Newbies to the world of comics see the "Batman v Superman" film trailer and are puzzled -- "Aren't they friends?" In fact, the two superheroes have similar goals but also an underlying mistrust of one another. It's not only superheroes: There's a similar vibe between IT and the CIO, who ultimately serves the business management.
There's merit for the mistrust: I recall a time when IT submitted its must-have list without being questioned. If IT said it needed something, that something was accepted as essential. All too often those must-haves turned out to be expensive, low-value wants.
As an example, I recall a conversation in 2002 where an IT admin was pushing his director to approve a Fibre Channel SAN for high-performance backups. The problem? It was at a 100-person accounting firm that could have done as well with an Ethernet "poor man's SAN." Then it happened: The director said no. It was the right decision, but it shocked the IT admin that his request was denied.
Since then, more IT pros have been similarly shocked. Businesses needed to put the brakes on IT spending, so they began pressuring the CIO to reduce costs and focus on ROI and TCO as a way to justify spend. But I believe the pendulum has swung too far in the opposite direction.
For example, this week I met with the IT leads for an organization looking to move to Office 365 from its on-premises Exchange environment. The IT leads are convinced that their existing environment (which includes a third-party gateway) is better because it's more secure than Exchange Online, even with Exchange Online Protection (EOP). But management decided the cost savings of using the off-the-shelf Office 365 service were more important than the purported security risk.
The IT leads didn't argue their case with management, but instead talked darkly among themselves that a breach might need to occur for management to invest in security. Despite their concerns, there was no fight in these folks. They were going to fold their arms and wait for something bad to happen.
Giving up without a fight like that is as bad as the past IT culture of fighting to the death over the security of its environment, no matter the cost.
It's time to rebalance. The key is for IT admins to regain the trust of the decision-makers. That can occur only if IT admins evolve their role into a trusted well of knowledge for the CIO. For example, if you want to convince management that additional security is needed from a third-party vendor, you need to be able to provide clear examples from vendor-neutral sources to demonstrate the risk and both the cost and value of reducing it. Yes, even security is an ROI calculation, in the form of risk avoidance.
It'll take work to alter this dysfunctional relationship, but the alternative, where we wait for something bad to happen so that we can get the budget we know we need, is absolutely ridiculous. It's true you may be paying for the sins of IT admins past, but that's simply what needs to happen at this point. The payoff of being proactive now is reestablishing a position of trust and respect for the IT admins of the future.