"In the light of digital transformation, information and technology (I&T) have become crucial in the support, sustainability, and growth of enterprises.”1
Enterprise governance of information and technology (EGIT) and business-IT alignment are crucial to create value and achieve the goals and objectives of IT. The IT operations team is pivotal as it serves as the final test of user satisfaction and quality of IT services provided. Therefore, it is essential to establish a strong IT operations team dedicated to delivering value. However, navigating the complex maze of people, processes, and technology is challenging, particularly given the unpredictable nature of the human factor.
The human factor encompasses technical skills and capabilities; however, it is easily influenced. This highlights the need to focus on the behavioral aspects of the IT profession. Given society’s significant dependence on IT for various needs, ranging from healthcare to communication, it is imperative to recognize the importance of key behavioral traits in IT professionals, such as caution and analytical ability, good judgment, and the ability to take responsibility for decisions and actions. These traits can be applicable to all professions, but in the field of IT, they can significantly contribute to a broader understanding of the big picture. Regardless of the specific IT team, having these traits can foster collaboration and prevent the formation of silos.
Internal organizational silos and politics are not unique to IT, but they can significantly impact delivery capabilities and compromise the IT value chain. An IT code of ethics should be added to existing organizational codes and monitored as part of governance and controls to establish guidelines and expectations for ethical behavior within the IT profession, fostering a culture of collaboration, integrity, and value delivery. Several professional codes of ethics exist, including those compiled by ISACA,2 the Project Management Institute (PMI),3 and the International Information System Security Certification Consortium ((ISC)2),4 but they are limited to specific IT roles.
To ensure an organizational culture devoted to delivering value and to mitigate issues arising from IT internal silos, departmental-management preferences, and internal politics, it is imperative that any code of ethics explicitly address and discourage behaviors that can hinder collaboration and create barriers between departments. By establishing guidelines that promote transparency, cross-functional cooperation, and the shared goal of value delivery, an enterprise can foster a more cohesive and effective IT environment. If such a culture exists, it permeates day-to-day IT operations and plays a crucial role in meeting or even exceeding end user expectations, which is considered the holy grail when measuring the quality of IT services.
The subtle impact of internal IT silos and organizational dynamics can be linked to the overall IT ethical environment in an organization. Signs of this impact become evident when evaluating the handling of day-to-day IT operations and IT team member behavior. A survey of IT behavioral traits was conducted in collaboration with ISACA’s Atlanta Chapter (Georgia, USA). The respondents were IT professionals at various levels, ranging from senior executives to analysts, who represented multiple industries. The survey was conducted between Q2 and Q3 of 2023, with questionnaires sent to approximately 500 IT professionals across multiple industries and job levels. Notably, an overwhelming 78% of respondents expressed concerns about competing priorities among IT stakeholders, despite the importance of having a common goal (figure 1).
Although the sample size was small, these results indicate a culture that is likely to have a detrimental impact on IT’s ability to deliver in four areas: communication breakdown, mistrust and lack of collaboration, resistance to change, and decision making.
Communication Breakdown
Although it may make business sense for a particular department to prioritize certain initiatives, it is crucial to consider whether its priorities align with the enterprise’s overall direction and goals. Similarly, an operational task that appears significant to one team may not align with the goals of another team. It is important to ensure alignment and collaboration across teams to avoid conflict and maintain a unified approach to the achievement of organizational objectives. Another survey found that “more than half of top-tier managers (68%) admitted that miscommunication with the IT department or IT security team resulted in at least one cybersecurity incident in their organizations.”5 Real-life examples of communication breakdowns due to individual-team-departmental goals having a narrow focus rather than having a visible tie to broader goals are becoming increasingly prevalent. Indeed, “goals may cause systematic problems in organizations due to narrowed focus, unethical behavior, increased risk taking, decreased cooperation, and decreased motivation.”6
In the ISACA Atlanta Chapter survey, 40 percent of the respondents confirmed that departmental preferences have a noticeable impact on IT service quality and user experience. This narrow focus on departmental preference can limit transparency among teams; instead, an open and transparent alignment of goals can foster strong intrateam communication.
