5 Steps to Get Off the IT Treadmill

by becki on February 7, 2010

Anyone who works in IT knows that they usually have too much work relative to the number of people available to do the work. It’s a fun mix of day-to-day operations and projects and the same pool of people to do the work. What you end up with is a never-ending juggling act of shuffling people between the latest break/fix fire and urgent project task. This is the source of the stress of the job.

Is there any way to get off this treadmill? It might be difficult for you to believe that it can happen, but I’m here to tell you that it can. I’ve done it, and it was the most rewarding achievement of my professional career. Here are the 5 steps :

  1. Survey the battlefield. Just like a military general, you need to get above the battle and survey the landscape. You need to take some time to think at a higher level than your normal day-to-day activities allow. You have to look at your group as a whole. Where are you spending your time? Where should you be spending your time? What are the bottlenecks? Where are you leaking time? Are you spending a lot of time on re-work? Why? Get away from work for a couple of hours and just think about these questions. You may have to spend time at home, but this is an important investment in your future, so find some quiet time to think.
  2. Spend time on the right activities. Stephen Covey has a time management matrix that spells this out. Check it out here if you are not familiar with it. Spend as much time as possible in the not urgent & important quadrant. This may be difficult for you if you are currently spending all of your time fighting fires. Constant fire fighting is the cause of the IT treadmill not the solution. This is a point that too many IT leaders either do not know, ignore, or have simply resigned themselves to accept as a fact of live. Do not let this describe you.
  3. Fix your building codes. I like to say, “if you’re spending all of your time fighting fires, you really need to change your building codes.” You are spending too much time on service interruptions or re-working failed changes. I often hear, “Testing takes time and we don’t have time to test.” How’s that working for you? How much time do you spend fixing what you build? Even if you don’t measure the time you spend on unplanned work or your change success, I bet the pain in your stomach can tell you that you spend too much time on doing work two, three, and four times.
  4. Write policies, standards, and procedures. No one, and I mean no one likes to hear this. I’m sorry, but this has to be done. You’ve tried everything else and it doesn’t work. You know that if you have two people build the same server they don’t build it and test it in a consistent manner – you know this so suck it up and just do it. Next time you need a server built, have the person write the procedure. Have your most junior person test the procedure and if they have to ask a question, have them update the procedure. You’ll soon have a set of solid procedures and consistent builds. Don’t tell me you don’t have time – see steps 2 & 3.
  5. Get buy-in. This is a critical step, and can be difficult. However, I find that people are most receptive to change when they are in pain. People don’t like coming in to fix something at 2 AM, they don’t like taking three days to build a server that should take a couple hours, they don’t like having to wait for the guy who’s out of the office to return so they can get a critical puzzle piece that is missing. Use these pain points to teach your team why they are “slowing down” to write procedures or to do pre-production and post-production testing. Use the successes to reinforce the lesson. When a server goes down and is rebuilt in an hour because you have solid procedures, use that event to remind your team how long it took to restore service before you had the procedures.

Execute these steps and you will have an entirely different work environment. You’ll be spending most of your time on the important tasks and very few on the urgent ones. You’ll have time to spend building your team. You’ll have time to improve your relationships with your customers and be able to give them better support. You’ll get to go home at night and rarely get called for an emergency.

Getting off the IT treadmill requires change, but it can happen if you and your team are committed to the spending less time on urgent activities and more time on the important ones. You are the leader. It is up to you to make the decision to change and to lead your team to a new way of working. You will find it both challenging and rewarding.

Are you ready to get off the IT treadmill? Have you started and quit? Have you succeed? Do you have suggestions to share? Leave a comment and share your experiences.

Resources

If you are serious about starting this effort, I highly recommend that you read the Visible Ops Handbook. This book was my road map from the treadmill to relative boredom.

Read my earlier articles on how I used Visible Ops to stop fighting fires.

{ 0 comments }


Want Security Funding? First Learn the Business Language

by becki on January 10, 2010

The following article is one of my weekly papers for my MSIA degree at Norwich University.

Funding Security Projects

Getting Security Projects Funded in Small and Medium Businesses

This report will examine the process an information technology (IT) employee working for small and medium business (SMB) might use to gain funding for security projects. This process could also apply to an IT or information security consultant hired by a SMB.

