Iyfjky

Question

I work in IT audit in a medium sized company (~1500 full time employees). Many issues I encounter and document can be traced back to lack of process centralization / standardization. As a result of the different tools used, risks such as data breaches,and inconsistent integration with enterprise technology are increased. Controls relating to system change management, operations...etc are difficult to enforce in such an environment - major part of my job duties. Related problems such as shadow IT are indirect risks.

I have talked to my manager and he agrees with my suggestions, that haphazard processes are increase business risk.

How can such ideas be communicated to executive management so as a solution can be implemented?

Show them the annual manhour/Money it will save.It wont be a over night process will need at least year of inclusive engagement.You cannot force such changes.Show the carrot. — Jan 13 '16 at 4:19
Consider editing your post for content and to clarify your goals. Right now you're being a bit vague and 1500 FTEs is certainly not a "smaller" company unless you're comparing to MNCs. — Jan 13 '16 at 11:51

user45269 · Accepted Answer · 2016-01-13 15:20:56Z

You don't say what kind of industry you are in, nor your country.

OPTION 1 - the Stick

In many countries certain industries are required by law to secure PII data.

If that applies to you, then write up your findings and make a request to have an external auditor review the company and document its liabilities - both monetary and criminal.

This will catch the attention of management, and if they are properly informed, they should agree to this due diligence audit.

If the external auditor agrees with your findings, part of their job is to define the potential cost and risk of jail time for not securing data properly. This will be given to upper management, and then it is up to them to implement the corrections.

OPTION 2 - the Carrot

Sloppy software lifecycle management and data management almost always cause minor "outages" at least once a week, and usually a nice big fat outage at least once a year.

Document those as costs against the company - but not only against the company, but this also hurts the IT employees - they have to stay late to fix problems, they are always fearful of deployments because they have no confidence in their processes, they spend time fixing things rather than creating things, and their systems appear as big, scary blobs of unknown code and data, and the business is getting sick of asking them to do things, because they're always busy fixing things - which causes the business to engage in Shadow IT and may even cause them to consider hiring consultants to replace company IT.

Write up a proposal that shows how properly managed processes will reduce outages, reduce overtime needed, build confidence in the systems, make more time to do new and exciting things rather than fixing things, and better help the business by supporting their needs.

You will attract to your side folks that do not like fixing other people's mistakes, who do not like to stay late to fix problems that should not exist in the first place, people that want to do new things rather than babysit old things, the business side and management. Opposed, you will find people that like to be the "hero" when they fix something, don't like structure or learning new processes, or are people that have deployed code to Production with the understanding that "they can always fix it later if needed".

One or Both

Option 1 is easier - and if you do have legal obligations, probably the first you should try. Most senior IT managers should know by now what their risks are, but, I still find clients where they are completely oblivious to the fact that they, and/or their CEO's could go to jail or face very heavy fines (in the US) for the way they handle data.

Option 2 is harder, and requires more socializing - but, if you seek out the right people, you'd be amazed that many will support you. Once you have the support and the socialization complete, you can then make the proposal. Make sure to include the people that support you in writing the proposal, this gives them ownership and they will back it even more.

blankip 19.9k74781 · Answer 2 · 2016-01-13 06:08:32Z

I had a job very similar to yours back 15 years ago or so. I too scratched my head and wondered what the hell was wrong with everyone. Doesn't everyone understand that XYZ are not secure, that they cost more than what they have, and we have the wrong people working on the wrong things.

Currently at my company we have as many people in internal IT as you have at your company. I respect many of them - greatly. However many are nothing but project managers with a bit of tech skills.

My position is basically a hired gun in our tech world. I fill in the gaps or erase gaps due to bad Enterprise vendors, incomplete solutions, and bad implementation. I am a controlled producer of shadow IT for sure. But I can produce projects scoped at a year in weeks and I can fill a vendor gap without our clients or employees knowing. I come in after IT has had its chance and blew it.

