Thursday, March 15, 2012

Your IT Department Only Needs 6 People

I have a confession to make. I am home repair retarded. I can't fix anything around the house that requires tools more complex than screwdrivers and hammers and paint. But I do know exactly what I want done, how I want it done, and what it is worth to me. So I hire experts. When I needed to build a shed I hired folks who spend their lives specializing in home construction and repair and they did a better job than I ever could have done. While they built my shed, I spent my time working on things that I'm good at. We were both productive.

Similar logic applies to IT departments. There can be an almost infinite amount of IT work in any organization. From upgrading the ERP to enabling BYOD (bring your own device), the choice of opportunities is vast. The challenge is not what to do, but what to ask someone else to do. Where does IT draw the line between internal vs. external work?

IT needs to maximize the value of existing resources on the most important activities and deliver other services through new channels and creative partnerships. They cannot do everything internally. To understand what can be divested, organizations must assess IT’s core competencies. Core competencies in an IT organization are functions that are central to supporting the mission of the organization.

The three criteria for assessing whether any particular IT function is a core competency are:
  • External service providers cannot perform the function more efficiently for lower cost, 
  • Performing the function internally maintains appropriate control of the function in the organization, and 
  • The knowledge needed to perform the function is central to the long-term success of the organization. 

Focusing the organization on core competencies requires reviewing the major activities performed by IT and deciding what to keep and what might be delivered in a new manner. Non-core competencies are often well served by partnering with a service provider whose sole specialization is the best possible delivery of that service. This approach is similar to hiring contractors to build my shed. Home construction is not my core competency, so I found someone who specializes in that line of work. Alternatively, why build a shed in the first place if my neighbour has extra space in his shed available for a cheap price?

If you were obliged to take this approach to the logical extreme, the process of assessing core competencies could lead to externalizing almost all the IT work. If an organization were to go to this extreme, what should be left? What are the ultimate core competencies of any IT department? I would suggest the minimal IT organization would consist of only six roles:
  1. Chief Information Officer 
  2. Enterprise Architect 
  3. Project Office Director 
  4. Business Administrator 
  5. Security Manager 
  6. Operations Director 

In this new IT world, there is still a need for a Chief Information Officer (CIO). This individual is responsible for making sure all the organization's IT needs are met. But the CIO's organization becomes a lean team of five staff. Let me describe each of the roles in the next few paragraphs.

The CIO drives IT through visionary leadership that inspires all staff and earns the confidence of clients. The CIO leads the organization's IT with strategic thinking and operational decisiveness, and is capable of bringing the entire organization through sustained periods of significant IT change. The CIO is a leader whose advice and guidance is respected for all information technology issues. These issues may not necessarily be part of the IT function, but the leader needs to be sufficiently well respected across the organization to be sought out for advice and guidance on any IT matter. The CIO ensures appropriate stewardship processes are in place and establishes information systems ethics.

If the bulk of the IT work is no longer a core competency, then the new challenge becomes how to link all the external service providers (contractors, hosted services, outsourcers, etc.) together. The Enterprise Architect (EA) owns this responsibility. The EA's first job is to understand and articulate how technologies, applications, and data interrelate. The second part of the job is to build a roadmap of where each of these functions will evolve. Defining context, setting direction, and linking external sources into a seamless information technology service is the role of the EA in this optimized organization.

With multiple service delivery providers come multiple projects. The organization needs to set non-negotiable project management processes and checkpoints to control vendor projects. Consistency of project delivery is essential to the management of expectations by IT's clients. The Project Office Director is accountable for all projects, irrespective of whether the staff are internal or external. Integrated and seamless delivery of project results are demanded and this director is responsible for ensuring everyone works together as single project team.

Since external suppliers will do most of the IT work, contract management and business relationships are essential to the success of the new IT organization. The Business Administrator manages the RFP writing, plans the operational and capital budgets, and handles the business affairs of the IT. The Business Administrator works closely with suppliers to negotiate IT services and projects required by the overall organization. The negotiations are done within the context of the enterprise architecture and the Project Office Director sets the project service delivery expectations.

The importance of IT security, data privacy, and compliance requires the presence of a full time Security Manager. The ideal IT environment would have unassailable policies, practices, and standards that are proactive, not reactive. Strong policy and enforcement is essential if external service providers are to be trusted with an organization's IT assets. The Security Manager is responsible for creating the policies and ensuring the appropriate practices are in place to enforce them as part of all contract negotiations.

The Operations Director is accountable for all production services. These operations must deliver according to service level agreements with external providers. This Director creates meaningful performance and capacity metrics. These are measures that the IT organization's clients understand. The Operations Director works closely with vendors to provide them with growth patterns for usage. Expected demand forecasts become part of the contract negotiation process and the Operations Director is responsible for meeting these needs by working with vendors.

Arguably, an IT organization could easily be larger than six people. But if you had to boil the organization down to its absolute minimum, these are the six roles you do not want to externalize. They are your fundamental core IT competencies.



  1. I'd add a seventh head to this: the value generator. Someone whose role it is to think — as their job — outside the box of business processes, looking for ways to make value to the enterprise from its information. Expecting the CIO to do this is setting it up for failure, as managing this team will require quite a bit of interaction, and being the relationship point person to the business, plus the governor-in-chief, will fill the rest of the CIO's time.

    Each position you cited says "this is a priority": that's the other reason for having that role explicitly named.

    I might also call the Operations Director the Service Manager, both because people "read into" Operations a diminished position that shouldn't be there, and because vendor management is their key role.

  2. Excellent point about adding a value generator! Sometimes the architect steps up to this role, but like the CIO assuming this responsibility, you set up the architect for failure.

    I also prefer your suggestion for Service Manager. It is really unfortunate but true about the stigma associated with the "Operations" title.