it, says Meikle.

Because the tech outsourcing industry is much more mature than, say, legal services or HR outsourcing, IT is often the first to suffer when corporate bloodletting occurs. That's not likely to change.

The solution to IT manpower problems, says Meikle, is to take advantage of third-party outsourcers and integrate with them as much as possible. The bodies are still available; they're just not under your own roof anymore.

Also, says Meikle, be sure to look out for No. 1. Keep your tech chops current with an eye on the next job before the current one evaporates.

"IT pros need to understand they work for themselves first, the organization second," he says. "They need to continue developing their network and contacts, marketing themselves, and developing a personal brand even when they are employed. Like it or not, IT pros may have to pony up some dough personally to pay for their education and marketability, but that will pay dividends when the chips are down."

IT concession No. 7: Your network has already been compromised

Everybody wants their networks to be easy to manage and hard to breach. What they usually settle for, though, are racks and racks of security appliances that are hard to manage and easily compromised, says Joe Forjette, a senior project manager at enterprise security appliance vendor Crossbeam.

"The worst part is that each appliance needs to be constantly patched and updated," he says. "The result is a sprawling, highly complex, and costly security infrastructure."

It's also not working all that well. According to the Computer Security Institute's most recent survey, 4 out of 10 organizations experienced an incident such as a malware infection, botnet, or targeted attack in 2010; another 10 percent didn't know if their networks had been breached.

A smarter approach is to start with the assumption your network has already been compromised and design security around that, says Wade Williamson, senior threat analyst at network security company Palo Alto Networks.

"Modern malware has become so pervasive and so adept at hiding within our networks that it is increasingly common for enterprises to assume they have already been breached," he says. Instead of slapping yet another layer of patches onto the corporate firewalls, security pros can spend more time looking for where the nasties may be lurking, such as inside a peer-to-peer app or an encrypted social network.

The notion of a "zero-trust architecture" is gaining traction among many organizations, says Williamson.

"This is not to say that these companies are simply throwing away their security," he says, "but they are also turning their attention inward to look for the tell-tale signs of users or systems that may already be infected or compromised."

IT concession No. 8: Your company's deepest secrets are only a tweet away

Your employees are using social networks at work, whether they're allowed to or not. According to Palo Alto Networks' May 2011 Application Usage and Risk Report, Facebook and Twitter are in use at some 96 percent of organizations.

The problem? According to Panda Software's Social Media Risk Index (PDF), one-third of small to midsize businesses have succumbed to malware infections distributed via social networks, while nearly one out of four organizations lost sensitive data when employees spilled the beans online.

"The behavior of people using social media is like their behavior using email 10 years ago," says Rene Bonvanie, vice president of worldwide marketing for Palo Alto Networks. "With email, we've learned to never click on anything. But inside social media, people click on every tiny URL because they trust the sender. That's why botnets we successfully rebuffed five years ago are now coming back via social media. It's a big risk and we see it all the time."
