Getting the Best Out of Cyberspace
Eduardo Gelbstein
Recent publications by the same author
• Justifying I.T. audits to executives: paper for the proceedings of the “Governance and Audit Africa” Conference, Mombasa, Kenya, 2006. Published by the MIS Training Institute.
• Crossing the Executive Digital Divide (abridged version), 2006, published by the Diplo Foundation
• Jargon, protocols and uniforms, barriers to effective communications (with Stefano Baldi), Intercultural Communication and Diplomacy, 2004, published by the Diplo Foundation, http://www.diplomacy.edu
• Misunderstood: The I.T. manager’s lament, Intercultural Communication and Diplomacy, 2004, published by the Diplo Foundation, http://www.diplomacy.edu
• The Information Society Library (consisting of ten booklets) (with Stefano Baldi and Jovan Kurbalija), December 2003, published by the Diplo Foundation. Details available at: http://www.diplomacy.edu/ISL/intro.htm
• Sections on “Data vs. Information”, “End User Computing” and “Outsourcing” of the Encyclopedia of Information Systems, Academic Press, 2003.
• Connectivity for a better world, IEEE LEOS Newsletter, Vol 17, N° 3, June 2003
• Information Insecurity (with Ambassador A. Kamal), 2nd Edition, November 2002, published by the United Nations Information and Communications Task Force – available as a free download from: http://www.unicttaskforce.org
ISBN
Published by DiploFoundation and Global Knowledge Partnership
DiploFoundation
Malta: 4th Floor, Regional Building
Regional Rd.
Msida, MSD 13, Malta
Switzerland: DiploFoundation
Rue de Lausanne 56
CH-1202 Genève 21, Switzerland
E-mail: diplo@diplomacy.edu
Website: http://www.diplomacy.edu
Global Knowledge Partnership Secretariat
Lot L2-I-4, Enterprise 4
Technology Park Malaysia, Bukit Jalil
57000 Kuala Lumpur, Malaysia
Email: gkps@gkps.org.my
Website: http://www.globalknowledge.org
Edited by Dejan Konstantinović and Steven Slavik
Illustrations: Zoran Marčetić – Marča and Ed Gelbstein
The use of the Hemera Royalty Free “Giant Box of Art” and the copyright-free Microsoft Clipart Gallery is gratefully acknowledged
Cover Design by Nenad Došen
Layout & Prepress: Aleksandar Nedeljkov
© Copyright 2006, Eduardo Gelbstein
Introduction
The success of the Information and Communications Technology (ICT) industry has been such that many organisations now have a computer on every desk, and workers have their own personal computers, personal digital assistants, smart mobile phones and more.
Many countries in the developing world are major players in ICT – such as the software development industry in India and the manufacture of personal computers in China. Interest in participating in the Information Society is apparent everywhere.
Many executives tend to see ICT as a purely technical matter to be delegated to a Chief Information Officer or to a service provider. This chapter argues that there is another way of looking at these technologies: as part of a “game” played by executives and the Chief Information Officer, and presents several facts about ICT that require executive attention.
The ICT game is played with real money and it has flexible rules. The definitions of what it means to win or lose vary from place to place. Moreover, once the game has started, there is no way to leave it other than by going out of business.
Experience shows that when executives do not take an interest in the strategic role of ICT, these systems and facilities are not seen as corporate assets but rather as an expensive liability. In these situations the return on the investment is poor, and even negative.
If ICT is expected to play a strategic role in an organisation, the digital divide that exists between the executive unfamiliar with what it takes to derive benefits from these technologies and the technologists who tend to focus more on technology than on what it is used for must be bridged.
utives do not need to know how they work to be able to use them to advantage: plug the right device into the right socket and that’s it. Somebody else takes care to make sure that it all works properly. This is not yet the case with computers but it is increasingly going that way.
Besides, the disruption that followed the widespread use of electricity and telephones took place in the 19th century and the current generation has no memory (other than by visiting a museum) of the transitions that took place in factories and offices, in banking and commerce and also to the providers of the services that new technologies displaced such as the supply of coal and ice to buildings, gas lighting, telephone operators and many more.
Electronic computers are relatively new – roughly sixty years. Computer networks are newer still and the earlier ones were limited, at best, to a single organisation. The Internet started as a multi-organisation network for a limited community at the end of the 1960s. The World Wide Web and the current enthusiasm for the Internet became apparent in the mid 1990s.
In the early days anyone who could do anything at all with a computer was referred to as a “mathematical genius” and the role of computers was limited to automating relatively simple repeatable activities involving large quantities of numbers, like accounting and payroll.
In these earlier days, executives never saw a computer unless they were curious to see what this expensive monster in the basement looked like: lots of flashing lights, many switches and surrounded by people wearing white lab coats.
Information and communications technologies have become ubiquitous and, at least in the developed world, financially more accessible than ever before. Despite this, much about them remains a mystery to executives even though it is now well known that expenditures on ICT represent a substantial proportion of operating costs and that these costs are rising.
Digital divides
Much has been written about the Digital Divide. This term is mainly used to describe those parts of the world that have no access to ICT at affordable prices or that cannot invest in the necessary infrastructures. Those facing these problems usually also lack the skills and the software needed to put ICT to productive use.
Advanced economies have digital divides too – parts of the geography where services like broadband Internet access are not available or socio-economic groups of people who are unable to exploit these technologies.
Crossing the executive digital divide 17
This book is about a different “digital divide”: that of executives who are too busy, unfamiliar or even unaware of the impact that ICT can have on an organisation in the Information Age and have not thought about what it takes to deploy ICT successfully in an organisation.
There are other Digital Divides, for example in countries which for political or cultural reasons restrict access to information from external sources such as satellite television or the World Wide Web. These aspects of the Digital Divide fall outside the scope of this book.
As the Information Age is only just starting, most people are finding their way learning how to gain the benefits that ICT has to offer. Treating today as a transitional stage towards a new kind of literacy, and taking steps to increase it, will have a good return for individuals and organisations.
The ICT function does not usually report to senior executives but is placed lower in the management structure. Chief Information Officers (CIO) or Directors of ICT often work as peers of those responsible for other utility functions.
Our changing times: In the 5th Century AD, St. Ambrose, Bishop of Milan, was described as the brainiest person in the world: he could read without moving his lips. In 1970, only a small number of people could do anything useful with a computer. In 2004, there are an estimated 750 million people who have access to the Internet.
Because some 50 years ago the finance function was one of the first to adopt computer systems, it is not unusual to find the CIO reporting to the Chief Finance Officer or to the Chief of Administration. This reflects the significant cost and emphasis on technology of ICT as a utility. When an organisation categorises the CIO as a “technical expert”, they are treated as an outsider to the business strategic planning and development processes.
To compound the CIO’s challenge, the benefits of making good use of ICT do not arise from technology, which is only an enabler, but from people’s creativity, ability to spot opportunities for changing the status quo and to apply and use technology where it matters – having an ICT strategy that works.
Exploiting ICT can be very different from one organisation to another, depending on where they are positioned on each of the lines. This can only succeed when technical services work well enough for their intended purpose, just like any other utility.
This utility aspect of ICT (as distinct from its strategic use) distances executives from the ICT function and, conversely, the ICT function finds itself isolated (and often unloved) by the executive.
Why not look at investing in ICT as if it were a game that has to be played
in order to participate in the information society?
This game is played with real money and it is not a game of chance (and
certainly should not be). Unlike a board game it should be a Board game
in which the governance of ICT should not be delegated (or abdicated) to
technical people in the hope that all will be well.
The game, which requires considerable sums of real money, involves several players, among them the Chief Executive Officer, the Chief Operations Officer, the Chief Finance Officer, the Chief of Human Resources, the Internal Auditors, the Chief Information Officer and also external parties: vendors, service providers and outsourcers.
The game has a few rules:
1. Once a player has entered the game, there is no possibility to quit;
2. Each player has different objectives and different definitions of what it means “to win”;
3. There are three strategies for playing this game: Lead, Follow or Lag Behind;
4. Winning a round of this game does not give a player an advantage for subsequent rounds.
There are shades of winning this game, and these are determined by how well the player is able to perform in a number of areas:
• Like in other board (and Board) games, a wrong move can penalise a player (for example “you have invested in the wrong computer system and must live with it for at least five years before you can replace it”) while an inspired move can place a player in the lead;
• Benefits are always in the future and speculative. Playing this game to win requires an act of faith from executives, who place their organisation’s money on priorities, choices and vendors that appear right at decision time;
• Playing the game to be a leader involves the biggest risks – by investing in technologies and products that may not be mature enough or developing products and services for which the market may not be ready. Those first movers that succeed have a major competitive advantage over others in their field;
Highly visible and successful first movers include Amazon (the online retailer), e-Bay (online auctions) and Federal Express (document and parcel distribution). Many other winners of the ICT game are only visible in their own field and not so well known by the general public. These will be found in hospitals, airlines, online learning institutions, financial services, and everywhere else.
Successful leaders breed followers – when for example a few banks started to offer online access to their clients, other banks had really no choice but to do the same. This “me-too” approach works well for organisations that have business strategies that do not require them to be the top player in their market.
It is inevitable that there will be laggards – organisations that because of their culture or financial environment are unable to even keep up with the followers and end up lagging behind. Laggards would typically have old computer systems (some possibly no longer useful) and older technologies (perhaps no longer supported by their vendors). The gap between leaders and the laggards will continue to grow, creating yet another form of a digital divide which, if nothing is done, could make laggard organisations irrelevant in the Information Age.
Losing the game results in one or more of the following, although this list is not complete:
• The organisation’s ICT is a clear liability that prevents it from maintaining a credible position in the Information Age;
• The organisation has ICT projects that failed or were completed late, at greater cost than planned and/or with disappointing results;
• The day-to-day ICT operations of the organisation are not good enough, information security may be inadequate and contingency plans insufficient;
• The cost of ICT to the organisation is not well known and, if known, higher than peer organisations.
This book proposes to executives two premises to avoid becoming a loser in this game:
Premise #1: Competent ICT people are very interested in the subject, enthusiastic, optimistic and hard working. However their focus may be stronger on technology than on what it is used for and how well this is done;
Premise #2: Certain decisions concerning ICT are too important for an organisation to be left to ICT people: The governance of ICT should not be left to the Chief Information Officer alone and should not be a rubber stamp by the executive or the Board. Behind the jargon and acronyms, the management practices that lead to effective results in ICT are no different from those in other activities.
admired in the organisations for which they work and rarely have a place in management boards or other executive circles. Instead they are regarded as the organisation’s plumbers, a word used by several senior ICT managers at various times. They also frequently voiced the complaint that “my boss does not understand me and is not interested in what we do”. But then it is also true that ICT people are, by and large, not great communicators.
When the working and cooperative relationship that ought to exist between business processes and ICT is not strong, the organisation as a whole is weakened.
Discussions over many years confirmed that ICT is regarded by many executives (who avoided playing the Board game and detached themselves from these matters) as an expensive headache, while a smaller number of them see ICT as a force to strengthen their organisation and enrich the work environment when properly executed.
The utility aspect of ICT – the technologies, processes and people that:
• Make computers, networks, directories, software and other things function correctly seven days a week, twenty-four hours a day;
• Ensure disruptions are handled quickly and effectively;
• Take steps to deliver these services at a reasonable cost
is unavoidable (it is also outsourceable). This utility represents between 70 and 80 percent of the ICT budget and should only be an executive concern when it does not perform as expected (technically, financially or organisationally).
The strategic tool role of ICT implies innovation. Innovation drives
change. Given that most people desire stability and that nobody likes to
be a loser, change represents a significant executive challenge because it
is likely to be opposed.
Of course, if the ICT utility does not work well enough, it is unlikely that
ICT will be used as a strategic tool as the Chief Information Officer would
not have the credibility to be a member of the executive team.
Action Points
An old proverb states that “When there is a will there is a way”. This is particularly true for ICT and bridging, or at least narrowing, the Executive Digital Divide is one step that should help.
Executives who take a serious interest in ICT and see it as a strategic tool and are also prepared to lead the organisational change that follows such implementations will be better placed to gain value out of the significant investments involved than those who don’t.
Taking a greater interest is necessary but not sufficient. The executive also needs a good awareness of what ICT can deliver and what it cannot do, understand the issues that need to be addressed, be good at risk management and not least, ensure that the right people are engaged to deliver results that make a difference.
Chapter 2
How well are we doing with ICT?
The performance of the ICT utility is well understood – technical services are invisible until they fail, at which point the activities of an organisation are disrupted. But this is not the only symptom of poor performance: the technology may work wonderfully but when it is used to support poor processes, it only succeeds in speeding up the mess…
Information technologies and systems that fail to support the needs of their users are a liability to any organisation. The same is true of systems that are functionally adequate but are not matched by a workforce that has the skills to exploit them or the information they produce.
As ICT represents a significant percentage of an organisation’s total expenditures, it is legitimate to assess the contribution that ICT makes to business results. The results of this assessment can then be used as an input to strategic decisions on how ICT should be managed in future.
Several approaches are presented, from simple and quick reviews to various levels of audit. The chapter also refers to other, more sophisticated tools such as the Balanced Scorecard that take a wider view of the role of ICT in the work of an organisation.
In less than 60 years, ICT has become ubiquitous. This does not mean that we are able to take full advantage of what the technologies allow: wide ranging access to information, the ability to combine and process data and information and the creation of new knowledge out of this processing.
ICT requires significant budgets and human resources. Depending on what an organisation does, these are in the range from around 3% to 10% of total expenditures. Such amounts are too high to hide as overheads and also too high to accept without question as “the cost of doing business”.
The second link represents all the computer systems that have been
bought and developed to meet the requirements of an organisation, the
data, databases and other sources of information (for example workflow
and document management systems), Intranets, line of business systems,
administrative applications, etc.
See Chapter 14
The acronym used in ICT since its early days is GIGO – Garbage In, Garbage Out: the best computer systems will not be of much use if the data they process is of poor quality (inaccurate, outdated, incomplete). Conversely, in the Information Age, having quality data but no systems to analyse it for patterns, discoveries and other non-evident features, is a handicap.
The third link is about how well technologies and systems are delivered to the people who use them, i.e. the quality of delivery processes, the skills and experience of the technical personnel involved in these tasks and the skills of database administrators and others who manage data and information. When the quality of service delivery is not good enough, dissatisfaction and frustration grow quickly among those condemned to use these systems and facilities.
The final link addresses the skills and experience of the people who use these tools, data and information sources.
The weakest link in this chain will determine whether investments in ICT are worthwhile or a waste of money. Identifying and strengthening this weakest link is one of the many challenges facing executives. Strengthening just one link may not be enough and diagnostics of how well ICT is performing should be conducted on a regular basis.
Chapters 8 and 9
• The ability to deliver ICT projects that are (reasonably) within the original specifications, budgets and timescales;
• The ability to deliver ICT services (computer room operations, networking, information security, user support, disaster recovery and others) to an appropriate level of quality;
• The relationships between the ICT function and executives, staff and vendors, particularly in terms of credibility and trust;
• The ICT skills of staff and management to exploit information systems, data, documents and other related facilities;
It is to be expected that executives confronted with a poor ICT track record would have either taken action or are looking for the best way to deal with this. Those who recognise this problem and do nothing about it are likely to discover that this poor track record will not improve by itself and could get steadily worse.
Question 2: What are the efficiency and effectiveness of the organisation’s ICT?
Efficiency is all about doing “ICT things” the right way – making best use of resources, removing systematic problems and working to achieve simplicity to displace complexity, the enemy of manageability.
An ICT function that is not efficient incurs expenditures greater than necessary and at the same time is not able to deliver the required level of service quality or to complete projects on time and within budget.
Effectiveness is doing the right things (better still, doing the right things the right way). An effective ICT adds value by enabling innovation, automation, knowledge work and by making the best possible use of data and information assets in support of the organisation’s business strategy and objectives.
An ICT function that is not effective cannot make a contribution to an organisation’s work and may even be an obstacle to its development.
Question 3: Where does the money spent on ICT go?
One way of finding an answer to this question is to look at the budget lines of the ICT function. This will provide answers but these may not be particularly illuminating – so much spent on salaries, so much on purchases, so much on third party contracts, and so on.
While this information may give indicators about the cost of the infrastructure, the productivity of the ICT function, the cost-effectiveness of the technologies, the competitiveness of charges for services from external suppliers, etc., the executive will remain in the dark as to whether this money is spent to support business objectives.
A different approach assigns the cost of individual components to what computer systems and networks are used for, and the four categories of “value creation”, “ongoing support”, “administration” and “security” are just examples of how this approach works. Value creation is the category most strongly linked to effectiveness and therefore the one with the highest impact and strategic importance.
Many support tasks are critical to the smooth operation of an organisation, ranging from effective websites and electronic mail to those functions that are closely linked to business activities (such as accounts receivable).
At the other extreme, basic administration (accounts, procurement, human resources) consists of activities that must be carried out but which add limited business value and as such, present an opportunity for seeking cost reductions.
Information security is a corporate function growing in importance as a result of living and working in a networked world: cybercrime and other forms of cyber-attack have become a fact of life.
Many cost accounting systems are not structured to provide financial data in this format and some organisations actually know how much they spend on ICT but not exactly how these expenditures map against these or comparable categories. Whether or not this is a problem for an executive depends on an organisation’s governance culture.
Question 4: What is the value assigned to information, knowledge work
and ICT?
Financial and management accounting always include tangible assets
such as computing equipment and other infrastructure items. From time
Chapter 11
Chapter 5
Chapter 6
Chapter 12
The above questions may tempt the reader to call for a consultant to find the answers. This may not be in the executive’s best interest as consultants come and go, leaving behind them a report which may or may not be read in detail and for which they assume no liability. An audit may be a better option.
In addition to audits (discussed below) there are other tools that could be used internally, requiring different degrees of effort. A companion volume to this book, the Toolkit for Executives, contains a collection of such tools as well as checklists and lists of proven practices. A few of the tools are presented here:
Tool 1: Audits for ICT effectiveness and efficiency metrics
Tool 2: Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis
Tool 3: How agile is your ICT organisation?
Tool 4: Organisational information intelligence
Tool 5: Organisational metabolic rate
1.1. Surveys are used to discover what people in the organisation feel about ICT – for example user satisfaction surveys and client or stakeholder satisfaction surveys.
These can be simple questionnaires or forms placed online on an Intranet or website, or interviews with a statistically meaningful sample. Such surveys provide feedback on the efficiency and effectiveness of ICT as perceived by the people for whom ICT services and facilities are intended.
The grading that can be obtained from such surveys is fairly coarse, usually five levels between “Highly satisfied” and “Highly dissatisfied”, and most people, unless assured anonymity, will be cautious rather than candid.
The statistics produced by the Help Desk (when it produces them) can also be good indicators. These would include the average number of calls to the help desk per day, the most frequent problems and the most frequent callers.
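As an added illustration (not from the book, and not any real help-desk product), the following Python script computes the three help-desk indicators just listed from a small ticket log. The log format (one ticket per line: date, caller, problem category, separated by “|”) and every ticket in it are constructed for the example. One point the paragraph leaves implicit is shown explicitly here: an “average per day” is only honest if it is taken over the whole calendar span of the log, so that quiet days with no calls still count.

```python
from collections import Counter
from datetime import date

# Constructed sample ticket log (not data from the book). One ticket per line:
# date | caller | problem category
SAMPLE_LOG = """\
2006-03-06 | alice | password reset
2006-03-06 | bob   | printer
2006-03-06 | alice | email
2006-03-07 | carol | password reset
2006-03-07 | alice | password reset
2006-03-09 | dave  | vpn
2006-03-09 | bob   | printer
2006-03-09 | alice | password reset
"""


def parse_log(text):
    """Turn the pipe-separated log into (date, caller, problem) tuples.

    Blank or malformed lines are skipped rather than aborting the whole
    report, which is what a help desk export with stray lines needs.
    """
    tickets = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or not parts[0]:
            continue
        tickets.append((date.fromisoformat(parts[0]), parts[1], parts[2]))
    return tickets


def average_calls_per_day(tickets):
    """Average over the full calendar span (first to last day, inclusive).

    Dividing by the number of distinct days that have tickets would silently
    drop days with zero calls and overstate the load.
    """
    if not tickets:
        return 0.0
    days = [t[0] for t in tickets]
    span = (max(days) - min(days)).days + 1
    return len(tickets) / span


def most_frequent(tickets, index, n=3):
    """Most common values of one ticket field (1 = caller, 2 = problem)."""
    return Counter(t[index] for t in tickets).most_common(n)


def help_desk_indicators(text):
    """The three indicators the chapter names, as one dictionary."""
    tickets = parse_log(text)
    return {
        "average_calls_per_day": average_calls_per_day(tickets),
        "most_frequent_problems": most_frequent(tickets, 2),
        "most_frequent_callers": most_frequent(tickets, 1),
    }


if __name__ == "__main__":
    for name, value in help_desk_indicators(SAMPLE_LOG).items():
        print(name, value)
```

On the constructed log the span is four days (6 to 9 March, including the 8th with no calls) for eight tickets, so the average is 2.0 calls per day; a naive count over the three active days would report 2.67.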
Risk management
Are we complying with legislation and regulations with I.T. implications?
How much risk of data disasters or fraud do we face?
Could our organization survive an I.T. disaster and recover from it?
Each intersection in the figure defines a possible audit framework. The closer you are to the point of origin of these lines, the less confidence you should have in your I.T., even if you have not had any major problem so far.
The factors that influence the decision of which audit is “right” in any given situation are:
Type
I.T. audits can be grouped into six main categories. Experienced auditors often add one more, informal, category: the “smell test”: there are I.T. organizations run in a way that an experienced auditor will quickly determine that they “stink”.
Common indicators include: dirty and untidy computer rooms, spaghetti cabling, incomplete or no documentation, unsupported (and even unlicensed) software, easy access to facilities and/or no fire extinguishers, the lack of a standby generator and more of the kind.
COBIT does not specify what the appropriate level of maturity for an organization should be although levels 0 and 1 are unlikely to be of much help to anyone.
Data analysis audits
These audits are found in the grey area between audits and investigations. Audits that require auditee data to be extracted and analysed (frequently when fraud is suspected) are supported by Computer Assisted Audit Techniques (CAATs) and data mining software that can be used on huge databases to narrow down and focus on specific issues.
Technical reviews
These consist of in-depth analyses of a computing environment and include operating systems, application systems, networks, connectivity, internet and intranets, disaster recovery and business continuity plans, vulnerability review, business applications, change management, IT strategic planning, and any other I.T. issues relevant at the time of the audit.
These reviews, carried out by specialist auditors, should provide authoritative and objective opinions on the extent to which an organization can rely on systems and technologies. Their detailed nature also implies that these audits require considerable time to complete.
Implementation and post-implementation benefits audits
Pre-implementation reviews and audit participation in the development of a computer system project are the cheapest and most effective way to provide for systems auditability and adequacy of controls. Finding that these are insufficient at the stage of rolling a system out or once it is up and running implies additional programming, change controls, testing and disruption to end users.
Post-implementation benefits audits are the least frequently performed. Their purpose is to validate that the future benefits used to justify an I.T. project have been achieved. These audits are an opportunity to strengthen the evaluation of business cases for I.T. investments, for which there is a tendency to claim that benefits are “intangible” or otherwise difficult to quantify even though such investments can reach tens to hundreds of millions of dollars.
While the case for post-implementation benefits audits appears strong, these are difficult, time consuming and, by implication, costly. They are
Frequency
“Rarely” – including “never before” and “not for a long, long time” – is a common situation outside the financial services industry and particularly noticeable in small organizations.
“After a crisis” is a common reason for calling the auditors. A crisis can be anything from discovering, for example, after a power cut that the computer room has no standby power supply, that data has been lost or disclosed, fraud, a logic bomb followed by extortion and other unpleasant surprises.
“For every major project”, where “major” should be taken as something that has high visibility in the organization’s budget and/or is critical to its future activities.
Depth
Audits disrupt the day-to-day activities of an I.T. organization as the CIO and many of the staff need to meet with the auditors, provide documents and discuss preliminary findings. It is therefore good practice to agree on the scope of the audit to be just “good enough” to meet requirements.
Besides, Internal Audit units are often unable to resource extensive I.T. audits. Contracting this work out is an additional expense and there is merit in scoping the audit to be also quick (= less expensive).
A detailed review of controls in a major and complex application such as a customized ERP, or for the configuration and controls of operating systems (e.g. IBM’s family of TPF, z/OS, and Linux in one data centre) requires considerable expertise and time to be conducted at a depth that produces dependable results.
Organizations for which certification is important, for example to ISO 27000 “Information security management system requirements standard”, must accept that such audits are mandated by certifying organizations and that they need to be conducted at prescribed time intervals.
Financial benchmarks
These are harder to establish and, from a corporate perspective, probably the most useful. They relate to how much is spent on ICT and how
Other tools
A companion publication, “The executive toolkit”, contains many other tools and provides guidelines on their use. Five of them are briefly discussed here:
Tool N° 2: Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis
Organisations are complex systems that serve no purpose working in isolation. As complex systems they are not perfect and each organisation, regardless of what they do and where they are, will have strengths and weaknesses.
Most organisations are willing to recognise and make explicit their own strengths (sometimes overstating them). They may be less willing to admit to their weaknesses, legacies and constraints, and even less willing to take action to deal with them. These are often rationalised and accepted as things that are “too difficult” or that cannot be changed (a myth invented by people who have an interest in maintaining the status quo).
External factors can be described as either opportunities or threats.
Chapter 5
The squandered computer, by Paul Strassman, Information Economics Press, 1998
Managing by Wire, by Stephan Haeckel and Richard Nolan, Harvard Business Review, Sep-Oct 1993
The Balanced Scorecard: translating strategy into action, by Robert S. Kaplan and David P. Norton. Harvard Business Review.
This, and other executive dilemmas in this book, has multiple possible answers and no single right answer that would apply in all circumstances.
The Internal Auditors of a large multinational delivered a confidential and sensitive report to the Chief Executive: the ICT function, which had not been the subject of a technical audit for several years, is responsible for several exposures for the company. The summary findings of the report indicate that:
• The Chief Information Officer was unable to work effectively with Business Units to deploy standards for technology and computer applications across the company – many Business Units had become autonomous in ICT and were working without due regard to best
Action points
M Monitoring
• 31 M1 Monitor and evaluate IT performance
• 32 M2 Monitor and evaluate internal control
• 33 M3 Ensure regulatory compliance
• 34 M4 Provide IT governance
The full material of COBIT (CD-ROM, books and other material) can be obtained from the Information Systems Audit and Control Association (http://www.isaca.org)
Chapter 3
Information assets and technology
Data is no more and no less than symbols about the property of something. Data can be observed, measured and collected and then used for reasoning or calculation. An example of data would be the number that appears in a house’s electricity meter.
Information is obtained when data from one or more sources is summarised and organised for a purpose and in a given context. Information can be presented in multiple formats (text, images, video). The invoice from the electricity distribution company that arrives after the meter has been read shows the difference between two readings (data) and applies a tariff to the quantity used (data) and becomes information for the recipient. This information leads to an action, payment.
A major challenge to the exploitation of data is the often weak understanding of the semantic meaning of data. The Mars Climate orbiters that crashed in November 1999 did so because distance data was processed in metric units by one system and imperial units by another one.
Knowledge is harder to define without getting into philosophical arguments. A definition that works well is that “knowledge is the ability to use information to do something with it”.
While information can be collected, distributed and shared, knowledge is an individual’s attribute and, as such, hard to detach and transfer. In most cases it is difficult to acquire.
The lowest level of knowledge is awareness: to know about something. Visiting a website that discusses tropical birds or the origins of colour television will give the visitor information that can be absorbed and put in context with what the person already had found out about a subject.
Knowing about something is not sufficient to learn how to do something. Reading books about playing the piano will not make the reader a proficient pianist. Knowing how to do something requires practice and a transfer of advice and experience from somebody who already knows how.
The highest level of knowledge is reached when a person understands why something is the way it is – the level at which theoretical physicists, economists and other researchers operate, building frameworks and applying analytical and systems thinking skills as well as creativity.
The pursuit of knowledge and the collection and sharing of information have a prominent place in human history. The earliest technologies were used some 30,000 years ago to leave paintings in caves detailing the environment of their inhabitants and these evolved some 5,000 years ago to the point that gave us writing and devices that could store information (clay tablets then).
• More information has been produced in the past 30 years than in the previous 5,000;
• A weekday edition of The New York Times contains more information than the average person of the 16th century would encounter in a lifetime;
• The amount of available information now doubles every five years.
While organisations have a senior person with a title like Chief Information Officer, much of their time is devoted to managing technology and service delivery and not to managing the data and information that technologies process and store. Responsibility for data and information is usually distributed among several functions or departments.
To complicate matters, authors, consultants and vendors talk about knowledge management (KM). Solution sellers will say that KM will “enable workers to capture, manage and share information throughout their organisations”. Consultant-speak turns this into “leveraging assets and experiences” and other such words that fail to address the cultural barriers to sharing information and the difficulties inherent in transferring knowledge.
The cook, knowledge and experience
The fact that most accounting functions are done using computers is taken for granted. In the light of recent financial misadventures, the idea of “cooking the books” leads to the cook metaphor: the cook is an example of how a knowledge worker operates. What does a good cook do?
1. Selects ingredients for their suitability and quality;
2. From training and experience, the cook knows how to prepare and combine these ingredients for maximum effect – how to cut them, mix them, how long to cook them for, what to add and in what quantities;
3. Arranges the cooked ingredients into a plate ready for serving at the right time.
A good cook is also able to produce different dishes from essentially the same ingredients.
A cook uses an array of technology – knives, blenders, whisks, pots, pans, let alone refrigerators, freezers, microwave and conventional ovens. As anyone who has tried their hand at cooking knows, the end result will depend more on the ingredients and preparation than on the tools used to prepare them.
Moving out of the kitchen into an office (where nobody is cooking the books!), a knowledge worker must find the right ingredients (data and information) to accomplish a given task and use experience and judgment to combine them in the right way to create new information to meet a particular requirement.
Does this information have value? Organisations think it does as otherwise they would not employ people to work with information. Some information has a clear commercial value, for example patents, proprietary processes, the ownership of a unique photograph, breaking news and other privileged information. In many other cases, such value is not evident. Trying to put a value on data and information is no different from trying to measure pain because there are no common units of measurement, and its definition involves many subjective and intangible elements.
This situation is not satisfactory from an executive’s perspective, as investments in ICT are significant and technology alone does not contribute to results – only the way technologies are used does. In a letter to the MIT Technology Review (September 2004), Paul Strassmann writes that … “IT is a catalyst of excellence but also an accelerator of incompetence”.
The earliest applications of ICT in organisations (in the 1950s and 1960s) were for the support of repeatable, structured and systematic activities (processes) such as payroll and financial accounting.
Process support is close in concept to the use of machine tools in manufacturing – the machine (in this case the computer, software and other components) does the work and the operator feeds the machine with raw material (data). The worker does not need to have special skills or a deep understanding of what the machine does or how it does it: the systems are designed to do the “thinking”, which is not really thinking but the systematic application of the steps and business rules built into the software.
Taking the examples of a supermarket cashier or an airline seat reservation, ICT is used for process support, and as each article processed or reservation is an individual transaction, the worker is a transaction worker. Transaction workers are trained in the use of systems without much difficulty and are also interchangeable. Automation is used to deskill tasks, and has social consequences – alienation and lack of mental stimulation.
When process support is combined with publication – for example the Frequently Asked Questions pages in an e-commerce website – this is done to enable the client to operate on a self-service basis. In many cases it takes a great deal of knowledge and skills to find a way to actually contact a person at the online vendor’s organisation.
The left hand side of the chart deals with a different dimension. Here the worker uses the machine in order to support her or his thinking and creative skills. In a book published in 1988 (In the Age of the Intelligent Ma-
Publication vs Personalisation
Information quality
Information science and information management are much older than ICT. Many aspects of it are hundreds, if not thousands, of years old, going back to the oldest libraries.
“A man with one watch knows the time. A man with two watches is never sure.” – Unattributed statement
In theory, it is possible that a single computer system will handle all the functions relating to an employee as shown in the diagram. It is more likely that several of these functions are handled by separate computer systems, possibly owned and managed by different departments – for example membership of the pension plan, medical insurance with a third
Quality Assurance
Even the best technologies cannot help those who are culturally reluctant to use them (like the technophobic executive who never sent an e-mail and has their incoming e-mail printed by their secretaries (they do exist)) or the person who has never bought anything online.
Most critical are those employees who lack the basic skills on how to use these technologies – the corporate equivalent of the person only able to put a frozen meal in the microwave oven. Technology will not make them become a better cook.
The identification of skills gaps, briefings, training and due attention to the need for such skills during recruitment are vital factors for an organisation to be able to exploit their information assets.
Action points
• What have we learned about the impact of ICT in the “real world”?
• Should ICT investments make a difference, and if so, how much?
• How do organisations and people react when confronted with disruptive change?
• What are the challenges facing the non-ICT executive?
The introduction of new technology in the workplace invariably brings change with it. The amount of change that an organisation can absorb depends on its culture and environment. As the father of Total Quality Management, W. Edwards Deming, once said, “it is not necessary to change. Survival is not mandatory”.
Given that change is opposed to human nature’s need for stability, it is likely that many change initiatives will be resisted and that not all the members of the workforce can adjust to such changes, particularly if they are disruptive rather than incremental.
The managerial challenges of leading change and ensuring the successful implementation and adoption of ICT initiatives are discussed in the context of organisational culture and focus on the executive’s challenge – not the technologist’s, which are of a totally different nature and are discussed in subsequent chapters.
Observations
There are, of course, many case studies based on companies and public sector organisations that had tremendous successes deploying ICT. There are many more that discuss the lessons learned from systems that worked more or less as intended but which provided no benefits, or from investments that resulted in negative productivity gains because of the inappropriate use of an employer’s information technology facilities as well as misuse and abuse.
The most famous current successes include: Federal Express and UPS in logistics, Amazon in online retailing and several e-government initiatives (such as the ability to renew driving licenses or submit tax returns on line) in several countries.
Less successful ICT deployments are not talked about in polite circles unless they become known as the Great Computer Disasters like the infamous London Ambulance Service Computer Aided Dispatch system (LASCAD) of 1992, the Mars Climate Orbiters that crashed in 1999, the current US Government’s Internal Revenue Service overhaul of its systems and many others. ICT managers (should) know of such situations.
When these first four observations are fulfilled and combined, they have a positive impact on individuals. This gives a good chance that investments in ICT will have an impact on results – profits in the business sectors and whatever other metrics of success are used in the public sector and other non-profit ventures.
Observation # 5: Reward and risk are linked – innovative ICT focused on incremental improvements and low organisational or business risk will have modest benefits. High impact, high benefit ICT projects will be, by their very nature, disruptive to an organisation and therefore, high risk.
Observation # 6: Something like 70-80% of all ICT expenditures go to maintain what is already there and the remaining 20-30% is devoted to new developments. Therefore, attempts to reduce the cost of ICT by cutting budgets do not work as intended as they result in abandoning innovation, the impact on results these could have and freezing the status quo.
In his 1997 book “Disruptive Technology”, Clayton Christensen describes “the innovator’s dilemma” where technological innovation can cause great companies to fail. An example of this was the emergence of the personal computer, that became a respectable business tool when IBM first produced a 16 bit PC in 1980. A few years later IBM and Wang were in serious trouble because they did not have a monopoly on these PCs which were displacing demand for other products. IBM managed to get out of their bad situation in the mid 1990s and Wang has since gone out of business.
Observation # 7: There are better ways to reduce the cost of ICT than cutting its budget, and these should be led by the ICT function – such as simplification, vendor management, rationalisation, adoption of best practices and outsourcing.
Chapter 6
will use political skills, internal networks and their organisational knowledge and experience to derail the change initiative. They often succeed.
Bystanders are likely to be in the majority and will support the idea of change “in principle” on a wait and see basis. Most but not all of them will succeed in adapting. Those who fail to adapt will become legacy staff for as long as they remain in the organisation.
The remaining category, the Change Agents, are those who will identify, argue for and lead initiatives. They ought to be considered as star performers in organisations that think creatively about the future. They are likely to be seen as “dangerous individuals” in those organisations that prize bureaucratic conformity.
The distribution of such characters in an organisation depends on its culture. Change Agents may be very senior managers or leaders – as was the case when IBM brought in Lou Gerstner to be their Chief Executive despite his lack of experience in the ICT industry – or middle managers that seize an opportunity to do something important for an organisation, such as restructuring a whole department or business unit. From time to time, the Change Agent will be a less senior manager who discovers a great opportunity and is able to share the enthusiasm for pursuing it with executives.
Organisations consist of people and assets. The collective behaviour of people in an organisation defines its “organisational culture” through its activities, history, values and the expectations of the organisation’s owners. This book proposes four parameters to describe it. These parameters can take any value between the two extremes and together can be used to describe anything from a department or business unit to a major conglomerate, at least in broad terms.
The final class of organisations discussed in the book are those rare instances that face dramatic change on a frequent basis – the sphere in the diagram. These are not found in the corporate or government worlds but rather in innovative and creative environments where ideas and efforts that do not appear to lead to success are abandoned and replaced by something else – for example in advertising.
One more factor influences the way in which organisations respond to change: their metabolic rate. Those with a fast metabolic rate are well used to dealing with changing needs and act upon them promptly. Organisations in a competitive environment need a fast metabolic rate to survive and thrive.
Those with slow metabolic rates react to opportunities by creating committees, working groups or task forces in the search for consensus, and engage in Analysis Paralysis. These tend to be pyramid organisations with a long history, often with a strong trade union presence, as well as in the not-for-profit sector.
Action points
Organisations spend between 2 and 10 percent of their turnover on ICT. At the same time, it is clear that the price of a personal computer and its standard software is in the order of 1,000 US dollars or Euros and that a wireless home network can be implemented for a few hundred more. This chapter explores where the rest of the corporate money goes.
Direct costs are linked to the complexity of ICT, the level of quality of service required and the uniqueness of solutions. Indirect costs are often forgotten and this leads to the belief that all ICT expenditures are represented by the budget of the ICT function. This is not true and the direct costs incurred by other functions together with indirect costs can add up to as much as the budget of the ICT function.
When the true cost of ICT is not well known, executives will not be able to determine how their expenditures compare with those of other organisations in the same line of business (and this is true for the not-for-profit world). Not only this, they will not have a sound basis on which to evaluate the potential for outsourcing some or all ICT activities.
Cost drivers
In the corporate environment the cost of end-user hardware and software represents around 15 percent of the total cost of providing ICT systems, facilities and services. Where does the money go? The answer is that four factors drive costs upwards. These are:
• The many components behind a computer on a desk;
• The complexity required to provide a quality service;
• The scale of ICT operations;
• Computer applications software.
ICT hardware and software will, sooner or later, fail to operate. This could be the result of a mechanical or electrical failure, software errors, poor or incorrect configuration or any of a multitude of possible causes including human error.
For a single user this is inconvenient. For an organisation this could rapidly become a major problem – this is certainly the case for anyone engaged in e-commerce, financial institutions, airlines and other transaction-oriented organisations.
This is just as much of a problem elsewhere – any multinational organisation with employees at many locations around the world whose networks, e-mail systems or other facilities become inoperable for the best part of a day will be seriously disrupted. “Quality of service” is the way to define the degree to which ICT should be organized to avoid disruptions. There is a price to pay for service quality, and a significant one at that:
Twenty four hours a day, seven days a week (24*7)
The Information Age has made distance and time zones less relevant than they used to be. While many organisations continue to work in the world of “Monday to Friday, 9am to 5pm”, their ICT requirements extend beyond these hours.
Remote access to systems and facilities by a mobile workforce, access to electronic mail, websites and information security, etc. all require ICT operations twenty-four hours a day, seven days a week.
This has cost implications: regardless of the level of automation in a computer room, human intervention is essential when disruptions occur and on-site presence needs to be catered for to provide 24*7 cover.
As a typical employee works some 7 to 8 hours a day for 220 days in a year, it takes five people (suitably qualified, trained and willing to work shifts) to provide cover 365 days a year in three shifts of eight hours.
99.9x availability
When business processes rely on ICT, downtime – the time during which the ICT is not available to perform – means that business processes can either not be conducted at all (electronic commerce) or can only be performed in a degraded manner by doing them manually and then updating the computer systems when their operation is restored.
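The two service-quality measures just described, 24*7 cover and an availability figure such as 99.9x, can be worked through in a few lines. The following is an added example and is not from the book: it converts an availability percentage into the hours of downtime it permits per year, checks a constructed outage record against that budget, and applies the book’s staffing arithmetic (7 to 8 hours a day, 220 days a year, three 8-hour shifts over 365 days). The function names and the sample outage list are assumptions of mine.

```python
import math

HOURS_PER_YEAR = 365 * 24  # 8760; leap years ignored, as in the book's rule of thumb


def downtime_budget_hours(availability_pct: float) -> float:
    """Hours per year a service may be down while still meeting the
    availability target, e.g. 99.9% -> 8.76 hours, 99.99% -> 0.876 hours."""
    if not 0.0 <= availability_pct <= 100.0:
        raise ValueError("availability must be a percentage between 0 and 100")
    return HOURS_PER_YEAR * (100.0 - availability_pct) / 100.0


def achieved_availability_pct(outage_hours: list[float]) -> float:
    """Availability actually delivered over one year, given the duration
    in hours of each outage that occurred."""
    total = sum(outage_hours)
    if any(h < 0 for h in outage_hours) or total > HOURS_PER_YEAR:
        raise ValueError("outage durations must be non-negative and fit in a year")
    return 100.0 * (HOURS_PER_YEAR - total) / HOURS_PER_YEAR


def remaining_budget_hours(availability_pct: float, outage_hours: list[float]) -> float:
    """How much of the year's downtime budget is left (negative = target missed)."""
    return downtime_budget_hours(availability_pct) - sum(outage_hours)


def cover_headcount(hours_per_day: float = 8.0, days_per_year: int = 220,
                    shifts_per_day: int = 3, shift_hours: float = 8.0,
                    cover_days: int = 365) -> int:
    """People needed for continuous on-site cover.
    Defaults are the book's figures: an employee works 7 to 8 hours a day for
    220 days; cover is three 8-hour shifts, 365 days a year.
    365 * 3 * 8 = 8760 hours to fill, 8 * 220 = 1760 hours per person -> 5 people."""
    hours_to_fill = cover_days * shifts_per_day * shift_hours
    hours_per_person = hours_per_day * days_per_year
    if hours_per_person <= 0:
        raise ValueError("each person must contribute a positive number of hours")
    return math.ceil(hours_to_fill / hours_per_person)


# Constructed sample: three outages recorded during one year (hours); not real data.
SAMPLE_OUTAGES = [2.0, 0.5, 6.26]

if __name__ == "__main__":
    for target in (99.0, 99.9, 99.99):
        print(f"{target}% availability allows {downtime_budget_hours(target):.2f} h/year of downtime")
    print(f"sample year delivered {achieved_availability_pct(SAMPLE_OUTAGES):.3f}% availability, "
          f"{remaining_budget_hours(99.9, SAMPLE_OUTAGES):.2f} h of the 99.9% budget left")
    print(f"24*7 cover at 8 h/day: {cover_headcount()} people; at 7 h/day: {cover_headcount(7.0)}")
```

The sample outage record uses up the 99.9% budget exactly and overspends the 99.99% budget many times over, which is the point an executive needs to see: each extra “nine” divides the permitted downtime by ten, and the head count for 24*7 cover rises to six as soon as the working day is assumed to be seven hours rather than eight.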
and will need to be supported by technical people. Then there will be regular requests for MACs (moves, additions and changes). At this level, day-to-day operations require additional features such as voice mail.
Anything above ten thousand telephones is a major project, and the total cost of such an operation divided by the number of telephones would be much greater than the cost of a single phone. Of course, the economies of scale of buying ten thousand identical phones would help to reduce the total cost but not enough to compensate for the cost of scale.
Business applications, the software most strongly aligned with the business processes and activities of an organisation, need tailoring to the practices and preferences of each organisation (a process referred to as customisation). Quite often, applications are made to measure from scratch to meet specific requirements.
The customisation of commercial products involves substantial sums of money – an Enterprise Resource Planning system (ERP) for an organisation with several thousand employees will have an implementation cost in the tens of millions of US dollars/Euros. A major part of this cost will be the fees of the experts who carry out the customisation.
Developing systems of any level of sophistication (= complexity) from scratch is a major undertaking where costs, timescales and risks are all significant. As in the case of customisation, the main cost component is expertise, regardless of whether the work is done by employees in an ICT function, a contractor or vendor or in off-shore centres where salaries are considerably lower than in OECD countries. The management of such projects is discussed elsewhere in this book.
A list of all the items that need to be considered to understand the cost of a software project – from initial concept to its implementation and operation – would look like this:
Item                                                                      Cost Estimator   Accuracy
Project preparation costs
  Concept, definition, feasibility assessment
  Preparation of detailed estimates or of a Request for Proposals (RFP) (consultancy + internal resources)
  Evaluation of responses to the RFP
  Contract negotiation costs (legal fees, travel, etc)
One time costs
  Project management and project team
  Setting up change control processes and systems
  Hardware purchases
  Software licences and tools
  Custom software development (in house or external)
Tables of this kind are more useful and plausible when they indicate who worked out the cost estimates and the accuracy to which these costs have been estimated.
Lifecycle costs
This table shows four cost categories. Together they represent the cost of a computer system over its service life. The desktop telephones used in the example on scale are likely to have a substantial service life, ten years or more, and relatively low maintenance costs. This is not the case with the majority of ICT equipment.
Many enterprises have maintenance contracts, sometimes included in the procurement contract, so that the vendor or an associated company performs repairs on such equipment. Larger items of equipment – from servers to enterprise storage systems and networking devices – always have maintenance contracts. It is prudent to assume that the annual cost of maintenance for such hardware is in the order of 10% of the purchase price.
Software licences come in many categories, ranging from a one time payment (typical for desktop software, although some vendors charge annual license fees) to usage-based fees or machine-size related fees. Some of these fees are annual, others involve a first payment followed by annual fees.
In addition to license fees, there are other costs related to software: maintenance charges that entitle the licensee to obtain upgrades, patches and fixes (additional software provided by the vendor to “cure” defects in the licensed product). From time to time vendors package all these features into a new release of the software. These are frequently available against payment of an additional fee. There is a catch: while obtaining such a release is not mandatory, the vendor will not provide technical support unless a certain version and level of the software has been installed.
For software developed to meet the specific requirements of an organisation – either by customising a package (ORACLE™ Financials or SAP™, for example) or by developing the application from scratch – there are also maintenance and enhancement costs to be incurred. “Maintenance” means correcting bugs and errors and keeping the relevant documentation up to date. “Enhancements” means the development of additional features.
Unpleasant and expensive surprises may arise when the vendor decides to issue a completely new version of the basic software, usually followed by an announcement that support for existing versions will be terminated in the not so distant future (often two years). A new version of a package may not allow the migration of all the customisation work done for the version in use and may require considerable effort to achieve this.
Typical maintenance expenditures can be estimated at around 15% of the total cost of developing the software. The cost of enhancements can vary from zero, when the application is frozen, to large amounts of money if the enhancements are large and complex.
Expenditures to maintain and upgrade infrastructure items are hard to justify through conventional Return On Investment (ROI) calculations as they are merely a component in a complex network of separate components that only add value as a whole and then only when they are put to productive use.
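The rules of thumb in this section can be put into a small lifecycle cost model. What follows is an added example and not the book’s own material: hardware maintenance at about 10% of purchase price per year, licence fees that are either one-time or annual, a support charge for the entitlement to upgrades and patches, custom development with maintenance at about 15% of development cost, and enhancement spend that is zero when the application is frozen. The book gives the 15% figure without stating a period; treating it as an annual rate is my assumption, as are the class and function names and the sample figures.

```python
from dataclasses import dataclass, field


@dataclass
class SystemCosts:
    """Cost inputs for one computer system, in any single currency.
    The rates are the book's rules of thumb; the 15% software maintenance
    rate is assumed here to be per year (the book does not state a period)."""
    hardware_purchase: float = 0.0
    hardware_maint_rate: float = 0.10        # ~10% of purchase price per year
    licence_one_time: float = 0.0            # one-off licence payment
    licence_annual: float = 0.0              # annual or usage-based licence fee
    support_annual: float = 0.0              # entitlement to upgrades, patches and fixes
    development_cost: float = 0.0            # customisation or from-scratch build
    software_maint_rate: float = 0.15        # ~15% of development cost (assumed per year)
    enhancements: list[float] = field(default_factory=list)  # per year; empty = frozen


def lifecycle_cost(c: SystemCosts, years: int) -> dict[str, float]:
    """Break the cost of a system over `years` of service into the four
    categories discussed in the text, plus the total."""
    if years < 1:
        raise ValueError("service life must be at least one year")
    hardware = c.hardware_purchase * (1 + years * c.hardware_maint_rate)
    licences = c.licence_one_time + years * (c.licence_annual + c.support_annual)
    development = c.development_cost * (1 + years * c.software_maint_rate)
    # Years beyond the enhancement list are treated as frozen (zero spend).
    enhancements = sum(c.enhancements[:years])
    total = hardware + licences + development + enhancements
    return {
        "hardware": hardware,
        "licences_and_support": licences,
        "development_and_maintenance": development,
        "enhancements": enhancements,
        "total": total,
    }


def acquisition_share(c: SystemCosts, years: int) -> float:
    """Fraction of the lifecycle total spent on initial acquisition (purchase,
    one-time licences, development). The remainder is the running cost that
    a conventional ROI calculation tends to overlook."""
    acquisition = c.hardware_purchase + c.licence_one_time + c.development_cost
    total = lifecycle_cost(c, years)["total"]
    return acquisition / total if total else 0.0


# Constructed sample figures (not real data): a customised package with
# modest enhancement work in its second and third years only.
SAMPLE_SYSTEM = SystemCosts(
    hardware_purchase=100_000,
    licence_one_time=20_000,
    licence_annual=5_000,
    support_annual=3_000,
    development_cost=200_000,
    enhancements=[0, 10_000, 10_000],
)

if __name__ == "__main__":
    for years in (1, 5, 10):
        costs = lifecycle_cost(SAMPLE_SYSTEM, years)
        print(f"{years:2d} years: total {costs['total']:>10,.0f}, "
              f"acquisition share {acquisition_share(SAMPLE_SYSTEM, years):.0%}")
```

With the sample figures, the acquisition price is well over half of the first year’s spend but falls to under 40% of the ten-year total, which is the arithmetic behind the earlier observation that most ICT expenditure goes to maintaining what is already there.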
Direct costs
These are the clearly identifiable ICT costs associated with specific resources. However, budgets and accounting systems do not always capture these expenditures in a way that identifies the purpose for which the expenditure was incurred.
Prerequisites to understanding direct costs include comprehensive inventories of hardware, software and personnel (including temporary staff, consultants, contractors, trainees and others), as well as all ICT contracts (for maintenance, services, etc).
The following (typical) questions may not have good answers unless accounting systems are designed to collect data and prepare reports of this kind:
• What is the total direct cost of developing and maintaining the software for the payroll system?
• How much time has employee “Joe Bloggs” spent on the enhancement of the SAP® payroll module?
Accounting practices such as Activity Based Costing (ABC) may give a better picture. ABC is not always worth implementing because of its complexity, and is primarily used where detailed cost accounting is a prime business requirement. For example, ICT Service providers use ABC because of intense competition in the outsourcing of ICT operations. Knowing the exact cost of service provision can make the difference between profit and loss.
When weak cost reporting is combined with weak governance, many activities will increase costs:
• Diversity of solutions, technical platforms and parallel initiatives, particularly for common tasks where standardisation might be a better option;
• The enthusiasm of technical personnel for the newest technologies resulting in “evaluations and pilot schemes” – these are resource-intensive but may have limited business value and be subsequently abandoned;
• The Mindless Pursuit of Perfection reflected in the over-specification of technology and performance requirements;
• Extensive reliance on consultants.
Indirect costs
The ubiquity of ICT has caused expenditures to migrate to where they are not easily counted, and these become indirect costs. Many will be regarded as the “Cost of Doing Business” and may or may not appear as specific budget items.
Such indirect costs fall in two categories: those that could be reasonably measured or estimated and those that are hard to monitor and should therefore be referred to as “invisible costs”.
The first category includes the costs of:
• Accommodation for ICT staff, computer rooms, their ancillary equipment and related services – for example building maintenance and physical security;
• Procurement of ICT items by the purchasing department in an environment where this is treated as a corporate service not charged internally;
• Recruiting ICT staff – the advertising, interviewing, travel expenses, etc of candidates when these activities are carried out by the Human Resources department;
• Reviewing ICT contracts by the corporate Legal Department, internal audits, etc …
While cutting the budget of an ICT function does indeed contain costs,
this may prove to be no better than an SMRC approach: Saving Money
Regardless of Cost – an inefficient ICT operation risks getting worse un-
less six actions to contain costs are implemented in earnest. These six ac-
tions are:
• An emphasis on standardisation;
• Enterprise wide contracts;
• Rationalization and consolidation of ICT activities and infrastruc-
tures;
• Service levels that are “good enough” and no better;
• Effective change control;
• Outsourcing.
ICT vendors produce price lists. These are usually negotiable and volume
purchases can lead to attractive discounts. These must be assiduously ne-
gotiated.
Salami-slice procurement, where a few items are purchased at a time, obtains
none of these discounts and has the significant added (but rarely
counted) cost of processing purchase orders and the subsequent invoices
and payments.
Change control
A method for ensuring that the idea of “good enough” is given more
weight than the Mindless Pursuit of Perfection, change control is a pro-
cedure for ensuring that frivolous changes to infrastructure, technology
or applications are not progressed. This is discussed in some more detail
in the chapter dealing with the operational aspects of ICT.
Is outsourcing expensive?
Fully expect ICT staff to say it is, certainly more expensive than what they
do in-house because outsourcers need to advertise and market their ser-
vices, employ lawyers and make a profit.
All of this is true but the “more expensive” statement should only be be-
lieved if there is good knowledge of the total cost of ownership support-
ed by systematic benchmarking against published information and inde-
pendent audit reports that define quality of service, process maturity and
other tangible metrics.
Outsourcing is the subject of a separate chapter in this book. It suffices
to say that ICT outsourcing is a competitive business with annual revenues
of around 100 billion US dollars. This shows that there are both
many providers of outsourcing services and a large number of clients who
consider that outsourcing is worthwhile.
Among the many case studies of the successful outsourcing of ICT – there have been some
unsuccessful exercises too – is that of DuPont de Nemours (http://www.dupont.com). A
large multinational with around 75,000 networked computers around the world, it signed
a contract in June 1997 to outsource its networking and computing operations to Computer
Sciences Corporation and its software development to Andersen. This represented at the
time the largest outsourcing contract of this kind: 4.2 billion US dollars over a ten year
period.
Interviews in various newspapers with the Chief Information Officer of DuPont reveal that
as a result of a programme of consolidation, rationalisation and standardisation, followed
by outsourcing, the company reduced its total cost of ICT from 1.2 billion US dollars per
year to 600 million.
Action points
Find out if there are indications that your organisation is spending more
than it needs to on ICT – but you can expect cries from the ICT function
that they are “not spending enough”.
Find out if the expenditures incurred on ICT are well aligned with the
business objectives of the organisation – what’s the value of a World Class
infrastructure if the computer systems are inadequate to support busi-
ness activities or management decisions or if the workforce does not have
skills to exploit them?
Chapter 6
Financial aspects of ICT
Benefits
If the cost of ICT is not always well known, benefits are even harder to evaluate and
demonstrate. This creates a difficult situation for executives, as technologists will advocate
investing in “newer, faster, better, cheaper” technologies without showing specifically how
the proposal to spend will contribute to the organisation’s results – regardless of whether it
is a commercial company, a not-for-profit organisation or a government department.
Executives who do not validate the benefits derived from ICT could be said to be gambling
with their company’s money, rather than making prudent investments. Such validation
should take place twice: at the time of considering a proposal for new systems or facilities
and then again, some time after the completion of the project, this time to determine
whether the promised benefits did materialise.
Assessing benefits is hard to do, as they need to be expressed in units that relate to the ac-
tivities of the organisation such as waste reduction, risk reduction, cost avoidance, etc.
The GIGA Group (ICT industry specialists) advocates an approach that works well to put a
value on such benefits.
However, the assessment of benefits at the time of justifying an ICT investment is only a vi-
sion of what is expected. The factors that will unlock the benefits of investing in ICT require
executive action as these actions are always beyond the reach and authority of ICT manag-
ers.
(Figure: immature organisations and senile organisations)
This may appear to be an attractive approach, but the sums of money in-
volved are large – the entry price for an Enterprise Resource Planning
(ERP) system is 10 million US dollars and it may end up costing ten times
as much (it has happened). Sooner or later somebody (a board or govern-
ing body) will ask uncomfortable questions. Unless good answers are pro-
vided this body could take dramatic action in the shape of major budget
cuts, replacing the CIO and/or their boss and possibly outsourcing the
ICT function.
Example: Online book retailer Amazon.com is totally reliant on its ICT capabilities and that
of its supply chain partners (suppliers, transport logistics, credit card handling). Their sys-
tem design and databases allow them to provide all four of the above benefits as they op-
erate 7 days a week, 24 hours a day at six global locations (USA, Canada, UK, France, Ger-
many and Japan) in a highly consistent manner.
Their search engine correlates individual queries with those of other individuals to provide
lists of recommendations “other people also bought…” and keeps track of your interests
that are used to create e-mail notices when new books or items that may be of interest to
you are available.
Their extensive self-help sections allow orders to be modified and tracked and provide lists
of how to deal with specific issues.
Some of these benefits – for example those associated with online customer
support based on ICT – can be rigorously estimated because the alternatives
are not to provide them (zero cost, zero benefit, doubtful future if another
retailer does it) or to provide them through a call centre (many staff, high cost).
However, putting a financial value on softer features is harder and requires
an act of faith on the part of executives because these benefits can only be
measured indirectly – how many more books were ultimately sold because they
were recommended after a search for another book? Intangible benefits can be
real enough.
When estimating such benefits, there is a risk that they will not materi-
alise, and this needs to be assessed.
Knowledge work
In the two previous categories, ICT is close to the centre of the action –
the people who do the work follow the machine. In knowledge work, the
reverse is true: people manipulating data and information to extract pre-
viously unseen meaning use ICT as a tool. Typical knowledge work appli-
cations include:
• Business Intelligence and situation analysis
• Data mining and Discovery
• Improved decisions based on relevant, timely and accurate informa-
tion
None of these are commodities and the last one has disappointed executives
who have been promised over the years that “Decision Support Software” and
“Executive Information Systems” were just around the corner. They still are.
We intuitively know that:
• Quality information reduces uncertainty
• Reduced uncertainty improves decisions
• Improved decisions lead to more effective actions
• Effective actions give better results.
There should be little argument that these last four points make sense.
This makes quality information a valuable resource and raises the prob-
lem of finding a way to put a financial value on knowledge-rich compo-
nents such as “thought leadership” and “creativity”.
Whatever answers are found, they will not be uniform across areas of ac-
tivity. Technology plays a minor role in the creation of value through
knowledge and many of the tools used are in fact commodities in the ICT
marketplace. It is knowledge that makes a difference.
Innovation
There is no right answer, except perhaps the motto of the British special
operations unit, the Special Air Service: “who dares wins”. In other words,
when there is a choice, who wants to be a loser or work towards achiev-
ing mediocrity?
Problem # 8: The benefits of ICT are all in the future
This is true for most investments. ICT projects have relatively long lead
times (major projects are rarely completed within the originally estimat-
ed budget and timescale). Benefits will start to accrue when the informa-
tion systems and facilities are fully operational and everyone who uses
them is able to exploit them to good advantage. Until then, all you have
are expenditures…
Problem # 9: The benefits of ICT don’t go to those who invest
In budgetary terms, the major part of ICT expenditures is incurred by an
ICT function. If and when value is derived and benefits are gained, these
do not appear in the ICT function but elsewhere in the organisation. This
makes it difficult to put together an organisation-wide case for investing
in ICT unless there is good dialogue and coordination with the potential
beneficiaries of the investments.
Experience shows that benefits do not emerge immediately after imple-
mentation. There are many instances where massive but unexpected ben-
efits emerged five or more years after the implementation of a computer
system. However this was the case only when the people working with
the system were allowed to think creatively about its potential.
In the early 1990s, the Swiss state pension organisation (AVS) embarked on an ambitious
ICT project. This project aimed at a total migration from working with paper documents
(the offices had several floors of filing systems) to working with stored images of all the
documents and no paper.
This was a major project that took several years to complete. The benefits that had been
identified for this system concentrated on the office space that would be liberated and the
improved ability to track the status of all the transactions in progress.
Several years after its implementation, other benefits became apparent, notably a reduc-
tion in personnel absences due to sickness, presumably the result of not having to work
with old, dusty and mouldy paper documents.
It was subsequently discovered that the personnel found the use of the system and the
workflow processes with other colleagues a much more stimulating work environment
than dealing with large stacks of pending paperwork and were much more motivated than
in the past.
ICT managers who like technology are likely to encourage their organi-
sation to indulge in the latest gadget – their individual price is usually
small and it is only when a large number of them needs to be supported
that costs are noticed.
Problem # 12: Lack of post-implementation benefit audits
The time elapsed between presenting a business case to invest in ICT, im-
plementation and subsequent digestion by an organisation is long, mea-
sured in years for any sophisticated system.
After all the money has been spent, it is good practice to validate wheth-
er the benefits that were claimed to justify the investment in the original
business case have actually been achieved, if only to serve as a “lessons
learned” exercise.
When such post-implementation benefits audits are conducted, they tend
to reveal that many benefits were not thought of at the time of preparing
the business case. However, researchers in the USA have found that less
than half the organisations making major ICT investments conduct such
benefit audits.
These emerge when the people using these systems are allowed to use their
knowledge and experience to make creative use of the systems’ capabilities,
particularly when these support knowledge work or can be applied to areas
not initially considered.
What should the Chief Executive do? Here are some questions to consid-
er:
• What are the risks of being a first mover?
• Would the benefits of the new CRM system be large enough to take
these risks?
• What would be the consequences if their main competitor succeeds
in installing such a system before they do?
• Are there any alternatives to this particular product – and if so, have
they been explored?
Action points
Organisations carry out two sets of activities to meet their business ob-
jectives:
Tactical activities, to do with action and the execution of business pro-
cesses through operations, risk management and compliance with poli-
cies, regulations and legislation.
Strategic activities are focused on preparing for “tomorrow”, i.e. planning,
defining priorities, risk assessment and alignment.
A workable strategy requires asking many questions that have uncertain
answers because of the non-linear, unpredictable nature of our world.
Therefore, a strategy should be seen as the equivalent of a rough and in-
complete map of uncharted territory.
If only this was enough to have a strategy that works! Assuming that the
strategy is well aligned with the business objectives of the organisation,
without effective governance of ICT and successful execution, even the
best strategy will not succeed. Dogmatic assumptions about what can and
cannot be changed, inflexible plans and rigid budgets also work against
having an effective strategy.
In creative mode, the most challenging, ICT plays the role of enabler, cre-
ator and change driver by creating awareness of opportunities with a sig-
nificant technology content.
By making explicit the mix of business objectives the relationship be-
tween the business strategy and the ICT strategy can be seen as the equiv-
alent of a couple dancing tango: they are close and move in harmony –
both partners can initiate moves but one partner (business strategy)
leads.
(Figure: Strategy, Alignment, Execution, Effectiveness)
observable business benefits. This will only occur if three factors converge
for this purpose: good execution, good alignment and good governance.
Only the first, execution, is the responsibility of the ICT function and re-
lated service providers. The other two require executive participation.
Alignment is the process through which investments in ICT are made in
areas that deliver business value. In the tango dancers analogy, alignment
represents how well the dancers match each other’s steps.
Governance is the process through which those who define policy guide
those who follow policy. Returning to the tango dancers, governance is
the process of choosing the tunes for the dancers to dance to.
Execution is the way in which the components of the strategy are delivered
to the organisation and its people. In the analogy this represents the
dancers’ ability and experience.
A valuable executive guide to strategic planning can be found in the CO-
BIT Guidelines, presented in Chapter 2.
Alignment considerations
Doing what adds value cannot be achieved without understanding:
• The strategic business objectives of the organisation;
• The baseline upon which the strategy will be developed;
• The technical, financial, organisational and cultural constraints of
the environment for which the strategy is designed;
• How the organisation determines and measures the value associated
with data and information;
This understanding must be fostered and guided by business executives.
The Chief Information Officer (CIO) alone cannot be an effective judge of
what ICT investments will provide benefits and opportunities to the
organisation as a whole.
Critical Success Factors (CSF) and Key Performance Indicators (KPI)
should be used to validate alignment issues. Such CSFs and KPIs will be
specific for each organisation.
The strategy:
1. Focuses on using ICT to enhance the organisation’s operations and
management and support its business objectives (from cost reduc-
tions to developing of new products or services);
2. Focuses on providing information resources and capabilities to meet
the identified and emerging needs of the organisation;
3. Is integrated with the organisation’s governance and leadership
mechanisms;
4. Includes policies to ensure that the organisation’s employees and oth-
ers who use the ICT systems and facilities make effective use of the
information resources provided.
Governance considerations
As in the case of alignment, granting full autonomy to the CIO for choic-
es and decisions that have major impact on an organisation gives the CIO
power that could be misused when there is a lack of executive awareness
of the potential consequences.
The practices that make ICT governance effective, include:
• Approval of strategic, business and operating plans for ICT
• Oversight of the organisation’s information assets portfolio;
• Evaluation of benefits and identification of who will be accountable
for delivering them;
• Approval of funding that enables the ICT strategy and its components
to be delivered;
• Enterprise-wide standards for technologies and applications and def-
inition of the limits of business units, departments and geographi-
cally dispersed units autonomy on ICT matters;
• Criteria for the use of outsourcing and the extent to which it is
used;
• Accountabilities for content and information management (quality,
editorial policy, definition of access rights and conditions, etc), tech-
nology assessment, cross-organisation coordination, development of
detailed policies;
• Appropriate use policies that define how the organisation’s ICT re-
sources may be used for purposes other than those directly related to
work activities (examples: personal use of e-mail, Internet access,
telephones);
• Information security policies covering the availability, confidential-
ity and integrity of the organisation’s data, documents and informa-
tion.
Execution considerations
Execution must match the quality needs of the organisation for the de-
livery of ICT projects and operational services. Chapter 5 has shown that
a higher quality than necessary has important financial implications.
Conversely, when service quality is insufficient the result will be a degree
of inconvenience, even paralysis. For anyone engaged in e-business (eBay,
Amazon, Dell, etc.) this could be disastrous.
What is “good enough” will be different from one organisation to anoth-
er and needs to be given careful consideration.
There are no standards or best practices for the contents of an ICT Strat-
egy. What works well is the production of a concise document, built in-
crementally and revised on a regular basis. The minimum contents of an
ICT strategy are:
• Objectives linked to business strategy and targets;
• The baseline including known constraints and legacies;
• Assessment of the technical and business risks of the strategy;
• Assumptions underlying the strategy
• ICT initiatives and their relation to a portfolio of information assets
• Technical architectures and standards
• Sourcing
• Estimated cost of implementing the strategy (± 30% or other avail-
able figure)
• Description of expected benefits (± 30 to 50%)
• Critical Success Factors for the strategy
ICT strategies begin with a history: over the years, organisations have
built computer systems, data definitions, databases, on a variety of tech-
nical platforms. Each of them implies constraints and legacies.
Data definitions and database technologies can be migrated to new tech-
nical architectures through conversion, cleansing and other complex pro-
cesses. This often turns out to be an implementation obstacle and the
source of unplanned expenditures. Lack of knowledge of how these lega-
cies will affect the implementation of new systems is a major handicap.
The organisation’s culture and the availability of skills are non-technical
constraints to the implementation of a strategy. Resistance to change is
natural and should be expected and if the magnitude of change leads to
major changes (relocation, downsizing, the need for new skills), these
constraints need to be addressed at an early stage to avoid significant fric-
tion and other problems later on.
Technical risks: These revolve around not knowing the answers to:
Business risks:
• Is the project truly aligned with the organisation’s needs and priori-
ties?
• Is the organisation capable of absorbing the changes that will re-
sult?
A strategy must make explicit what the organisation “knows it does not
know” – the assumptions made in preparing the ICT strategy. Executives
should question and discuss these assumptions before committing funds
to the implementation of the strategy. Checking the validity of these as-
sumptions is part of the risk assessment and management process.
Executive Dilemma
• The fast track approach will bring disruption and budget constraints,
and there is a general lack of trust within the organisation that the
CIO can roll out effective ICT systems and on the availability of com-
petent staff to work with the new systems.
• To increase data-quality and integrity, reduce maintenance costs and
improve security, the organisation needs to abandon the present dif-
fused and uncoordinated computing and database configuration.
• There are too many applications developed by individual offices and
headquarters units, to compensate for shortcomings of existing cor-
porate systems. These software applications have been developed
over the last 10 years. Generally they have inadequate functionality,
are poorly integrated and are showing serious signs of reaching the
end of their economic and/or technical life.
• Across its network of offices, the organisation has 16 different cor-
porate systems for its resource management functions. Each of these
systems has its own history and constituency.
Would you approve the expenditure and proceed with this strategy?
NB – this dilemma is based on a real case. Three years on, the strategy is
still being implemented. One of the central components of this strategy
was an Enterprise Resource Management System using one of the major
ERP software packages. It emerged that knowledge about the strategy did
not reach everyone, as one business unit implemented their own (differ-
ent and incompatible) solution at a cost of 5 million US dollars.
As a senior executive what lessons can you draw from this situation?
Action Points
Ensure that the business objectives of your organisation are known and
understood by those responsible for ICT strategy.
Strengthen ICT governance mechanisms to enable ICT to deliver the ap-
propriate quality of projects and services with acceptable track record and
costs.
Focus the work of the ICT governance body on alignment and value issues.
Demand that ICT strategies be regularly updated and that they reflect the
input of all constituent parts of the organisation.
Chapter 8
ICT service delivery processes: resources, quality and risk
ICT, like most critical infrastructures – electricity, water, telephone – becomes invisible
when everything works as intended. Disruptions to services are noticed immediately and
cause, as a minimum, considerable inconvenience.
Ensuring that ICT service delivery provides a consistent level of quality requires discipline.
How much structure and discipline is required for a given organisation is determined by the
potential impact of service delivery disruptions on the operations of the organisation.
When ICT services become unavailable (downtime) organisations incur losses because of
their inability to operate. Surveys conducted in the United States identified that such loss-
es range from the tens of thousands of US dollars an hour (46% of respondents) to over
one million US dollars an hour (8% of respondents) and it is therefore not a trivial matter.
There are many best practices that can be used to manage service delivery and not putting
them into practice is a self-defeating game.
Service Agreements
for from a central budget, charged to user departments) and the mecha-
nisms for reviewing performance and amending the terms of the agree-
ment. It is usual to include sections on penalties and other arrangements
that apply when the agreed service levels are not delivered.
Performance criteria include measurable parameters such as service
availability, response time and where it is measured, the definition of
maintenance windows and problem resolution targets.
These definitions should be unambiguous: a service availability of 99.8%
is quite a different matter in each of the following:
• Monday to Friday, prime time (08:00 to 18:00)
• Seven days a week, over two consecutive working shifts (08:00 to 24:00)
• Seven days a week, twenty-four hours a day
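The point is easy to state and easy to get wrong in a contract, so here is an added example (not from the book) that measures one constructed outage log for a single month against each of the three coverage windows above. The outage times, the month and the 99.8% target are assumptions for illustration; the same three incidents meet the target under the first two definitions and miss it under the third.

```python
"""Added example (not from the book): measuring one constructed outage log
against the three coverage windows above, to show how the same incidents
give different availability figures depending on which hours count."""
from datetime import datetime, timedelta

# Constructed outage records for March 2024, as (start, end) in local time.
OUTAGES = [
    (datetime(2024, 3, 4, 9, 30), datetime(2024, 3, 4, 9, 40)),      # Monday, prime time
    (datetime(2024, 3, 9, 2, 0), datetime(2024, 3, 9, 6, 0)),        # Saturday night batch window
    (datetime(2024, 3, 20, 17, 45), datetime(2024, 3, 20, 18, 30)),  # straddles 18:00
]

# Coverage windows: which weekdays count (Monday == 0) and the hours of the day.
WINDOWS = {
    "Mon-Fri 08:00-18:00": (range(0, 5), 8, 18),
    "7 days 08:00-24:00": (range(0, 7), 8, 24),
    "7 days 24 hours": (range(0, 7), 0, 24),
}

TARGET = 99.8  # the agreed availability quoted in the text


def minutes_for_day(day, outages, weekdays, start_h, end_h):
    """Covered minutes and downtime minutes for one calendar day (day is midnight)."""
    if day.weekday() not in weekdays:
        return 0.0, 0.0
    win_start = day + timedelta(hours=start_h)
    win_end = day + timedelta(hours=end_h)  # end_h == 24 is the next midnight
    covered = (win_end - win_start).total_seconds() / 60
    down = 0.0
    for o_start, o_end in outages:
        # Only the part of the outage that overlaps the window counts.
        lo, hi = max(o_start, win_start), min(o_end, win_end)
        if hi > lo:
            down += (hi - lo).total_seconds() / 60
    return covered, down


def availability(outages, year, month, window):
    """Return (availability percent rounded to 3 dp, downtime minutes counted)."""
    weekdays, start_h, end_h = window
    day = datetime(year, month, 1)
    covered_total = down_total = 0.0
    while day.month == month:
        c, d = minutes_for_day(day, outages, weekdays, start_h, end_h)
        covered_total += c
        down_total += d
        day += timedelta(days=1)
    return round(100 * (1 - down_total / covered_total), 3), down_total


def report(outages, year, month, target=TARGET):
    """Map each window name to (percent, downtime minutes, target met?)."""
    out = {}
    for name, window in WINDOWS.items():
        pct, down = availability(outages, year, month, window)
        out[name] = (pct, down, pct >= target)
    return out


if __name__ == "__main__":
    for name, (pct, down, ok) in report(OUTAGES, 2024, 3).items():
        print(f"{name:22s} {pct:7.3f}%  downtime {down:4.0f} min  "
              f"{'meets' if ok else 'misses'} {TARGET}%")
```

The Saturday night outage is invisible under the first two definitions and the outage that straddles 18:00 is only partly counted under the first; an agreement that does not say which window applies, and where the clock is read, leaves both parties free to claim a different number from the same incident log.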
In-house service providers will have budgetary constraints and if required
to deliver high quality without adequate funding will end up diverting
resources from other activities such as end user support or, most frequently,
innovation and development.
Outsourcing service providers work within a contractually agreed frame-
work and changes to specifications are treated as amendments to the con-
tract.
Performance assessment
Help desk
Incident and problem management
Security management
Contingency planning
Software control
Change management
Service level management
Contract and cost management
Availability management
Storage and media management
Capacity management
The risks of a change management system that is not mature enough are:
• Delays in implementing changes, particularly if the change manage-
ment system is paper based and involves bottlenecks (particularly in
the approval stage);
• Failed implementations due to side effects that were not properly con-
sidered before the change;
• ICT staff may be tempted to bypass the process leading to changes
that are not documented or known to others and creating complica-
tions should the change lead to problems at a later date;
• Resistance to a unified Change Management system from different
parts of an ICT organisation due to the different views of staff.
Configuration management is a process designed to give direct control
over all ICT assets and to use this control to ensure that ICT services pro-
vide value for money.
Configuration management requires a complete inventory or portfolio of
information assets at a level of detail that balances the amount of infor-
mation collected and the resources needed to do so.
Effective configuration management requires that all information assets are
included and that these are regularly verified to ensure that these correspond
to the records held in the configuration management documentation.
The risks associated with weak configuration management are
• That staff may bypass the process either for speed of implementing
an urgent change or to deliberately cause problems (sabotage);
• Not having staff available to implement emergency changes outside
normal office hours.
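The check that both the change management risk (changes that are not documented or known to others) and the configuration management requirement (records regularly verified against what actually exists) call for is a reconciliation of observed assets against the records and the change log. The following is an added example, not from the book; the configuration records, the scan results and the change log are constructed, and hostnames, addresses and the change reference are assumptions for illustration.

```python
"""Added example (not from the book): verifying observed assets against the
configuration records, and checking any drift against the change log. The
records, scan results and change log are constructed."""

RECORDS = {  # constructed extract of the configuration management documentation
    "db01": {"ip": "10.0.1.10", "os": "RHEL 8.9", "owner": "finance"},
    "web01": {"ip": "10.0.2.20", "os": "Ubuntu 22.04", "owner": "web"},
    "web02": {"ip": "10.0.2.21", "os": "Ubuntu 22.04", "owner": "web"},
    "bkp01": {"ip": "10.0.3.5", "os": "Windows 2019", "owner": "ops"},
}

OBSERVED = [  # constructed output of a discovery scan of the same network
    {"host": "db01", "ip": "10.0.1.10", "os": "RHEL 8.9"},
    {"host": "web01", "ip": "10.0.2.20", "os": "Ubuntu 24.04"},  # upgraded
    {"host": "web02", "ip": "10.0.2.99", "os": "Ubuntu 22.04"},  # re-addressed
    {"host": "lab-test", "ip": "10.0.2.77", "os": "Debian 12"},  # nobody recorded this
]

CHANGE_LOG = [  # constructed approved changes: host, attribute, new value, reference
    {"host": "web01", "field": "os", "to": "Ubuntu 24.04", "ref": "CHG-0412"},
]


def reconcile(records, observed, change_log, tracked=("ip", "os")):
    """Compare the records with what was observed.

    Returns a dict with
      unknown: hosts seen on the network but absent from the records;
      missing: recorded hosts that were not seen (decommissioned, or down);
      drift:   (host, field, recorded, observed, change ref or None) for every
               tracked attribute whose observed value differs from the record.
    """
    seen = {o["host"]: o for o in observed}
    approved = {(c["host"], c["field"], c["to"]): c["ref"] for c in change_log}
    unknown = sorted(h for h in seen if h not in records)
    missing = sorted(h for h in records if h not in seen)
    drift = []
    for host, rec in records.items():
        obs = seen.get(host)
        if obs is None:
            continue
        for field in tracked:
            if obs.get(field) != rec.get(field):
                # A matching approved change explains the difference; None does not.
                ref = approved.get((host, field, obs.get(field)))
                drift.append((host, field, rec.get(field), obs.get(field), ref))
    return {"unknown": unknown, "missing": missing,
            "drift": sorted(drift, key=lambda d: d[:2])}


def undocumented_changes(result):
    """Drift with no approved change behind it: the bypassed-process case."""
    return [(h, f, was, now) for h, f, was, now, ref in result["drift"] if ref is None]


if __name__ == "__main__":
    result = reconcile(RECORDS, OBSERVED, CHANGE_LOG)
    print("unknown assets:", result["unknown"])
    print("missing assets:", result["missing"])
    for host, field, was, now, ref in result["drift"]:
        print(f"drift {host}.{field}: {was!r} -> {now!r} ({ref or 'NO CHANGE RECORD'})")
```

Each of the three findings needs a different follow-up: an unknown asset is either an unrecorded installation or an intruder's machine, a missing one is either decommissioned without updating the records or down, and drift without a change reference is exactly the undocumented change the text warns about. Run against the real records, the scan data and the approved-changes list, the same function is the periodic verification the configuration management process requires.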
Service level management is as much a discipline as it is a process, and re-
lies on having defined Service Level requirements for specific systems
and facilities. These agreements are entered into by representatives of the
service provider (in-house or outsourcer) and those of end user groups.
This requires the service provider (the ICT function or an external provid-
er) to establish a complete catalog of services and the cost of provision.
The ICT function should also have mechanisms for collecting informa-
tion on service performance, validate it against the requirements of the
agreement and take remedial action when it does not.
The risks associated with not having service level management at an ap-
propriate level of maturity are:
People issues
Processes and how they are deployed depend entirely on people. An en-
thusiastic technical person fascinated by trying new things may not be
the best choice to manage processes: process people need to be systemat-
ic, meticulous, patient and effective problem solvers.
Creative and curious people may get easily bored with the structured na-
ture of process management and are unsuited for long-term assignments
in process tasks. However they make terrific troubleshooters.
Good process people also need to be motivated and flexible, as in ICT such
work requires shift work and on-call availability to provide continuous
coverage (24*7) every day of the year.
The data centre of Organisation XYZ is run by Michael, a very clever in-
dividual whose primary skill is in computer programming and who has
spent most of his working life in the same organisation. In an effort to re-
duce operational costs, Michael devotes all of his working time and a good
part of his spare time to doing things as cheaply as possible.
The photograph shows some of the results: a cheap but very fragile oper-
ation where problems were the order of the day. However, in this execu-
tive dilemma, Michael was regarded by many as a “genius” and therefore
an indispensable individual who did not accept criticism from anyone.
Moreover, Michael never saw the point of attending conferences or dis-
cussing operational performance with his peers.
Whenever the people responsible for service delivery are skeptical of the
value of standards (ISO 9001), best practices (ITIL and COBIT) and insist
that adopting such practices would be expensive and require more staff,
it would be prudent to get a second opinion.
(Photograph from an operational data centre (really): no diagram or records;
sticky labels, many missing; ordinary twine; spaghetti cabling.)
Given that executives rarely, if ever, visit the data centre on which their
organisation relies for service delivery, what would they find if they de-
cided to conduct an unannounced visit?
Action points
ICT projects have a less than brilliant track record. A cynic once said that the basic formula
for such projects is R = 2*2*½ (the Results you get take twice as long and cost twice as
much as you planned for and are only one half of what you expected). Regrettable as it is,
this formula continues to be regularly validated by experience.
Many projects are successfully completed, and this is not because of luck. The combination
of technical complexity, optimism and the lack of effective (and experienced) project man-
agement constitutes a lethal mix that will reduce the chances of success of an ICT project.
Executives are the ultimate sponsors of such projects and, as such, have a critical role to
play to ensure that projects are properly managed, that major events – changes, delays and
other disruptions – are evaluated and controlled. Equally important for executives is to be
satisfied that project risks are sensibly managed.
Projects are one time events consisting of multiple linked tasks with well
defined objectives and quality criteria, performed by teams of people
within a desired time and budget framework. The membership of these
teams may be internal (employees), external (consultants, vendors, con-
tractors and many others) or hybrid.
Projects can be categorised in many ways. Two particularly appropriate
categories for ICT projects are
1. The nature of the project
2. The size of the project.
The nature of a computer systems project is described by a point defined
by the three parameters shown in the figure.
The risks associated with such small projects are mainly end-user frustration as a result of not meeting their expectations and delays. Delays in the delivery of software are a common occurrence for reasons discussed later in this Chapter.
Medium-size projects – with timescales of less than a year and a budget that could reach around a million dollars or Euro – include cabling projects, major data centre enhancements, and the development of software for a specific application, typically with a low degree of integration with other enterprise or corporate systems.
The risks of medium-size projects include, in addition to those of small projects:
• The creation of “information islands” using incompatible definitions of data or technical architectures that do not fit well with that of the organisation as a whole;
• The introduction of unauthorised functions, malicious software or backdoor access to systems. This can lead to fraud, sabotage and/or blackmail;
• The possibility that the product or vendor chosen may no longer be available by the time the project is completed (mergers, acquisitions, bankruptcy, etc. should never be excluded from a project’s risk analysis);
• Causing organisational slow-down or paralysis in the event of a failed implementation.
In mid-July 2004, the peak of the holiday season, the SNCF (French National Railways) completed a medium-size project to implement new networking software to upgrade the connection of their seat reservation system to 4,000 points of sale. This failed in service and it took three days to restore normal operations, having inconvenienced several hundred thousand travellers and “gained” extensive negative publicity.
Large projects – these have timescales of three to five years and a budget of up to one hundred million dollars or Euro. Such projects include building a new data centre or the consolidation of a number of operational data centres at this new location.
Large software projects include enterprise software for an organisation with thousands of employees, such as an Enterprise Resource Planning system using a package that is customised for a specific organisation.
One of the ICT projects known to be in poor shape in 2004 is the US government’s Business Systems Modernization program for the Internal Revenue Service (IRS): an 8 billion dollar plan that is running very late (one component was delivered three years behind schedule) and whose costs are escalating rapidly by hundreds of millions of dollars.
A not-for-profit organisation of some 10,000 staff decided to implement a new ERP to replace a number of legacy systems. The organisation believed that its needs and operations were unique and that no commercial package could be adapted to meet their procedures and business rules.
When the project first started, it had been estimated that it would take two years and 8 million dollars to deliver a made-to-measure system using internal resources with some assistance from a vendor.
The project was completed to great acclaim and recognition (the project manager was promoted). However, it took ten years, somewhere near 100 million dollars and a large external team to complete. This situation is by no means unique and many more examples of this kind abound.
In 1999, NASA lost the Mars Climate Orbiter. Because of inadequate project controls and communications, the Orbiter was transmitting distance data in metric units while the earth station operations were working in imperial units. The craft approached Mars’s atmosphere too low and too fast and was never heard of again. The cost of this misadventure: 125 million dollars.
The project manager and the project sponsor need to recognise the inevitability of change and ensure that the planning process is designed to accommodate change and then work towards minimising the impact and risk associated with such changes.
Fact # 5: Size matters
Small projects have a higher rate of successful completion than very large projects. Various studies, including that of the Standish Group, indicate that less than 30% of very large projects are ever completed.
The difficulties associated with very large projects are related to the number of people that must work together and to the complex inter-relationships between parts of the project, the people working on them, vendors and other suppliers and the time taken by the project.
Waltzing with bears, Tom DeMarco and Timothy Lister, 2003, Dorset House Publishing Co.
(WRBL). This and other tools have been compiled in a companion volume to this book entitled “The Executive Toolkit”.
The final part of this stage is the negotiation and signing of contracts and the development of a detailed project plan that identifies the activities to be performed by the vendor and by the client(s).
STAGE 2: Setting up a project follows executive approval to go ahead and starts with the signature of a contract to deliver the project or being given the “GO” if the project will be resourced internally.
Best practices include formalising several component parts of the project to ensure clarity of purpose and communications. These include, as top level activities:
• Project Organisation
Appointing a project manager and the project team and assigning the percentage of time that they shall devote to the project (from 20% for a small, non-critical project that can be done concurrently with other activities to 100% for any substantial or critical project). In addition, suitable arrangements for accommodation, tools and related facilities need to be made at this time.
For large and very large projects and for projects of any size that have a major impact on an organisation, a Project Review Board (or group, task force, committee if these names are more appropriate in a given environment) should be established.
• Decision making process and delegated authorities
Defining the scope of authority of the project manager and the project team members concerning expenditures, changes of scope, technologies, products, etc., and defining who can authorise changes (and how) other than those delegated. Such definitions should cater for arrangements that enable urgent decisions in non-delegated areas to be handled effectively.
The project manager remains responsible for all activities of the project, including those delegated to members of the project team or contracted with external parties.
• Review Management
Defining how, who and how frequently the Project Review Board or equivalent body will meet with the project manager / project team to review the progress of the project, as well as the authorities of this person or group.
Particularly important for major projects, this group should have the authority to decide whether a project should be terminated or, at the very least, be responsible for requesting such a decision from the Executive.
The Executive Toolkit by Ed Gelbstein and Elöd Polgar, Diplo publications, 2005 (www.diplomacy.edu)
STAGE 3: Project implementation is the collection of activities and resources that transform a plan into deliverables. Almost entirely the responsibility of the project team and any vendors, contractors or other parties involved, project management activities include:
• Progress management (tracking and recording the evolution of the work against a project plan). This is a key activity, the main purpose of which is to identify early signs of trouble in a project and deal with deviations from the plan by managing changes to it through a formal Change Control process and keeping the project plan up to date.
Project plans must be kept up to date to show all changes to the project and, to be of real value, be shared among the project team, the sponsor and other executives, notably the members of a project review group.
It is acknowledged that there are organisational cultures where voicing bad news, whether slippages or technical problems, is considered akin to treason. This goes against the principles of risk management and does not help project success.
• Change management
The need for changes to a project plan will be driven by many different factors – for example:
- Changes in requirements identified during the development of the project;
- Changes in technical products (versions of software, new hardware, vendors going out of business or ceasing to support a product);
- Changes in the constitution of the project team and the need to brief new members and integrate them into the team;
- Delay in completing a task that prevents another from being started;
- Lack of funds that obliges the project to be put in suspense during its execution;
- and a multitude of other reasons.
tegration with other technologies and systems and end user testing to validate that the ergonomics of the system are consistent with the skills and ability of the people who will use it.
When the project relates to a computer system that will involve confidential and financial transactions, it is also good practice to conduct an audit to confirm that the appropriate controls have been correctly implemented.
Introducing a new system into operation can be done in two ways - Big Bang or phased:
The concept of the Big Bang is a courageous approach to the implementation of large, complex software systems – waiting until all the development has been completed before releasing the system to an operational environment. This requires massive efforts in testing, transferring data to the new system from older systems, training, preparing for the support of the people who will use it and a critical period of transition from the old to the new.
The opposite approach of phased implementations is favoured by a substantial majority of the people working in the software industry, who advocate that systems should be broken down into usable portions that can be implemented in no more than two years.
Moreover, when the new system is a replacement of an old system, parallel running (keeping the old system operational until there is a sufficient level of confidence that the new system is performing well) is a way to reduce risk. Like all risk management activities (except hoping for good luck), it involves additional costs.
One difference between ICT projects and other projects, such as the construction of a bridge or the launching of a satellite, is that in the event of failure the latter projects are investigated and a report on the cause of failure is produced. In the computer industry some failures get public attention because of their impact and visibility, but it is not unusual to cover up failures whenever possible, minimise them and, when this is not possible, provide “rational explanations”. The most common reasons for projects to go wrong can be grouped in two categories of different natures:
[Figure: the two categories, Complexity and Optimism]
iv) Belief in Magic: whenever a project gets to the situation that this “new tool”, “team member” or “product” will fix the problems that the project is facing and put it back on course. Anything of this kind should ring loud alarm bells in the sponsor’s mind.
Project Management has been treated as a science for many years. There are many courses, books, software programs and tools to train people in project management methodologies and in methods for measuring progress (and also for measuring deviations from the targets set for the project).
No two projects are ever the same and project managers can expect to be confronted with situations that require experience, common sense, intuition, creativity and negotiation skills to resolve – which makes project management an art as well as a science.
Formal project management aims to maximise the probability of the successful completion of the project, meeting the planned targets for results, timescales and costs. When done properly, it also includes the identification, mitigation and management of the risks to which a project is exposed. Chapter 10 is dedicated to this topic.
Action points
Risk management prepares you against a problem that has not yet happened
Problem management is what you do when the problem occurs
Crisis management is what you have to do when you cannot solve the problem
• What exactly is risk and what are the factors that determine it?
• What is the scope of risks associated with ICT?
• Why should an executive be concerned with ICT-related risk management?
• What are the steps needed to manage risk?
Living and working in an imperfect world, things never work as planned. Risk management is the discipline through which the effects of unplanned events can be mitigated.
ICT brings with it additional components of risk: threats and vulnerabilities that can have a certain impact on the activities of an organisation. Countermeasures are put in place to remove or reduce these threats and vulnerabilities, and what remains is a residual risk, i.e. the risk that the countermeasures are not sufficient to remove a threat or a vulnerability, or that an unexpected (even unthinkable) event occurs.
Understanding threats and vulnerabilities and implementing good countermeasures are essential components of risk management strategies. These strategies start with risk evasion, a “do nothing” approach in which an organisation relies only on good luck, and extend to complex arrangements of risk containment, mitigation and transfer involving other parties such as insurance companies and outsourcing service providers.
Managing risks
Risk is part of daily life and most people recognise that harm, loss and danger are real and could actually happen to them.
Cautious people buy health and property insurance and also wisely hesitate to undertake activities involving long ladders and climbing on roofs or tall trees and make arrangements to look after their children should something bad happen to them. In addition, cautious people do not attempt to fix things they do not understand, like plumbing (those who have a go, must accept the consequences).
Then, there are thrill seekers who go bungee jumping, parachute from planes, go mountain climbing and other activities that they believe can be achieved without harm. Finally, there are those who do things without thinking about risk. Statistics are not in favour of poor preparation. Many of those who don’t succeed get mentioned in books such as the Darwin Awards and the Chronicles of Human Stupidity.
How many of the people in these categories behave the same way in their
workplace? When it comes to ICT it would appear that the cautious group
may be in a minority and the rest may just be unaware of their role in
managing enterprise risk.
When nothing is done about risks, the result is a surprise. Surprises are
NEVER good news.
Countermeasures
These are all the actions that are taken to avoid or reduce threats, vulnerabilities and impact. In terms of the example of the computer room and the river, one possible countermeasure would be to relocate the facility to a place where the threat of flooding is much lower – away from rivers and the sea.
However, some threats are much harder to deal with by an individual organisation, for example that of civil disorder or that of a terrorist attack in a particular city.
Vulnerabilities are much more manageable in terms of finding and implementing countermeasures, but on condition that appropriate effort is put into identifying these vulnerabilities and reviewing the situation on a regular basis.
A computer room without access controls that can be monitored is a typical example of a vulnerability. Another example would be antivirus software not kept up to date. The countermeasures needed to address these vulnerabilities are relatively simple but require action to be implemented.
The potential impact of an event is of prime importance in deciding the extent to which countermeasures will be put in place – very few countermeasures can be implemented without cost.
Six distinct areas of risk will be considered in this chapter. Four of them are derived from the Control Objectives for Information Technology (COBIT):
• Weak governance (COBIT Planning and Organisation)
• Projects (COBIT Acquisition and implementation)
• Operations (COBIT Service delivery)
• Lack of audit (COBIT Monitoring)
and the remaining two are: non-compliance (with legislation, contracts and policies) and people issues.
Non-compliance risks
Organisations must comply with national and regional legislation on many matters, including privacy, data protection, health and safety at work, the accuracy of financial reports and more. They also need to take steps to ensure that their workforce complies with internal policies and codes of conduct.
In addition, organisations have responsibilities to third parties and these require compliance with the terms and conditions of contracts and licences and extend to all situations where third parties may have recourse to the law to seek compensation or damages for the misuse of data.
People-related risks
People play a key role in any organisation. The main areas of risk relating to them include:
• The provision of access rights to computer systems and networks to non-employees, including vendors, customers, maintenance personnel, consultants, contractors, interns;
• Dishonest, malicious or disgruntled employees;
• Industrial espionage;
• Infiltration by organised crime;
• Abuse through social engineering;
• Lack of awareness of essential information security and related issues.
Chapter 2
Understanding risks
Things that we can think of as potentially harmful may never happen (in plain language this is called luck) but luck cannot be counted on as statistics are against it.
While the previous section listed some areas of potential exposure, the process for understanding risks needs to be customised for every organisation. The process involves two steps: discovery (or identification) and evaluation.
Discovery requires being open minded and candid about the things that can occur to harm a process, project or activity.
There are many techniques that can be used to identify risks and brainstorming is a favourite one. Successful brainstorming requires a mixture of experience (after all, risk is managed by people) and good communications that allow risk to be discussed openly, as some risks require saying things that may conflict with organisational culture, for example:
• “Tony is incompetent – the project will fail if he is made project manager” when Tony happens to be the Chief Executive’s nephew;
• “There is no way that this project can be completed by the end of this year and besides the budget is totally inadequate”;
To populate the list of risks, it is good to assume that every problem experienced in the past is a future risk. In addition, the brainstorming group should look for what they don’t know – the subject of every question to which the answer is “I don’t know” is a risk.
Similarly, the assumptions being made in looking for risks should be challenged – for example “there is no way that one of our employees could act dishonestly” may not be valid.
There are tools that can be used to support and extend the brainstorming process. The “Five Whys” technique is an extension of the natural curiosity of a three year old in which questions are asked to identify the root
Following a couple of branches of this tree, first the policy branch: if the organisation does not have a policy to limit data access on a need to know basis as part of its appropriate use policy, if there is no policy for monitoring access to systems and keeping appropriate logs for critical transactions and there is no policy specifying what action will be taken in the event of non-compliance, the possibility of fraud has been facilitated.
Looking at the process branch, if the process for terminating access rights for a person leaving the organisation (on retirement or to another job elsewhere) is not properly carried out, there will be people who have legitimate user IDs, passwords and whatever other mechanisms to ensure identity management while no longer being entitled to such rights. Another factor that makes fraud possible and not-so-difficult.
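The process branch above is the one a reviewer can check directly: reconcile the HR list of leavers against an export of the account directory and report anyone whose account is still enabled, flagging separately those accounts that have been logged into after the leaving date, since a credential that has been used is a stronger signal than one that merely survived. The following is an added example written for this edition, not code from the book; the two record sets, their field names (user_id, left_on, status, last_login) and the review date are constructed assumptions.

```python
"""Orphaned-account reconciliation (added example, not from the book).

Cross-references an HR leavers list against a directory export to find
people whose accounts remain enabled after their entitlement ended. The
record sets, their field names and the review date are constructed
assumptions for the illustration.
"""
from datetime import date
from typing import Dict, List, Optional

# Constructed HR feed: who left and when (assumed schema).
LEAVERS: List[Dict] = [
    {"user_id": "jbloggs", "left_on": date(2004, 6, 30)},
    {"user_id": "asmith", "left_on": date(2004, 7, 15)},
    {"user_id": "rkhan", "left_on": date(2004, 5, 1)},
]

# Constructed directory export: account state and last successful login
# (None when the account has never been used).
ACCOUNTS: List[Dict] = [
    {"user_id": "jbloggs", "status": "active", "last_login": date(2004, 7, 20)},
    {"user_id": "asmith", "status": "disabled", "last_login": date(2004, 7, 14)},
    {"user_id": "rkhan", "status": "active", "last_login": None},
    {"user_id": "tjones", "status": "active", "last_login": date(2004, 7, 21)},
]

# Date on which the review is run (constructed).
REVIEW_DATE = date(2004, 7, 31)


def find_orphaned_accounts(leavers: List[Dict], accounts: List[Dict], as_of: date) -> List[Dict]:
    """Return one finding per leaver whose account is still enabled on as_of.

    A login recorded after the leaving date is the more serious case: the
    credential has not just survived, it has been used. Findings are sorted
    with those cases first, then by how long the account has been left open.
    """
    by_id = {a["user_id"]: a for a in accounts}
    findings = []
    for leaver in leavers:
        account = by_id.get(leaver["user_id"])
        if account is None or account["status"] != "active":
            continue  # no account, or already disabled: the termination process worked
        left_on = leaver["left_on"]
        last_login: Optional[date] = account["last_login"]
        used_after = last_login is not None and last_login > left_on
        findings.append({
            "user_id": leaver["user_id"],
            "left_on": left_on,
            "days_open": (as_of - left_on).days,
            "last_login": last_login,
            "severity": "used_after_leaving" if used_after else "still_enabled",
        })
    # Used-after-leaving first, then the longest-open accounts.
    findings.sort(key=lambda f: (f["severity"] != "used_after_leaving", -f["days_open"]))
    return findings


if __name__ == "__main__":
    for f in find_orphaned_accounts(LEAVERS, ACCOUNTS, as_of=REVIEW_DATE):
        print(f"{f['severity']:20s} {f['user_id']:10s} left {f['left_on']} "
              f"open {f['days_open']} days, last login {f['last_login']}")
```

Accounts that exist in the directory but not in the HR feed (tjones above) are deliberately out of scope for this check; a separate reconciliation in the other direction is what would catch accounts with no owner at all.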
Once identified, risks should be evaluated, i.e. the probability of each risk manifesting itself should be estimated. Those not convinced of the value of risk management will, at this point, argue that the probabilities of risks cannot be determined.
While these numbers cannot be accurately known, boundaries and reasonable estimates can be derived by looking at history, statistics and trends and then discussing best and worst case numbers and agreeing on a “most likely” value.
If someone says that “the project office could be hit by a meteorite”, this is possible and global statistics can be used to show that the probability of such an event is several orders of magnitude lower than the probability that the project manager will resign midway through a project.
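A worked illustration of the evaluation step, added here and not part of the book: each risk in a small register is given best, worst and most likely values for both its probability and its impact, the three values are combined into a single estimate, and the register is ranked by expected loss so that the resignation and meteorite cases of the text can be compared in orders of magnitude. The PERT weighting (best + 4 × most likely + worst) / 6 used to combine the three values is an assumption added for the example, and every figure in the register is constructed rather than taken from any statistics.

```python
"""Risk register with three-point estimates (added example, not from the book).

Each risk carries best, most likely and worst values for its probability of
occurring during the project and for its impact (in thousands of dollars).
The PERT weighting used to combine the three values is an assumption added
here; every figure in the register below is constructed for illustration.
"""
import math
from dataclasses import dataclass
from typing import List


@dataclass
class ThreePoint:
    """Best, most likely and worst case values agreed in the evaluation."""
    best: float
    likely: float
    worst: float

    def pert(self) -> float:
        # Weighted estimate: the most likely value counts four times (assumed PERT rule).
        return (self.best + 4 * self.likely + self.worst) / 6


@dataclass
class Risk:
    name: str
    probability: ThreePoint  # chance of the event during the project (0..1)
    impact: ThreePoint       # cost if it happens, in thousands of dollars

    def expected_loss(self) -> float:
        """Probability times impact, both taken as their weighted estimates."""
        return self.probability.pert() * self.impact.pert()


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Highest expected loss first: where attention and mitigation budget should go."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def total_expected_loss(risks: List[Risk]) -> float:
    """Sum of expected losses: a starting point for sizing a containment reserve."""
    return sum(r.expected_loss() for r in risks)


def orders_of_magnitude(more_likely: Risk, less_likely: Risk) -> float:
    """How many powers of ten separate two risks' probability estimates."""
    return math.log10(more_likely.probability.pert() / less_likely.probability.pert())


# Constructed register (all numbers are illustrative assumptions).
REGISTER = [
    Risk("Project manager resigns midway",
         ThreePoint(0.05, 0.15, 0.30), ThreePoint(100, 250, 600)),
    Risk("Project office hit by a meteorite",
         ThreePoint(0.0, 1e-9, 1e-8), ThreePoint(2000, 5000, 20000)),
    Risk("Chosen vendor ceases to support the product",
         ThreePoint(0.02, 0.10, 0.25), ThreePoint(50, 200, 1200)),
]

if __name__ == "__main__":
    for risk in rank_risks(REGISTER):
        print(f"{risk.name:45s} expected loss {risk.expected_loss():10.4f} k$")
    print(f"total expected loss {total_expected_loss(REGISTER):.2f} k$")
    print(f"resignation vs meteorite: "
          f"{orders_of_magnitude(REGISTER[0], REGISTER[1]):.1f} orders of magnitude")
```

Ranking by expected loss rather than by worst case is what keeps the meteorite at the bottom of the list despite its enormous impact; the total is only a first input to the containment reserve discussed later, since the risks are treated as independent and a real register would also record the assumptions behind each estimate.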
For every activity there are one or more events that can be described as showstoppers. If this event occurs it will result in an undesirable outcome which could include events with disastrous consequences.
For example, an organisation that is working on an innovative product or service and planning to be the first in the marketplace discovers, two thirds of the way through the project, that a competitor has beaten them to it with a superior product. The best choice left to them is to abandon the project and write off the expenditures incurred this far.
The root cause of this risk was the incorrect assumption that they could be the first in the marketplace and ignoring possible competition. The owner of this assumption, usually the project sponsor, may have not been thorough enough in the risk discovery stage.
Unthinkable risks – those that could have fatal consequences for an organisation – may be unthinkable but are not impossible. Organisations where cultural issues prevent such risks from being articulated make risk management very hard, if not impossible.
Worrying about a problem does not solve it. Doing something about it might. This statement is the basis of the five possible risk management strategies: avoidance, containment, mitigation, evasion and transfer.
Risk avoidance implies not pursuing an activity – a person will avoid the risks involved in parachute jumping simply by not jumping. This strategy also foregoes any benefits that pursuing the activity may have delivered – thrill and pride in the case of the parachute, business benefits in pursuing innovative projects to be first in the marketplace.
Risk containment is about having sufficient reserves of money, time and people to cover the outcome of the combined risks should these materialise. This is what organisations do when they cover, from their reserves, the cost of an undesirable event – credit card fraud, for example.
Risk mitigation is the collection of measures taken to reduce the emergence of a risk and reduce the cost of containment. All the activities relating to risk mitigation are carried out in advance of the materialisation of a potential risk factor – examples include:
• Implementation of security policies and measures, background checks on employees;
• Preparation and testing of contingency plans;
• etc.
Risk evasion consists of crossing your fingers and hoping that the risk factors don’t materialise, and that in practice they don’t. The success of this strategy, although much used, is not supported by statistics.
Risk transfer occurs when one or more risks are contractually shared between two or more parties, insurance and outsourcing being typical examples of risk transfer. This works well if there is complete clarity in the roles and responsibilities of the parties involved and a formal agreement on the consequences of failing to meet the contractual obligations.
Risk containment, mitigation and transfer all cost money and this should be taken into account in the budget preparation process.
Each risk factor will have one or more indicators that it is materialising or has occurred – for example an alert from an intrusion detection system in the network security perimeter is an indicator that one or more people are testing the electronic defences of the organisation.
The earlier such transition indicators are seen, the greater the opportunity to implement problem resolution and mitigation activities. The only problem with this is that early indicators may be full of “false positives”, i.e. not a manifestation of the risk occurring but something that looked as if it might.
The manifestation of a risk leads to a problem. Some problems can be solved and closed without too much difficulty – for example, the project manager for a large software development was suddenly taken ill at a time critical to the project. Fortunately, the second in command in the development team is fully briefed and quite capable of taking over for an indefinite period of time, as the team has sufficient resilience to be reconfigured to take care of this.
Other problems rapidly escalate into a crisis – they cannot be solved and become highly disruptive and visible.
Where this balance does not exist, being uncertain is not acceptable (although being wrong often is). These organisations will promote a loser by stating that “Joe Bloggs made a superhuman effort to deliver” even when proper risk analysis would have shown that Joe Bloggs never had a chance to deliver because of the risks involved in whatever he had to do…
In other organisations, there is a tendency to shoot the messenger if bad news needs to be delivered. Here the person raising concerns about risks will be told things such as:
Why must you always be so negative?
Don’t say something is a problem unless you can prove it…
Don’t say something is a problem unless you have a solution for it…
Don’t say something is a problem unless you want it to become your responsibility…
In organisations that are unduly “careful” and risk averse, risk management is largely irrelevant because the policy of risk avoidance is the most likely to be pursued and it is politically incorrect to voice concerns about risks.
Action points
Brainstorm potential risks to identify them, assess them and take appropriate actions.
If risk has not been well managed, consider applying the benevolent rule that “Once is a mistake. Twice is a coincidence. Thrice is either carelessness or incompetence”, then act accordingly. Clearly there will be situations where a mistake should be dealt with before a “coincidence” occurs.
Recognise that there is a real risk of loss of business and money as a result of shortcomings in information systems and the internal controls built into them.
Chapter 11
Information insecurity: external risks
The need to protect information assets from unauthorised use, misuse and abuse has grown as a result of reliance on interconnected networks, mainly the Internet, to carry out transactions with customers, vendors, partners, and with an increasingly mobile workforce.
Cyberspace – the world of software and data – brings many opportunities to people intent on stealing, copying or modifying data or simply disrupting the operation of networks, systems, websites and other electronic facilities. Hackers, crackers, scammers and organised crime are all known to be active in these activities and, without managing the security of its information assets, an organisation is exposed not only to loss but also to operational disruption.
There are many tools and products to strengthen information security and there is an international standard – the ISO 17799 “Code of Practice for the management of information security”. These are, however, not enough. Executive action is needed to create an organisational environment where these can be deployed and used effectively.
Availability is the ability to access information systems and facilities when so required;
Integrity is the degree to which it can be assured that when data (including software) is created or modified, this is done by a person who has a legitimate right and the proper authorisation to do so;
Confidentiality is the requirement that data is made available only to those who have the right to access it.
Becoming a competent hacker is easier than ever before as the tools and know-how are readily available either free of charge or for a small charge.
It should be a matter of concern that major hacker conferences count their participants by the thousands, while conferences for information security professionals attract, at best, a few hundred. This imbalance suggests that hackers are better at sharing experiences and information (usually about their successes) than corporate defenders (who would be disclosing their failures).
• Hacktivists, people with a “cause” who use information security attacks to gain visibility and the attention of the media;
• Organised crime, with vast resources to put to play, operating for financial gain; there is no doubt that computer crime pays. The Association of Fraud Examiners of the USA estimates that the average computer crime involves sums in excess of 2 million dollars;
• Industrial and other spies, who also have vast resources to put to play;
• Military, intelligence services (from anywhere in the world) and cyber-terrorists (assumed to exist). In an attack situation they may favour targets such as critical infrastructures: electricity, water, air traffic control, fuel distribution, central banks and emergency services. However, the possibility that other organisations could be attacked cannot be excluded.
Preparation
Issue # 1: How much security?
Security must never be an afterthought. A fact of corporate life is that security implies costs and inconvenience. Because of this, the question of “How much security should be put in place and how much cost and inconvenience are appropriate” in a specific environment is entirely legitimate.
The answer should be given by executives and not by the Chief Information Officer or other technical person: the result of delegation will be either an incomplete answer or, possibly, inappropriate solutions based on a “mindless pursuit of perfection”.
Costs need to be incurred to acquire equipment, software, facilities and to employ people to manage them. It is possible to outsource the operational aspects of security in the same way that physical security is outsourced to companies who specialise in this. The lifecycle costs of security also
Critical infrastructures would be found at the three to five level while government departments and others where continuous operations are less critical can accept higher levels of residual risk. The process through which the parameters that determine the level of protection to be sought are established is known as Business Impact Analysis (BIA). Such analysis is a component of disaster recovery and business continuity planning (Chapter 13).
Many steps have been taken in the last few years to facilitate the management of information security, notably the international standard ISO 17799, “Code of Practice for the Management of information security”. This short and readily understandable code of practice confirms that technology plays a partial, but important, role in the management of security.
The ten sections of ISO 17799: “Code of Practice for the Management of Information Security”
1. Develop and implement security policies
2. Put in place a security organisation
3. Maintain an information asset classification
4. Address personnel issues of security
5. Implement physical and environmental security
6. Ensure adequate network and computer operations
7. Implement system and network access controls
8. Build security into systems development
9. Have disaster recovery and resumption plans
10. Comply with legislation and best practices
“Social Engineering” is often used to bypass security. This involves the abuse of the good will that some people will exhibit when asked nicely to be helpful: the unaware will happily lend access to a networked computer to a complete stranger, provide a password over the phone to somebody pretending to call from the help desk, and provide other information in response to a question.
Validation
Security arrangements that are not tested or validated may turn out to be less effective than hoped for, and independent validation is the mechanism that executives can adopt to increase their confidence that their information assets are adequately protected.
Issue # 7: How far should validation be taken?
A scenario where there is no validation relies on the CIO (or most senior security person) stating that “everything is fine”. This is a courageous approach as it may prove untrue when the time comes. An improvement can be obtained when the CIO and other computer system owners produce a signed statement recording all known vulnerabilities and their assessment of the threats faced by these systems, although this is not yet common practice.
The introduction of the Sarbanes-Oxley Act in the USA, making directors personally responsible for the accuracy of corporate information, is likely to increase the need for transparency and accountability for information.
Ethical hackers are information security specialists with a reputation for integrity and who work for respectable, well established companies. Ethical hackers can test the security arrangements of an organisation, or at least specific computer systems. Such tests usually involve breaking into systems to retrieve an agreed data file. There are informal claims that ethical hackers are successful in more than 80% of cases but companies engaged in this kind of work favour non-disclosure.
Security consultants are engaged to review the arrangements made for information security. They can be expected to be familiar with best practices across many organisations and to provide advice on opportunities for improvement.
By the time they have concluded their activities, ethical hackers and security consultants are likely to know more about the security arrangements of an organisation than the people working in it, and therefore trust becomes a fundamental issue.
Certification of Information Security professionals and practitioners.
There is a growing trend towards certification schemes such as those provided by the International Information Systems Security Certification Consortium (ISC)2 (www.isc2.org), a not-for-profit organisation that provides two levels of certification: CISSP, for information systems [IS] se-
Action points
The answer to the question, “Which abusive, fraudulent and criminal activities that could adversely affect an organisation would be easier to commit from the inside?” is an easy one: ALL OF THEM.
The Association of Chartered Fraud Examiners and many other bodies have highlighted the fact that fraud and other forms of electronic misconduct are taking place in organisations and are often undetected.
While most forms of electronic misconduct are variants of well-established schemes, the combination of access rights to computer systems, knowledge and opportunity, coupled with the perception that computer crime is hard to detect, gives grounds to deal with these matters in a stricter manner than hitherto, particularly in financial institutions and in critical infrastructures (electricity, water, air traffic control, etc.) due to the risks of infiltration by organised crime or by agents of terrorist organisations.
Electronic Misconduct: abuse, fraud and crime through ICT
Abuse of IT resources in the workplace arises when these are used for purposes unrelated to an individual’s work. Such abuse ranges from using corporate e-mail for personal matters to producing during working hours translations or developing software unrelated to the employer.
Abuse is most likely to occur where there are no formal, clear policies on what constitutes appropriate personal use and where employees know that there is little or no monitoring and no sanctions if the policies are breached.
tion and tools and many websites specialise in this. They are available in
many countries and in many languages.
Not all hackers have criminal intent and many work as security experts and consultants. To learn the tools and techniques to be a hacker, there are also books, articles, CDROMs and software on how to act like a hacker. Knowing how to be a hacker is not an offence. Only being caught doing something illegal is, and then only if it can be proven in a court of law.
Less easy is learning how to think like a hacker, as this requires creativity (which can be learned) and a certain willingness to take risks by disregarding policies, rules, regulations and legislation. The expression that “you need a thief to catch a thief” also applies to cyberspace.
In addition, hacker conferences bring together large numbers of like-minded people, ranging from the anti-social element to the intelligence, defence and police community who go there to learn and recruit. One of the largest and best established of such conferences is the annual Defcon event in Las Vegas.
The digital world makes many things “invisible” and many forms of cybercrime, if done subtly, can be committed over long periods of time without anyone being aware of them. The Association of Certified Fraud Examiners estimates that 85% of such crimes are committed by insiders – and confirms that these insiders are well informed and smart individuals.
Who is an insider?
Clearly the employees of an organisation are insiders. But this is the beginning of a long list of people who, for various reasons, are given access to networks, data and systems:
Temporary employees – sometimes supplied by an agency, interns (such as university students doing summer work related to their studies), contractors working on a project for the organisation, consultants and external auditors engaged for specific tasks that require them to spend time within the organisation.
er, “I know you’re stealing something; I just can’t figure out what it is.” The worker replies, “I’m stealing wheelbarrows.” Extrusion is the unauthorized transfer of your assets in broad daylight.
Doing this could be as easy as 123… and the stages involved are shown below:
them and gather other information that would in due course allow a person with intent to access and/or take control of such systems.
The practice of allowing remote access to systems to certain people creates an opportunity for a hacker to gain access to these systems by taking over control of the mobile or home computer of a targeted authorised user – this is basic.
While the computers on the corporate network may be adequately protected by software and hardware, this is not always the case for home computers, which may not have the latest version of all corrections (patches) to software, not fully up-to-date antivirus software and, more importantly, no tools to detect spy code (that could capture the key strokes needed to log in to a system) or trojan horse software that allows a hacker to use the computer as their own without the knowledge of the owner.
Once a hacker has established a base of operations within the network (which could be from outside the premises), it becomes possible to plan and covertly execute any of the activities listed in this section, with a good chance that such activities will remain invisible unless discovered by chance or by a whistle blower.
Exporting data out of an organisation has become easier because of the ever decreasing size of media – a memory stick with a capacity of up to 1 gigabyte measures roughly 6 cm in length, 1 cm in width and 6 mm in thickness (and is inexpensive). In organisations where insiders can access the internet, it is also possible to exploit what is known as a “reverse HTTP channel” in which the insider’s computer is acting as a server instead of as a client, and this can be used to transfer substantial amounts of data invisibly.
The most common and dangerous insider threat comes from people with good intentions but no understanding of the consequences of their actions.
Common instances of their actions are password sharing, giving someone else the information needed to access a network and one or more
Emotion
Executive dilemma: Suspicion of a malicious insider
Gain
The assumption that every organisation has a (small) percentage of dishonest staff is confirmed by experience. It is generally hard to tell where appropriate use of corporate resources ends and dishonesty begins. For the purpose of this discussion, “gain” is meant to represent substantial financial amounts. All categories of fraud fall in this category, and collusion with third parties is not uncommon.
Executive Dilemma: What shall we do about Susan?
Susan, a trusted employee who has been with a major healthcare services firm for 15 years, had an argument with a supervisor and was forced to leave the company under less than pleasant circumstances.
Shortly afterwards, her former colleagues and others complain that their passwords on certain corporate systems, including the e-mail system, are no longer working. It is known that Susan had knowledge of those systems, including default or known passwords, and there are suspicions that she has used that knowledge to access components of those systems.
In an effort to resolve the situation, IT management issues an urgent request for employees to change their system passwords. Some respond appropriately and change their passwords; others ignore the request. So far, three issues have emerged:
• The organisation’s policy regarding removing employees’ access rights to systems when they leave is not being followed. The same is true for the policy requiring employees to change passwords regularly;
• The organisation appears to allow the use of corporate applications that rely on default or hard-coded passwords at the system level. This means that critical application functionality will fail if the passwords are changed and this is a major vulnerability. Should there be a policy restricting systems from using hard-coded passwords or requiring implementation teams to change default passwords prior to going live with systems? What should such a policy look like?
• The decision to shut down compromised systems or disconnect them from the Internet must be considered. Who should be the party responsible for making that decision, and does it address the impact of that decision on business?
Because Susan had gained illicit access to the e-mail system, the potential exists that other applications may have also been compromised, for example the firm’s online subscriber information database. Some of these applications may have default passwords that are crucial to their operations.
If Susan knows these default passwords, she also may know other employees’ passwords to these applications.
As a response to this potential issue, programmers and vendors for the potentially compromised applications are contacted. They report that changing certain passwords on some systems is possible; however, it will take a month or more to make necessary programming changes and conduct remedial testing. The one-month time frame will affect the availability of the applications—perhaps even requiring that they be taken offline, which would necessitate a public explanation. This time frame will require adjusting the priorities of the current IT staff, thereby affecting the timeline of other projects currently underway.
Meanwhile, system and security administrators have put extra resources into determining how Susan is accessing Internet systems, but have little to show for their efforts. Some of the organisation’s information systems are configured to log activity; others are not. However, even those systems that log information are only logging certain events, for example, failed logins.
They offer nothing in this situation because the ex-employee is not failing to log in; she knows passwords and she knows the system’s “back doors.” She knows where the system’s holes are, which means she could change security configurations on the systems and no one would know.
This raises the following additional issues:
• There are no implemented policies for logging security events on all systems or for accountability with regard to monitoring those systems.
• Without knowing which systems have been compromised, the organisation cannot learn whether data has been modified, stolen or deleted, or whether sensitive or critical information, such as customer data or information regarding business partners, has been compromised.
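The point the scenario makes about logging deserves a concrete illustration. The following is an added example, not code from the book or from the firm in the dilemma: a small review of a constructed authentication log. An audit policy that records only failed logins (the `failed_logins_only` view) sees just one mistyped password, while a review that also has successful logins and password-change events can flag a deprovisioned account that still logs in and an actor resetting many other people’s passwords. The log format, the account names, the HR leaver list and the threshold are all assumptions made for the example.

```python
"""Added example: what a 'failed logins only' log misses.

All log lines, user names and addresses below are constructed for
illustration.  Assumed record format:
    <timestamp> <event> user=<actor> src=<address> [target=<account>]
"""
from collections import Counter

# Constructed sample log.  jsmith mistypes a password once; svc_mail resets
# three other accounts late at night; a leaver's account is still active.
SAMPLE_LOG = """\
2006-03-01T08:02:11 LOGIN_FAIL user=jsmith src=10.0.0.12
2006-03-01T08:02:30 LOGIN_OK user=jsmith src=10.0.0.12
2006-03-01T22:14:05 LOGIN_OK user=svc_mail src=203.0.113.7
2006-03-01T22:15:40 PASSWORD_CHANGE user=svc_mail src=203.0.113.7 target=jsmith
2006-03-01T22:16:02 PASSWORD_CHANGE user=svc_mail src=203.0.113.7 target=akhan
2006-03-01T22:16:30 PASSWORD_CHANGE user=svc_mail src=203.0.113.7 target=mlee
2006-03-02T09:00:00 LOGIN_OK user=susan.r src=203.0.113.7
2006-03-02T09:05:12 PASSWORD_CHANGE user=susan.r src=203.0.113.7 target=ptaylor
"""

# Constructed HR "leavers" list: accounts that should already be disabled.
LEAVERS = {"susan.r"}
# Assumed policy: more than this many resets of other people's passwords
# by one actor in the reviewed window is worth a human look.
RESET_THRESHOLD = 2


def parse_line(line):
    """Turn one log line into a dict of its fields."""
    ts, event, *fields = line.split()
    rec = {"ts": ts, "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def failed_logins_only(log_text):
    """The view an organisation gets when only failed logins are logged."""
    return [r for r in map(parse_line, log_text.splitlines())
            if r["event"] == "LOGIN_FAIL"]


def review_log(log_text, leavers=LEAVERS, threshold=RESET_THRESHOLD):
    """Alerts that are only possible when successes and changes are logged."""
    alerts = []
    resets_by_actor = Counter()
    for r in map(parse_line, log_text.splitlines()):
        actor = r["user"]
        if r["event"] == "LOGIN_OK" and actor in leavers:
            # A valid password is no comfort if the account should be gone.
            alerts.append(("leaver_login", actor, r["src"]))
        elif r["event"] == "PASSWORD_CHANGE":
            target = r.get("target", actor)
            if actor in leavers:
                alerts.append(("leaver_password_change", actor, target))
            if target != actor:
                resets_by_actor[actor] += 1
    for actor, count in sorted(resets_by_actor.items()):
        if count > threshold:
            alerts.append(("bulk_password_reset", actor, count))
    return alerts


if __name__ == "__main__":
    print("failed logins only:", failed_logins_only(SAMPLE_LOG))
    for alert in review_log(SAMPLE_LOG):
        print("ALERT", alert)
```

The leaver list is the link to the first issue in the list above: the review only works if the HR process that produces it is followed, and the audit policy must record successful events, not just failures.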
Five days have elapsed since the first security breach was discovered. Susan is still accessing corporate systems and changing employee passwords. She has hijacked the e-mail account of a current employee and uses it to send an internal e-mail to management. This e-mail, appearing to come from a current employee, complains that the ex-employee was “let go” unfairly and “did nothing wrong.”
The issues under discussion have become broader in tone, and more urgent:
Activating the business continuity or disaster recovery plans is considered. The decision to contact law enforcement is considered, as well as the public relations ramifications of taking that step. What might these be?
Susan sends another e-mail to selected company managers, this one containing an agenda. It reveals that for some time she was frustrated by the firm’s lack of security and that “no one listened” to her attempts to address it. Now, she has their attention. The e-mail further reveals that she is in possession of patient healthcare histories and intends to disclose the information to the public, just to show how insecure the company’s environment is.
At this juncture, the scenario could move in several directions. However, the point has been made that the well-being of the organisation has been placed in grave jeopardy by the actions of one person who may have limited but critical knowledge of the system and perhaps only ordinary computer skills. This scenario is genuine (the names of the parties and the industry have been changed) and it could be played again anywhere and anytime.
Key issues arising from this dilemma:
• Would the digital security program currently in place have the resources to find the necessary answers, and do so in a timely and organized fashion?
• Would prior decisions made by executive management about digital security empower or hinder those responsible for digital security as they sought to find solutions?
• What would it cost to address this scenario?
• What would shutting down a busy website for 24 hours cost in terms of lost revenue, not to mention the damage to the organisation’s public image?
• What are the legal ramifications of having sensitive private information publicly released?
• What would it cost to have system administrators spend hundreds of hours investigating the incident and rebuilding compromised systems?
• What would it cost to have administrators and senior management spend dozens or hundreds of hours in meetings during and after the incident?
• What would it cost to have the public, government and media relations departments spend hundreds of hours working on damage control plans and collateral materials intended to restore decreased customer and shareholder confidence?
• How much will the stock price drop, and how long will it take to rebound?
• Worst of all, what if such an attack happens again before the organisation has a new program in place?
2. Authentication
These are the mechanisms through which an end user is identified and accepted by computer systems. The most common practice requires users to provide something they know: a “user name” and a “password”. Other, stronger, mechanisms may include something they have (like a USB key or smart card) or something they are (fingerprint or eye scan).
Authentication policies specify the level of protection given to systems and data. These are implemented through one or more techniques in order to prevent the disclosure and/or sharing of anything that may facilitate access to systems by unauthorised persons.
When passwords are used, there is a need for password rules (minimum length, composition, not to be written down or disclosed to others, frequency of change). Passwords should also be regularly changed without cycling or repeating passwords.
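To show how the rules just listed are enforced in practice, the following is an added example and not code from the book: a password policy check that tests minimum length and composition, and a per-user history of salted hashes that prevents a user from cycling back to a recent password. The thresholds (12 characters, six remembered passwords, the PBKDF2 work factor) and the short denylist are assumptions chosen for the example; an organisation sets its own.

```python
"""Added example: password rules with a no-reuse history.

The history keeps salted PBKDF2 hashes of earlier passwords, never the
passwords themselves, so a copy of it does not reveal what anyone used.
Thresholds below are assumptions for the example.
"""
import hashlib
import os
import string

MIN_LENGTH = 12          # assumed minimum length
HISTORY_DEPTH = 6        # assumed: the last six passwords may not be reused
PBKDF2_ROUNDS = 100_000  # assumed work factor; raise it on real systems
COMMON_DENYLIST = {"password", "welcome1", "changeme"}  # constructed sample


def _hash(password, salt):
    """Salted, slow hash so a stolen history is expensive to reverse."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def composition_errors(password):
    """Return the list of rule violations; an empty list means it passes."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    present = sum(any(ch in cls for ch in password) for cls in classes)
    if present < 3:
        errors.append("needs at least three of: lower case, upper case, digit, punctuation")
    if password.strip().lower() in COMMON_DENYLIST:
        errors.append("is on the common-password denylist")
    return errors


class PasswordHistory:
    """Per-user record of previous password hashes, most recent last."""

    def __init__(self, depth=HISTORY_DEPTH):
        self.depth = depth
        self.entries = []  # list of (salt, digest)

    def was_used(self, password):
        return any(_hash(password, salt) == digest for salt, digest in self.entries)

    def record(self, password):
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt)))
        self.entries = self.entries[-self.depth:]  # forget the oldest


def change_password(history, new_password):
    """Apply all rules; record the password only when every rule passes."""
    errors = composition_errors(new_password)
    if history.was_used(new_password):
        errors.append(f"matches one of the last {history.depth} passwords")
    if not errors:
        history.record(new_password)
    return errors


if __name__ == "__main__":
    h = PasswordHistory()
    for candidate in ("short1!", "Correct-Horse-7Battery", "Correct-Horse-7Battery"):
        print(candidate, "->", change_password(h, candidate) or "accepted")
```

The "do not write down" and "do not disclose" rules cannot be checked by software; they remain matters of awareness and policy, which is why the book pairs the technical rules with personnel measures.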
3. Access rights to organisation’s systems and data
This policy defines an organisation’s philosophy of access to systems and data. The two most common positions are: “Limited access to specific systems, otherwise access to everything else” and “Access on a Need to Know basis and to nothing else”.
The first is typical of organisations with relaxed attitudes to security. The second is found in security conscious organisations. The need to know approach has implications on the design of systems and databases by requiring classification (into public, restricted, confidential, etc) and segregation of data to ensure people only have access to the data strictly required to perform a particular function.
Organisations should also make distinctions between access rights for staff, employees with temporary contracts, interns, contractors and consultants. If these distinctions are not made, the protection of systems and data may be considerably weakened.
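As an added example (not code from the book), the following shows what the "need to know and nothing else" position looks like as a decision rule that combines the three things the text names: the classification of the data, the category of the person (staff, temporary, intern, contractor, consultant) and the function they perform. The classification levels, the ceilings per category, the functions and the data sets are all constructed; the design point is that every deny names the rule that blocked it, and that anything not explicitly granted is denied.

```python
"""Added example: need-to-know access decisions.

Levels, ceilings per category of person, functions and data sets are all
constructed for illustration.  Default is deny.
"""
from enum import IntEnum


class Classification(IntEnum):
    PUBLIC = 0
    RESTRICTED = 1
    CONFIDENTIAL = 2


# Constructed: highest classification each category of person may ever see.
# This is where staff, temporary staff, interns, contractors and consultants
# are distinguished, as the text recommends.
CEILING = {
    "staff": Classification.CONFIDENTIAL,
    "temporary": Classification.RESTRICTED,
    "intern": Classification.PUBLIC,
    "contractor": Classification.RESTRICTED,
    "consultant": Classification.RESTRICTED,
}

# Constructed: which data sets each business function needs.
NEED_TO_KNOW = {
    "payroll_clerk": {"payroll", "staff_directory"},
    "helpdesk": {"staff_directory"},
    "auditor": {"payroll", "general_ledger"},
}

# Constructed: classification of each data set.
DATASETS = {
    "staff_directory": Classification.RESTRICTED,
    "payroll": Classification.CONFIDENTIAL,
    "general_ledger": Classification.CONFIDENTIAL,
    "press_releases": Classification.PUBLIC,
}


def decide(category, function, dataset):
    """Return (allowed, reason). Public data is open; everything else
    must pass both the category ceiling and the function's need to know."""
    if dataset not in DATASETS:
        return False, "unknown data set"
    level = DATASETS[dataset]
    if level == Classification.PUBLIC:
        return True, "public data"
    if category not in CEILING:
        return False, "unknown category of person"
    if level > CEILING[category]:
        return False, f"{category} may not see {level.name} data"
    if dataset not in NEED_TO_KNOW.get(function, set()):
        return False, f"{function} has no need to know {dataset}"
    return True, "need to know"


def permitted_datasets(category, function):
    """What one person can reach: useful for access reviews and audits."""
    return sorted(name for name in DATASETS if decide(category, function, name)[0])


if __name__ == "__main__":
    for who in (("staff", "payroll_clerk"), ("contractor", "auditor"), ("intern", "helpdesk")):
        print(who, "->", permitted_datasets(*who))
```

The `permitted_datasets` view is what a system owner signs off during a periodic access review; a "limited access, otherwise everything" philosophy would have no such list to review.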
4. Fraud and impropriety
A formal policy that specifies what is considered to be appropriate use of the data, computer systems and facilities of an organisation. This policy describes in appropriate detail activities that are considered to be an offence and as such be the subject of investigation and disciplinary action. For example:
Is an unauthorised alteration of an annual leave record fraud?
Is removing a CDROM with copies of the organisation’s data an offence?
Is allowing unauthorised access to personnel data an offence?
These may not contain the latest online updates but are available as media (disks, tapes, CD or other carrier) and their unauthorised copy or removal could enable others to recreate the system and read all the data. It could also allow for the corruption or destruction of backup data and software to prevent successful recovery.
Low level: Read access only – where individuals can only access data, view it, print it and possibly copy it for separate processing (statistics, etc).
Such authorisations need to be granted by the systems owner and implemented by the system administrator and/or database administrator. All such authorisations should be on a “need to know” basis, be formally logged and be the subject of formal change control.
ter course of action is vital for external attacks but not always suitable for internal ones.
vii) Evidence preservation and custody chain
Digital forensics is a relatively new discipline and there are many tools that support this work. The problem here is a legal one: how to seize, preserve and analyse evidence of abuse or crime that will be accepted in a court of law. Knowledge of the appropriate applicable legislation is a pre-requisite.
There are several sources of best practices concerning the seizure and custody of evidence and recommended techniques for the analysis of information from computer systems. If these are not followed, legal action against an offender will not be possible.
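One mechanical part of preserving evidence can be shown in code. The following is an added example, not from the book and not a substitute for the legal requirements of any jurisdiction: a custody record that fingerprints a seized item with SHA-256 when it is collected and re-computes the fingerprint at every hand-over, so that the record itself shows whether the item was still intact each time it changed hands. The evidence bytes and the people named are constructed.

```python
"""Added example: a chain-of-custody record with integrity fingerprints.

What is recorded (who, when, hash at each hand-over) follows the general
idea of custody logging; the legal form such a record must take in a given
jurisdiction is not modelled.  Evidence bytes and names are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone


def fingerprint(data):
    """SHA-256 hex digest of the item as held right now."""
    return hashlib.sha256(data).hexdigest()


class CustodyRecord:
    def __init__(self, item_id, description, data, collected_by):
        self.item_id = item_id
        self.description = description
        self.original_hash = fingerprint(data)   # taken at seizure
        self.entries = []
        self._log("collected", collected_by, None, self.original_hash)

    def _log(self, action, holder, recipient, observed_hash):
        # Every entry keeps the hash observed at that moment; a mismatch
        # is written down rather than hidden, because the gap itself is
        # what a court (or a disciplinary panel) will ask about.
        self.entries.append({
            "seq": len(self.entries) + 1,
            "when": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "from": holder,
            "to": recipient,
            "sha256": observed_hash,
            "intact": observed_hash == self.original_hash,
        })

    def transfer(self, data, from_person, to_person):
        """Both parties re-hash the item at hand-over. Returns True if intact."""
        observed = fingerprint(data)
        self._log("transfer", from_person, to_person, observed)
        return observed == self.original_hash

    def verify(self, data):
        return fingerprint(data) == self.original_hash

    def export(self):
        """Human- and machine-readable copy of the record for the case file."""
        return json.dumps({
            "item_id": self.item_id,
            "description": self.description,
            "original_sha256": self.original_hash,
            "custody": self.entries,
        }, indent=2)


# Constructed stand-in for a seized item (a real one would be a disk image).
EVIDENCE = b"constructed disk image placeholder -- not real data"

if __name__ == "__main__":
    rec = CustodyRecord("ITEM-01", "constructed image", EVIDENCE, "investigator A")
    rec.transfer(EVIDENCE, "investigator A", "lab analyst B")
    print(rec.export())
```

Analysis is always performed on a working copy whose hash matches the original; the seized item itself is only ever hashed, never opened for examination.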
Legal action is not always the best recourse as it involves public disclosures and adverse publicity, particularly when the actions were the result of inadequate internal measures.
viii) Evidence analysis and forensic tools
Having seized and preserved evidence, analysis provides an understanding of exactly how the offences were committed and provides the material on which to prosecute or take disciplinary action.
time considering the pros and cons of such actions are handicapped by design.
Action points
Executives should ensure that there are clear and well disseminated policies, supported by consistent organisational behaviour with regards to all forms of cybercrime. This behaviour should extend from formulation of deterrence policies to sanctions and redress.
Those responsible for information security should be required to learn how “bad guys” think and operate and incorporate appropriate defences against external and internal threats.
Cybercrimes committed by an expert will be essentially undetectable.
The role of tests, audits and security certification must be seriously considered if the organisation’s information assets are valuable.
Chapter 13
Contingency planning for ICT
What happens to an organisation when its networks and computer systems become inoperable for a significant period of time – hours or days if it is merely a computing problem, weeks or months if the cause also affected buildings or a town?
The last few years have seen many tragic events, some natural, others man-made. Lack of adequate contingency plans to deal with such disruptions can have catastrophic impact on an organisation ranging from a loss of credibility to going out of business.
Surveys from ICT research organisations such as the Gartner Group and professional associations – for example the Business Continuity Institute – indicate that there are still many organisations in all areas of activity that do not have adequate contingency plans.
For such plans to be effective at a time of crisis, it is vital that they should be kept up to date, that they are regularly tested and that everyone concerned should be fully aware of their roles and responsibilities when such plans need to be invoked.
Definitions
Contingency plan: the collection of processes, procedures and activities that define what to do in response to an emergency.
Disaster recovery: the processes, procedures and activities that are applied to restore computing and telecommunications services after they have been (severely) disrupted.
Business continuity: the processes, procedures and activities that define how an organisation will operate after an event that disrupts it.
Although strictly speaking this may fall outside the field of ICT, corporate contingency plans should give particular attention to the preservation of vital records that will be needed in the reconstruction of corporate assets, including contracts, ownership rights, inventories of company assets, etc.
A situation that causes an emergency may cause considerably more damage to an organisation than just financial losses due to an inability to conduct its business, including legal liabilities for being unable to meet contractual obligations, lost business, lost credibility, the possibility of increased fraud while working under emergency conditions, the costs of recovery that are not covered by insurance and many more.
• Wait until the problem has been fixed, although sometimes it will be obvious that this will take a long time – like dealing with the damage caused by a fire and the subsequent intervention of a fire brigade in a computer room;
• Invoke the contingency plans prepared to deal with such situations – although the Executive Dilemma just presented shows that the contingency plans may not always work as intended.
This chapter discusses the main elements of the four stages of dealing with an incident that has migrated through the stages of “problem” to that of an emergency.
The relationship between the four stages is shown in the figure. Clearly, planning is a pre-requisite as, without good contingency plans, the only alternative would be to improvise and this does not work well during emergencies.
Stage 3: Response – taking the actions needed to deal with the emergency
When the emergency is so real that contingency plans must be invoked, everyone is working under considerable stress. Nevertheless, discipline and order are vital to ensure that the planned arrangements will work as intended.
The Emergency Coordinator and her/his Emergency Response team have many critical tasks to address to implement the appropriate measures of the plan – it may be necessary to implement only a part of the plan – for example it would not be necessary to evacuate the building if the emergency is due to fire damage to a computer room when this fire has not spread to other parts of the building and when it has been contained/extinguished but has severely damaged the ICT facilities.
Working through an emergency may require special measures that overrule security and other policies, record keeping and other administrative procedures. It is important that the people involved make a best effort to preserve whatever records are possible to ensure that the measures taken and the working processes implemented during the emergency can be subsequently audited to ensure that the occasion was not used to commit fraud or otherwise abuse the organisation.
Communications also play a vital role during the response phase. Such communications include, in particular:
• Status reporting to executives and other key stakeholders, including the workforce;
• Informing relatives of members of the workforce who may not be able to communicate with them directly;
• Dealing with the media should the event become public.
Executives should ensure that suitably qualified and experienced people are assigned to these tasks.
that these were not correctly assessed. Constant revision of the plan in the light of improved knowledge about the threats is essential.
Management commitment: All the activities described in this section require considerable time and decision making from executives. When there is a feeling that such arrangements are not likely to be needed (optimism) or that they can be delegated lower down the organisation (abdication of responsibility), the processes are likely to be implemented half-heartedly and not work when required.
Funding: The perennial question of containing costs and budgetary pressures works against contingency planning, disaster recovery and business continuity, and the cost of these processes should be seen as the equivalent of buying insurance.
Testing: You can never be sure of what you have not tested. Testing these plans is complex, time consuming and disruptive. However the acronym TINA is appropriate: There Is No Alternative.
Action points
There are many tasks that need to be performed to transform commercial products and tailor-made software into useful business tools. ICT organisations and their people exist to do this. While much of what they do is straightforward (at least in principle) and has been discussed in previous chapters, ICT is probably the least understood by executives.
Although in general ICT people are dedicated and hard working and enjoy their profession, they often complain that they are misunderstood and not given a chance to contribute to the success of the organisation, and feel they are treated as “plumbers” looking after the organisation’s nervous system but not seen as capable to contribute to strategy.
There are many types of ICT people and unless they are a good fit in the corporate culture and understand the needs and constraints of a given organisation, there will be a poor relationship between them and other executives, to the detriment of the organisation as a whole.
Visioning
This group of activities is really the world of projects. These fall in two categories: assessments and the development of new ICT systems and facilities.
Assessment is the evaluation of technologies to determine their relevance and maturity. This may include a pilot project to gain a better understanding of its capabilities and demonstrate its potential.
Technology assessment is most appropriate for early adopters of emerging technologies who are willing to take the risk to invest in them to gain advantage. Elsewhere this kind of technology assessment could become the equivalent of an enthusiast’s toy shop.
Can technology assessment be outsourced? Yes, but only to a degree: Industry analysts study new technologies and report on their capabilities, maturity, market prospects and vendor stability. Good analysts also compare products from several vendors. However, their reports cannot replace pilot projects or the demonstration of what these technologies or products can do.
Development groups the activities needed to transform a concept into working systems and facilities. Large projects are handled by dedicated teams and are progressed in a structured, formal environment. Such projects can be, and often are, outsourced.
The heart of the activities that support the day-to-day ICT activities of an organisation, this is the world of processes, total quality management and measurable performance. These activities usually represent 70 to 80% of the total ICT expenditures and, when performed with internal resources, are likely to demand a substantial amount of the CIO’s time – at the expense of visioning activities.
The activities performed to achieve service delivery and support are discussed in Chapter 8. ICT service delivery can also be outsourced and represents the oldest and largest part of the outsourcing business. Information security (Chapter 11) is part of the activities involved in service delivery and support but is not the exclusive responsibility of the ICT function.
Information management
Often performed outside the ICT function, these are the activities where value is added by the creation and maintenance of information assets, ranging from databases to websites.
When information management is dispersed across the organisation it is important to ensure that there are appropriate mechanisms to prevent information anarchy. As a minimum these should include:
• Data administration and data standards to ensure the semantic and digital compatibility of data held and processed in various systems;
• Quality assurance mechanisms to protect the organisation from using data which is inaccurate, outdated or incomplete.
The way in which these tasks are carried out makes the difference between success, mediocrity and failure in an organisation’s ability to derive benefits from its investments in ICT.
Good ICT staff are hard working and career conscious. They rate job satisfaction as critical to their working life. They are also mobile and rarely hesitate to leave an organisation they judge to be at the lower end of the ICT organisation thermometer.
A high turnover of recent recruits considered bright and with high potential is a bad sign, particularly when the turnover of staff with many years of tenure on the job is zero (other than through retirements or death).
A study of organisations acknowledged to make superior use of ICT shows that they have centralised specific activities, in particular:
• Establishment of organisation-wide policies and compliance with these policies;
• Definition of standards for the whole organisation for critical hardware, software platforms, desktop and groupware applications and administrative systems;
• Major ICT procurement, licensing and contracts.
Besides this centralisation, it is good practice to enable business units and/or functional departments to exercise a degree of autonomy for applications directly related to their core activities, encouraging sharing and reuse of solutions across other units or departments.
Besides these centralised activities, there are many others that lend themselves to outsourcing, notably the day-to-day operations of data centres, networks, end user support and other structured activities, and also applications development.
The decision whether or not to outsource such activities should not be left to the Chief Information Officer, as this creates a serious conflict of interest, as discussed in the next section of this chapter.
There are two other activities that should also not be outsourced:
• Business analysis, in particular the definition of information system requirements and how these are aligned with the activities of an organisation;
Each of the roles and responsibilities listed above that remains unfulfilled, wholly or in part, represents a risk, if not a problem, to the organisation. This may happen simply because CIOs are not created equal.
A good proportion of CIOs are best described as Level III CIOs – they operate the infrastructure and look after service delivery with a minimal role in major ICT projects, particularly software ones. These CIOs will be found on the left side of the chart and could be unkindly referred to as Techies. Level III CIOs are largely invisible to the executive until things go wrong and they should be aware that what they do is easily outsourceable.
Level II CIOs are much more involved with major projects and work to maximise the alignment between ICT and business objectives and will be found on the right hand side of the chart. When they focus on business processes, their visibility to the executive is reasonably high and allows them to operate as a senior partner in the overall management of the organisation.
Level I CIOs are fewer in number and are found at the right hand side of the distribution in the figure. They are always close to the executive, who relies on them to:
• Protect the organisation against expensive mistakes, useless systems and missed opportunities;
• Recommend innovative business solutions that exploit the opportunities created by technology.
At the most basic level, the ICT function will be seen as performing if
things simply work well enough for problems not to be seen as a major
corporate issue.
Depending on the nature of the organisation, this may range from having
few disruptions during working hours to a high level of order fulfilment in
an e-commerce environment and no (or very few) customer complaints.
While this represents a crude approach to measuring performance, the
emergence of visible issues at this level of analysis is an indicator that
Organisations expect a lot from their CIOs. They should ideally have the combined skills of Peter the Great, Saint Peter, Machiavelli and Houdini. The table summarises what is expected from a CIO; it has been constructed from job requirements found over the years in recruitment announcements:
ly of the four types in this list to have an effective dialog with the Chief
Financial Officer. Almost certainly a member of the executive team.
Making the choice when a new CIO needs to be appointed requires, in the ideal world, all of the above considerations to be taken into account. If the target appointee must be a technical person, this creates an additional complication for an organisation as the selection process must include the competencies needed to judge the technical capabilities of the candidates.
Those working in the ICT function are the responsibility of the CIO and the majority of them will be largely invisible in the organisation, partly because of the work they perform which requires limited contact with end users and their managers (there are exceptions such as the help desk and installers).
ICT seems to attract people fascinated by technology, usually knowledgeable and hard working. They are also happy not to have to talk to non-ICT people and, without the benefit of a good manager, will engage in the mindless pursuit of perfection even when this does not add value (but it is a great source of job satisfaction).
People engaged in End User Computing use their skills to create templates, complex spreadsheets and database queries, design web pages and, sometimes, write small to medium size programs.
These skills can add value to an organisation and are part of the way in which ICT is used by organisations. From an executive perspective the only caveat to this work is that it should not and cannot replace a corporate ICT function in areas such as information security and quality assurance. To gain maximum advantage from End User Computing, there should be a good working relationship between its practitioners and the formal ICT function.
The risk of an out-of-control End User Computing environment is that of creating islands of information where the use of non-standardised data and inconsistent models delivers inconsistent results in different parts of the organisation.
Budget cuts are a fact of corporate life. When the budget cut, however, is not targeted at specific elements but is a blanket percentage without discussion or explanation, it strengthens the perception in the ICT function that it is not seen as a contributor to the organisation.
Another self-imposed difficulty is choosing the “wrong” CIO. While in the private sector this is usually resolved by the CIO leaving willingly or otherwise, in the public sector and in organisations where political correctness is a major factor, the suffering and frustration can last for a considerable time as the CIO will not be fired and may not wish to leave.
The article entitled “Six IT decisions your IT people shouldn’t make” has the subtitle “If your IT investments aren’t paying off, don’t blame IT”. This article advises non-ICT executives to ensure that a) there is alignment between their organisations’ technology investments and corporate strategy and that b) part of the way to achieve this consists of not delegating certain decisions to technical people or departments – hence the six decisions in the title.
The article groups these six IT decisions in two categories: Strategy decisions and Execution decisions. These six decisions are:
Six IT decisions your IT people shouldn’t make, by Jeanne W. Ross and Peter Weill, published by Harvard Business School OnPoint, 2002.
Questions on alignment
1. When proposing new investments in ICT systems and facilities, can you show how these will contribute to business results and business performance?
Rationale: To ensure that investments are not driven by technologies that are just “nice to have” or exercises in “me too” which may give much joy to technical staff but are almost irrelevant from a perspective of providing some kind of return on investment.
2. What innovative and aligned projects or facilities have you initiated in the last 12 months?
Rationale: To gain an insight into the ability of the CIO and the ICT function to be innovative, aware of business needs and able to spot opportunities to contribute to the effectiveness of the organisation at what it does.
3. How often do you meet with business unit (department) managers to discuss IT directions and issues, and what was the outcome?
Rationale: To ensure that the ICT function is not operating in isolation from the rest of the organisation, as this often leads to multiple parallel initiatives in departments and business units. This can result in information anarchy because of independent and incompatible initiatives. It can also lead to runaway expenditures.
Alternatively, this question may reveal that the CIO is concerned primarily with running the infrastructure (which must of course run properly) and has no time or interest to get involved with business needs.
4. Do you maintain a formal and complete portfolio management approach for the organisation’s systems and technologies – does it include everything, including the work of departments, business units and informal or “shadow” ICT groups?
Rationale: To ensure that ICT is actually “managed” in the organisation and that strategic planning is supported by factual information from across the organisation. If the CIO is unaware of the ICT work done in other parts of the organisation, this should be taken as a bad sign.
When the answers to these four questions are unsatisfactory, the term CIO can be made to mean “Career Is Over”.
Questions on execution
5. When did you last procure an ICT audit (security/technical)?
Rationale: In the absence of regular formal audits, technical, security, compliance, or other, there is a risk that exposures to risk remain unknown and unmanaged. A CIO’s self-perception of the quality of their operations may be unduly optimistic, and any shortcomings that become visible will lead to a request for additional resources, which may not be the right answer to the problem.
6. How well is the IT work outside the ICT function/outsourcer carried out?
Rationale: If the CIO does not know – who does? In the case of outsourcing, monitoring what is delivered against what was specified is critical.
7. Can you formally certify the security of our systems and infrastructure?
Rationale: The Chief Finance Officer is responsible for signing the organisation’s accounts and submitting them to independent audit. This is rarely the practice in the ICT function, where the CIO does not have to sign anything (other than perhaps contracts). In the absence of formal certification, particularly with regard to security, the organisation is facing a risk for which nobody is actually accountable. Recent legislation (for example the Sarbanes-Oxley Act in the USA) is likely to change this situation.
8. Who is responsible for information security and who is responsible for monitoring and assessing these activities (quis custodiet ipsos custodes)?
Rationale: Information security is a major area of concern for all ICT operations and, while many organisations have appointed Chief Security Officers, there needs to be clarity in the lines of accountability for security. If the CIO is not the person to whom the Information Security person reports, how can the CIO certify the security of systems and infrastructure? And how does the CIO validate the performance of the security person?
12. On the basis of these benchmarks, have you explored with outsourcing companies the case for outsourcing our organisation’s operational and/or project work – when was this and what was the outcome?
Rationale: CIOs that willingly consider outsourcing separate themselves from the technically focused crowd, as the latter see running technology operations as the purpose of their life and are most reluctant to consider outsourcing, seeing it as “giving their jobs away”. A lack of interest in what the outsourcing industry can offer, evidenced by an answer that shows such a possibility has not been actively pursued because it would be “too expensive”, confirms such a technical focus.
Action Points
Outsourcing and offshoring have been hailed as a great way to gain access to specialists, benefit from economies of scale and contain the cost of ICT. These activities have also been demonised by politicians and the media as job-destroying practices that cause considerable suffering to the individuals affected by outsourcing.
As with everything else, both perspectives have their element of truth and the decision to outsource is never a simple matter. Well thought out strategies to outsource ICT activities, implemented with companies that can deliver the expected results, can make a major difference – DuPont de Nemours (discussed here) is a good example.
There are also instances where poorly planned and poorly negotiated outsourcing contracts resulted in both high cost and dissatisfaction with service quality. Good preparation and an understanding of the long term nature of outsourcing contracts and the many tradeoffs to be made are essential.
Offshoring (outsourcing to a country with low labour costs) brings with it the factor of inter-cultural communications which, if not properly understood and managed, could have disastrous results.
The oldest ICT outsourcing activity. Here, the hardware, software, staff and other components of a data centre are transferred to a specialist third party. These services are usually provided from the vendor’s premises. The vendor undertakes to deliver services to a contractually defined service level.
Here the large number and nature of the items involved requires the vendor to be present at the client’s premises. It is usual for the outsourcer to have a major, often total, say in technology choices, management tools and all other items that have an impact on service delivery.
Information security
The client buys access to a managed application and the ASP provides the software licenses and the infrastructure to host, operate and support these applications.
The main characteristic of the current ASP market is that their offerings are standardized or have minimal customisation.
Software projects
No two projects are the same. Software projects are invariably non-standard and often not very structured even when packaged products and standard methodologies are used. They also require considerable creative input. Their metrics are more complex to define, collect and manage than for processes.
Outsourceable software projects include the maintenance of legacy applications, the customisation of Enterprise Resource Planning (ERP) packages, the design of totally custom software for a single client and the design of websites.
The skills required for this work are in short supply, and many companies across the world that have built large software factories employing 500 or more employees, using Rapid Application Development tools, are Total Quality Management certified.
For large new systems, the requirements defined at the outset of the project will change many times as the development work progresses. This will require intensive interaction between client and vendor, likely to include a physical presence at the client’s premises.
ing does not work well, the CIO needs to quickly find out the reasons for
this and act accordingly. Otherwise, a problem can become a crisis that
paralyses the organisation.
There are many variants of “people issues” in outsourcing and these can
cause outsourcing to fail.
To the staff affected by a decision to outsource, this is a political and emotional issue, as it will change their employment, their terms and conditions, the location where they work and more.
As the language associated with process outsourcing often uses expressions such as “non-core activities”, “zero added value” and “lean and mean” when referring to jobs to be transferred to the outsourcing vendor, the people doing these jobs will find it difficult to avoid making value judgements and can be expected to be critical of the whole issue.
There is a risk that some unrecognised or undervalued skills will only become apparent when they are withdrawn, such as in the case of unique knowledge relating to a “legacy” application. This is a common situation and it can also arise with downsizing and early retirement programs.
Action points
Be clear about the objectives for seeking an outsourcing option. The overall track record of ICT outsourcing is pretty good and reducing costs is not the only reason for pursuing this path.
Remember that the people carrying out activities suitable for outsourcing have a vital interest in preventing this from happening and that their views are likely to be biased.
Chapter 16
Legal and ethical aspects of ICT
Laws are like sausages. It is better not to see them being made.
The good old days when the Chief Legal Counsel looked after legislative matters, the Chief Information Officer ensured ICT worked properly and the Chief Executive could delegate these matters are, in many countries, over. Recent legislation on Data Protection and on reporting financial results (such as Sarbanes-Oxley in the United States of America) makes directors personally liable, and penalties, under criminal law, can be severe.
There is a substantial amount of legislation relating to ICT, and this is evolving rapidly, but not as fast as technology or cybercrime. There is also significant disparity between legal developments across countries, and what may be an offence in one country is not considered so elsewhere. This is being taken advantage of by cyber-criminals and also by various actors in marketing (namely spammers) who move their actual technical operations to countries that do not legislate against such activities.
In addition to cybercrime, there are laws concerning the workforce’s health and safety at work, computer misuse and abuse, national security and, most recently, the need to ensure that computer systems cannot be exploited to create misleading or fraudulent financial statements and reports. There are also important legal issues of protection of intellectual property.
Contract law, particularly that relating to computer contracts, is another potential minefield for the unaware, and the Romans’ Caveat Emptor remains good advice.
Finally, there are many issues of human rights and freedom of expression that need to be meshed with an organisation’s code of conduct, in particular concerning what represents appropriate personal use of the organisation’s ICT resources by a member of the workforce and the extent to which the employer may monitor an individual’s activities, examine the contents of their computer and conduct investigations on the basis of perceived unusual activities.
Legal matters
An example can illustrate this situation: a young student of computer programming in the Philippines, Onel de Guzman, was accused in May 2000 of creating and disseminating the “I love you virus”, which was sent as an e-mail attachment and infected a large number of computers and deleted certain types of files (mp3 and jpeg among them).
After de Guzman had been traced, arrested and charged, the Department of Justice in Manila dropped all charges against him in August 2000, despite the fact that this virus had affected tens of millions of computers. California-based IT consultancy Computer Economics estimated worldwide damage to be $2.6bn by the end of its first week of circulation.
Old laws, those that predate the information age, are primarily concerned with tangible objects. The major exception to this is laws dealing with defamation and libel, which focus on an individual’s reputation.
Data and information are incorporeal – their only physical manifestation is the package in which they are contained, regardless of its form (disk, CD or DVD, newspaper, book). Their proliferation has created new requirements to provide a legal framework for the correctness and integrity of data and for protecting individuals from the misuse or abuse of data about them in electronic form.
Additional “old law” problems still exist in some countries where, for example, legislation on theft, larceny and embezzlement requires the offender to take an item of another person’s property, which could be interpreted to be limited to tangible objects.
Similarly, under some legislation, fraud requires the deception of a person and therefore it would not cater for a situation where the one defrauded is a computer and its software.
Facts about the law
Fact # 1: There are thousands of laws, by-laws and other codified statements around the world. These evolved when the need for amendments or new legislation became apparent because existing laws could not be satisfactorily interpreted or modified to apply in a new situation.
Interpreting existing laws in a new context does not result in consistent results, as analogies are not always appropriate and are challenged on appeal.
As a result, legislation always lags behind technology. For example, in 2004 there is no international legislation on transnational cyber-crime or on several other areas of contemporary concern such as genetically modified foods. The Council of Europe Convention on Cybercrime entered into force in 2004 but has only been signed by 33 countries, many of which have not yet ratified it.
Fact # 2: Legislation is often a lengthy process. The OECD had discussed the criminalization of computer abuse in 1983 to 1985 and the Council of
Europe initiated work towards the convention shortly after that. It was only in November 2001 that the Council of Europe got 33 countries to sign its Convention on Cybercrime. The convention finally entered into force in 2004 after being ratified by the required five countries.
There are exceptions, particularly in national legislation. The Sarbanes-Oxley Act of the USA was passed in a relatively short time to reflect the need to regulate accounting in the light of scandals arising from overly creative statements of financial results.
Fact # 3: The absence of legislation is a time of opportunity – just as the “Wild West” of the United States of America in the 19th century attracted adventurers and risk takers, cyberspace, the world of data and software, has many parallels, in particular the knowledge that when something goes wrong the legal framework might not be there and that the resources available to “police” cyberspace are very limited.
Fact # 4: People with malicious intent – from fraud to theft of intellectual property, including identity theft, unsolicited e-mail (spam), virus and worm writing – do so in the knowledge that even if they are caught the chances of a successful prosecution against them are small.
Fact # 5: Even when legislation, conventions and agreements do exist, not all countries in the world respect them to the same degree – the business of pirated software, DVDs and other counterfeit products (infringing copyrights) represents billions of dollars of trade outside such agreements.
Fact # 6: Ignorance of the law is no excuse. This is particularly true in a corporate context.
Privacy
Rights of access to personal information held by third parties
Defamation and libel in cyberspace
Data protection
Software copyrights and patents
Contractual obligations of ICT vendors, including ISPs
Electronic contracts
Digital signatures
Taxation of e-commerce
Censorship
Obscene publications
Protection of minors
Consumer protection
Gambling in cyberspace
Money laundering through electronic means
Telecommunications interception
National security and anti-terrorism
Search and seizure of ICT material to be used as evidence
And indeed much more.
For the purpose of illustration, the main legislative instruments in Great
Britain relevant to ICT include:
The Data Protection Act (1998)
The Regulation of Investigatory Powers Act (2000)
The Copyright, Designs and Patents Act (1988)
The Computer Misuse Act (1990)
The Operating and Financial Review Regulations (2005)
The Privacy and Electronic Communications Regulations (2003)
and many more…
As another example, France introduced law 2004-575, “Loi pour la confiance dans l’économie numérique” – the Law for trust in the digital economy.
Organisations that operate in many countries need to know that the application of such laws varies greatly, particularly when these laws interpret the requirements of regional legislation (such as European Union Directives) in different ways.
To make matters more complex, companies listed in the United States of
America also need to comply with the Sarbanes-Oxley Act, passed to deal
sonal digital assistant logs, cookie files and personal history files, Instant
Messaging (IM). The possibility of similar requirements being introduced
into the legislation of other countries cannot be excluded.
Hardware
Buying and leasing hardware is well established, well legislated and in principle unproblematic. These are goods that are traded in a fairly competitive market. The word “fairly” is used because not all ICT hardware consists of commodities available from several vendors. Proprietary equipment continues to be manufactured for specialised applications, and migrating from one set of proprietary “standards” to another is usually a complex project with significant risks and costs.
Software
Software is quite a different story, as it does not consist of tangible goods other than the storage device on which it is stored in electronic form (a diskette, CDROM, tape or similar carrier), and when the software is in fact downloaded from one server to another computer, it has no tangible form.
This is one part of the problem. The other is the ownership of the intellectual property of the software. The two most common situations are those of obtaining a license to use a product and that of developing custom software for use by a particular organisation or company.
Product licenses for software are no more than permission to use a particular set of programs, and the software itself remains the property of the supplier at all times.
Product licenses for software come in three distinct models: proprietary software, supplied by a commercial company against a license fee; shareware, where the owner of the intellectual property is not necessarily a company and offers a license against a modest payment which is often left to the discretion of the end user; and freeware, which can be obtained free of charge.
In the case of shareware and freeware, the end user agrees to use the software “as is” and accepts that it carries no warranties and that
the provider will not accept any liability for situations arising from the use of such software.
The legal status of software product licences is somewhat ambiguous and depends on the type of software in question and on the countries where the transactions take place.
• Sell their products “as is” and to disclaim liability for product shortcomings.
In addition, UCITA allows restrictions that prohibit users from criticizing or publicly commenting on software they purchased. Most software that makes use of one or more of the provisions of UCITA requires the installer to accept the conditions before the software can be installed.
For software other than shrink-wrap licences, such as that used for servers and larger computers, system management utilities, databases, enterprise resource planning systems and other applications, their vendors require the acceptance of their standard conditions of contract.
Such standard conditions describe the type of license that applies to a particular product in at least two distinct categories of definitions:
• One dealing with the type of licensing arrangement – for example a perpetual license or a periodic license (for N years) – and whether it is exclusive (the licensee owns the intellectual property if the software or any particular features were developed at the initiative of the buyer) or non-exclusive, which means that the software may be made available to other interested parties.
• The second set of definitions describes the rights of use of the software. In the case of large systems software such rights may be limited to a specific machine – the price of the license may differ for different size processors – at a particular location, and it may include clauses giving the vendor the right to conduct an audit for compliance with these conditions. All such contracts include a multitude of disclaimers and waivers of the vendor’s liability.
Well drafted software contracts make provision for changes to such rights of use and the charges involved in doing so. One instance where such changes may be needed is when computer centre operations are outsourced and this involves the relocation and resizing of the computer(s) involved.
In practice, “standard” contracts are negotiable. To succeed, this requires the involvement of the procurement and legal departments (if necessary with additional support from a lawyer specialising in software contracts) and consulting ICT industry advisory services.
The contractual and legal issues of custom software developed by a third
party are discussed in the next section.
Services contracts
Software development
When software intended for the exclusive use of an organisation (for example a tailor made system or facility – like the one-click button in Amazon or a “made-to-measure” payroll system) is operated by a third party such as an outsourcer, a consultancy organisation or contractors, it is
essential to ensure that the contract for these services makes adequate provision for each of the following matters:
Ownership of the intellectual property of the specification and of the source code (the program as developed by the provider of the service) and relevant documentation;
Rights and conditions of use for the service provider to reuse part or all of the software code created for a particular client;
Quality assurance and security audit of the code (to ensure that the developers did not include facilities not specified by the client, such as back doors, logic bombs and other forms of undesired software).
When buying software developed specifically for one organisation, the contract should include provisions for:
• Obtaining a copy of the source code (the listing of the computer program in a language that is understandable to others);
• Exclusive ownership – a clause to prevent the vendor from selling the same software to another client. In situations when this cannot be agreed, the contract should define limitations on when the software could be sold to others;
• The buyer’s right to sell the computer program and code (source and object) to a third party, with provision to pay royalties to the developer for each copy sold;
Conversely, a professional software developer would be likely to ask that the license be non-exclusive and that the contract includes a limit on the number of copies that the buyer can make (for example limited to backup purposes) and forbids reverse engineering or disassembly (mechanisms through which the buyer could discover how the software is constructed).
Ethical issues
Ethical matters
There is a difference between our values and ethics in the work environment. Our values, part of our culture, define what we think is right, good, fair and just. It is not up to an employer to define what the personal values of an individual should be – these are part and parcel of the person that joins the employer.
Action points
Executives must work with their Chief Information Officer, Legal Counsel and Internal auditors to ensure that the organisation is fully aware of its legal obligations and that suitable programs of work are put in place to ensure compliance.
Policies concerning all aspects of compliance with legislation must be developed, circulated to all relevant personnel and acted upon in terms of implementation of appropriate measures, monitoring for compliance and action to ensure compliance is achieved.
Monitor developments in legislation that have an impact on the need to retain documents and databases in electronic form, as these have an impact on the organisation’s disaster recovery and business continuity arrangements and its overall ICT expenditures.
Chapter 17
Concluding remarks
Key assumption: We already are in the early stages of an Information Society. Those who
adapt and adjust to its challenges and learn how to get the best out of their information
assets will be among the Winners. Those who don’t will join the Losers.
• The business use of ICT continues to grow steadily – the global ICT industry turns over at least a trillion US dollars a year and a single company, IBM, is close to having an annual turnover of 100 billion. The ICT services outsourcing business is also worth over 100 billion dollars a year;
• Electronic bank transfers are currently running at 5 trillion US dollars a day;
• ICT is finding its way into areas other than the office and the home. A car built in the year 2000 has more of these technologies than the NASA Lunar Module of 1969, and this is growing as systems such as Global Positioning by Satellite also become commodities;
• Online learning is growing fast, providing education and training on an “anywhere, anytime” basis to millions of people who would otherwise not have access to the education needed to operate effectively in the Information Society;
• Many governments around the world are embracing the online society and it is now possible to make enquiries from government departments, download forms, renew driving licences, complete tax returns and pay taxes online through the Internet.
It is safe to assume that the Information Society being created will be very different from past societies.
Alvin Toffler, in his series of books (Future Shock (1970), The Third Wave (1980) and Power Shift (1990)) made a powerful case for expecting the future to be different and challenging, particularly for those who are unprepared.
During the first wave of civilisation that started some 10,000 years ago with the first towns, organized farming and the domestication of animals – both of which led to the production of food surpluses and, indirectly, to the invention of writing to record the ownership of these surpluses – time was measured through the seasons and the height of the sun in the sky, and change was slow – major discoveries and inventions were separated by hundreds, even thousands of years. Knowledge and goods moved with the speed of the caravans.
The second wave was triggered by the growing interest in science and mathematics that followed the Renaissance and the Age of Enlightenment, some five hundred years ago, and led to the Industrial Revolution. At this point change started to accelerate, driven by the growing body of knowledge and major shifts in the way people live (increasingly in towns
and cities) and fulfil their material needs (dual role of producers (in factories) and consumers – no longer reliant on self-sufficiency).
As technologies became mature, there were major shifts in all areas of
endeavour – sailing ships were displaced by steamships, canal barges by
railways and the physical delivery of information by the electric telegraph
(around 1860), the transoceanic liner by the airlines and more. Each of
these shifts resulted in Winners and Losers.
The telegraph is a major landmark of the Information Age as it enabled information to move faster than the fastest means of transport and provided instantaneous transmission beyond the line of sight.
ICT has a long history: a mechanical programmable computer had been developed in 1833 by Charles Babbage – and Lady Ada Byron, Countess of Lovelace, became the first programmer by working on this “Analytical Engine”. Punched cards, tabulators and other electromechanical sorting machines go back to the 19th Century, and the first electronic programmable computer (ENIAC) was used in 1943.
The last sixty years of information and communications technologies have produced changes that exceed the expectations of most people working in this industry.
The challenges of making good use of information and the technologies
that enable us to exploit it remain many and complex as it seems that the
one thing that is constant in the Information Age is rapid change.
The inability to adapt and capitalise on this change will divide organisations into Winners, Losers and those that stay outside the Information Age. This will create a new digital divide distinguishing those who cannot from those who will not.
Mark Twain said that “the man who does not read good books has no advantage over the
man who cannot”. This statement holds true when extended to the “literacy” needed to
exploit the tools of the Information Age.
The Winners will be those who learn how to create and extract value from the opportunities provided by innovative information technologies. Information is there – in fact today we have access to so much of it that we don’t really know how to come to terms with it.
What can be expected over the next few years – and what opportunities
does this open to those aspiring to be Winners?
Electronics and various forms of ICT will find their way into an increasing number of devices and activities. Enormous amounts of research are taking place in the ICT industry and in academic circles on new materials for ICT, on new concepts (for example quantum and microbiological computing) and on new applications and uses for ICT.
Three things we can expect with reasonable confidence are:
• The further development of electronic commerce in all its forms, Business to Consumer (B2C), Business to Business (B2B), Business to Government (B2G), Consumer to Consumer (C2C), as well as the growth of tailor-made products for individual customers, as it is already possible to order and purchase made-to-measure clothing over the Internet as well as to create custom music compilations that are downloaded or burnt onto a custom CD.
• “Deep computing” to bring about the computing power to make sense of all the data. Progress has been made in creating supercomputers with a power never before achieved (the GRID project) and using this power to solve highly complex problems, such as weather forecasting. In future, it is likely that such deep computing will be used to analyse, aggregate and explore other massive databases – for example, how much information does a government hold about its population? Tax records, driving licences and car ownership, property ownership, health records, criminal records and so much more. Currently these are in separate databases, often incompatible, but “big brother” may well be coming thanks to ICT developments.
• Quality content for sale. The growing popularity of the World Wide Web in the mid 1990s created a thinking model that information is and should be free. While nobody denies the wonderful freedom of speech which exists on the Internet, information providers – publishers, news agencies, researchers, artists and many others – are seeing their copyright and intellectual property being appropriated and misused without recompense. When a simple mechanism for collecting money in small amounts (smaller than credit card companies are prepared to accept) becomes established, it is likely that more and more of the quality content available on the Internet and its World Wide Web will no longer be free.
What are the barriers to becoming a winner?
When you go into the future, take plenty of money with you
Appendix 1
Key questions
A listing of all the questions raised at the beginning of each chapter
Key questions
This appendix lists all the key questions at the beginning of each chapter.
• What have we learned about the impact of ICT in the “real world”?
• Should ICT investments make a difference, and if so, how much?
• How do organisations and people react when confronted with disruptive change?
• What are the challenges facing the non-ICT executive?
Chapter 9: Managing ICT projects for success, quality and reduced risk
• What exactly is risk and what are the factors that determine it?
• What is the scope of risks associated with ICT?
• Why should an executive be concerned with ICT-related risk management?
• What are the steps needed to manage risk?
Action points
This appendix presents a complete list of all the action points given at the
end of each chapter.
An old proverb states that “When there is a will there is a way”. This is particularly true for ICT, and bridging, or at least narrowing, the Executive Digital Divide is one step that should help.
Executives who take a serious interest in ICT and see it as a strategic tool and are also prepared to lead the organisational change that follows such implementations will be better equipped to gain value out of the significant investments involved than those who don’t.
Taking a greater interest is necessary but not sufficient. The executive
also needs a good awareness of what ICT can deliver and what it cannot
yet do, understand the issues that need to be addressed, be good at risk
management and not least, ensure that the right people are engaged to
deliver results that make a difference.
If your organisation’s ICT performance, business impact and value for money seem fine: Congratulations! You are among the Winners of the ICT Board game (not a crowded place). The challenge now is to remain at this level.
If there appear to be doubts, concerns or problems about performance or costs, or difficulties in assessing the value added by ICT: Things will not get better by themselves – the reverse is more likely. In these circumstances, executive action is necessary to diagnose the true nature and extent of the problems in order to take appropriate corrective action.
When a SWOT analysis is insufficient and the financial data on costs and benefits is inconclusive, incomplete or incomprehensible, it is recommended to carry out a series of audits of the ICT function, specifically:
• A technical audit if there are performance problems and/or
• A financial audit if the true costs of ICT are unclear and/or
• A board level review of the benefits delivered by ICT in the last few
years, and, if these are unclear or undefined, the development of a
new strategy to change the situation.
and, in parallel, conduct an assessment of skill gaps for the people who use the computer systems and ICT facilities of the organisation – part of the problem could be their inability to exploit the tools put at their disposal due to lack of training or other essential ICT skills.
Other audits that may prove necessary if the outcome of the previous audits gives cause for concern may include:
• Compliance with national legislation relating to ICT (data protection,
privacy, cybercrime, health and safety at work, etc)
• Compliance with policies relating to the use, misuse and abuse of
ICT
• Information security audit
Find out if there are indications that your organisation is spending more
than it needs to on ICT – despite cries from the ICT function that they
are “not spending enough”.
Find out if the expenditures incurred on ICT are well aligned with the business objectives of the organisation – what’s the value of a World Class infrastructure if the computer systems are inadequate to support business activities or management decisions?
Ensure that the business objectives of your organisation are known and
understood by those responsible for ICT strategy.
Strengthen ICT governance mechanisms to enable ICT to deliver the appropriate quality of projects and services with acceptable track record and costs.
Focus the work of the ICT governance body on alignment and value issues.
Demand that ICT strategies be regularly updated and that they reflect the input of all constituent parts of the organisation.
If your in-house ICT organisation does not use (or comply with) ISO 9001, the Information Technology Infrastructure Library, COBIT, or equivalent guidelines, ask why this is the case – is it likely that your ICT people can do better without such established best practices than with them?
If your ICT service provider, in-house or outsourced, is certified to comply with ISO 9001 and is regularly audited, you are doing well.
If not ISO 9001 certified, but the performance of your systems, networks, help desk and contingency planning is generally considered as acceptable, you are doing well and may wish to consider conducting a process level assessment based on the COBIT guidelines.
If neither of the above two situations applies, it would be appropriate for you to take action, starting with an in-depth diagnostic (Chapter 2) followed by an action plan to avoid unpleasant surprises in the future.
Chapter 9: Managing ICT projects for success, quality and reduced risk
Brainstorm potential risks to identify them, assess them and take appropriate actions.
If risk has not been well managed, consider applying the benevolent rule that “Once is a mistake. Twice is a coincidence. Thrice is either carelessness or incompetence”, then act accordingly. Clearly there will be situations where a mistake should be dealt with before a “coincidence” occurs.
Recognise that there is a real risk of loss of business and money as a result of shortcomings in information systems and the internal controls built into them.
Executives should ensure that there are clear and well disseminated policies, supported by consistent organisational behaviour with regards to all forms of cybercrime. This behaviour should extend from formulation of deterrence policies to sanctions and redress.
Those responsible for information security should be required to learn
how “bad guys” think and operate and incorporate appropriate defences
against external and internal threats.
Cybercrimes committed by an expert will be essentially undetectable.
The role of tests, audits and security certification must be seriously considered if the organisation’s information assets are valuable.
Monitor the results of the tests of contingency plans and ensure that the
lessons learned during these tests are discussed and reflected in the
plans;
Make available the financial and human resources needed to make contingency planning workable and sustainable. This is often a major issue for organisations;
Recognise the importance of communications during an emergency – with the workforce, with their relatives and close ones, with vendors, clients, the media, etc., and act accordingly to ensure that poor communications do not lead to a loss of image and reputation.
Be clear about the objectives for seeking an outsourcing option. The overall track record of ICT outsourcing is pretty good and reducing costs is not the only reason for pursuing this path.
Remember that the people carrying out activities suitable for outsourcing have a vital interest in preventing this from happening and that their views are likely to be biased.
Executives must work with their Chief Information Officer, Legal Counsel and Internal auditors to ensure that the organisation is fully aware of its legal obligations and that suitable programs of work are put in place to ensure compliance.
Policies concerning all aspects of compliance with legislation must be developed, circulated to all relevant personnel and acted upon in terms of
Acknowledgements
The preparation of this book was greatly helped by the many people who
willingly gave their thoughts, time, candid comments and material help
at the many stages of preparation of this book. I particularly wish to
thank my friends, listed in alphabetical order:
Stefano Baldi, Italian career diplomat, currently in New York, with whom I had the pleasure of co-authoring several publications and conference papers
Keith Inight, UK Technical Directorate, Atos Origin, Nottingham, U.K.
Andreas Christoforides, Director, United Nations International Computing Centre, Geneva, Switzerland
Paul Dooley, Chief Information Officer, United Nations System Joint
Staff Pension Fund, New York, U.S.A.
Jovan Kurbalija, Director of the Diplo Foundation, and his teams in Geneva and Belgrade for their assistance with graphic design, typesetting and the general business of getting the book published
Guido Maccari, Head of Information Technology and Network Services, Organization for Economic Cooperation and Development (OECD), Paris, France. It was his suggestion that there should be a version of the book “Crossing the Executive Digital Divide” that was short enough for a busy executive to read while travelling.
Dr. Elöd Polgar, Chief Executive of Critical Skills Consulting, Adjunct
Professor at Webster University, both in Geneva, Switzerland
I also wish to thank the following for agreement to use copyrighted material:
Elsevier: Chapter 15, on Outsourcing, is a shortened version of the article on outsourcing written by the author for the Academic Press Encyclopedia of Information Systems, published in 2003.
MISTI (UK): Chapter 10, on Risk Management, is largely based on a paper presented at their AudIT 2005 Conference, in London, May 2005.
Gennadi Obukhov, for permission to use his graphic of the tango dancers in Chapter 7, Strategies that work. More of his work can be found at http://propro.ru/go/gallery/html/us2000.html.