What does this mean to you:

there is often a business case for shadow IT. Something needs to be done. Probably your group has said you don't have time, to use a solution that doesn't meet their full needs, or tell them yea we will get to that in 1.5 years.

understand the flaws of your system. Just because your system "works" doesn't mean it is usable to joe average user from an admin perspective. It also doesn't mean jane average user wants to use it from a UX perspective. People are used to easy and google and imagery - they want the data and the pop.

don't chastise people for going their own way initially. If someone builds a system to do something I would assume good intent. They went around your group because they didn't know you had a solution or felt your solution wouldn't work. You either need to accept that your solution didn't work and offer them any support you can (and doing this you can help adhere to policies) or get them to buy into a solution you have.

all that people care about is do you have a solution for their problem. IT gets done so poorly outside of IT departments mainly because the hiring managers have no idea how to hire a good IT/developer/whatever. So they get crap. You need to quit focusing on what everyone is doing wrong and change that to - how can our group help them. And don't use the Enterprise solutions excuse. Guess what? It works or it doesn't. If it doesn't it is a sunk cost. Does it help a group if you force them on your solution that meets 80% of their needs and can never achieve 100%... then the group spends 5 months trying yours out and is back to square one? Talk about wasting time.

you need to work with the key stakeholders for the unsupervised solutions. You need to figure out what is going on and why it is going on. You are not the police. You can't lock up their solution and put it in jail because that might put your company out of business. I would also focus on training and marketing of the solutions you have.

So before you go to upper management with your list of issues be ready to answer why your group isn't meeting needs. They could very well tell you they will hire someone outside your department to get things done. But don't worry because I share my code with IT/MIS daily.

Do you work for their company? I'm not sure why the fact that you share your code means they shouldn't worry. — Jan 13 '16 at 18:32

user45269 · Accepted Answer · 2016-01-13 15:20:56Z

You don't say what kind of industry you are in, nor your country.

OPTION 1 - the Stick

In many countries certain industries are required by law to secure PII data.

If that applies to you, then write up your findings and make a request to have an external auditor review the company and document its liabilities - both monetary and criminal.

This will catch the attention of management, and if they are properly informed, they should agree to this due diligence audit.

If the external auditor agrees with your findings, part of their job is to define the potential cost and risk of jail time for not securing data properly. This will be given to upper management, and then it is up to them to implement the corrections.

OPTION 2 - the Carrot

Sloppy software lifecycle management and data management almost always cause minor "outages" at least once a week, and usually a nice big fat outage at least once a year.

Document those as costs against the company - but not only against the company, but this also hurts the IT employees - they have to stay late to fix problems, they are always fearful of deployments because they have no confidence in their processes, they spend time fixing things rather than creating things, and their systems appear as big, scary blobs of unknown code and data, and the business is getting sick of asking them to do things, because they're always busy fixing things - which causes the business to engage in Shadow IT and may even cause them to consider hiring consultants to replace company IT.

Write up a proposal that shows how properly managed processes will reduce outages, reduce overtime needed, build confidence in the systems, make more time to do new and exciting things rather than fixing things, and better help the business by supporting their needs.

You will attract to your side folks that do not like fixing other people's mistakes, who do not like to stay late to fix problems that should not exist in the first place, people that want to do new things rather than babysit old things, the business side and management. Opposed, you will find people that like to be the "hero" when they fix something, don't like structure or learning new processes, or are people that have deployed code to Production with the understanding that "they can always fix it later if needed".

One or Both

Option 1 is easier - and if you do have legal obligations, probably the first you should try. Most senior IT managers should know by now what their risks are, but, I still find clients where they are completely oblivious to the fact that they, and/or their CEO's could go to jail or face very heavy fines (in the US) for the way they handle data.

Option 2 is harder, and requires more socializing - but, if you seek out the right people, you'd be amazed that many will support you. Once you have the support and the socialization complete, you can then make the proposal. Make sure to include the people that support you in writing the proposal, this gives them ownership and they will back it even more.

blankip 19.9k74781 · Answer 4 · 2016-01-13 06:08:32Z

I had a job very similar to yours back 15 years ago or so. I too scratched my head and wondered what the hell was wrong with everyone. Doesn't everyone understand that XYZ are not secure, that they cost more than what they have, and we have the wrong people working on the wrong things.

