At many businesses, line-of-business managers and staff are making decisions to move mission-critical and often sensitive data to the cloud, and they're performing local installs without the knowledge of the IT department.
Let's set aside the fact that IT departments even tolerate this -- and make it possible by providing users with administrative rights and other IT privileges that should be closely guarded. The lack of application controls and data loss prevention systems, which would stop program installation and exporting and importing of data, compounds the problem. (These issues of unfettered data access and admin rights for users -- which they should never have -- will require an entirely different article.)
The fact that LOB managers are avoiding the IT department seems, at first blush, like a good thing for the business unit as well as for the solution providers and vendors selling to them. After all, who better to choose the tools than those who would use them, right?
For IT resellers, it seemingly doesn't get any better than to bypass those with the professional capacity to question the claims of vendors and to consider the impact of a solution. Bypassing IT often shortens implementation time and sometimes reduces initial capital outlay (though not always). It gives control of a project to the LOB group, and, overall, it makes the project easier.
Unfortunately, bypassing IT limits the discussion about risk. Vital IT services such as disaster recovery, compliance and security, for instance, require in-depth discussions and consideration by IT. A botched technology project generally must be cleaned up by IT.
Selling to the LOB manager is not a new phenomenon for my company. Over the past 32 years, our business has seldom originated with IT staffers. More than 95% of our business originates from a leadership-level relationship in the office of the owner/CEO/general manager and/or executive-level CFO/controller. In other cases, the relationship starts with LOB and executive IT leadership. Because we are usually engaged by executive teams, we must work to develop a relationship with those who operationally manage IT to help ensure success. We work to ensure that they have an opportunity to inform and advise (even where LOB groups are actively trying to avoid them) in the areas where they will be affected.
I have often heard it said that LOB managers in professions like healthcare, defense, manufacturing and law enforcement are more concerned about security and reliability than those in IT. In fact, I heard an analyst assert this on a healthcare technology webinar about a month ago. It was all I could do to not bite off my tongue. I don't think he could be more wrong.
My experience in working closely with IT in a broad spectrum of industries shows IT is far from perfect. IT staff members are not always trained, concerned or diligent about the issues of security, availability and the real cost of IT. But my experience also shows that their understanding and desire to protect information usually far outweighs that of LOB groups.
Unfortunately, IT has a hard time communicating with management in a language they understand. Many organizations' executives often blatantly disregard the IT staff and the issues they raise -- whether because of lack of budget, lack of understanding or sometimes even plain-old lack of concern. Whether it's cops on the beat, doctors and nurses in the trenches of healthcare, salespeople out in the field or accounting managers balancing the books, their primary goal is to get the resources they need when and where they need them.
Professional staff members require reliable and expeditious access to resources regardless of the method. Those on the ground, feeling the pressures of profitability and sometimes literally of life and death, are understandably more likely than IT to disregard issues of regulations, process, privacy and the like. This is not to say they don't care, but their primary pledge is, in the case of police officers, to protect and serve or, in the case of doctors and nurses, to save lives.
Where an LOB group locks IT out of the decision process, those decisions are being made by people who often rely not on experience and understanding, but on the highly unreliable and often disingenuous claims and assertions of the vendors. I cannot tell you how many times I have heard statements to the effect of, "But that's not what they told us when they pitched it" or "The salesperson assured us it was the right choice for us." (If you believe everything a vendor tells you, I have some property in Chernobyl to sell you.)
The analyst on the healthcare webinar plainly suggested that LOBs should go around IT, do the best they can (without the professional background required) to vet the services or product, attempt to pass liability to business associates and insure against losses. Wow! That is so wrong and willfully neglectful it's disturbing.
While this is a healthcare-specific example, where HIPAA and state regulations apply, many businesses are regulated by privacy, security and data integrity regulations such as Sarbanes-Oxley, the Gramm-Leach-Bliley Act and the Federal Information Security Management Act (FISMA) or government and industry standards such as Federal Information Processing Standards (FIPS) and PCI-DSS, just to name a few. They all have similar obligations and significant ramifications.
Let's review the implications of our analyst's assertion. Without IT pressing for security, LOBs almost invariably do not properly consider the most basic issues around compliance:
- Business continuity
- Disaster recovery
- Connection and device encryption
- Bandwidth consumption (which affects the entire company)
- Use of unique IDs and passwords
- Documentation of proper standard operating procedures
- Locking computers and mobile devices
- Policies for reporting a lost mobile device
- Separation of duties and documentation of changes (who changed what, and when)
The analyst in my example also failed to acknowledge that IT is the assigned security officer in the vast majority of environments. Under the regulations, about 80% of the security requirements and oversight responsibility fall under IT's purview.
The fact that LOB managers are making technology arrangements without running the plan by the risk managers, HR managers, IT infrastructure and security managers, disaster recovery and business continuity planners and those responsible for documentation is in my opinion willful neglect of basic business best practices and most regulations.
The LOB manager and the company are both guilty here. This scenario goes against the ethical spirit of the privacy and integrity obligations. I believe that, if there were a breach, the very act of going around IT for convenience would be grounds for stiff penalties arising from civil and criminal violations as well as lawsuits.
So, as you likely now see, what at first blush seems like a good idea really is not upon closer examination. In my next article, I will challenge the assertion that IT organizations can insure against their failures and that passing liability to business associates and subcontractors limits exposure to an acceptable level. Neither of these is true.
About the author:
Kevin McDonald is president of Noloki HealthCare I.T. and Compliance, a healthcare technology services firm in Irvine, Calif.