IT Management Fundamentals
IT Management is critical to IT success. Join the Community IT President and CEO as he reviews the fundamental functions needed to successfully manage IT.
Because of the pace of innovation in technology and in nonprofit technology specifically, and the “new shiny object” syndrome that can occur, there’s a tendency to focus on the technology itself and what it can do for your organization. Don’t forget about the importance of managing that technology effectively!
Without proper IT management at your nonprofit, IT can NOT be successful.
Without management you will find:
- Unsolved problems
- Unused solutions
- Frustrated staff
- Failed projects
- Missing information
- Costly mistakes
While there are bad technology solutions and, especially in the nonprofit sphere, inappropriate technology solutions, in the view of Community IT almost all technology failures can be traced to management mis-steps – whether in assessing the business goals, selection, implementation, or maintenance.
Join CEO Johan Hammerstrom in an engaging and frank presentation on the basics of IT management fundamentals and how you can create leadership teams and systems that can maximize your IT return on investment.
This webinar is appropriate for nonprofit executives, managers, accounting, development, and nonprofit IT personnel – and as with all our webinars, it is appropriate for a varied audience.
Community IT is proudly vendor-agnostic and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.
President and CEO Johan Hammerstrom has always been interested in using technology as a force for good that can improve our world. In college, he pursued this interest through science, first studying Chemistry, Physics and Biology at Stanford University, graduating with Honors with a BS in Chemistry. He then studied Biophysics at Johns Hopkins University and received a Masters Degree.
The time spent in Baltimore convinced Johan that there were more pressing and immediate problems that technology could and should be used to address. He pursued a career in Information Technology, with the express goal of improving our communities and our world. He started at Community IT in 1999 as a Network Administrator. Since that time, Johan has been a Network Engineer, a Team Lead, the Director of Services, Vice President of Services, Chief Operating Officer, and beginning July 2015 President and CEO. Working directly with over 200 nonprofit organizations, to help them plan around and use technology to accomplish their missions, has been one of the most positive and rewarding experiences of his life. He always enjoys talking about IT management fundamentals and how the nonprofit world can do IT better to better achieve their missions.
Johan Hammerstrom: Thank you for joining us for today’s webinar on IT Management Fundamentals.
My name is Johan Hammerstrom. And I’m the President and CEO of Community IT and the moderator for this series. And I’m also going to be the presenter for today’s webinar.
Before we begin, I’d like to tell you a little bit more about our company. Community IT is a 100% employee-owned company. Our team of nearly 40 staff is dedicated to helping non-profit organizations advance their missions, through the effective use of technology. We’re technology experts, and we have been consistently named a top 200 North American Managed Service Provider by MSPmentor, an honor that we received again last year, in 2017.
Thank you so much for joining us today, let me get right into it. And I’m really looking forward to reviewing IT Management Fundamentals with you all.
IT Management Essential for Successful IT
Because of the pace of innovation and technology, and because of the “shiny new technology syndrome” that’s often occurring in IT, there’s a tendency to focus on the technology itself, and forget about the importance of managing that technology effectively.
I believe that most people would agree with me when I say that without proper IT management, IT cannot be successful. And we’re all too familiar, I think everyone on this webinar is familiar with all of the things that happen when you don’t have effective IT management.
I’d like to run through a couple of those and just see if any of these sound familiar to you. And you can use the chat feature to send me any of your own sort of thoughts on the sorts of things that happen when IT isn’t managed properly.
- Unsolved problems, staff have IT problems that never seem to get solved, I believe that can be traced back to a lack of proper IT management.
- Unused solutions, IT solutions that have been purchased, but may not have ever been deployed or they’ve been deployed, but they’re not being used by the staff, if that happens it’s generally the result of a lack of IT management.
- Frustrated staff in an organization where the staff are constantly frustrated and unhappy with their IT. In general, the main culprit is a lack of IT management.
- Failed projects, often people will pursue IT projects that ended up not being successful, either they don’t achieve the objectives that they were set out to achieve. They never get completed. That can happen with IT projects, they run well over budget, they do not achieve the original scope of the project.
Those are all things that happen when you don’t have proper IT management.
- Information goes missing either through the attack of a crypto virus that renders all of your files inaccessible, or through a hacking event. Hardware fails and you don’t have the ability to restore the information that is lost. There are a variety of different ways in which that can happen. But again, if your information is missing, you’re losing a valuable asset. And it can be traced back to a lack of proper IT management.
- And then costly mistakes and things can happen that end up costing the organization a lot more than they would have if they’d invested in IT properly in the first place.
So there’s probably other examples you can think of. And again, I encourage you to chat those in if you have any in mind. But it turns out that most of the failures that we encounter with IT are, in my view, the result of ineffective management.
Now there are bad technology solutions. It’s true, and there are inappropriate technology solutions. But in general, it’s more common for there to be inappropriate solutions that are poorly implemented and improperly supported. And it kind of requires all of those elements for things to fail. And that again can be traced back to poor or lack of IT management. And yet, despite the central importance of IT management, it doesn’t always receive the proper attention.
