From the Ask Tom mailbag:
Question:
I work for an insurance company as an IT administrator. I have difficulty getting anything done because the people lack interest. They do not realize how much the business hinges on IT. I have tried introducing standard policies like email, AUP, DRP, a disaster recovery plan, but they just have no interest despite the importance. These are business critical policies that need to be in place in any organization. I have tried all I can and put simply, I am annoyed and tired. What should I do? How can I make them see the importance of IT? How can I make them cooperate? Please advise.
Response:
This is a conundrum with any kind of policy or procedure, whether it is administrative, a manufacturing process or a safety procedure. Some people in the organization just don’t seem to care about your silly policy, even though there are a ton of reasons why they should. I am going to give my readers a chance to respond before I jump on the bandwagon. -TF
First off, nobody is going to listen to him unless the organization itself realizes that IT is an important department on which the success of the organization as a whole depends. For this, each department has to know how their functioning depends on the IT department. To communicate this is the job of the senior management and this guy is helpless here.
Unless the role & purpose of the IT department is communicated clearly, whatever this guy tries to introduce will be seen as an overhead to normal work for the rest of the company.
Action plan for this guy:
Since the organization does not understand how important his role is, he needs to communicate its importance. For this, he needs to do a risk analysis which should include:
1. Things that are at risk by not having a certain policy, for example: email
2. The probability of the risk actually occurring
3. The monetary loss that can be incurred for that risk.
Once he communicates the findings to the top management, I am sure things will change for the better and he will be taken more seriously.
Simply put, the answer is to “create interest”. Interest comes from realising the benefits of a policy. And a policy gets put into action by reinforcing this behaviour over time.
At the same time, many policies, though seemingly important, are actually not so, and the employees have developed a resistance to them over time. This also needs to be eroded before any work can be done.
I echo Mukul’s comment with a little more emphasis on management’s role. As a CEO of a software company, I have found that my employees really listen to these types of policies when I personally send them out. In this IT administrator’s case, he may not be able to get the CEO of the organization to send out an e-mail requiring everyone to comply, but maybe the CIO/CTO would do so. Someone at the C-level needs to ensure that everyone in the organization reads, understands and follows the policies of the organization. It is their responsibility to communicate how these policies help the firm achieve the corporate goals, whatever they might be (enhanced revenues, lower costs, lower risks, higher employee satisfaction, etc.).
It’s got to be top down!
WJL
I’ve been in IT for 10+ years now and this is a common situation. At first I was in the same boat, but looking at the situation from the users’ perspective changed my view.
IT supports the organization. Unless your business is IT, your job is to enable the users to do their jobs.
As such, your users will never care about the policies. At best the policy does nothing for them. At worst, it gets them in trouble or fired. There is no upside for them to have a policy.
As Mukul Gupta said, management is interested in the policies, so stop trying to sell to the users. They’re never going to care and you just lose credibility by continuing to beat the drum.
You do, however, have the ability to influence the users. You can help them do things the right way. You can build trust with them by helping them. Never, ever, ever wave the policy in their face, you just lose credibility.
The most important thing to do is to write the policy with the user in mind. This is incredibly obvious in all other areas of the business, but for some reason IT people never see beyond their own cube when writing policies. It’s always about what’s easier for them to support, or “there can be only one standard” mentality.
There can be more than one standard. The user that works from home 95% of the time is different from the user that works from home 5% of the time and probably needs different hardware. Wireless is out there and yes it brings on security concerns, so help the users set it up the right way rather than setting up roadblocks. People ARE going to use the email and Internet for personal use, so deal with it. I’d rather put in a proxy cache to save Internet bandwidth, or go to bat for more bandwidth than I would implement email and web filters.
Once I got over all of that and realized people just want to do their job I understood my role and became much happier.
Sean
Write up a plan and cover your butt. If you’re their IT guy it hinges on you regardless of how many times they tell you no. Ya know partially unplugging a hard drive to give them a good scare of data loss?… It’s harmless and it gives a good pitch to the un-educated. If you are the only one who understands then real life education is sometimes the best method. Come on, put on the fake pregnancy suit and tell me if you learned something.
This guy is a victim of his own success: the stability of the current IT infrastructure. Often only managers know how much money is earned on a daily basis. They are the first to convince. Drawing the infrastructure and the process flows over the different IT components gives them a visual view of where the “hot spots” lie. If you mention the time it will cost IT to fix an outage and the related business outage, they will translate that time into money. Eyes will open… Speak in a language they understand. Don’t forget to include the cost of labor hours when workers can’t do their job because IT’s down.
IT paves the way…
I have also met such situations many times when carrying out these IT policies, so I do understand your feeling. However, viewing these policies from another side, end users don’t care how critical the policy is to the business because they can’t think about future, invisible things. Actually, I also think some of our IT policies are really silly for common users, although these IT policies are necessary.
My suggestion is to get senior management to support the decision on IT policy: let top management realize the danger of being without these policies, instead of talking about their importance, then make sure the policy is executed.
Importance of IT? Just forget it. Common users are only concerned with how to use IT to work, just as we sometimes care about our own cold much more than the nuclear issue.
Hi,
I agree with Mr Mukul’s suggestion that a CEO kind of element be involved in implementing the policies of importance, and the CEO will move a bit only if he/she finds it is really useful for the organization’s development, either in process improvements, time saving and thereby of course revenue/money saving. Apart from this, I understand that this is purely a change resistance case where the guy in question can implement the easily adaptable policies first and, slowly, once all have had a taste of the advantages, go further for tougher ones. Certainly this may take more days but it is very useful. So guy, don’t worry and just follow it and you will find at the end of the day you are the big winner by winning the battle of Waterloo.
B’Bye
I agree with those who say that this must be top down. C-level management or someone who has oversight over both IT and the user community must first understand the risks, and then strategies for managing that risk.
I also agree with the guy who suggested you call their bluff. That said, in order to do that you are taking a risk. This is an exercise that you can do with management’s approval, to test preparedness.
I worked in healthcare many years ago, and was responsible for IT provisioning for a single department (200 users). We actually staged downtime without users being aware to test their preparedness to continue patient care activities when the system was unavailable.
In the insurance industry, it is the loss of productivity and information that is the risk. No one is going to die. Call their bluff. Ask senior management what they think would happen if a critical IT resource were to “go up in smoke”. How would the organization cope? Then ask them for an opportunity to prove it without the risk of losing data. Guaranteed, the results will get their attention. You will have policies.