Although IT project overruns (cost and schedules), incident root cause analysis, and consistent user dissatisfaction are routinely evaluated, the underlying real root causes of incidents or IT project overruns might not be formally reported or discussed openly, but they are likely well known within informal circles. The root cause may be related to vendor favoritism, production incidents caused by unapproved or untested changes, or misalignment of intrateam priorities. In the ISACA Atlanta Chapter survey, the respondent comments shed light on the gaps in internal communications that influence the overall effectiveness of IT operations:
- Priorities of head office IT vs. remote facility IT; federated budget vs. local budget
- Program initiatives that may not align with organizational strategies
- Business vs. information security priorities
- Regional instances of applying the same solution with different approaches vs. one global solution
- User ease of use vs. system/data security; speed of completion vs. completeness of assessment
- Compliance and security vs. speed to market and profitability
Mistrust and Lack of Collaboration
Many enterprises have several departmental units within the IT function. They may include infrastructure, operations, help desk, compliance-risk management, security, end user computing, analytics, integration, project management office (PMO), and cloud operations. Each of these departments often consists of multiple teams, such as data center operations, virtualization, Windows, Linux, and network teams within the infrastructure department.
The objective of this ecosystem of IT units is to work together toward a shared goal. However, if collaboration and trust between teams are lacking, service quality may be compromised. Lack of collaboration often leads to duplication of work within the IT department. For example, the US government’s Federal Integrated Business Framework (FIBF) addresses the issue of cost transparency, noting that “Disparate attempts over the years to define IT Cost Transparency Standards have led to overlap, duplication of effort, and a lack of clarity on how to represent IT services and manage spend[ing]. The IT Cost Transparency Taxonomy establishes a common standard that translates IT policy into practice and facilitates the effective and efficient delivery of IT services.”7
The ISACA Atlanta Chapter survey responses related to duplication of work within IT indicate that it is a significant issue attributable to departmental silos (figure 2).
As shown in figure 3, follow-up comments from respondents reveal common traits with regard to duplication of work in organizations.
Resistance to Change
IT is often described as being centered around change—transforming the way businesses are run and maximizing their value. The success of IT depends on continual improvement and innovation, as exemplified by the plan, do, check, act (PDCA) methodology. Embracing new products, new services, and process improvements is an ongoing reality within the IT culture. However, the existence of organizational silos and departmental preferences can hinder the adoption of change, impacting IT’s agility. The Project Management Institute (PMI) notes that “It is the responsibility of change drivers to foster the change culture whether it is IT related changes or an Organizational change. Ethical leadership is a key component to change adoption.”8 But according to one ISACA Atlanta Chapter survey respondent, “Large departments are unwilling to change and cling to outdated methods and ideologies that hinder the organization.”
Some key indicators of the symptoms of resistance to change are shown in figure 4.
There are various ways to address these symptoms, but the key driver for mitigation might be the adoption and evidence of ethical leadership that permeates all levels of the organization.
Decision Making
Decision making and taking responsibility for the decisions made go hand in hand. The PMI’s Code of Ethics captures this well: “Responsibility is our duty to take ownership for the decisions we make or fail to make, the actions we take or fail to take, and the consequences that result…. We fulfill the commitments that we undertake—we do what we say we will do.”9
If there is consensus that silos negatively affect the quality and purpose of IT, then anything that fosters or endorses a silo culture, such as IT teams’ behavioral traits, can be regarded as an ethical concern within the realm of IT.
Doing the right thing is a common approach to decision making, but achieving a consensus on what constitutes the right thing can be challenging due to departmental silos and differing priorities. It is beneficial if the concept of the right thing is aligned with the enterprise’s goals and priorities and what is best for both users and the business.
Despite advancements in tools, data collection, and analytics, decision making has not necessarily become easier. An abundance of data points can make the decision-making process overwhelming. Artificial intelligence (AI) can assist with this by converting data into actionable information. However, as described by the data, information, knowledge, wisdom (DIKW) model, personal and organizational experiences and preferences are still paramount.
Dashboards and scorecards play a crucial role in IT operations, but it is important to recognize that these metrics may not always provide an accurate reflection of the decision-making process. As the ISACA Atlanta Chapter survey responses reveal, many respondents find these reports and dashboards only partially useful (figure 5).
Cumulative Impact
Each of these key areas (communication breakdown, mistrust and lack of collaboration, resistance to change and decision making) has an impact on IT capabilities and operations and the businesses served. The most realistic and visible impact is on IT operations and its ability to sustain fit-for-purpose services.10 As an example, outages, particularly major ones, continue to be a daunting reality. However, a significant number of outages result from a lack of transparency, poor reporting mechanisms, and management failures, in addition to numerous unreported incidents.11 Addressing these issues is vital to improve incident management, enhance transparency, and mitigate the impact of IT incidents on business operations. To restore IT service and operations, regardless of the scale of the incident, swift communication, decision making and collaboration are key. On the other hand, silos within an IT organization can impede the service resolution, quality, and subsequent impact to business-user experience.