In fact, as I was preparing for this webinar today, I went back and looked over our library of webinars. We’ve been doing webinars since 2012. So we have 60 plus cataloged on our website, and actually I had to go back two years to July. It was exactly two years ago, July of 2016 that we last had a webinar that really focused on an IT management topic. And that was building an effective non-profit IT department. So even though I’m a firm believer in the importance of IT management, we haven’t done a webinar on this topic in two years.
It’s kind of the vegetables of IT in some ways, especially when compared with shiny new technology. It’s not always popular, but it is essential. I just want to offer my kudos to all of you who are joining us today. I think there’s a clear business case for focusing on IT management.
Without [management], IT solutions
- won’t function properly, they’ll
- fail to deliver business value, and ultimately, they’ll
- fail to deliver or provide a return on investment. And IT solutions can be expensive, they can end up being a significant portion of an organization’s budget. And so it’s really important that they be implemented in a way that really delivers a return on investment.
How do we think about IT management? And actually, there are a wide range of frameworks for thinking about IT management and they all involve an alphabet soup of different approaches.
There’s COBIT, which is Controls for Business IT, Microsoft Operations Framework, which has been around for a long time. People even tried to apply manufacturing methodologies, such as Six Sigma or Lean IT Management.
By far the most popular is a framework called ITIL. And that’s something that we practice here at Community IT and it can be very effective. But all of these are essentially a set of methodologies that you can follow.
Before we get into that, what I’d really like to talk about is a concept of what makes an organization or defines the organization’s capacity to manage IT effectively.
And the model that I keep returning to and that I’ve found really useful is Gartner’s Infrastructure and Operations Maturity Model.
Many of you are probably familiar with maturity models; they’re fairly common, particularly in IT. Maturity models define the maturity level of an organization.
And in this case, this particular maturity model defines how well that organization is delivering IT services to the rest of the business. It’s rating the maturity of the IT department as it relates to the rest of the business.
Gartner Maturity Model
As with most maturity models, zero is the worst and five is the best.
Zero is survival. So if you’re at a zero-maturity level, you’re just barely surviving; you’re constantly putting out fires. And there’s no proactive approach to implementing or managing IT solutions. And there’s no alignment between IT and the rest of the organization.
Maturity level one is awareness, where there’s some understanding that there’s a problem. But there’s really no committed effort to solving that problem.
Maturity level two is that there are committed steps being taken, the organization is committed to improving its IT maturity, but it hasn’t yet put into place standard processes or practices. It may not have yet implemented an organizational structure that can effectively deliver IT services.
Three is the proactive level. That’s the point at which a proactive approach to IT is finally being taken. That can include things like an annual IT plan, IT budget, proactive maintenance of technology solutions all fall into the proactive maturity level.
The next level is where the services that are being delivered are aligned with the business needs of the organization. And so the organization’s business, in the case of non-profits, the mission requirements that the organization has are being effectively communicated to the IT department and the IT department is keeping those in mind and trying to meet those business needs in the solutions and services that it’s delivering.
And then finally, the top business level or maturity level is business partnership, and that’s where IT is seen as an equal stakeholder with the rest of the organization. And so, the strategic planning of the organization involves IT on an integral level. The senior leadership of IT is considered to be also the senior leadership of the organization as a whole and IT is an integral value add for the work that the organization is doing.
One of the things that’s important to note about the maturity model is that it is a process. And you don’t just go straight from survival to business partnership. And I think a lot of organizations that want their IT to be more effective may be down at level one, and they want to be at level five. And they’re frustrated that they’re not at level five. And I think it’s important to remember that it requires a process to go from level one to level five. You really have to implement good management. You have to implement standardized processes.
I’ve actually found it useful to map this maturity model with two axes.
And those would be the management capability of IT, and the business alignment of IT. So if you have very low business alignment, and very low management capability, you’re going to be down at maturity level zero or one. And as you move up in the maturity levels, your management capability is increasing dramatically. And the business alignment of IT with the business needs of the organization is also increasing dramatically.
Those two factors can help us define the various organizational approaches to IT that you often find in the non-profit sector. And we can take those two factors. And look at them in a slightly different way, in this quadrant.
You’ve got on one axis business aligned, non-aligned, on the other axis unmanaged and managed.
And so organizations that have low management capability, they’re down in that lower left hand axis, and are not aligned with the business needs are essentially in a dysfunctional situation.
If you’re in a situation where IT is just dysfunctional, chances are it’s not being managed properly. And the services that are being delivered by the IT function, whether it’s a department or just an individual, or an outsourced provider, those services are not aligned with the business needs of the organization. That’s a dangerous place to be because it just leads to a lot of frustration, and frankly, it leads to a lot of wasted resources.
