Confessions of an IT Director

What do you do here?

What Do you do?

I posed the question on LinkedIn the other day and for my 16 Twitter followers (side note: I have GOT to get more followers)… “What is valuable (IT) information to bring to a monthly MOR (Management by Objectives and Results) meeting? What kind of metrics/KPIs do you think the senior management wants to see?”

That was my sort of “LinkedIn” version of wondering aloud what sort of metrics executive management wants to see. 

Let me explain

Anytime I can throw a “Princess Bride” reference in, I’m going to.

My current place of employment is owned by private equity. So every month there is a (monthly) internal, and external MOR meeting (Management by Objectives and Results). The internal one is with the CEO and Leadership, the VPs and Directors of their respective departments. The meeting itself is a good 2 to 3 hours (depending on the month) long. Each department is expected to contribute a few slides to a PowerPoint deck that sum up objectives and results for their department. After the internal MOR, the top end leadership (CEO, VPs) take the deck, make whatever changes, and deliver a similar deck to the Board of Directors for the PE company. Usually the operational stuff is considered superfluous, and the BOD is really only interested in the financials… sales, forecast info, EBITA, etc…. Their primary focus is how profitable the company is, because when they decide to sell the company, that’s the marker. “We’re flipping a house” is a common phrase said around here.

The presentation deck for the internal MOR is usually 130 or so slides long, with the last 15 or so slides being appendix slides. The IT department slides (my slides) come in around slide 100. The final department prior to the appendix slides showing all the financial datasets, etc. 

So, a recap. 15 to 20 people have been sitting in a small-ish office for nearly 3 hours, and it’s my turn to present. When I was first briefed on this particular exercise, I was told to prepare 4 or 5 slides. That was pretty much it… no real direction on what they wanted to see, because I honestly don’t know that they knew what they wanted to see. Everyone is a little stir crazy due to being cooped up in the office listening to data going on and on and on… and then there’s IT, a department people don’t really understand to begin with. What DO you do?

Therein lies my problem. Get too technical, and people don’t understand and tune out. Nobody wants to know the issues you had in switching the routing from the old firewall to the new firewall, or the details in the open case with Cisco because one of the switches wasn’t passing traffic, or how this old version of one of the ERP modules isn’t compatible with the new version of the ERP, and so you’re in negotiation with the vendor to provide an updated file. It’s the teacher from Charlie Brown.

The other way isn’t great either. Don’t give any real info, and people start asking, “What about my issue from…. _______?” and, better yet, people start reporting IT issues to me that I wasn’t aware of (which invariably precedes the question, “Why didn’t you know about this?” ’Cause it wasn’t reported.) Then I’m talking about a purchasing clerk’s computer and when it’s up for refresh, or why the credit card processor was slow at 11am, or why the new sales guy doesn’t need 64GB of RAM.

I gave less information once, and one of the bosses called me into his office afterwards and told me I missed my opportunity to “showcase my wins”. “Wins” are subjective. What is it he considered wins?

Worse yet are the PowerPoint slides – best “data” I can give is ticket counts… opened, closed, categories… etc. Not a great metric, because if you didn’t know… a ticket can constitute 15 minutes or 15 hours, depending on what it is. Some tickets are closed immediately after opening them, and some stay open for weeks with a variety of variables, priority, type, resources needed… etc. 

But… it’s the best I have to offer right now. There are multitudes of tools (for $$$) out there that can deliver automated reports on system health, bandwidth usage, top talkers, and potential trouble spots… but… “We’re flipping a house”. Granite countertops, but galvanized piping. 

So I strive to stay on that narrow road. Ticket counts show the stakeholders that IT is busy, but they don’t really show what IT is doing. Don’t give too much attention so I don’t put everyone to sleep, but give enough so that people feel that IT is doing something.

But, at the end of the day – I don’t have an answer. If someone out there has found a winning formula, a KPI that energizes the organization and gets executive management engaged into IT direction, then please forward that my way. Until then, I’ll keep throwing stuff on the screen showing that IT is doing something, even if they don’t understand WHAT it is.

Knowing what you don’t know… (I TOLD YOU!)

I told you so!

I tend to be a competitive guy. BUT, as I’ve gotten older I realize you don’t know what you don’t know, and normally, people are okay with that. As a matter of fact, I consider it one of my strengths, the fact that I’m aware of my areas of weakness and have cultivated relationships and resources to help me in those areas. I can’t do something for you? Don’t fret, I’ve got a guy. However, a large part of the IT director gig is being a generalist: a person who knows just enough about everything to orchestrate and execute on strategy and vision, someone who can be both strategic and tactical, dealing with today and 5 years from now. I have to have the ability to deal with IT items on a company P&L sheet, but also be able to roll my sleeves up and troubleshoot why a monitor won’t turn on.

Thus, being an “IT guy” (or normal guy who’s proficient in IT) inherently develops a “know it all” attitude that isn’t always positively received by…. Well…. Anyone. In all my posts thus far, I’ve referenced Jimmy Fallon’s character on Saturday Night Live, “Nick Burns, your company’s computer guy.” As funny as the bits are (because they’re rooted in somewhat exaggerated truth), you hear a consistent theme, that the end users Nick Burns is servicing don’t like him. “I don’t like that guy,” one of them says. Even the theme song talks about how first (Nick) will fix your problem, and then he’s going to make fun of you.

