ASP.NET Security Consultant

I'm an author, speaker, and generally a the-way-we've-always-done-it-sucks security guy who specializes in web technologies and ASP.NET.

Aligning business and IT strategy is wrong-headed

Published on: 2011-12-04

Up until recently, I've been talking (and thinking) about how to align IT and business strategies. I've come to realize that this is the wrong approach for one simple reason: it implies that IT and the rest of the business have separate strategies. What we need to do is make the strategies of the IT department and each business function different aspects of the same strategy. That won't be easy, though, given the disparate goals of each group. To get an idea why, let's look at strategies and approaches that are common in the IT industry:

  1. Do extremely high-quality work, because software outages and security leaks reflect poorly on the team and can lead to long hours at unexpected times
  2. Focus on creating methods that elicit the best requirements from the business stakeholder and minimize changes, such as Agile and Scrum
  3. Create methods and tools that make technology-centric functions (like creating a new server or writing code) more efficient and less time-consuming

These strategies are not business-focused; they're technology-focused. To see why, let's examine them:

  1. It is often the case that doing the absolute best work possible isn't appropriate for a given situation. Technologists often want to do more work than necessary up front to avoid problems which they believe reflect poorly on them. (And yes, there's a sense of pride emphasized in the wrong place, too.)
  2. In most of my consulting experiences, the customer wants to keep costs as low as possible. This is understandable to a point, but in order to cut costs, the requirements gathering process gets neglected, causing poor user experiences and costly rework.
  3. I think it's great that technologists are continually working to improve their craft. It's great that we're able to deliver more functionality with less work because of these efforts. But the focus on understanding and using software is coming at the expense of knowing and understanding business needs.

So how is aligning IT and business strategy wrong-headed? Because it implies that IT and business strategies are different strategies that need to be brought together when we should be finding ways of making the two the same strategy. IT and business need to work together in order to find the right balance between cost, security, efficiency, performance, and all other aspects of software development. How would the above scenarios change with a different approach?

  1. Create software whose quality reflects the need of the moment. Single-use, non-mission-critical software doesn't need to be as robust as high-use, mission-critical applications. Always have a cost/benefit analysis in mind when deciding how robust to make your application.
  2. Instead of focusing on gathering the requirements from the business leader, we as technologists need to do a better job of gathering requirements from the actual end user. Knowing your customer is critical to getting the user experience right the first time.
  3. We need to make sure that we are focused not just on delivering better code, but on delivering better software. To start, there should be as many user groups focused on software usage as there are on software writing.

So how do we make this happen? Both business stakeholders and technologists are contributing to the problem by pushing their own agendas over the good of everyone. Merely telling technologists that they need to be more business-focused, or the business stakeholders that they need to be more tech-savvy, is more likely to elicit negative feedback than it is to solve any issues. I like the idea of breaking up IT so it is no longer its own separate department. In that case, we would still need a corporate IT department that would set company-level policies and procedures, but most of the work would be done by technology professionals within each department. This way the people doing the actual technology implementation would be more familiar with their subject matter, reducing communication problems and the technology-first mentality. Giving more people in technology business training and business positions couldn't hurt, either.

This article was originally posted here and may have been edited for clarity.