Now you can start to manage your IT a little bit more effectively, and still not be completely aligned with the business. And in that scenario, IT is seen as a cost center. So those are organizations that have management capacity, that are starting to manage their IT more effectively. But they’ve not necessarily aligned IT solutions or services with the business needs of the organization.
And in those situations, it’s natural, they’re going to view IT as a cost center. It’s a necessary evil that demands some level of expense. Frankly, let’s be honest, in this day and age, you have to have a computer to work, to survive. You have to be able to send and receive email, create documents, and so forth. So it’s a necessary evil that demands some expense. But it’s not really seen as an investment that’s expected to provide some kind of return for the organization.
The best situation occurs when IT solutions are both aligned with business needs, and are also well managed.
In that scenario, IT is seen as creating value for the rest of the organization. And that’s a really mutually beneficial situation, both for the organization and for the IT department, the group or the person that’s responsible for IT. They’re seen as creating value for the rest of the organization, which for us IT folks is just a wonderful situation to be in.
It’s important to note that as you move to the upper third quadrant, this creating value quadrant, the value of the investment also grows. So dysfunctional organizations may spend less on IT, their total IT spend may be less than business aligned and well managed organizations. But they also have the lowest level of return on their investment, because they’re not getting any value from their IT.
And this concept can be particularly challenging for non-profit organizations, because non-profits tend to have pretty strict limits on their ability to generate revenue. And so they’re by their nature in a cost control situation. And the return on investment tends to be measured more in the form of social benefit, or mission terms rather than in financial terms.
And so it sometimes can be hard to create a business case for IT investment, because oftentimes creating value doesn’t take the form of a financial investment. So the cost benefit analysis can be a little bit more challenging, but still a case can be made and organizations with higher levels of IT maturity tend to be more effective in accomplishing their goals and achieving their mission, which is really the primary objective of both the non-profit board as well as the senior leadership of the non-profit.
The IT department, or the IT function really needs to make a case that investing properly in IT will help the organization achieve its mission goals more effectively. And that’s how value is really being created in the non-profit context. And if that case can be made, then it’s possible to recruit the governance of the organization into a position of fostering improved IT maturity.
And in fact, in my experience, the only entity that can really move an organization from the lower left hand quadrant (dysfunction) to the upper right hand quadrant (create value) is governance. Without governance an organization might be able to find a good manager, but the most she or he can hope for is to be seen as an effective cost center for the organization.
The business alignment part really requires involved governance and oversight of IT. So I want to take a few minutes just to talk about that word, because that can be kind of a scary word. And people, their eyes can glaze over, or you can immediately think of a 30-page document of bylaws. And that’s not at all what I’m talking about.
I’m really talking about governance as a relationship between IT and the rest of the organization.
The basic purpose and role of governance is to hold IT accountable for creating business value for the rest of the organization.
If governance is absent, some of the things you might hear are, “Well, there’s no buy-in. I’m not getting any buy-in for IT at this organization. There’s no executive support.” Those are kind of colloquial expressions that reflect an absence of effective IT governance.
The role of governance is to hold IT accountable for creating business value for the rest of the organization. So I want you to just think about that for a second. Is that the case in your organization? Is there someone outside of IT who holds a senior level in the organization that’s holding IT accountable for creating business value for the rest of the organization, because if that’s not happening, then it’s very unlikely that the organization can move up to the quadrant of creating value.
So who’s supposed to do this? You might be asking.
Generally, for smaller organizations, it’s provided by a
- Director of Operations or Finance. For larger organizations, it might be a
- CIO, CFO, sometimes it can be provided by a
- technology committee. In my experience, technology committees can be somewhat unfocused, because they’re not the primary responsibility of anyone on the technology committee.
And in fact, if you look at how this technology committee got created in the first place, oftentimes, it was the result of some political issue that was affecting the organization in the past. And rather than establish a clear line of ownership over IT, a technology committee was created instead.
I think it’s important to note that you wouldn’t have a finance committee for managing your finances, right? Most organizations have a single senior leader who’s responsible for the finances, whether the CFO, COO or Director of Operations or Finance. In the same way, you wouldn’t delegate that responsibility to a committee of people from various departments.
Anytime you’re establishing a governance structure or an accountability structure around technology, I always like to ask myself, “Would I do the same thing with finance, with financial oversight?” Because in many ways, IT is responsible for the information assets of the organization.
I didn’t include the board on here. I probably should have because obviously the non-profit board is fundamentally the key governing body of the organization. And there are times where the board does provide IT governance. And this actually is becoming more common, especially as more and more board members have experience with or background in technology. And it can be very effective, the board obviously has a lot of authority to move the organization in certain directions. And so boards that take an interest in IT can be very effective in helping the organization improve its IT maturity.
It can be misguided at times, if you have a single board member who’s got a pet project that they want to see implemented. In the absence of IT governance, a lone board member who’s a bit of an activist for a pet project can create problems. So that’s just something to keep an eye out for.
