If you think about it rationally, technology’s little more than a bunch of risks.
I mean, think about the average IT project. You pump a whole load of money into changing something that works *reasonably* well today, in the hope that it will work incrementally better tomorrow, with little guarantee of success.
Problem is that humans are lazy by nature – and will move heaven and earth to find an easier, less labor-intensive way to get stuff done. They’re also inquisitive by nature, and will go to great lengths to make their own existences that little bit more interesting. For example, being a self-confessed geek, I will gladly spend 4 hours writing an Excel macro that will save me 2 hours in copying and pasting – *and* I’ll be able to justify that to myself as time well spent.
We’re hopelessly optimistic too – there are a few technological breakthroughs that have made our lives immeasurably better. I’m thinking the PC, e-mail, the iPod, and the bread maker here. Most other technology projects aren’t quite so spectacular – and we rarely consider the downsides new technologies can bring. For example, my local supermarket recently had to resort to looking at and estimating the value of each shopping cart full of groceries when their fancy point of sale system went South.
So, we need to find a good way to save ourselves - and that’s where GRC comes in. When we set goals, evaluate risks and create rules in the cold light of day, we become much less likely to get drawn into expensive folly. However, it’s not enough to go through these academic activities when the mood takes us…as I said in the last post, we need to:
1. Have a policy that reflects our goals and make sure people know about it
2. Have a way to carry out the policy
3. Have a way to make sure the policy is being carried out
4. Have a way to find out how well the policy is working
5. Have a way to deal with the times the policy’s not being effective.
Across IT we need to make sure that we’re not doing things like spending time on a wonderful new Enterprise Service Bus when we have no real need for it, but at the same time have no DR plan for our website where 90% of our orders come in. Or flouting US Federal laws by not considering our visually impaired customers when we implement our new whizz-bang online ordering system (there are more reasons than just regulations why that’s a bad idea but we’ll come to those in a later post).
Also, we need to make sure we’re spending the right proportion of our budget on security – too little and we’re placing our company at risk of falling foul of the auditors, or being embarrassed in the Sunday papers. Too much, and we end up either simply throwing away money, or stopping the company adapting to change.
Archer helps our customers establish those goals and rules across IT in the cold light of day – from portfolio management to business continuity – and keep track of them as risks and business requirements change. Archer also helps customers define processes for dealing with the times when things go astray, whether the reason behind that issue is security related or from elsewhere in the IT environment.