I read an article on 37signals.com that posited the end of the IT department. The main thrust was that with cloud-based services like GMail and Google Docs, “servers” were no longer necessary. They implied that most people, and the technology they use, are more than capable of dealing with everyday problems. While I do agree that some IT departments are run on the archaic principle that The Keepers Of The Technology are the Overlords, and you should be grateful for whatever they deign to allow you to do, fewer and fewer are going that way. They aren’t the exception, yet, but it is slowly getting better. Here are the problems I see with trying to let everyone do their own thing, and assuming that everyone in the company can just take care of things themselves.
The first, and biggest, is security. It is hard enough to get technologists, like developers, to keep their local security on their own machines up to date, or even running. Lots (and I am guilty of this) will occasionally turn off the virus scanner to be able to get every ounce of performance from the machine “for just one test”, and then forget to turn it back on. A few minutes of surfing the wrong sites, and now their machine (and the ten machines around them) have at least one virus or bot installed, and your company’s security is compromised. I don’t expect a non-technical person to have to understand and perform the daily, weekly and monthly chores necessary to make sure their virus scanners, link scanners, e-mail scanners and firewalls are up-to-date. Again, it can be hard enough to get people who do know better to keep up with the work; it is even harder when the person in question is supposed to be doing something else, namely their actual job. Add on top of all this the need to make sure your users don’t open up holes in what is (hopefully) a carefully crafted and maintained network environment. “But it’s just a wireless basestation” is sometimes the explanation for an unsecured access point into your network, exposing your data (and potentially the company’s reason for being) to any and all who want to take a copy, and possibly delete it when they are done.
The second is stability of the entire ecosystem. A properly-run IT department gives their users enough leeway so that they can do their job and have some flexibility, but puts enough boundaries around the infrastructure to keep a single person from screwing it up for everyone. And these rules are in place to ensure that the corporation’s data is properly backed up (including off-site), and that the backups work. They are there to help with the “crap, I deleted the wrong file, can you get it from the backup for me?” requests. They make sure that one person or service doesn’t go and take up all the available bandwidth on the network, making it impossible for anyone else to get things done. They are there to make sure that a newly added device won’t take out the infrastructure that the entire company runs on. They also work immediately on problems that take out resources the company needs, like networks. Companies have already seen the risks in allowing 3rd parties to host critical infrastructure: when RIM has a server problem, Blackberries don’t work (and for some companies, that can be thousands or millions of dollars in lost business). While Google’s services are important, Google isn’t going to care that you can no longer provide customer support, or your corporation is basically dead in the water, when their GMail server has a hiccup or Google Docs is unavailable. Holding them responsible for a service you didn’t pay for gets to be very, very difficult.
The third is around the regulatory and legal environment. In the United States, under the laws for evidence and discovery, every corporation is required to keep a copy of their electronic records in a safe and secure location, going back several years, to be produced when required for any legal action or criminal investigation (and almost no one knows this, sadly). For Wall Street firms, the data has to be kept on write-once technology in a secure off-site location for at least 7 years (to comply with the SEC and New York state law) and the recommendation is to keep 8 years to allow for discovery. In some cases, that location has to be within the boundaries of the United States. Do you expect the receptionist, the folks in accounting or someone providing customer support to know this, and take the time necessary to make sure it occurs for their data? They have other things they are supposed to be doing, again their jobs.
Yes, there are draconian IT departments out there. They have to hoard what power they get, because in some environments, they will lose it if they don’t (or they believe they will, which is just as bad). But they are there for a reason, and it isn’t capricious. Just like there are locks on the doors, and larger companies have specific personal identification requirements (like badges), these people have a mandate to protect and maintain a valuable and limited resource: the network, servers and computers necessary to keep the company running. Sure, some small companies can easily be run without centralized IT. But there are some (primarily those in some kind of regulated environment) that cannot do that. There are others that, because of legal responsibilities to shareholders, simply cannot trust that everyone will just “do the right thing”. And to expect a non-technical person to truly understand the implications of using a product or service, and its impact on the stability and security of the corporate infrastructure, is simply irresponsible, bordering on reckless.