In his book Freakanomics, Steven D. Levitt asserts that “Incentives are the cornerstone of modern life. And understanding them—or, often, ferreting them out—is the key to solving just about any riddle, from violent crime to sports cheating to online dating”. It’s valuable for leaders to apply similar logic to the management of our IT systems. Let’s examine a few of the common relationships and stakeholders in the technology process, and how incentives may impact their suggestions. I will describe each stakeholder’s incentive in two areas —Scope of Success and Risk. The incentive of Scope of Success means, “What is this stakeholder’s primary view of success”? The Riskcategory will describe what could go wrong if incentives are not properly identified. Often, a prudent management team can evaluate the various incentives and scopes of success between stakeholders to better gauge IT risk and make more informed decisions.
In house System Administrators
Scope of Success
The first person or group of people a management team will approach about new technology is the internal IT staff, who is almost always the correct person with which to discuss technology changes. They are employed by the company and usually have the company’s best interest in mind. However System Admins have competing incentives, and a competing scope of success. On one hand, end users require access to systems and data to do their job. On the other hand, System Admins have an obligation to secure and protect data, which can hinder an end users’ ability to perform their work. An inverse relationship exists between end user acceptance and IT security. System Administrators balance this relationship on a daily basis. Therefore his primary scope of success could be to minimize the quantity of end users’ support calls by making access to data easier, thus reducing security controls. Or, the scope of success might be securing information at any cost, constraining end users from performing their job responsibilities efficiently and effectively.
In-house System Admins are very valuable to the success of a company. But they juggle a lot of different roles. Often, System Admins do not have the time or ability to become an expert on every piece of technology deployed, which could leave weaknesses in the configuration of your systems. Some System Admins can talk “over” decision makers by using technical lingo and leading to uninformed decisions by the governance owner. Always be cautious of these types of situations. Technology is like an investment portfolio—if you don’t understand it, don’t buy it.
Third Party Network/IT Vendors
Almost all Small to Medium Sized Business (SMB) have a relationship with a third party network vendor. This relationship is valuable to the SMB because they have access to in depth IT resources without having to pay for salary and benefits of a full time employee.
Scope of Success
Much like an in-house System Admin, third party vendors also must balance competing incentives. Their responsibility is to complete their service according to the scope of work. This usually means making a system operate with a positive response from the end user, sometimes to the impairment of security or availability. A successful install from the perspective of an IT Vendor is generally when end users don’t have any error messages and can perform their work.
IT Vendors are businesses too, and as such intend to grow their revenue (we at YHB are accountants and endorse revenue growth). Their scope of success includes generating new work, so they may try to upsell you into unnecessary products or services, or sell you more product than is necessary. I’m reminded of the recent Farmers Insurance commercial here. Don’t pay for the Ferrari when you only need the Kia. Obviously not all IT Vendors do this, but it may be helpful to evaluate them on a case by case basis.
Many IT Vendors partner with hardware or software providers like Microsoft, Citrix, VMWare, etc. This certainly demonstrates their depth of knowledge of certain products. But if your SMB is working with an IT Vendor to solve a problem, they may use the tools in their toolbox when another less expensive solution could work better.
Another consideration with IT Vendors is that they handle multiple clients and may take steps to make that process easier. For example, a network vendor may use a predefined password or password creation scheme across multiple clients which could create a risk to your systems.
Next newsletter we will continue our evaluation of incentives of IT stakeholders with Consultants (Non-IT Auditors) and IT Auditors. That’s right; we’re going to put ourselves under the same microscope as the others. As decision makers, it’s important that you are aware of why a stakeholder may be suggesting a solution or recommendation. Use all of the resources at your disposal to properly scrutinize an idea, recommendation or solution and gain a better perspective on your technology.