So I’m guessing that most of the attendees on this webinar are either on the governance or management side of IT for their organization. Some of you may be in a role that is sort of ancillary to IT. Some of you may be providing direct technical work, but based on the registrations that I looked over before starting, it seems to me that most of the attendees are either on the governance side or the management side.
And so the question becomes, how do you effectively hold IT accountable?
Most nonprofit staff, that are charged with providing IT governance, don’t necessarily have a technical background. And oftentimes, when I’m working with those staff at our clients, they’ll tell me that they don’t know anything about IT.
Oftentimes, someone who’s in the governance role might say, “Look, I’d love to hold IT accountable. But I don’t even know what questions to ask! I don’t know anything about technology.” I just want to encourage all of you who are in that situation, that while it helps to have a technical background, it’s not necessary.
And in fact, the IT management fundamentals that we’ll be discussing in the remainder of this webinar can be readily understood by anyone in any management position throughout the organization. And I’ve worked with hundreds of nonprofit staff over the years at hundreds of organizations.
Thinking back on the people I’ve worked with, those who’ve played the governance role the best, and really helped to turn the organization into one that was creating value through technology, did not have a technical background.
But what they had was the ability to ask lots of questions.
And they would ask follow-up questions. And they would generally say, look, I don’t know anything about IT and then they would ask a fantastic question, not in technical terms, but in business terms. And they would require that we explain our technology recommendations in business terms. Those are really the most effective.
So if you’re on the governance side, I would encourage you to just keep asking questions of IT. Ask them to explain. And fundamentally, anyone who is in an IT management role has to be able to explain and draw a connection between the technology solution and the business need that it could solve. They don’t necessarily have to understand all of the business needs of the organization or necessarily be able to make all those business decisions. But they have to be able to connect the dots between technology solutions, and business needs. I think that’s a fundamental, just a basic requirement of being in an IT management position.
So asking questions, it’s definitely the best way to hold IT accountable. In smaller organizations that could just be a weekly or a monthly check in. Obviously, it takes on a more formal structure in larger organizations. Larger organizations that have defined structures for governance can apply those structures to IT.
So what questions do you need to ask? Now we really get to the meat of this presentation. And I really like to talk about these four functional domains.
I really like to think of effective IT management as fulfilling four different categories of functions:
- planning and design,
- information security,
- operational support, and
- infrastructure maintenance.
Effective IT management has the capacity to execute effectively, and deliver IT solutions effectively in each of these four functional domains.
And this concept of these four domains can be applied both to individual IT solutions.
So thinking about Office 365, and I’ll go into some more specifics later on, if we have time.
But Office 365 is a pretty common solution for a lot of nonprofits right now. To deliver that service effectively requires proper planning and design, it requires maintaining proper information security considerations, you have to be able to support the solution over time, and you have to maintain the infrastructure of that solution. And again, I’ll get into specifics.
But this concept of these four functional domains can also be applied to not just a single particular solution, but the entire set of solutions that an organization might be using, and also how all those solutions fit together.
Planning and Design
So let’s go into some details here. We’ll start with planning and design. So planning and design, each of these four functional areas consists of a set of expertises, capabilities that all sort of fit together. The chances of getting one person who’s really good at planning and design, infrastructure maintenance, operational support and information security is very unlikely.
This is why, for larger organizations, you build out an IT department and staff that department with people who bring these different expertises and can work together to ensure that all these things are being delivered for the organization.
In smaller organizations, you probably would outsource some of it. For example, planning and design. You might not need someone to help with planning and design on an ongoing basis. But maybe every few years, when you’re envisioning large changes for the organization, you can bring someone in who has that capability.
At any rate, planning and design involves skills, such as being able to envision the future. It involves a function of seeing the big picture, understanding the larger context, being able to connect possible technology solutions with organizational business needs, and understanding the politics of the organization. These are all things that the IT department has to be able to do in the planning and design domain, if they’re going to be successful in managing IT.
- Architecture involves looking at the big picture of the IT services, the systems and solutions used by the organization and how they all fit together. And it’s really about achieving and maintaining balance and harmony between the solutions.
So if you’re looking at organizations that may have Association Management Systems that they’ve been using for a long time, you have to keep in mind the importance of that system and the limitations of that system integrating with various email solutions as part of the planning and design process. So if the organization, let’s say, has an Access database that they’re still using, that could create some challenges with integrating with the G Suite for example, if they wanted to go. It’s a bit of a farfetched example, but I think you get the point.
So architecture is about seeing the big picture and understanding the big picture, that’s an important ability for any effective IT management.
- Integration is understanding how and whether or not all those services can and/or should be connected to each other. And that has become an even more important task in the last five or six years as more and more services have moved out to the Cloud environment.
