Educause Security Discussion mailing list archives

Re: Centralized vs. Decentralized IT


From: Jim Dillon <Jim.Dillon () COLORADO EDU>
Date: Fri, 8 Aug 2008 12:47:21 -0600

Daniel,

 

I hate to join the chorus of "it depends" folks out there, but it really
does, on a lot of cultural issues and delivery spaces.

 

There are two primary audiences out there from my perspective, an
administrative one and an educational one, and I think we sometimes
don't balance the two properly in HEd.   One needs the leeway to
experiment and fail with some regularity, the other has regulation and
customer expectations that bind it, with little room for failure due to
obligation and regulation.  Managing those two vastly different user
communities within one organization and one service model can be
problematic as the service goals are different.

 

I'll agree with an earlier comment, when the objectives and goals of the
IT service are regular, consistent, well understood and procedural, and
when they are in support of regulatory or high scrutiny evaluation (lots
of reputation threat) then there are some good reasons for a more
centrally managed support to achieve better control outcomes and
oversight.  When the requirements are rapidly changing, reactive,
opportunistic, etc. (think academic side, not necessarily academic
administration) then the ability to let something go, work with a
prototype, and keep the discussion close to the many scattered and
unique goal setters leans towards local management.

 

One thing central IT can provide in the academic environment is a good
forum for collaboration and communication.  I think our approach at the
CU Boulder campus is one area where we are pretty good in that aspect.
The "support community" events tend to bridge a lot of gaps and aid in
communication.  

 

The chief difficulty I note is that it is very difficult to provide
adequate analysis, strategic vision, direction, management, evaluation
in a highly distributed environment.  The skill sets that succeed in
this area are rare, complex, and poorly applied in weakly defined
functions.  Thus all the "total cost of ownership" and life-cycle roles
necessary to alleviate risk are poorly met in a distributed model, just
due to the reality of total-cost factors.   A really successful program
will help ensure that the entire life-cycle consideration of any effort
is understood going in.  What tends to happen is people build things
then have trouble maintaining the resultant life-cycle support costs.
As a result there's a lot of stinky stuff that doesn't work well and
that often becomes a burden to the central IT function due to
criticality and a lack of appropriate support.  

 

This boils down to a broadly used term, "Governance", but I think it is
too broad to really address the difficulties and complexities.  My take
is more central for administrative stuff, less, with supportive building
blocks and infrastructure (hosting, virtualization, storage, networking)
coming from the central org, and some procedural and process reality
guidance that insists on a good life-cycle cost analysis for anything
developed outside central that appears to have enterprise criticality or
sensitivity.   Easy said, tough to do.

 

Jim Dillon (Until recently IT Audit Mgr. for CU System)

 

-----------University of Colorado--------------

Jim Dillon, CISA, CISSP

Program Manager

Administrative Systems and Data Services

jim.dillon () colorado edu        303-735-5682

-------------------Boulder------------------------

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sarazen, Daniel
Sent: Thursday, August 07, 2008 1:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Centralized vs. Decentralized IT

 

Hi All,

 

Do you have any leanings between Centralized IT networks (Main IT group
responsible for IT services) vs. decentralized IT networks (Each
department is responsible for their own apps, servers and security
(Intrusion detection/prevention) with their own IT staff)? Has anyone
looked at their campus and formed an opinion on the IT governance
configuration?

 

Any feedback you can provide is appreciated.

 

Thanks,

 

 

:: Daniel Sarazen, CISA, Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office

:: 508-856-2443

:: 781-724-3377 Cell
:: 508-856-8824 Fax
:: Dsarazen () umassp edu


University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA
01545 : www.massachusetts.edu <http://www.massachusetts.edu/> 

 

