After analyzing the three areas of pain, we started looking for common patterns and root causes that led to the preservation of the status quo in the low performers, despite the clear promise of alleviating the pain through achieving the characteristics of the high performers. We identified five initial root causes:

1. The absence of an explicit articulation of current state and desired state: Management concludes that the current state, along with all of the companion pains, is tolerable. These organizations may articulate a litany of pains and frustrations, but in the absence of being able to quantify the pain, may decide that it probably does not hurt enough yet to warrant any corrective action, or don’t know what corrective action to take. This may be because of a sincere belief that the pain is not high enough yet, or it may be due to the next root cause.
2. A culturally embedded belief that control is not possible: Management may not know that there is an alternative, believing that control is not possible
• due to the nature of IT and security (“IT operational and security issues are like the weather. There is nothing we can do about it and bad things happen to us, just like rain or hurricanes.”)
• due to business needs (“My business environment is too dynamic to accommodate bureaucratic processes or controls.”)
• as a result of a deliberate, or even unintentional, abdication of responsibility.
3. Rewards/reinforcements for personal heroics vs. repeatable, predictable discipline: There may be a cultural norm or a reward system (explicit or implicit) that encourages personal heroics. For instance, one person works throughout the night for an entire weekend fighting a fire and gets rewarded as the hero who saved the day. What is overlooked is that if one person can save the entire boat, one person can probably sink it too. In these organizations, implementing effective processes and controls may be resisted or actively rejected as too bureaucratic, almost as an immune system would resist an unknown and foreign object.
4. Continued argument that IT operations and security are different from other business investments or projects: Because of their technologically complex nature, IT and security are often not subjected to the same rigorous performance measures that demonstrate their value to the business as other business units. IT often operates as an insular stovepipe, often with a separate security stovepipe within it, to perpetuate this ‘difference’ claim, holding the organization hostage and at arm’s length. When IT and security do not have defined roles where they are collectively solving common business objectives with partnering business units, and where they are required to demonstrate business value, blame games and finger pointing for failures can ensue and drain precious resources and management attention.
5. A desire for a technical solution, which is easier to justify and implement than people and process improvements: Because of their background and experience, IT management values automation and technology (exciting) over repeatable processes and controls (boring and bureaucratic). In the absence of defined, implemented processes and controls, the deployment of new security technology solutions takes precedence. This can result in the unintended consequence of automatically performing devastating, irreversible IT operational changes in mere seconds, resulting in potentially increasing amounts of unplanned work. Combined with the previous root causes, this factor perpetuates the continuing chaos.