Ted Demopoulos’ securITy
___________________________________________________________
The free newsletter of Demopoulos Associates, www.demop.com
We NEVER rent, sell, or share email addresses.
Please forward this newsletter to anyone you know who might enjoy it!
Why doesn't IT get along with everyone else? - And how to fix this.
An Interview with Dr. Jeffrey Stanton, Syracuse University
Prelude: I have
known Dr. Jeffrey Stanton for over 25 years and he is one of the brightest
people I know. He has always done things I couldn't understand, yet 5-10
years later they make perfect sense to me. When he decided to leave IT
to pursue an advanced degree in Organizational Psychology, claiming "IT
isn't working as well as it should - the business promises are not being
remotely fully realized and I'm going to research why and figure out how to
fix it" (I paraphrase – it has been over a decade since we had this
conversation, although I do remember it well), I'll admit I didn't
understand. I caught up with Dr. Stanton for this interview recently and was
absolutely fascinated when I found out about his research, and especially
the results! And let me state right now, Jeffrey is no ivory tower academic.
He has spent over a decade in IT, both in technical and management roles,
and is very active consulting with impressive, bottom-line-oriented results.
Ted Demopoulos:
Dr. Stanton, tell me about your work examining the relationship of IT and
business.
Jeffrey Stanton:
I fell into it pretty much by accident. My early research looked at
performance monitoring of employees. Because this activity is increasingly
accomplished with networking and computers, I also began to look at things
like employee satisfaction and technology use and how organizations absorb
and adapt to new IT. I was lucky enough to get a research grant to support
work in this area, and that led to a number of different studies where we
went into an organization, looked at the people and the technology over
time, and began to form some conclusions about how things went right and how
they went wrong.
Ted Demopoulos:
Based on the title of this interview, and what seems to constitute large
amounts of empirical data, do you agree that the disconnect between IT and
everyone else is as significant as I'm led to believe?
Jeffrey Stanton:
I think a lot depends on the size and culture of the business.
In small businesses,
the IT team tends to have a very tactical function focused on support. This
focus, along with the small size, means that most employees and managers
feel personally connected with the IT staff. This is not to say that there
can't be dysfunction in small businesses - there sometimes is. But in firms
larger than 500 employees, IT tends to get big enough that it exists as an
independent entity and may serve a number of strategic functions for the
business. In these cases, unless there is cooperative and competent
leadership in IT, HR, Engineering, Marketing and so forth you definitely can
get some major disconnects.
In most cases,
competent IT leadership means having senior staff in IT who can really talk
the language of the other folks and understand their perspectives. When
we've found big problems in our research it has often seemed to result from
a kind of cultural divide between the IT people and other areas.
Ted Demopoulos:
Are the problems more common as companies get larger? And can you elaborate
on the cultural divide between the IT people and others.
Jeffrey Stanton:
These problems emerge as companies get larger because the IT function
naturally takes on a life of its own. As the domain of IT responsibilities
grows, the staffing, budgets, and bureaucracy of the IT function grow along
with it. Once IT gets large enough to have its own distinct and persistent
culture within the firm, that's when it is not unusual to find these
cultural divides.
The cultural issues
that we have seen in our research seem to have arisen because IT has become
more and more of an identifiable and coherent profession. For a parallel,
take nurses. There are lots of different kinds of nurses, with different
specialties, levels of responsibility, compensation, work settings, and so
forth. But most would agree that nurses have a unique occupational identity
that sets nurses apart from, say, doctors, or airline mechanics. With that
identity comes a particular vocabulary, outlook, rules, practices, a system
of credentialing, ways of letting people into the profession, and ways of
kicking them out. All of this stuff together might be considered the
"occupational subculture" of nurses. What we found is that IT people have an
occupational subculture as well. When the language, beliefs, rules, and
practices of that subculture come into conflict with other groups in the
organization (e.g., executive managers), that's when big problems may arise.
Ted Demopoulos:
How do these problems manifest themselves?
Jeffrey Stanton:
The two biggies: 1) An IT adoption failure; 2) A catastrophic information
security breach.
In the first case
what happens is that a series of missteps between IT and executive
management, along with substantial ignoring of the user community from both
of these parties, ends up with the implementation of a project which is
technically operational, but so bad from a user standpoint that it gets
scrapped.
In the second case
you start with similar miscommunications between IT and executive
management, particularly about priorities for business continuity. Then what
generally happens is a major hole develops in security as a result of some
behavior that either system administrators or users are supposed to be doing
but are not doing (often because they don't have the right tools or
training!). The hole is not visible to management because they don't have
the capabilities or expertise to look into the technical domain.
The hole remains
unseen by IT staff because they are stretched too thin, under-resourced, or
their attention lies elsewhere. The hole is then exploited to the detriment
of the firm by a malicious insider or the usual cast of external malware,
hackers, and script kiddies.
Ted Demopoulos:
How can
organizations tell if they have these types of potential problems?