A “C” level person for a company I used to work for had a talk with me once, when I was younger in my career, and called me a “bull in a china shop.” He was attempting to coach me because I had rubbed people the wrong way. “You walk around here acting like you know everything, because you probably do know everything,” is what he told me. I was frustrated because my new colleagues (I was new to the company) just operated so much slower than I was accustomed to. I had just left a company where everything was urgent. They wanted it done, and they wanted it done yesterday. So this new company, where everything was a quarter speed (“Oh you can give me that budget proposal a week from Friday”) was jarring, in all the wrong ways. I tried to change the culture by example, kicking off and accomplishing so many “wins” (in my eyes) but all that did was cause my colleagues angst, because they didn’t operate my way. Looking back, it put me on the outside with those I worked with, and I never fully recovered from that position in that organization.

But what happens when we (the “IT guy”) DO know something? When we warn and warn that if the company does not do something to remedy a problem, that the company is at risk? And then when the company ultimately decides not to go through with our recommendation (because IT is just too expensive) and pays a huge price for it when the thing we said was going to fail, does… whose fault is it?

There was this article in the New York Times last week, about a former IT Director for a city in Florida who was fired after a ransomware attack caused the city to have to pay out almost half a million dollars ($460,000 or 42 bitcoin) in order to retrieve the key to decrypt the city’s files. It took the city weeks to recover from the attack, and shortly after the IT Director was fired. However, he claims he warned the city two years prior about this vulnerability, and proposed a system that would have kept the city from having to pay for the key. Basically, he identified a problem, proposed a solution, and the organization said no. There’s a lawsuit in progress… you can read about it here:

“When Ransomware Cripples a City, Who’s to Blame? This I.T. Chief Is Fighting Back”

I’ve engaged in a couple discussions on this topic with a few colleagues. People definitely end up on different sides. “IT people” take the side of the Director, the “I told you so” approach. I tend to agree, to an extent. The problem was identified early on and a solution was already proposed. How is it the IT Director’s fault if the organization decides not to go with the proposal? And then, there is the business side of me that disagrees, because in any other walk of life, someone pays the price for a massive problem like that. Is the IT Director personally responsible for the ransomware attack? No. However, he’s responsible for the health of the system, and I can’t help but wonder what his actions were when the organization turned his proposal down. Did he throw his hands up in resignation? Did he refuse to research alternative methods? Did he provide other, possibly less expensive proposals that maybe could have mitigated some of the vulnerability? Obviously, the article doesn’t stipulate… but I know how I’ve reacted in the past, and I’m not super proud of it. We get “IT tunnel vision” because we “know what’s best.” 

I’ve been there, more times than I’d like to count. I do the research, come up with the charts, graphs, ROI, cost justification, risk analysis… and I’m lucky to get 6 minutes of hard-pressed attention from executives. In the end, they deem the cost too great, don’t understand the risk, or don’t believe it could happen to them, or by the time I’m explaining the risk, their attention span has moved to another topic.

It’s certainly easy to fall into the trap of throwing my hands up and saying, “oh well, not my circus, not my monkeys”… but that’s the catch. It IS my circus. When something goes wrong, no executive is going to say, “oh man, IT warned us about this two years ago”… heads are going to roll!

It’s also easy to say that the IT Director needs to do a better job pushing for the solutions. Someone told me, “If you don’t want to be the IT director who ends up the scapegoat, you must insist that your employer deploy technology and training you know will protect your organization.” I laugh at that statement. What am I supposed to do? Stage a sit-in? Lie in front of the CEO’s car until they approve my solution? I recently read “The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win” (it’s a good, unique look at the world of IT through a fictional story), and at one point, the main character resigns over constant disagreements and unrealistic expectations from the CEO. They have it out, he resigns. Then (SPOILER ALERT) the IT department suffers, the CEO sees the error in his ways, asks the IT Director (VP, in this story) to return, the VP gets his way, the day is eventually saved, and the VP of IT (main character) is eventually put on the track to be the next COO of the organization, due to his unique understanding of the workings of the enterprise.

While this makes for a great book, most of us don’t have the luxury of resigning when we don’t get what we’ve asked for. Most of us have people who depend on our staying employed to live… and more realistic still, most CEOs won’t “see the error of their ways” and ask you to come back. If there’s anything I’ve learned in my days as a professional musician (yes, before IT I wanted to be a pro musician… another blog post, perhaps), it’s that if you cannot or will not do something, there’s always someone just as good as you or even better than you waiting in the wings who will do what you can’t or won’t do, for probably cheaper. 

So which side is right on the above example? The city, who fired their IT Director due to the massive breach and subsequent massive payout? Or the IT Director, who warned of the vulnerability two years prior, but got shut down? 

In my opinion? Both. And both are wrong too. It’s important to look at situations like the city IT Director, and the one I posted about my experience where I was a “bull in a china shop” and learn from them. Yes, there will always be problems (thank God for that, because that’s why I find myself employed), and I will likely still see many of my future proposals shut down. I believe IT has to do a better job of changing the “know it all” culture, and integrating themselves as normal operating pieces of the business, and businesses have to do a better job of raising the awareness, training, and competency of their integration with IT. 

The next time I’m asked to do a task that I find easy, I will refrain from calling it an ID-10-T problem (or that the issue resides between the spacebar and the back of the chair), and take the time to sit, kneecap to kneecap with someone, educate them, and in return, maybe be educated on things I don’t know. Because as much as I want to say, “I told you so…” I’m not doing my mission any favors that way. The more I do this, the more I find that this job is a small percentage technical, but a large percentage relational. A smile, nod, and genuine attention go a long way… maybe then I can start to change the culture, one “IT request” at a time… and in the end? I’m finding there’s just so much I don’t know…. And that’s okay. Because it’ll make me better at my job.