10 questions every IT department should be able to answer
Steve Cassidy raises the awkward questions that can help you better manage your IT services
1 What’s the RoI on that?
Businesses exist to make money. Everything you do should be broadly aligned with that goal, and the same goes particularly for everything you spend money on. As you’re doubtless aware, return on investment – RoI to MBA types – is the notion that any given bit of kit, or service, ought to make a measurable contribution to the revenue-earning ability of the business.
While coming up with a precise number may be tricky, it’s easy to recognise RoI in things such as vans, buildings or manufacturing-specific lumps of metal. It’s a lot less easy with a laptop, which is very likely running the same software as machines 10% cheaper and ones 50% more expensive.
Expecting your IT team to fully price up its asset list and tell you how it contributes to the bottom line is a tough ask. Most IT teams know a lot about systems, but only a little bit about how exactly your business extracts value from them. Working out an RoI requires a deep understanding of not just the key driving factors in a business, but the practicalities of how users interact with the technology.
2 It’s cool, but is it green?
Greenness is a bit like RoI: it’s not a convenient single number, more a tendency that emerges from a set of attributes. Most IT departments have a power-consumption rule for their local servers, a different one for their cloud assets and that’s normally about it. But how an item is used and how much power it consumes is only the start of the calculation: environmental considerations run through every decision you make.
PC Pro’s own publisher has taken all sorts of steps to give the magazine you hold in your hands strong green credentials. The paper is bought from sustainable sources, it’s printed with non-toxic ink and the finished product is shipped to a schedule that doesn’t generate unnecessary extra journeys for the logistics people.
Clearly, this goes way beyond IT management; indeed, taking a lead on issues such as recyclability, right to repair and user-choosers might well put you at odds with the IT culture and objectives. Don’t blame the techies for this – helping them to contribute to a green score that’s mostly compiled by the actual business will deliver a far more accurate assessment.
3 Can you demonstrate your business continuity plan?
Everyone understands the importance of having a disaster recovery plan – but a plan is worthless if it doesn’t pan out in practice. It’s understandable that few businesses are willing to inflict upon themselves the disruption of a simulated outage, but if you put it off forever then you won’t discover any fatal flaws in your strategy until you’re already mired in genuine chaos and it’s too late to change course.
We should also stop thinking about business continuity as a single “plan” because different scenarios need different responses. There’s no point switching to a backup internet line if the actual problem is that your ecommerce platform has been compromised. On 7 July 2005, I was giving a presentation to a bank in London as news came in of the terrorist attacks; the company had a plan for relocating its operations, but it didn’t take into account the scenario of the entire public transport network being shut down.
Of course, the Covid-19 pandemic has provided a recent and universal illustration of how assumptions that seem reasonable during an ordinary working day can be turned upside down, so you may find that your IT team is already battle-hardened.
4 Who actually has our files?
It’s very easy for brands to develop on the cloud, while the actual resource provider melts into the background. Everyone’s heard of Netflix, but it’s a rare and nerdy fan who knows that Netflix is on Amazon’s cloud service.
Inside your own business, the details about exactly what is being hosted where, and under what terms, probably won’t be known to everyone. But there are plenty of situations in which that information could be crucial to your business. And it’s not just about being ready for disasters or big moves: there may be analytics and security monitoring tools that you can take advantage of, if you know where to look.
Unlike some of our other questions, this is information that most IT types should know and will be happy to share. But that doesn’t mean you should leave the issue safely in their hands: a company-wide cloud audit might reveal that certain departments wish they could use cloud services, or are already unofficially using them. Pricing packages frequently change too, and you may find that your rollover services stopped matching your needs long ago. When exploring this type of question, I like to requisition a whiteboard and a plentiful supply of brightly coloured pens.
5 Of all our IT suppliers, which ones should we review first?
The internet is a complicated thing, but it’s not as complicated as the web of obligation that ties together hardware vendors, communications businesses, national suppliers and your humble local IT team.
If you ask this question of everyone in the company, you’ll probably get a diverse set of answers, which may only hint at the real truth. Quite a number of IT managers treat their relationships with suppliers as a closely guarded, professional secret; that doesn’t mean they’re getting backhanders, but they might be dependent on mentors and experts outside of your business. Restrictive purchasing agreements are also part and parcel of the IT job function.