A vital part of planning and design is
- change management and this is where I think a lot of IT management falls short. I think it’s possible to do the architecture and the integration fairly well, because those tend to be technical and somewhat insulated. If you’re just looking at the technology, you’ll have a good sense of whether or not all of your different systems are going to work together. You can make good decisions about whether or not you’re going to have a firewall that’s more cloud friendly, whether you’re going to deploy a wireless solution that meets the needs of opening five new locations over the next three or four years.
But change management is all about the people in the organization that are using the technology. And that has to be taken into account, when you’re putting together an IT plan. How does the organization normally handle change? Is the organization one that’s changing rapidly? And sort of has all of that organizational muscle memory for how to change systems and how to work in new and different ways? Or is it an organization that hasn’t changed in a long time, and is very resistant to change?
That’s incredibly important to keep in mind when you’re planning out new IT systems. And that really helps you with prioritizing the systems that you put in place. If you know that it’s an organization that can really only handle one change at a time, then you have to prioritize, is it more important for us to upgrade our email system? Or is it more important for us to migrate to a new constituent management system?
Making those sorts of decisions has to happen in the planning process and if you’re not giving some forethought to those decisions, then the implementation is not going to be successful because it’s going to push the organization beyond its abilities.
That’s another thing. What are the change limits? If an organization is growing, and they’re opening new offices, that typically requires a lot of work on the part of existing staff. Can they also handle the rollout of a new IT system while that’s going on? You can’t just look at other IT projects that are occurring, you also have to look at other organizational initiatives that are occurring. Is this the year of a big gala or an anniversary event? If that’s the case, maybe this is an off year for replacing a bunch of workstations. You should wait till next year. Or do you know that in 2020, we have our big 2020 event? So let’s get all those workstations replaced in 2019, so that we’re setting ourselves up for success in 2020.
Those are the sorts of considerations that an organization needs to take into account when it’s doing its IT planning. And if you don’t execute effectively, during the planning phase, you are going to run into problems down the road. And it has nothing to do with how good the laptops are, or even how well they were deployed. It’s about the timing of when you choose to deploy them and that is vital. Those decisions are really important and that all happens during the planning and design phase. That’s all part of the planning and design capacity or capability of your IT functions.
- User adoption is somewhat related to change management. Change is really about the capacity of the organization to incorporate something new, user adoption is about the capacity of individual staff at the organization to learn and effectively use new technology. And if they don’t have time to learn and use new technology, obviously it’s not going to be a success.
But there are other factors separate from change management that also influence user adoption, such as the savviness of the users.
Some organizations have a very savvy staff who use IT very effectively. And you can throw a lot of new solutions at them and they take it all in stride. In fact, some organizations have users that are so savvy that if you’re not meeting their IT needs, they’re going to go out and find their own solutions. That’s actually something we see a lot more of these days.
So user adoption, it kind of cuts both ways. I think the typical impression that most people have is that nonprofit staff are not good at using technology and it’s kind of an uphill battle to get them to adopt new technology. And I think the reality is, it’s a lot more varied.
There are definitely plenty of cases where organizations are not changing their technology fast enough to keep up with the needs of their users. That’s an important consideration when putting together an IT plan and when thinking about rolling out IT initiatives. And then leadership support is so important to user adoption.
I’m sure you’ve all encountered situations where the senior leadership or senior leader signs off on a new system, and then is the biggest stick in the mud in terms of using that system. And people recognize that. They know that if the ED is not using the system, then it gives them an out for not using it either. Setting the example, setting the tone for the rest of the organization is really important.
And then finally,
- budgeting. Obviously people, it’s really vital to have an IT budget. The IT budget is the financial record of all of the decisions that have been made based on the considerations that we just ran through.
The budget is the financial summary of the work that you’ve done in putting together an effective architecture, thinking about the integration of your different IT services, taking into account the change management needs of the organization, and planning for effective user adoption.
In my experience, each organization is different. Every organization I’ve worked with has a different approach to budgeting. And in general, the tool that gets used, or the methodology that gets adopted is the organization’s methodology and that’s generally defined by whoever’s running the financial department.
We did have a question, how to budget for unforeseen incidents?
I think there’s a couple different ways to look at that. One is how do you budget for disaster recovery? In my view, if the organization wants to be prepared to deal with disasters, there would be some sort of non-IT budgeting approach to that. If the office floods, where do you set up another office? If some other disaster strikes, how are you accounting for that? The IT mitigation should be included in that part of the budget.
Other than that, if you’re going through the planning process effectively, there shouldn’t be a whole lot that’s unforeseen or unplanned.
What will happen is, i.e. the program department is launching a new initiative in fiscal year 2019. And they just didn’t tell the IT department and then that becomes an unseen item. And I don’t think it’s effective to have a line item for that.
I think it’d be more effective to say, “Well, you never told me that you were planning for this initiative. And we need to figure out how we’re going to budget for it.” But really this is why we all need to collaborate and work together on the planning process.
So, planning and design, very important part of effective IT management.
