News Stay informed about the latest enterprise technology news and product updates.

Security at risk when execs, IT clash on IT purchasing decisions

IT teams and business leaders must work toward making IT purchasing decisions together to avoid security vulnerabilities and higher costs.

IT organizations and business leaders with IT purchasing power have historically butted heads when making technology decisions for their enterprises. That struggle is entering a new phase as vendors and service providers begin to target non-technical employees by making their technology easier to use and adopt. The result: poor performance, finger-pointing and, perhaps most troubling, a vulnerable infrastructure that's ripe for hacking.

Business leaders who make unilateral IT purchasing decisions without consulting with the IT organization can produce outcomes with unpleasant ramifications. Inappropriate products cause security, performance or reliability problems. Improperly vetted tools or services don't work with existing products. It's time for the two camps to improve how they understand and communicate with each other, industry observers say.  

"I've seen firsthand where the IT purchasing decision -- especially when it comes to security -- is made unilaterally by business leaders and ends up being something that IT has to pay for because the purchasing decision was a poor one," said network engineer and blogger Nick Buraglio. "Good leadership will defer to subject matter experts and not just read [a tech article] online to determine what they need."

IT purchasing decisions: Who is really calling the shots?

The conflict is escalating as cloud-based services and tools move some of IT's tasks outside of the company's four walls. As a result, some business leaders race through the technology purchasing process because many tools don't require infrastructure, and by extension, help from IT. "In today's world, a lot of tools and services are just another line item to pay for, and you don't need any software or hardware," said Ty Lim, vice president of marketing for Druva, an endpoint data protection and governance company.

But just because a product might be easier to buy, it doesn't mean it will be an appropriate choice or meet the security requirements of every enterprise. Jonathan Davis, a network engineer who works at a global manufacturer, recounts the time he was brought in to a discussion about collaboration when his company was choosing between Microsoft and Cisco for online meeting spaces. Davis and his team did a side-by-side comparison of both vendors' products and decided, based on the business's needs, that Cisco was the clear winner. When a senior business leader informed Microsoft that it would not be winning the business, the vendor responded by throwing in Lync licenses for free, and thus was awarded the contract, Davis said. "The decision was made not based on any of the testing we did, but purely because we wouldn't have to pay for the Lync licenses," he said.

"The purchasing decision makers were completely clueless about any of the technical aspects -- like the fact Microsoft Lync didn't natively support [Quality of Service] QoS at the time -- and that created massive problems across our WAN links, which probably has resulted in an extra $100,000 a year in WAN costs because we've had to implement more [links]," Davis said.

While the level of pushback between IT and business leaders will vary by enterprise environments and culture, there is most likely a good reason why business executives are in their positions, Buraglio said. "A good leader is going to surround themselves with people that are smarter than they are on the subjects that are important for that particular job description," he said. "Where you start to see problems is when these leaders don't do that, or if they were technical 10 years ago and their information is now out of date. Some [leaders] have too much of an ego to let that go."  

Technology decisions: The battle between innovation and security

IT has a corporate responsibility to secure and protect data as well as meet compliance regulations -- tasks that are generally not top of mind for every user or business leader within the enterprise. While employees and executives want to move at the speed of business, a balance must be found. "IT has to really evaluate solutions to make sure it's right for their business, and on the business side, it might feel like that process is slowing down creativity and innovation," Druva's Lim said.

More about technology and IT purchasing decisions and processes:

Anatomy of poor IT buying decisions

Security, Wi-Fi top tech purchasing decisions survey

Is your company purchasing technology based on consumer trends?

Both sides -- the business leaders who ultimately make the IT purchasing decisions and the IT organization that implements the technology -- have to work to communicate and share their respective information with each other to make decisions that are best for the business. "There's definitely a benefit to having visibility into both the technical and financial side of an organization," Buraglio said.

IT teams have a great deal of experience with evaluating products and platforms -- whether it's software, hardware or a service from a provider. "Enterprise IT [organizations]  have a stringent process for figuring out if a solution is going to meet security, network and compliance requirements, so it's important for the business heads to leverage that maturity and knowledge as much as possible," Lim said.

At the same time, IT teams need to be able to communicate their concerns effectively with business leaders by providing concrete examples of how a particular approach could fail, said Forrest Schroth, network manager at Randstad US, an Atlanta-based staffing and recruiting agency.

"IT needs to be able to say, 'If we do X, we could make money, but Y will be the vulnerability or potential impact,' and the business leaders should appreciate when an IT team explains what led to that decision," he said.

"As a rule, businesses don't want to invest in products they can't use, or breach security and cost their company money. There's been enough attention on high-profile security events in the last couple years where it's gotten easier to have the conversations with business leaders -- people are listening to us more," Schroth said.  

On the other hand, IT also needs to understand that part of innovation includes taking risks, Druva's Lim said. "Security is about taking risks and mitigating them, rather than not taking the risk at all."

Let us know what you think about the story; email: Gina Narcisi, news writer and follow @GeeNarcisi on Twitter. 

Dig Deeper on Network Security Best Practices and Products

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.