As revealed by the survey, certain shortcomings can impact IT effectiveness, regardless of an enterprise’s nature, size, industry, or location. Therefore, IT governance must make a conscious effort to be vigilant in identifying and responding to possible trouble spots, as outlined in figure 6.
Conclusion
For effective EGIT, it is a given that an IT organization requires several teams that work together toward a common goal. However, for whatever reason, whenever individual team goals drift, there may be an impact on the overall purpose of IT. Perhaps a reminder of the importance of an IT code of ethics can promote a collaborative culture and limit (if not eliminate) the impact of organizational silos for the organization. ISACA’s Code of Professional Ethics states that certification holders must “perform their duties with objectivity, due diligence, and professional care, in accordance with professional standards.”12 This requirement can be extended to all IT professionals. ISACA’s code goes on to recommend “support[ing] the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including: audit, control, security, and risk management.”13 Ethical behavior can be added to that list.
Organizations such as ISACA have the breadth and depth of outreach to influence the adoption of ethical practices within organizations, such as:
- A required program on ethical behavior for new hires
- Mandatory training for new employees and refresher training for existing employees, along with mandatory annual security training on topics such as identification of silo tendency, creating an open culture to report decision delays or obvious and biased preferences, and methods to identify and report service issues that could have been avoided by a better and more collaborative approach
- Management’s dedication to a culture of transparency and openness, which can be measured only by unbiased external consultants and auditors
Although the ISACA Atlanta Chapter survey represents a small sample size, the topic of ethical behavior among IT professionals is undoubtedly an important one. The fundamental theme of ethics in IT should be woven into the formal controls and guardrails of EGIT and compliance programs. It is possible that this change is already underway.14 In fact, “The [US] Department of Justice assesses a corporation’s compliance programs and compliance cultures, where regulators seek to promote compliance programs that reward ethical behavior and penalize unethical behavior.”15 This leaves little room for the option of neglecting this issue.
Endnotes
1 ISACA, COBIT 2019 Framework: Governance and Management Objectives, USA, http://store.images-collector.com/s/store#/store/browse/detail/a2S4w000004Ko5aEAC
2 ISACA, “Code of Professional Ethics,” http://je7z.images-collector.com/code-of-professional-ethics
3 Project Management Institute (PMI), “Code of Ethics and Professional Conduct,” http://www.pmi.org/about/ethics/code
4 International Information System Security Certification Consortium (ISC2), “ISC2 Code of Ethics,” http://www.isc2.org/ethics
5 Williams, S.; “Miscommunication in IT Security Leads to Cybersecurity Incidents,” IT Brief Australia, 13 January 2023, http://itbrief.com.au/story/miscommunication-in-it-security-leads-to-cybersecurity-incidents
6 Doerr, J.; Measure What Matters, Portfolio Penguin, USA, 2018
7 United Shared Services Management, “Information Technology Services,” http://ussm.gsa.gov/fibf-its/
8 Karpe, A.; Rigamonti, F.; “Change Management: Empowered With Ethical Leadership,” PMI Global Congress, Barcelona, Spain, 13 May 2016, http://www.pmi.org/learning/library/change-management-ethical-leadership-10163
9 Op cit PMI
10 US National Institute of Standards and Technology, “Fit for Purpose,” http://csrc.nist.gov/glossary/term/fit_for_purpose
11 Uptime Institute, “Annual Outage Analysis 2023,” http://uptimeinstitute.com/resources/research-and-reports/annual-outage-analysis-2023
12 Op cit ISACA, “Code of Professional Ethics”
13 Ibid.
14 Adavade, S.; “Auditing the Unauditable: Ethics and Culture,” ISACA® Journal, vol. 3, 2023, http://je7z.images-collector.com/archives
15 Grant Thornton, “The Cost of Corruption in Tech and Telecom,” 16 February 2023, http://www.grantthornton.com/insights/articles/advisory/2023/the-cost-of-corruption-in-tech-and-telecom
Rajesh Srivastava, CISA, CGEIT, CRISC, PMP
Is an industry veteran with a wealth of professional experience that spans IT consulting, data center operations, managed services, and cloud strategy and operations. He currently manages cloud strategy and operations at 3M’s healthcare revenue cycle business vertical. Having collaborated with diverse IT organizations of varying sizes, Srivastava has gained valuable insights into the core functions of IT and the day-to-day challenges in delivering them, ranging from process maturity to internal bottlenecks. He is passionate about educating and raising awareness regarding internal bottlenecks and mitigation methods to achieve overall IT service quality goals.