Let’s talk a little bit about the next one, which is information security. And I’m calling it information security, because I think that’s easy for people to understand. And that’s really what we call it in the industry. But Information Security really refers to control – a broader set of IT functions and capabilities that are really about process control.
IT is all about the processing of information. It’s about supplementing business processes and workflows in the organization, automating them through IT services. And anytime you’re talking about information, access to information, workflows, and processes, they’re going to be control points. Any effective work or business process is going to have control points to ensure that the process is being carried out properly and that it’s also being done in a secured fashion. So that’s a broader definition of what this management domain or function encompasses.
And the first one is
- identity management. Identity management basically is ensuring that the person accessing the IT service is who they say they are. Identity management is something that, for a long time, none of us really had to think about because it was all being handled for us by Microsoft.
Microsoft’s Active Directory or Domain Controller, you may have heard of, was a local server that you used anytime you entered your username and password to log into your computer to get access to files, to get access to your email.
Identity management and access control are really closely related. Identity management is verifying who you say you are and access control is then giving you access to the resources that the organization permits you to have access to.
And that’s become a lot more complicated or sophisticated with the move to the cloud because now, not everything is on a local server. Things are spread out, out in the cloud, and a variety of different places. And it can be much more difficult.
And obviously, you can have separate username and passwords for all of your different solutions. That’s fine. There are other ways to approach it. But if you do that, those still need to be managed. And then when someone leaves the organization, their access needs to be removed. So that’s really what identity management and access control refers to.
And the number one technology solution right now for helping to manage this effectively is something that’s called single sign-on. And there are a number of different single sign-on solutions: Okta, OneLogin, Microsoft has one in Office 365 called Azure AD.
So there are a number of different ways that you can implement single sign-on but the goal of single sign-on, it’s a technology solution that is helping you to consolidate and centrally manage your identity management and access control.
- Intrusion detection refers to a wide range of events where someone who does not have authority to access a system gains access to it.
That can be everything from a virus, a virus is a form of intrusion detection. It can be credential theft. So if a hacker or malicious agent compromises the credentials of someone who has access to your network, and then accesses the network without the permission of the organization, that’s a form of intrusion detection.
And so those are all things that the IT department needs to be thinking about and mitigating on some level, implementing technology solutions to prevent it from happening, leading the discussion around risk management.
So the other aspect to information security is the risk management aspect and
- compliance is a big driver of that. Compliance is something that smaller organizations don’t necessarily have to deal with, but it’s something that larger organizations particularly depending on the work that they do need to be mindful of. Compliance can be a great way of getting organizations to take information security more seriously. But the IT department needs to be aware at least of the compliance requirements that the organization is facing.
And there are other things that go along with compliance. Oftentimes there are reporting requirements. So HIPAA, for example, if there is intrusion suspected, that has to be reported to the appropriate compliance officer at the organization, and then they make a determination as to whether or not that gets reported to the Department of Health and Human Services.
Reporting requirements are something that IT needs to be aware of. Compliance typically is a negative motivator. And most larger businesses that are subject to compliance, regulatory compliance requirements, invest in systems because of the risk of having to pay a penalty motivates the investing. It’s kind of a reverse cost-benefit analysis. The value that you’re getting is not having to pay the penalty.
Even if you’re not subject to compliance regulations, there can be significant brand damage, or brand costs associated with unauthorized access to the system. That’s something organizations need to be aware of and needs to be communicated. So that’s a way that IT can be held accountable. Essentially, these are all business requirements that need to be defined by the organization in concert with the IT function.
- policy, finally. And you may wonder why I put policy under information security, rather than planning and design. Because policy is a written document, that goes along with the document creation involved in planning and design. And in some ways, developing a written policy is sort of like planning or budgeting. But at the same time, if all you have is a policy document, then you just have words on paper. And actually, the policy is mostly irrelevant unless it’s being enforced.
And enforcing the policy really becomes the domain of information security. Executing effectively on information security is all about enforcing the policies. Because ultimately, policy is a written summary of process controls that define what the staff in the organization can and can’t do. And so as a process control, it fits more naturally into information security.
When you think about IT or the IT department, most people think about operational support. And the goal of operational support is to maintain the status quo.
So hopefully planning and design has been performed effectively, and new solutions are being implemented properly. Once they’re implemented, you basically have an operational status quo. So that would mean essentially, your director of finance, let’s say, can come in the morning, turn on their computer, log into it, access the systems that they have the ability to access, whether it’s their email, the financial accounting package. They can print off reports, they can mail reports, they can upload them, they can check bank balances, they can process payroll payments. That all represents sort of the status quo for those IT services.
And anytime there is a deviation from that status quo, the objective or the goal of operational support is to restore service as quickly as possible. That’s one of three different things that operational support is supposed to do.
And that’s a concept that comes from ITIL. So one of the great concepts or frameworks or ways of thinking in ITIL is that every trouble ticket that gets submitted to IT is actually one of three things.
