Interesting exchange on Twitter this morning about the role of the IT Department and asking the question - are we scared of losing control.
it made me think - are we there to "Protect" or to "Serve"? Or maybe both.
The exchange went as follows:
 | @RobertEStroud | Why is IT so scared about losing control? |
 | @theitskeptic | @robertestroud IT aren't scared of losing control. It's our job to protect the organisation, manage IT risks. |
Skeps reply made me think - what is the primary job of IT? To protect the organisation or to serve it. I put the question to him...
 | @Simo_Morris | @theitskeptic @RobertEStroud What takes priority - protection or enablement? If protect a shutdown biz aren't you just a security guard? |
| @theitskeptic | @Simo_Morris that's why we are supposed to have Governance of IT: the governors should direct the balance. Not IT's fault if no guidance |
So, as always Skeps reply makes a lot of sense, but only in organisations that have a culture of the Business governing IT. I feel that in the majority of organisations this is the other way around - with IT holding the veto over technology decisions that could enable the business to do more.
Before working in ServiceNow I worked for a large multi-national advertising firm and remember the legendary stance of one man against the desires of around 130,000 people who wanted to connect their iPhone to the corporate mail system. He held the power of veto and held off the hoards for a fair amount of time.
When the IT organisation cast the veto on a particular venture that the business wishes to embark on - a topical example would be the use of iPads, tablet devices or BYOD - I'm sure that they are great at considering the risks involved, but cast a blind eye to the potential benefits.
Firstly - I don't think there are such things as "IT risks". There are business risks owned by the IT organisation, but to claim a risk as an IT risk is to put ourselves in a self-serving role.
The benefits of technology enabling the business are benefits owned by the business. The risks of technology enabling the business are also risks owned by the business.
IT should be in a position to protect it's users, but not by owning the risk and casting a veto, rather than providing mitigations to lessen the impact of that risk.
And anyway - if the venture that the business is proposing is SO risky we should be confident in our arguments, and the delivery of the arguments that the business would evaluate it and decide against it on their own.
The definition of risk is a balance between potential harm and potential benefit. When the IT organisation claims a particular idea is "too risky" I often wonder what they are comparing it against in terms of value.
Photo credit: http://www.flickr.com/photos/23912576@N05/3428496207/
