In response to Simon Moores' opinion that overworked IT staff are burning out.
In my experience, the things that cause IT bosses headaches are:
- Having too many systems, with only a working knowledge of each
- End-users thinking that "to work in IT" means "to know every facet and characteristic of every system that ever has, does, or is about to exist"
- Non-IT managers who do not listen to problems because they often do not understand them or do not believe they are genuine
- Budgets for tools that save time getting knocked back
- When IT is not regarded as a profit-generating cost centre, but a resource drain
- The ever-present threat of outsourcing
- Scaremongering disaster recovery and security firms ramping up the paranoia stakes
- Too little understanding of the legal implications of IT, data storage, employee e-mail and internet access
- Users' attitude to disc space and e-mail storage
- Too little time to organise and stay ahead of the markets and technology.
However, the IT management of the mid to late 1990s needs to take some blame:
- Bad management of IT spend (I witnessed £25m being squandered over a year on a "vision" in a firm where the annual turnover was £12m)
- Bad attitudes of IT staff towards business users
- Over-recruitment and extended use of contractors for permanent roles
- IT staff more interested in the latest technology than actual business requirements
- OPM (other people's money) syndrome on purchasing.
All these examples cost firms too much money and create an impression of IT that makes business managers suspicious. As for illness, the only time the job made me ill was a badly handled (by the employer) downsize/outsource/redundancy programme. For a fit 30-year-old, I am not sure that constant chest pain from Monday to Friday is a good sign.
Graham Jones of Integralis said implementing BS7799 is not as hard as many think.
I think obtaining the BS7799 security standard can only be a good thing.
The factors that cause problems are nearly always time and resources. As an IT manager, I can say that it is hard enough to get the time and resources (or the overtime) authorised just to get security to a comfortable level. Therefore, achieving the standard is probably a pipe dream, especially for the SMEs out there.
A method I am considering for devoting more time to security and achieving BS7799 is to integrate this into a training programme. The trainees receive half a day or a day a month to study, and in return they find the areas where improvement is needed. It is not a great solution but it is a start.
Andy Smith, technical services manager, Bounty Euro RSCG
Overall I agree with your piece on BS7799, but to say "the notion that obtaining certification is a time-consuming exercise is misguided" is slightly misleading.
Getting to the position where certification can be obtained is time-consuming, rather than obtaining certification once in that position.
There is a difference. In large organisations it would probably be easier to manage the process by having individual business units certified as opposed to a whole organisation.
The process of gaining certification need not be an expensive one. It is simply a matter of taking the existing policies and procedures and bringing them in line with the BS7799 framework.
Robin Laidlaw, director, Iconium