Currently at my company we have as many people in internal IT as you have at your company. I respect many of them - greatly. However many are nothing but project managers with a bit of tech skills.

My position is basically a hired gun in our tech world. I fill in the gaps or erase gaps due to bad Enterprise vendors, incomplete solutions, and bad implementation. I am a controlled producer of shadow IT for sure. But I can produce projects scoped at a year in weeks and I can fill a vendor gap without our clients or employees knowing. I come in after IT has had its chance and blew it.

What does this mean to you:

there is often a business case for shadow IT. Something needs to be done. Probably your group has said you don't have time, to use a solution that doesn't meet their full needs, or tell them yea we will get to that in 1.5 years.

understand the flaws of your system. Just because your system "works" doesn't mean it is usable to joe average user from an admin perspective. It also doesn't mean jane average user wants to use it from a UX perspective. People are used to easy and google and imagery - they want the data and the pop.

don't chastise people for going their own way initially. If someone builds a system to do something I would assume good intent. They went around your group because they didn't know you had a solution or felt your solution wouldn't work. You either need to accept that your solution didn't work and offer them any support you can (and doing this you can help adhere to policies) or get them to buy into a solution you have.

all that people care about is do you have a solution for their problem. IT gets done so poorly outside of IT departments mainly because the hiring managers have no idea how to hire a good IT/developer/whatever. So they get crap. You need to quit focusing on what everyone is doing wrong and change that to - how can our group help them. And don't use the Enterprise solutions excuse. Guess what? It works or it doesn't. If it doesn't it is a sunk cost. Does it help a group if you force them on your solution that meets 80% of their needs and can never achieve 100%... then the group spends 5 months trying yours out and is back to square one? Talk about wasting time.

you need to work with the key stakeholders for the unsupervised solutions. You need to figure out what is going on and why it is going on. You are not the police. You can't lock up their solution and put it in jail because that might put your company out of business. I would also focus on training and marketing of the solutions you have.

So before you go to upper management with your list of issues be ready to answer why your group isn't meeting needs. They could very well tell you they will hire someone outside your department to get things done. But don't worry because I share my code with IT/MIS daily.

Do you work for their company? I'm not sure why the fact that you share your code means they shouldn't worry. — Jan 13 '16 at 18:32

Search This Blog

Iyfjky

How to encourage standard and centralized business processes in a smaller company? [closed]

closed as too broad by JakeGould, Dawny33, Lilienthalâ™¦, gnat, AndreiROM Jan 13 '16 at 15:23

closed as too broad by JakeGould, Dawny33, Lilienthalâ™¦, gnat, AndreiROM Jan 13 '16 at 15:23

closed as too broad by JakeGould, Dawny33, Lilienthalâ™¦, gnat, AndreiROM Jan 13 '16 at 15:23

closed as too broad by JakeGould, Dawny33, Lilienthalâ™¦, gnat, AndreiROM Jan 13 '16 at 15:23

2 Answers
2

2 Answers
2

2 Answers
2

Comments

Post a Comment

Popular posts from this blog

What does second last employer means? [closed]

List of Gilmore Girls characters

Confectionery

Category

Random preview

How to encourage standard and centralized business processes in a smaller company? [closed]

closed as too broad by JakeGould, Dawny33, Lilienthalâ™¦, gnat, AndreiROM Jan 13 '16 at 15:23

closed as too broad by JakeGould, Dawny33, Lilienthalâ™¦, gnat, AndreiROM Jan 13 '16 at 15:23

closed as too broad by JakeGould, Dawny33, Lilienthalâ™¦, gnat, AndreiROM Jan 13 '16 at 15:23

closed as too broad by JakeGould, Dawny33, Lilienthalâ™¦, gnat, AndreiROM Jan 13 '16 at 15:23

2 Answers 2

2 Answers 2

2 Answers 2

Comments

Post a Comment

Popular posts from this blog

What does second last employer means? [closed]

List of Gilmore Girls characters

Confectionery

2 Answers
2

2 Answers
2

2 Answers
2