Much has been written on how technologies move thru the commoditization curve; from new innovations to mature systems. Some of our clients are struggling with a new twist resulting from this repeating, but increasingly rapid, trend. The level of skill expected and required for mature information systems is so high that it becomes difficult to hire staff with the mandated expertise to satisfy more than one role. So, how can your company respond to this challenge?
While there are many brilliant workers with wide experiences and, more importantly, the ability to quickly embrace new concepts and technologies, they may be disqualified because they lack industry required credentials. In other words, it’s difficult to find people with the necessary depth demanded by today’s increasingly diverse information technology (IT) industry. For a large IT department, this is not a problem. But for small and medium sized businesses this is a huge challenge. How can you locate and hire people with deep strength across a diverse range of technologies and skill sets?
We are seeing this imbalance mostly with the network security administration role and with computer programming for mobile tablets and smart phones, such as Android tablets and iPhone’s. In the case of network security, people who support PC’s and provide general user support are also expected to be super-experts on the latest network hacker threats…which often originate overseas from penetration experts who are sponsored by organized crime or even foreign governments. The work force is expected to match up to specialists with the latest training and threats to firewalls and devices from persons with ill-intent who are often times outside the bounds of U.S. law.
To illustrate this issue, consider this job posting from the web site www.dice.com; DICE position identifier 417589 as shown on September 6, 2011 for a Business Systems Analyst. I repeat; this is a posting for a business systems analyst; someone who designs IT systems. Check out the amazing list and range of required skills; most of which are unrelated to systems analysis.
- 3+ years risk management in a public accounting firm
- COSO framework
- HIPAA (health related) compliance
- Sarbanes-Oxley compliance
- PCI-DSS (credit card security related) compliance
- “Deep database expertise” with all of
- MS Access
In addition to these required skills, the client desires:
- Certification – CISA: Certified Information Security Analyst (sic: the posting contains error on the CISA designation description)
- Certification – PMP: Project Management Professional
- Certification related to SQL
- Certification related to MS Access
- Certification related to Oracle
- Certification in Microsoft Office suite of applications
Out of the billions of humans on the planet, there are probably less than a hundred people with this precise skill set. This job posting is surprisingly typical, and thus contributes to the point of this article. It’s not just that the hiring company wants someone with a broad range of skills, it’s that the candidate should have certifications and “deep” experience in so many areas. What are the odds that such a candidate will be found? The probabilities are very small. And, so the employer will be forced to divide these responsibilities among more-than-one person or take other steps as outlined below.
Why Is This Happening?
- IT is getting more complicated! Way back in the mainframe days, a company’s systems were indeed complicated but they were likely purchased all from one vendor; IBM being the default. At least it was clear which skill set was required. Then came personal computers running Windows, then the famous 3-tier client-server architecture, which required skills in at least 4 technologies. More recently, with the adoption of wide-spread internet, smart phones and pads, we are seeing an explosion in the number of end-user computing devices which must be supported. While this growth in mandated technologies is not necessarily exponential, it certainly is increasing by the decade.
- Regulatory and governing bodies expect perfection! Twenty years ago you could explain to the CEO (as I did) and the Audit Committee of the Board (if IT actually had any kind of access to the Board) that the new system was implemented, but there were still 6 high priority and 30 other defects that are being addressed in the near term. While you would get verbally rebuked for this…you would still have your job. Since then, there have been multiple scandals, a major banking-driven recession and lawsuits against directors. That same list today would virtually assure your termination. What are the odds that in 2011, with our current climate in Washington D.C. and the courts, anyone would allow going “live” with a system with 6 known high-severity defects? The expectations are higher today, and the risks greater.
- The ever-faster movement into new technologies cuts the learning time for existing staff. They must either learn the new technologies faster or get out of the way of outside experts. In either case, it’s harder to retrain existing staff to embrace new technologies in the required timeframes.
- This point may be controversial, so I apologize in advance! As the need for more specialized skills becomes more acute, the professional associations and societies which attempt to guide them are spinning out ever-more certifications. While this seems to have short term benefit, such as more revenue for the sponsoring organizations and seeming relevance to company needs, the long term impact of these new certifications is confusion and dilution of their market value. Take for instance the association which I particularly appreciate and am a long-time member, the Information Systems and Control Association (ISACA). This organization has been very helpful over the years and, historically, they promoted two certifications; one for the person who implements controls, the CISM, and one for the person who audits, the CISA. But these two well-understood certifications have doubled into 4 much-less understood ones. The organization has reached out to the IT Director with CGEIT, and sideways into the CISA/CISM with a special certification that only addresses the risk assessment portion of those other two certifications (CRISC).