Still, a lot of contracts in IT can be disputed or broken; it helps that many US vendors seem to think that nominating a particular US state for legal action holds sway in foreign markets. More difficult and annoying are relationships in sectors like telecommunications – migrating a PBX is not something to take lightly, although that doesn’t mean it’s not the right thing to do.
6 If I told you to cut off our internet connection due to ransomware, would you do it?
This is a trick question, really: cutting the connection won’t solve the problem, and whenever you think you’re ready to get back online, the ransomware distributors will still be out there.
It’s worth thinking about, though, because as soon as a ransomware attack hits inside your network, whoever’s on the ground needs to respond instantly to minimise the damage. For the record, taking your servers offline is more sensible than taking your router offline.
It’s not just about the decision-makers, though. When you talk to frontline IT staff, you find that few of them have much experience with ransomware. What they do know is that a bad move in a ransom situation can make things much worse, which could lead to paralysis. It’s worth making clear to them that everyone needs to help out when the penny drops. Hiding away out of an excess of caution just makes it less likely you’ll have an employer to come back to, once the sorry tale has played out.
7 How many administrative backdoors do we have – and where is the list of accounts and passwords?
Back when every business ran its own local SQL server, it went without saying that the central database would have an administrative backdoor. This was the standard way to allow the database vendor to provide support and bug fixes.
Many vendors and businesses still work this way, but the practice has become controversial. One argument is that you shouldn’t be using administrator access or accounts at all: the security reasons are obvious, and have only become more urgent in the internet age. And since every business is now online, the other argument is that running your own database is unnecessary: databases and business functions can be served up over the internet and you need never worry about maintenance at all.
Still, IT teams like to know that, in case of need, they can quickly get into the guts of a database or other service.
Even if you’re using entirely hosted services, superuser accounts may exist for emergencies. It’s important that your IT team understands the risks associated with such loopholes – and if you decide it’s worth keeping them open, you should make sure that access is properly managed.
8 How much of our IT estate is unreachable from a Mac, iPad – or a phone?
The days of the standardised corporate laptop are over. Whether they’re putting in a spot of weekend overtime, working from home or bringing their own devices into the office, it’s a fact of life that employees use personal devices for work.
This shouldn’t be a problem if your developers have been appropriately agnostic about design and standards, but there’s still a tendency to test functions and services on a Windows laptop and not to worry too much about other platforms.
It’s important to press your IT team to identify any business tool or service that doesn’t work across the full spread of devices and OSes that your staff could conceivably be using. This isn’t just about accommodating user preferences – it’s about cyber-resilience and knowing that, in the event of a crisis, it will always be possible to get in and keep the company ticking over using whatever technology is to hand.
9 How reliable and secure is our at-home workforce?
There’s no such thing as 100% uptime and that most definitely applies to homeworkers. There might be a week or two in which everybody’s happily Zooming away without a hitch, but then you’ll see a matching time period in which half of them can’t connect and the other half can’t hear one another.
During the pandemic, some IT departments sought to address this by buying a vanload of cheap, identical laptops and then distributing them amongst the workers, but as time goes on support issues will still arise – not to mention the vagaries of domestic broadband connections, and the increased risk of malware and other attacks outside of a managed corporate network.
There’s no single, simple solution to the challenges of supporting homeworkers, but knowing what’s out there means you can identify potential pain points and make informed plans. Waiting for a support call to come in before discovering what’s really happening in the outside world was painful enough even before the pandemic.
10 How many outsourced staff have our password and remote-access data?
For many businesses, it makes sense to use contracted IT services rather than taking on their own full-time staff. With the best will in the world, this raises questions of data security and accountability.
Naturally, outsourced staff need operational information and access to do their jobs. You might assume that this would mostly apply to things such as cloud-based machine backups, rather than individual customer transactions. However, in practice, I’ve been surprised by how many outsourced IT people seem to bite their lips over a question like this.
I don’t mean to slur perfectly honest workers. Most likely it’s simply not something they have thought about, while they have been focused on doing a good job for you. But this isn’t just about whether you can trust your workers: there are implications, notably under GDPR, that you need to be on top of. The outsourcer contract may not directly address regulatory demands, but as the Brexit situation develops, it seems likely that consumer rights, foreign and domestic, will only get more restrictive. That’s something you need to get ahead of before someone’s data pops up somewhere unexpected.