Do you really know what your IT department is doing?

How do you know that the decisions your information-technology (IT) department makes and actions it takes are in the best interest of your business. Are you often uncomfortable with answers you get from your IT staff, or not quite sure you buy into what they are telling you and feel there might be a better way to do something? 

Do you often wonder if your company’s critical data is being backed up or if you could recover in the event of a disaster or interruption to your operation? Is the IT department left to its own devices — or in other words, do you lack checks and balances that can validate what is done and how? 

If you answered yes to any of the above questions, it’s a good idea to take action now and assess your systems and network so you can be in control.

Over the past 15 years, IT assessments have by far been our most popular engagement. It’s often the first service provided in a new client relationship, whether it is to begin an outsourcing arrangement or to provide a health check on the network and its associated systems. It is the quickest way for an organization to gauge the state of its IT environment and find problems that need to be addressed. 

As a business owner and IT professional, the findings in these conducted assessments are very concerning, leaving me compelled to write this article and stress the need for business owners and senior management to take the initiative and learn what is really going on within their IT departments. Ultimately, you are responsible.

Most small- to medium-sized businesses today require the same IT capability in as larger companies. However, many smaller companies often don’t have a sufficient budget to support the required IT infrastructure. This often leads to a homegrown IT department (an employee assigned from within the company) or hiring individuals without the proper training and experience. Sound familiar? As your business evolves, the number of applications and business processes that rely on IT increase and require a more complex IT infrastructure. This puts an even greater strain on the IT staff that may not have been qualified and trained for the job in the first place.

Signs to watch 

There are some warnings signs to look out for in your IT systems. The two types of trouble spots most likely encountered are glaring performance issues and others that are not so glaring — what I would refer to as subtle or passive aggressive.

Glaring signs will be evident in every day performance of the IT systems and you will notice things such as slow or unavailable applications, quirky workarounds, and intermittent performance with simpler applications such as printing and email. You may also notice that seemingly simple administrative tasks are taking a long time, such as setting up a share on the server and granting access for a group of end-users. 

Other signs will be more subtle and you have to learn to trust your instincts — it’s not in your head. Acting on your suspicions will likely be the single smartest IT move you make.

Be observant about the lack of documentation and short answers with no detail or back up from your IT people. Also, pay attention to IT staffers who are defensive or cut you off, take a long time to get back to you with answers, are generally evasive or avoid certain matters, and make you feel as if a problem or situation is too complicated for you to understand. If you pick up on any of these signs, there is most likely a deeper underlying issue. 

One last sign that is the most dangerous is when you have an IT person who can elaborate in detail about something, but it still doesn’t make sense to you. In those situations, the IT person may very well believe what he or she is telling you is the case but it just doesn’t make sense to you. Always make certain to pursue the situation until you fully understand it.

What we typically find

In greater than 80 percent of our assessment engagements, we find inadequate IT practices and the majority of these companies are unaware of the problem. Our experience has been that some know and just don’t want to deal with it until something happens. For the majority, they have left the IT staff to their own devices, meaning they have not put in place any type of control framework that would promote best practices and provide a means of checks and balances. 

We typically find inadequate or ineffective backup strategies, no business continuity / disaster recovery plan, lax security measures, absence of industry-accepted best practices, and inconsistent procedures. This means that the IT staff is usually in over their heads and flying by the seat of their pants — or in react mode. 

Why are they operating like this? Many tell us that there isn’t enough time and that they don’t have enough resources. Others tell us that what they are doing has always worked and that they never had a problem, so why change. 

But, the number one most concerning response we get is pure arrogance, meaning the IT personnel believe that they know best despite the results of an assessment that provides tangible evidence of problems. Those are usually the ones who are not adequately trained and have developed their own methodologies over the years and now, they believe that there is nothing wrong with what they are doing. We refer to this as baggage. This type of response is by far the most dangerous to your business.

What can you do about it?

The best way to uncover what is really going on within your IT department is to have an assessment conducted by a reputable IT consulting firm. This assessment should be a technical review of your IT network and systems. It is important that you request an assessment and not an audit. Although the assessment will typically look for evidence of controls and adherence to a set of specifications or control framework, it should be a valuation of practices and not an audit from a security-risk perspective. The main objective should be to provide you with a professional opinion and insight on the technical soundness of your IT environment from the perspective of conventional practices utilized in the industry.

If you have a feeling of uncertainty about your company’s IT practices, trust your instincts and act on them. The biggest mistake you as an equity stake holder or senior manager in the company can make is to do nothing. Don’t put it off — you owe it to yourself and your company to take control.

Mike Polce is president and principal consultant with M. A. Polce Consulting. The IT-consulting firm is headquartered in Rome and also has an office in Syracuse. Contact Polce at mike@mapolce.com