It’s either an incident, and an incident is deviation from the status quo. And with an incident, you want to try to restore service as quickly as possible.
It’s a service request. That’s something that’s creating a new standard of service that hasn’t existed before. So a service request would be to create a new user account for this person who is starting, or this person just got promoted, give them access to these systems now.
And service requests tend to be fulfilled within the context of a service level agreement. So sometimes depending on the needs of the organization, those will be filled quickly, sometimes not as quickly because to fulfill everything right away is expensive. And the organization has to make some decisions about how much they’re willing to invest in their help desk, because rapid response has a cost associated with it.
And then finally, problems which are more complex than incidents. They generally involve a large number of systems, or involve some persistent issue that requires more advanced troubleshooting.
But basically, you have a help desk that can provide remote support, generally over the phone or via chat, that can restore service to the status quo quickly. You could have desk side or onsite.
For larger organizations, onsite support tends to be more efficient. For smaller organizations help desk support tends to be more efficient. For organizations that have lots of offices, help desk with remote support is more efficient.
There is a balance and it depends on a variety of factors including the size of the organization. Onsite support can be more effective if there are a lot of physical issues. So for example, a healthcare clinic where you have physicians seeing patients, a school where you have educators that are teaching in a classroom, sort of nontraditional office environment may have unique support requirements that make having someone on site more efficient.
That’s something to keep in mind. User expectations are a big part of it. Organizations that are used to having someone on site, that are used to walking down to the IT office and grabbing someone to come help fix their problem. That may be a factor in determining how much onsite support is needed. But again, there is a cost associated with that. So it’s part of the planning process that’s something you need to keep in mind.
Operational support must provide some form of escalation. And so that’s for more complex technical issues. And with the shift to cloud hosting, there is less and less of a need for that like with on premises systems.
For larger, I think 100-plus staff organizations, there may be more advanced networking issues that arise and you need to have access to a network engineer who can solve those. But in general, a lot of systems are now out in the cloud. And so the form of escalation has become different.
Cloud solutions can be as complicated or even more complicated than on premises solutions were. And this is particularly true with Amazon Web Services or Microsoft Azure. So those can provide a better level of service. They’re not necessarily cheaper, but they get you out of having to have a server, on premises in your closet. But in many ways they might require just as much escalation support as an on premises server.
And then project implementation. So that’s part of operational support, just fulfilling the operational needs of the IT department, implementing the plans that were put in place.
Some of these things are difficult to do for smaller organizations. But in general, it’s good to have different staffing resources assigned to these different operational support needs.
If you have the same person providing help desk support, as desk side support, as project implementation, then there could be conflicts and something ends up getting short shrift. And usually, it’s the project implementation. So if you have your help desk staff working on projects, chances are the project is going to take a lot longer just because they’re going to be distracted by the ongoing support needs of the organization.
I’ve got a question here, and the question is: What tools do I recommend for managing projects?
Honestly, if the organization has something that they use, I would recommend using that tool. In my experience, very few IT projects of the scale of organizations with 200 staff or smaller, very few IT projects require anything more advanced than a spreadsheet. You could probably manage most IT projects with a spreadsheet. We have a ticketing system that is fairly sophisticated that we use for our help desk, because that’s our main in-house system. We also use it to manage projects.
For really large projects, we use a tool called Smartsheet, which is a cloud-based advanced spreadsheet solution that can be used to manage projects. That to me is the upper limit of what you’d need. In general, at this scale, managing projects is managing with checklists.
So that’s operational support.
And then finally, we have infrastructure maintenance. So you may ask yourself, how is that different from operational support? It’s actually very different. Operational support is all about fixing specific problems or fulfilling specific support requests that staff have related to IT services, infrastructure maintenance is all about the general.
So you’re providing something that is managed at scale, it’s repeatable, it’s standardized. Most of the work that gets done as part of infrastructure maintenance can be automated. Most of it can run in the background. Once you get the system in place, it doesn’t require a lot of manual intervention. But having the system in place is going to save your helpdesk a ton of time.
So for example, a centralized antivirus solution, or a centralized Windows update solution that more or less runs in the background and you’re just checking logs on a regular basis to make sure it’s running. That’s going to save you a ton of problems down the road. That’s something, once you get the system in place, just requires a little bit of oversight to make sure that it’s still running.
It doesn’t require daily work, but it saves you a lot of work in the long run. So there is a lot of software out there that falls into the category of infrastructure maintenance. These are all things that you don’t want to do manually, you want to automate them. And they help you maintain the state of the platform.
Even cloud hosting environments, though, require a certain level of infrastructure maintenance. And for example, Office 365. You can pull regular reports from Office 365, giving you insight into how many mailboxes you have, how large those mailboxes are. That’s something that you want to review on a regular basis. So it’s proactive, standardized, and generalized.
To summarize, this whole concept for managing IT services can be applied to individual solutions, like Microsoft Outlook. It can be applied to hosting environments like Office 365. It can and should be applied to hardware, like laptops. Effectively managing your hardware involves all these functional areas, but it also applies to how these things connect together.