Jeffrey Stanton:
The front line folks will tell you readily, if you're a neutral party (i.e.,
not the boss). One company my research team worked with recently had a VP of
IT who said something like, "We're just one big happy family here and we all
get along great," while the front line IT people, as well as folks from
other departments were saying that they fought with each other like cats and
dogs. The IT folks said that the people from other departments were always
undermining them, not following rules, ignoring policies, screwing up their
PCs and so forth.
At the same time,
the folks from the other departments were saying that IT security always
gets in their way, stops them from getting things done, causes machines to
slow down and crash, etc.
Being a neutral
party is one advantage of playing the role of consultant, organizational
development specialist, or organizational researcher. People may have a
greater degree of comfort telling the truth about what is going on if they
feel confident it will not cost them their jobs. Similar benefits can be
realized from a purely internal operation, however only if the organization
can do a good, anonymous internal survey. Surveys can be great for keeping
managerial fingers on the pulse of the company, although there is also a
danger that if people bring up problems and they are not addressed in a
timely and effective way, both the survey process and the managers that
requested it can lose credibility.
Ted Demopoulos:
When you find this type of dysfunction between IT and the rest of the
organization, how do you "fix it?"
Jeffrey Stanton:
If you buy into the whole culture clash idea that I have, it suggests at
least one way of working that should have applicability in a number of
different organizations. What I recommend is a kind of "cross-cultural"
employee swap. Few small or medium-sized companies are rich enough that they
can let an employee simply disappear into another department for three
months. On the other hand, it may be more feasible to send Joe from IT over
into the finance department for six weeks and Mary from finance into the IT
department for the same amount of time.
Somewhere between
6-12 weeks of total immersion in a department gives one a strong sense of
the culture, norms, and language of that department. Then, when one returns
to the home department, one has a much stronger sense of how things work
"back over there." That understanding may then radiate out from the swapped
employee to his or her coworkers, employees, and supervisors. Further, the
swapped employee returns home with personal connections into the other
department and this enhances the informal communication channels between the
two departments immensely. This idea basically works the same way as study
abroad programs in high schools and colleges: The individual learns and
grows through immersion in the foreign culture and returns as a person who
can build bridges and readily cross the cultural divide.
Ted Demopoulos:
Personally, I have seen this culture clash numerous times as have many of my
colleagues. I wondered if I just had bad luck or if it was pervasive, as
have many of my colleagues.
What about less invasive techniques than "total immersion"? For instance,
sending Mary and Joe to each other's respective department one day a week
for a few months, or somehow
setting things up so that IT and other employees naturally interact? Perhaps
things as simple as having them eat in the same cafeteria, or having them
take (perhaps unrelated) training classes where they are required to
interact? Is there any value in these techniques?
Jeffrey Stanton:
All of these suggestions are potentially workable, but very much untested
(as is the total immersion idea). The critical question, as I see it, is how
do you help Joe, Mary, and the rest of their departments become effectively
bicultural, so that they can bridge the gaps in language, outlook, problem
solving approach, and so forth that got the departments at odds with each
other in the first place? The shorter their experience with the "other" the
less likely it is to work. On the other hand, your instinct to want to get
them to "naturally interact" on an ongoing basis is right on the money.
There are several studies of environmental design showing that the relations
between two departments in an organization depend in part on whether the
architecture of the building they inhabit promotes frequent, informal
interaction. Which also reminds me that most "cube farms" tend to discourage
this kind of interaction because all of the space is cut up into little
private plots. Another thing that can bring people together naturally is the
so-called foxhole effect: Send Mary and Joe to training together, have the
training be very difficult like boot camp, and make sure that Mary and Joe
need to rely on each other to succeed at the training. When they come back
they will have a social bond that will help enhance communication between
the two departments.
Ted Demopoulos:
It seems like there are a lot of potential solutions, but not much guidance
as to how to implement them. Any final thoughts about this?
Jeffrey Stanton:
As a researcher, my stump speech always includes a plea for research access.
Companies have to be willing to experiment with this kind of stuff to find
out what works. But they also have to be willing to share their successes
with the larger community so that we can build a better understanding about
how this stuff works. Academic researchers from psychology departments,
business schools, and information schools provide the perfect medium for
this, because academics don't have a product to promote or sell, and they
can provide a veil of anonymity if the company decides it doesn't want its
name associated with the research results. So my last word would be a
standing request for companies that are doing major technology projects to
open their doors to qualified academic research teams. Although the
interviews and such that academics do are a small tax on productivity, the
payoff can be much better feedback and honest progress reports that can help
a company's IT folks develop better rapport and coordination with the rest
of the firm.
Ted Demopoulos:
Thank you very much Jeffrey! We wish you great success in your research, and
the enormous promise it holds. And hopefully some readers will be able to
provide you with appropriate research access!
___________________________________________________________
This newsletter is Copyright © 2004 by Demopoulos
Associates, Durham, New Hampshire, USA. All rights are reserved,
except that it may be freely redistributed if unmodified.
Sharing
securITy is encouraged if the copyright and attribution are
included.