The topic of IT-Business Alignment isn't really new. It has been discussed for years now. And several software vendors, mainly in the area of "Business Service Management", claim to solve the threats in that area. But, honestly: I believe that we are, in most cases, far from a real IT-Business Alignment. I have blogged several times about this topic (here, here, here, and here).

But let's start with my definition of what IT-Business Alignment is: IT does what the business requires - not more, not less. That includes aspects like the ability to efficiently respond to new business requests, the ability to report on and enforce business controls (including all the GRC requirements), and the efficiency of IT itself in the sense of a streamlined, lean IT organization.

There are, from my view, two main steps to take:

  1. Reorganize IT
  2. Implement a consistent control layer between Business and IT

From my perspective, the lessons we've learned from outsourcing and outtasking are a good basis for IT reorganization. Strategy has to be in-house - that is the core part of the IT department. Other parts might be done in-house as well, but organized in their own "centers" with clearly defined SLAs. An IT organization which consists of a strategy/architecture department for guidelines, a GRC department which focuses on all relevant controls, and some decentralized IT knowledge in business organizations (to define the requirements for applications and other IT services) might be the lean approach. That requires the competency for guidelines and strategies, including a strong influence on sourcing decisions. But IT itself would be pretty small. The "doing", e.g. running systems, can be done in-house - there is no need to outsource this. But in that case, these are separate departments which act, as described above, like external entities (or like the internal facility management or corporate security or any of these internal service providers).

The layer between IT and Business is, from my perspective, a GRC layer which goes well beyond Identity and Access Management related GRC approaches and well beyond BSM/ITSM, providing a consistent framework for business controls for IT.

For sure we can't change an organization immediately. There are several prerequisites:

  1. The CIO role has to change, clearly focusing on IT-Business Alignment, with the responsibility for GRC as the main task.
  2. You will need architects and strategists for the central department.
  3. You will need people with a good IT understanding in the business departments.
  4. You will need managers who can really manage the IT "centers" as business managers.
  5. GRC tools have to go beyond just IAM or BSM support, moving towards real platforms.

Thus it is a long way to go. But I strongly believe that we have to go that path, for more efficient organizations and to reach the target of IT-Business Alignment.