So you have a laptop, it’s running in Microsoft Outlook, it’s accessing its email in Office 365.
Is that all being well planned?
Is it working in a secure way?
If something stops working or if you need access to something you don’t have, can you get that support?
Is the computer being updated on a regular basis?
Is it safe from virus infection?
Those are all things that need to be done as part of effectively managing the IT solutions both individually as well as collectively.
We are running up here on 5 o’clock East Coast time. So we’re almost out of time. I do want to leave a few minutes for questions.
This is a summary of everything that we’ve talked about. And this will be in the slideshow.
We post all of our webinars here on our site. The recording we post to our YouTube channel. And we’ll send that out afterwards. So you can get this one page summary of everything that we’ve talked about.
This chart summarizes the things that an IT department person or function needs to be doing in order to manage IT effectively. And if you’re in the governance role, if you’re in the role of holding IT accountable, these are the sorts of questions that you should be asking the IT department.
Right. So with that, just quickly announce next month’s webinar, will be presented by our information strategy partners at Build Consulting. And they’re going to be brokering a meeting between development and accounting — Development, Meet Accounting.
They’re going to be talking about the ways in which the development department, for example, records financial information for the organization in terms of things like gifts that are coming into the organization, donations, and so forth. But then that financial information, which maybe isn’t a development specific information system like Raiser’s Edge, needs to get ported over to an accounting financial management system like QuickBooks.
How does that happen? Are these departments talking to each other? How can you broker that conversation? How can you ensure that all of the different departments in the organization that are responsible for financial information are working together in concert?
Questions and Answers
I see that I’m right at 5:00. I have a couple questions. I’m going to get to those real quick. Thank you all so much for joining us today. Really appreciate it. And I hope you found this helpful. If you have any follow up questions, don’t hesitate to reach out to us directly. And if you want to stick around for some of the final questions feel free to do so.
One question is, this was someone who is leaving the organization, or they’re switching to part time. What’s the best way to continue handling day-to-day support of IT if they’re only going to be part time?
There are a couple of ways to handle that, and all of them involve a conversation with the key decision makers in the organization. If you’re working 40 hours a week, and you’re going down to a 20-hour a week schedule, and you’re the only person available to provide IT support, then that becomes an organizational decision.
Is the organization going to invest in a third party provider to assist with providing IT support? Are they going to allow someone else in the organization to take on that responsibility? Or is it going to still be on you at 20 hours a week to continue to provide IT support? And if that’s the case — then if that’s the decision that the organization makes, then the consequence is IT support is only going to be available during those hours. And I’ve seen organizations do every one of those. So there is no right or wrong answer.
Some organizations say, for a variety of reasons, based on our financial situation, based on IT needs of our staff, IT support will only be available from 9:00 a.m. to 1:00 p.m. every day. If you have a problem after 1 o’clock, you are going to have to wait till the next morning to get it solved.
For some organizations, that’s a terrible decision. For some organizations that’s a great decision. So it just kind of depends. But I think that question sort of highlights the fact that every IT decision ends up becoming a business decision in some way. And just turning it into a business decision generally ensures that the key decision makers in the organization are understanding the tradeoffs that they’re making.
So the next question is — this is a question that there have been sessions at NTEN on this. This is a question that I hear a fair amount: When to outsource? When does it make sense?
Going back to this slide, Should you outsource all of this, which components of this should you outsource? And in general, I think the standard advice from the business world on outsourcing is that it always makes sense to outsource things that are not core to your business, and to keep things in house that are core to your business.
And so if specific types of technical expertise are not core to your organization achieving its mission, then it might make sense to outsource those. For example, a small organization has an online database that’s central to the services that they deliver, and to the work that they do. They need to outsource some aspect of their IT. Or, they’re hiring, and they can only afford to hire one IT person. It really makes sense for them to hire a person who would be expert in supporting that system, because that system is core to the business needs of the organization.
And then they could outsource the rest of it, because they don’t necessarily need someone in house who knows Outlook, because Outlook is a generic solution that can be supported by a lot of different people.
Same with infrastructure maintenance. By its very nature, that’s something that is managed at scale. In fact, if you outsource that, you’re probably going to be working with someone who is supporting 1000s of computers, and really has some great economies of scale in terms of their ability to deliver infrastructure maintenance.
So again, that’s going to vary from organization to organization. If part of your core mission is delivering laptops for use in the field or for use internationally, you could potentially make the case that’s something that should be kept in house. It’s just going to vary from organization to organization. But I think the guiding principle is that question of core business need. Is this something that really fulfills a core business need of the organization?
All right. Well, I think we’re at time. So thank you again to everyone who joined us today, and we will be sending out an email with the recording and slides. Thank you for your time. I hope you found this webinar helpful, and we look forward to you joining us next month. Take care.