The Cranky Admin

The Marks of a Successful Enterprise IT Team

It requires a proper needs assessment at its base.

• By Trevor Pott
• 11/21/2017

The government of Canada has had some spectacular IT disasters of late. The most famous was the botched payroll rollout that left 80,000 government employees without pay; a problem that has dragged on for over nine months. The government's response is a public declaration they will implement enterprise IT concepts. Should other Canadian businesses be considering the same thing?

The entire discussion is shot through with bias and misinformation right from the start. The term "enterprise IT" means completely different things to different people. The most prominent IT practitioners endlessly debate exactly what qualifies as enterprise IT. Vendors will tell you that whatever it is they sell at their top price point is "enterprise."

There are entire philosophies about how to merge business management approaches with IT, application development, manufacturing and other business domains. Information Technology Infrastructure Library (ITIL), agile, DevOps and more are frequently bandied about here. Business owners and shareholders, on the other hand, just want to know how to get the perceived benefits of better security and lower costs that enterprises are presumed to enjoy.

There is one -- and only one -- secret that successful IT teams have learned which escapes their less experienced brethren: the absolute doctrine of needs assessment.

Different Strokes
The most dangerous possible concept for any organization is management by trade magazine. Marketing buzzwords are easy to regurgitate, and when a charismatic speaker gets on stage at a conference to tell you they've transformed their business by using the latest trend in IT, it's very tempting to believe the same will apply to you.

The truth is that IT is not -- nor will it ever be -- a one-size-fits-all solution. Public cloud may be the answer for one business, with a particular mix of people, a given risk appetite and a specific amount of capital. Their competitor two blocks over, however, may be owned and operated by a completely different group of people with different circumstances; to them, owning physical assets they can sweat through the bust times is critical.

Successful IT teams, which includes many enterprise IT teams, understand this. This is why you almost never find an enterprise with a homogenous IT apparatus. Many will be running legacy applications written 40 years ago on mainframes right next to their hyper-converged, hybrid cloud solutions.

What's also worth bearing in mind are the number of catastrophic data breaches that enterprise and large government IT teams around the world, from Sony to Yahoo to the Office of Personnel Management of the United States, have suffered.

Successful IT is IT that fits the needs of the organization. And unlike what a lot of vendors will tell you, in IT you don't get what you pay for. Properly-implemented, low-cost IT accurately matched to the needs of an organization is far better than expensive IT that doesn't do what's needed.

Security
The one place enterprises do better than anyone else is security. Yes, enterprises are breached all the time, but they are also successfully warding off billions of attacks every year. Enterprise IT teams realized long ago that the eggshell security model was dead.

Eggshell security is based on the idea that threats are going to come from "hackers" attacking from outside the organization. Security investments then focus on creating a strong perimeter. You'll know people are talking about perimeter security when they are talking about firewalls, a DMZ, intrusion detection and proxies. 

We've known since the 1990s that eggshell security is hopelessly inadequate. Despite this, the majority of businesses -- and even government organizations -- still rely on this security model. During the 1990s, as Internet access became more widespread, enterprises started to move toward layered security: a series of perimeters isolating different segments of their networks from one another. It was a good start, but it wasn't enough.

Virtually everything -- sometimes including our lightbulbs -- has Internet access in today's businesses. We use cloud computing, placing critical applications outside our organizations. This means we need to refocus on a concept known as perimeterless IT: each and every system and application needs to be individually defended.

Automate Incident Response
Another security concept adopted by successful enterprises but rejected by everyone else is the truth that no network is impenetrable. All of our networks -- personal, corporate and governmental -- will eventually be compromised. While attempting to keep out invaders is important, detection of compromise is arguably more important, as it ideally not only detects external compromises, but compromises from internal threats as well.

Detecting compromise is only useful if plans exist to deal with compromise. This is known as incident response. Where formal incident response plans exist, they can be automated. The future of security for successful organizations, then, rests in a concept called automated incident response: try your best to keep out the bad guys, but make absolutely sure that if you fail you can detect that something wrong has occurred and have computers automatically trigger a lock-down when the bad guys win one.

No one product will make you successful or secure. Buying what the other guy buys isn't going to make you a winner. To succeed at IT -- to think like a successful enterprise IT team -- you need to do the hard work of finding out what your needs and limitations are and then finding the right solutions to fill the gaps.