SMB IT Organization

SMBs by their very definition are small organizations. Consequently, SMBs typically lack dedicated staff to perform IT or information security (IS) tasks and many times SMBs choose to outsource these functions to a service provider. However, the process to gain funding for security projects should be nearly identical, regardless of whether the IS function is performed in-house or outsourced.

Funding Challenges

SMBs can also present a challenge regarding operating capital. According to SCORE, half of SMBs fail in the first five years. Based on that statistic, it is not surprising that the owners of a SMB are concerned about survival first and foremost. The IS employee or consultant must understand this environment if he or she hopes to gain funding for any security project.

Funding Process

The process for gaining funding for IS projects begins well before there is a need to request funding. The process begins with the IS professional learning the business. Security analyst and author, Mike Rothman, wrote, “Unless you understand your business, you can’t understand the leverage points that will appeal to the business leaders. Read your annual report. Understand how your senior team is bounced. Find out who will get fired if a system goes down.” In other words, learn the pain points. Find a way to help to solve problems.

Become a Valued Advisor

The SCORE website quotes the results of a survey conducted by American Express that asked where small business owners go for advice and these were the results:

  • 52 percent from individual mentors
  • 51 percent from social networks
  • 44 percent from trade associations
  • 36 percent from business advisors
  • 31 percent from the Internet
  • 27 percent from Chambers of Commerce

According to this survey, business owners are asking their friends for advice. Only 36% of the respondents asked their business advisors for business advice. This is an opportunity for the IS professional.

The IS professional has the opportunity to be viewed as a professional specialist on par with a lawyer or accountant. Business owners and management often do not know the answers to IS related problems, but they do tend to understand risk. Learn to speak to the business leaders in their language. Explain the risk associated with using group passwords or of not performing a basic background check on a candidate for employment. Explain how to reduce or eliminate risks and fines by shredding papers that contain personally identifiable information (PII). A business owner understands that a fine for every leaked data record may put the business into bankruptcy, but he or she may not understand that it is “best practice” to shred papers that contain sensitive information.

Governance and Compliance

SMBs can be subject to governance and compliance as well. These are IS related issues and the IS professional must know which governance and compliance rules to which the company is subject. Examples include:

  • Sarbanes Oxley (SOX)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • State and Federal data breach laws

In this case, the process for funding is fairly straightforward; the IS professional works with the company’s risk council if they have one, or with the company’s lawyer and top management if they do not. The IS professional would review the governance and or compliance rules with the team, and would make specific recommendations including:

  • Costs – both capital and operating expenses
  • Project timelines
  • Risks – accept, transfer or mitigate and the costs associated with each

The IS professional that follows this process is speaking the language of the business leaders. They are speaking in terms of governance, compliance, risk, and managing risk. These are terms that are very familiar to the business owner and manager, and they can make decisions based on what is presented to them. If an IS professional presents the same information in terms of fear, uncertainty, and doubt, the business leader may have a more difficult time making a good decision.

Conclusion

The IS professional must realize that they are performing a vital business function only if they become integrated with the business. They must understand their business, the governance and compliance rules under which the business operates, and understand the problems the business is experiencing and how they can solve those problems. If the IS professional understands these things, they will have success in getting security projects funded. Conversely, if they propose security projects that do not solve a business need or if it is presented in a way that does not make it clear that it solves a business need, the IS professional will have a difficult time gaining funding for their projects.

Bibliography

“Small Biz Stats & Trends”. SCORE. 1/9/2010 <http://www.score.org/small_biz_stats.html>.

Rothman, Mike. “Guerilla Security Leadership”. FUDSec.com. 1/9/2010 <http://fudsec.com/guerilla-security-leadership-0>.

{ 0 comments }


Time to Prune Your Life

January 1, 2010

Pruning is the process of removing certain above-ground elements from a plant; in landscaping this process usually involves removal of diseased, non-productive, or otherwise unwanted portions from a plant. Wikipedia
We should prune our lives for the same reasons we prune plants; we all have “diseased, non-productive, or otherwise unwanted portions” of our personal and professional [...]

Read the full article →

← Previous Entries