Develop application portfolio and acquisition processes to protect the business

Through the use of well-enforced policy, organizations can provide a structure by which individual units can make decisions while still maintaining strong centralized databases used for decision making.

A story: One day, I walked into my office and found a box in my chair.  Attached to the box was a Post-it note with this written on it: "We need this deployed within two weeks."  Upon opening the package, I discovered a product that would require much, much more than two weeks to deploy and that would seriously disrupt the established project schedule.  I sent the package back to the business unit with a note of my own: "Let's do this a bit more intentionally."  Fortunately, I had very good relations with the head of the business unit, and we worked out a solution that was agreeable to both sides and that handled the application acquisition and implementation in a more controlled way.

This is just one story about what could have turned into a very ugly confrontation, and the potential for this kind of situation is increasing with each passing day as vendors continue to simply bypass IT and go straight to end users with their products and the promise that "IT doesn't even need to be involved!"

Companies tend to go through centralization/decentralization cycles when it comes to Information Technology organizations.  In the mainframe days, IT was very centralized.  As the era of the local area network emerged, the cycle began to move more toward a decentralized model where individual departments built their own environments for their individual purposes.  As that model became more chaotic, CIOs were hired to corral and consistently leverage an organization's technology resources in ways that were more central, more coordinated and more controlled.

The cycle is definitely continuing and we're seeing a lot of this happen right now.  There are three phenomena that are pure evidence of the ongoing decentralization of IT:

  • Bring Your Own Device (BYOD). BYOD is a user-driven event that is forcing IT departments to support devices that may not have been supported in the past.
  • Consumerization of IT. There's more to consumerization of IT than just seeing consumer-level devices being brought into the organization. Instead, I see consumerization of IT as a step beyond that. Individual departments in many instances are empowered (or think they're empowered in some cases) to simply buy software and technology services that meet their individual, defined goals. In many cases, I've seen this kind of activity allowed without input from IT. This is exacerbated by the rise of cloud-based/hosted services that are easy to acquire.
  • Cloud computing. Cloud computing is making it easier to acquire applications. For many end users, that is music to the ears since it can be difficult sometimes to acquire the tools that are perceived to be necessary to get the job done.

Personally, I'm a believer in getting the right tools into the right hands, but I am not a believer in all-out chaos.  Organizations need to take steps to protect themselves from a potential application onslaught that could happen if there are no checks to control the application portfolio and the acquisition of new systems.

Data is an organization's biggest asset.  It helps companies manage every aspect of the organization, from sales to manufacturing to marketing and more.  As such, it's critical that data be protected.  In this context, I mean that data should be protected against being splintered, made inconsistent and made difficult to manage.  Before an organization starts acquiring a bunch of different data-based services, there should be clear data governance in place.  Governance should include a data life cycle, which needs to include information about all of the various points at which data is managed in the organization.  The documentation should identify which systems are considered authoritative and do everything possible to ensure that there is always an easily accessible "single version of the truth."  Nothing is worse at decision time than when a decision maker is handed two decision memos that contain differing information simply because they were pulled from different systems.

Now is the time to collaboratively develop clear application acquisition policies that are designed to make sure that these things don't happen.  In addition, every new system acquired by a business unit is an opportunity for security issues to be introduced.  Ensure that this doesn't happen by including in your acquisition policies a requirement for a security review.

As IT is further decentralized in this way, it's up to the business to make sure that the Enterprise Service Bus is robust and flexible enough to be adapted to changing needs as new applications come on board.

To summarize and expand: through existing governance structures, develop clear software and service acquisition and ongoing management policies.  Include in these policies:

  • Security requirements. Ensure that vendor systems meet your company's requirements and any regulatory compliance requirements that are necessary in your industry.
  • Data ownership. Make sure you own your data when it's appropriate! The contract that you sign should stipulate that your organization owns the data that is managed by the vendor. Obviously, some services won't need to include this provision, but never skip checking this step.
  • Integration requirements. Manual integration is not an answer. It's error-prone and inefficient. All new services should adequately and in an automated way integrate with existing systems. Never allow a new system to introduce massive inefficiency or create "data islands" that are potentially inconsistent.
  • Federated authentication requirements. I'm a big believer in the user experience. A good user experience makes people happier and can increase security. In the case of acquiring a bunch of disparate third-party systems, see if it's possible that vendor systems can authenticate against your internal authentication systems. This way, regardless of what happens, IT continues to control access to key business systems and users retain their single set of access credentials. Better yet, see if third-party systems can be made a part of a single sign-on solution or integrated into your portal.
  • The CIO must sign off on all new software or software service acquisitions.

Times are changing, but that doesn't mean that user-driven decisions should create chaos in an organization.  Through the use of well-considered and well-enforced policy, organizations can provide a structure by which individual units can make decisions while still maintaining strong, centralized and consistent databases used for decision making.

By Scott Lowe

Since 1994, Scott Lowe has been providing technology solutions to a variety of organizations. After spending 10 years in multiple CIO roles, Scott is now an independent consultant, blogger, author, owner of The 1610 Group, and a Senior IT Executive w...