The IT industry has many standards covering topics such as software asset management, IT service management, disaster recovery, business continuity and information security: a long list of BS, ISO and IEC documents running into thousands of pages. Alongside them sit ITIL, PRINCE, PMP, formal development methodologies and the like.
They are almost all very large and comprehensive; they are highly structured and require significant commitment and investment in order to implement them. For the busy IT directors of large enterprises these standards and methodologies form excellent off-the-shelf blueprints of how to get it right.
A team can be set up to address a particular governance issue. Given the appropriate manual or standard, suitable training and possibly support from an external specialist consultant, the team can get on with the job knowing that at the end of the process it will have implemented a robust and comprehensive solution.
This is very laudable: adopting standards and best practices significantly helps to ensure that crucial considerations are not omitted, and it helps big organisations to avoid making big mistakes. But as I was reminded recently, the world is not made up of big organisations. We do not all work in major corporates, and we do not all have large IT teams able to take on the likes of BS 25999 (Business Continuity Management).
In reality, more than half of UK private sector income, and over half of private sector employment, is from businesses with fewer than 250 employees. These small and medium-sized enterprises generally have small IT teams - perhaps a handful of people, or a single IT person. Some have no dedicated IT resource at all; they outsource everything to a third-party on the basis that they don't have the critical mass to justify the cost of a single talented IT generalist.
These small firms, which according to the UK's BERR Department make up 99.9% of all enterprises, cannot practically implement the standards and best practices which we have invented for the management of IT. Many of the IT firms to whom they may outsource the problem are small businesses themselves, employing fewer than a dozen multi-talented technicians; like their clients, they do not have the depth of resource to adopt and implement our standards and best practices.
Our current regime of standards and best practices, designed to protect organisations, investors, customers and employees from the consequences of critical omissions and failures, is critically flawed. Our development of all-encompassing standards suited to the needs of large public sector organisations and major corporates misses the point. It provides guidance to those organisations whose resources and pockets are already deep enough to solve the problems addressed by the standards. It fails to address the needs of the majority of businesses, employees and customers. We need a different standards regime.
We need standards and best practices that are scalable and stratified, targeted at the smaller enterprises who cannot afford an IT team of 30 or 3,000. Simple, basic standards that can be read and digested in a couple of hours, and implemented with resource that is measured in man-days, not man-years. We need management strategies that are appropriate for the lone "IT manager" - the sole, do-it-all, IT dogsbody who keeps the systems going for a 12 person advertising agency or a small chain of estate agents. We need standards for the real world.
Our current standards have been developed by collaborations of public sector organisations and major corporates, supported by expert consultants. The learning from these sources has been wrapped up by the BSI and government. Unfortunately, these bodies are so different in scale from the typical SME that it is hard to see how they can comprehend the nature of the challenges and pressures faced by smaller organisations. Nevertheless, as IT becomes ever more complex and pervasive, we desperately need standards "for the rest of us".