Friday, August 15, 2008

The Limits of Running IT Like a Business

I liked this CIO Magazine article by Chris Potts: The Limits of Running IT Like a Business:

A rallying call of corporate strategies for IT in recent years has been to run the IT department "like a business." When the technology-centric first generation of IT strategies reached a point of diminishing returns, this next stage was both inevitable and beneficial....

But with these benefits come pitfalls, especially if you take the IT-is-like-a-business approach to extremes. If you've tried managing an internal IT department as a bona fide business you already know that you can't take that very far, for the obvious reason that your IT department isn't a business. It is, after all, a part of a business: a significant contributor to a value chain, not a self-contained value chain of its own. And the harder you try to create a separate value chain for IT, the harder it becomes for the IT department to become integrated with the business of which it is truly part.

A strategy founded on running the IT department like a business will reach a natural point of diminishing returns, if it hasn't already. Innovative companies have moved to the next-generation strategy, in which the CIO's purpose is not necessarily to run a traditional IT department at all. Her primary role is to provide corporate leadership to business functions which are investing in and exploiting IT in the context of their business strategies and operating plans...

There's a world of difference between running the IT department "like" a business, and trying to run it "as" one. It's amazing how one word can fundamentally alter strategy. Running IT like a business means adopting a businesslike mindset, processes and financial disciplines. Running it as a business means competing for revenue and investment in an open market, and going bankrupt if you run out of cash to cover your liabilities.

What happens if a CIO attempts to run her department as a business? Colleagues in other departments will perceive that the IT department wants to be treated like a supplier. If the CIO's chosen business is primarily to be a provider of operational IT services, then that what is her "customers" expect her to concentrate on...

The IT department might find another pitfall if it tries too hard to run itself as a business. The company's business units will be reluctant to fund any material investment by IT in anything that looks like branding, marketing, selling or upgrading the management systems that support the IT department's own productivity. Why should they? One of the primary cost advantages of an internal department is that it doesn't require all the capabilities a real supplier needs to compete in the open market. So the CIO is caught. She has placed herself in competition with bona fide external suppliers but without access to the investment that they have in order to compete as an equal...


I liked this article because I see this "internal business" model everywhere, particularly when security projects must justify their "ROI". Ugh.

6 comments:

Gunnar said...

So if Enterprise IT Security is not a business, then what is it? A charity?

Richard Bejtlich said...

Hi Gunnar,

Did you read the article? The author probably can answer your question.

Gunnar said...

Yes I did, the author's conclusion was that CIOs get out of IT altogether and instead focus on strategy:

"Therefore the CIO is faced with developing the core capabilities outside of the IT department. As she is the executive leader of those capabilities, which means she may need to give up day-to-day control of IT service delivery and concentrate on corporate strategy."

The result of the CIO delegating day to day IT decisions to the business and focusing on strategy of course is that IT becomes more controlled by the business not less. In many cases this is not a bad idea.

The problem you are facing and anyone who works on enabling technologies is - who pays for the power plant? every one wants electricity, clean water, trash removal, and even network security monitoring, but you can't make the business case for one single project. It has to be made in a larger context, not a tactical single project view.

Richard Bejtlich said...

Hi Gunnar,

I think you just answered that question -- taxation.

Simon Finn said...

If you liked Chris' article, you should read his book, fruITion. I read this book 3 times, and it contains excellent messages about the new role of the CIO. He wrote it in a novel format with character development and a plot, so it really grabs your attention.

Anonymous said...

I agree with the article.

An internal IT department really is not a business in it's own right. It is a service center who's only goal is to support the business in which it resides.

It's only reason for existence is to enhance the success of the real business. It is NOT there to earn profit for its own sake. ROI for an IT department is as sensible as ROI for the cleaner or janitor.

On the flip-side, a business which neglects it's IT infrastructure is likely to run into problems just as if they neglect maintaining things like cleaning and building maintenance. An unsafe environment taken to the extreme can result in sick, even dead, staff and customers. Neglected IT infrastructure may not be as physically nasty but is likely to result in security and performance issues which can also damage a company.

We're a SERVICE and SUPPORT industry people!