Educause Security Discussion mailing list archives
Re: From Decentralized to Centralized
From: "Bowden, Zeb" <zbowden () VT EDU>
Date: Thu, 19 Mar 2009 16:25:00 -0400
To expound on your issue #1 - I think changing the funding source is an excellent idea and it would be great to hear from any other universities that have tried that. A good compromise or baby step may be to centralize IT at the college and/or institute level first; let's call this pseudo-centralized because we don't use the word pseudo enough anymore. That may allow for enough localized support of IT folks familiar enough with the business processes of the existing departments within the college. It would also jumpstart the necessary knowledge transfer between the few IT people in the department to the "few + more" at the college level. This process would hopefully give upper management enough information and background to make an informed decision on whether or not to continue the centralization process for a given college/institute. Additionally, it gets a more diverse group of people thinking about business processes outside of their little area/dept. -- thinking optimistically, some commonalities would be identified and with support of central IT at the university level there may be some large efficiency and standardization gains here. The knowledge transfer (from the few to more) is a critical reason for going to the centralized (or pseudo-centralized) model. Without it, we're getting killed by the costs associated with an IT person leaving in these smaller IT departments. Even in today's job market, you're probably talking a minimum of 2 months to replace a person and then another 2-3 months for the replacement to become productive. In a department with an IT staff of 2 - that's a 20+% reduction in work, and I that's almost a best case scenario. I don't have any numbers to back this up, but I think we see a pretty high turnover in our de-central/departmental IT staff that makes this problem much more costly than most realize. I think you're absolutely right on point #4 about forcing cookie-cutter systems on people -- so when I said "standardization" above I was that was directed more at processes than systems. Eventually that could carry over to systems and/or applications but there's never going to be a one size fits all that works for everyone, and we can't ignore those people. Zeb Bowden IT Production Lead Virginia Bioinformatics Institute -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of randy marchany Sent: Thursday, March 19, 2009 3:39 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] From Decentralized to Centralized I haven't seen anyone suggest the following in their comments on this thread about "centralizing IT". I assume current action plans addresses these issues. 1. Leave the current IT positions at the depts but the funding for their positions comes from the central IT group. This solves a support problem that central IT has always had: no knowledge of how the individual business processes actually work. 2. Desktop mgt costs. Unless there's a massive replacement of PC, laptops and desktop servers with "thin" clients (whatever that is), there's still the question of managing the things. While Active Directory style mgt is nice and addresses this mgt problem, it's not applicable in all university settings. Central IT staff will have to support those outliers. This is particularly true in teaching and research labs where there are specialized computers that control lab equipment. 3. Virtualization plans. I'm sure current computer capacity at the central sites is not enough to support the added functions coming in from depts. Virtualization seems to be a way to provide this extra capacity at a reasonable cost. The market is somewhat young at the moment if not in the software technology then in the experience of the system administrators. The greyhairs who cut their teeth on old mainframe technology will now by back in demand. IBM VM system programmers, unite! You'll need a number of virtual host systems since you never want to put all critical functions on a single host system. 4. Security issues. It's easy to say that centralizing IT processes will increase security. However, point #1 shows that central IT doesn't know how the myriad departmental business processes work and that they will decide on one-size-fits-all approach that will be "efficient" from a management view but cumbersome in the office environment. Cumbersome procedures mean that people will circumvent them and that leads to a decrease in security. Yet, in order to get a good idea of how business processes actually DO their business requires a lot of time and $$ and most central IT orgs won't do that. So, we have an overall decrease in security. I'm not opposed to centralizing IT but there were valid reasons why decentralization happened. Things like not providing timely service, not being responsive to rapid changes, etc. forced the migration in the first place. -Randy
Current thread:
- From Decentralized to Centralized Sarazen, Daniel (Mar 19)
- <Possible follow-ups>
- Re: From Decentralized to Centralized Joel Rosenblatt (Mar 19)
- Re: From Decentralized to Centralized Ness, Carl J (Mar 19)
- Re: From Decentralized to Centralized Kathy Bergsma (Mar 19)
- Re: From Decentralized to Centralized Allison Dolan (Mar 19)
- Re: From Decentralized to Centralized Consolvo, Corbett D (Mar 19)
- Re: From Decentralized to Centralized Joel Rosenblatt (Mar 19)
- Re: From Decentralized to Centralized Jesse Thompson (Mar 19)
- Re: From Decentralized to Centralized randy marchany (Mar 19)
- Re: From Decentralized to Centralized Gary Bristol (Mar 19)
- Re: From Decentralized to Centralized Bowden, Zeb (Mar 19)