Are you confused? Many of us are; and you can only imagine the confusion in the marketplace with HR hiring professionals and CIO’s. The proliferation of certification credentials is not necessarily a good thing. It makes it more difficult and profoundly more expensive for an IT person to merely maintain credentials. And it tends to convey “disqualification” when someone with many years of relevant experience, but not the latest focused certification, is missing those letters behind their name. This trend forces specialization in IT.
Refine Job Descriptions
If my assumption is correct, that there is a higher-than-ever need for specific and yet diversified skills, then what is a company to do; particularly a small or medium sized business? Here are some suggestions.
There are three roles which are, as yet, minimally affected by the specialization craze. For these roles you should seek smart business people who can smell opportunities and profits…and forget all the other “pretend” or relatively short-term requirements: Instead hire someone with proven business expertise.
- VP of IT, Director of Information Technology, Manager of Information Systems; we don’t care what you call it, but the senior most IT person needs to be a smart business person and secondly a technologist. Find the person with a brilliant sense for profitability and a general adaptation to technology. Knowledge of any particular information technology is not relevant to this position. Hire a business manager with a comfort for IT and an overwhelming knack to smell-out corporate growth and profit.
- Project Manager; the benefits of hiring a person who appreciates the core value-add benefits of the role remain unchanged! Define scope, control changes, etc. These are timeless principles that transcend any particular technology. Seek someone with the Project Management Professional (PMP) designation as this certification is still very-much focused on the core steps to project success.
- Business Analyst – This role is about changing the business and moving it forward. The exact technologies required to do this should be considered less important. But the requirements of the positions seem to extend beyond short term technological needs and are based, like the IT Director, on a passion for profits. In spite of the Dice.com job description highlighted above, most persons in this role are expected to understand the business and drive growth, and not necessarily be technicians.
What To Do
Here are some ideas on how to handle the specialization evolution.
- Support innovation on new IT systems but press hard on the established ones. You should distinguish between established business functions and innovative capital expenditures. While an in-depth discussion on the capital expenditure/depreciation implications is beyond the scope of this article, there is one overriding point. While yesterday’s ideas were considered innovative, today they are commodities. Annually re-categorize all IT expenditures into one of these two buckets; Innovation or proven. Proven IT systems require a never ending drive for cost reduction, stabilization, low cost support, and low cost operation. There is no excuse for a senior IT manager to pander to IT staff who think their work is still innovative, even though it was long-ago widely-adopted. Follow the 2 year rule; after 2 years any implemented IT system requires aggressive cost reduction and stabilization approaches. Don’t continue to treat over-two-year old innovations as creative or innovative solutions.
- Select technologies that allow “develop-once” and “deploy-many” type implementations. For example, it’s possible today to develop mobile applications that can be easily (within 3 hours) recompiled to run across all major mobile devices. Write it for the iPhone/iPad and within hours also deploy it to the mega-market for Android devices. This meets everyone’s definition of “leverage.”
- Whether “good” or not, this environment is further fueling outsourcing. I am not necessarily a fan of “outsourcing” but rather a fan of results! When special skills are required a company should, obviously, first determine whether existing staff can address the need. Only when this answer is “no,” companies should consider whether specialized IT consultants can fill the need. There is always someone somewhere in the world who can address your need. But whether you should hire them triggers another set of questions which are beyond the scope of this article. You should be aware that you can hire someone with practically any specific skill these days.
Outsourcing is the “inescapable trend” that seems to affect everyone. It has almost as much power as the current hot topic; cloud-computing. While this author is ambivalent whether or not companies should outsource to the cloud, they need to do as much as possible with their limited IT expenditures and that will take some due-diligence from the IT leaders. So this trend that requires company IT departments to quickly adapt new technologies also fuels the medium term outsourcing craze. You may contact us for evaluations of specific in-house or outsource decision advice.
We expect the IT specialization trend to continue. Many industry gurus have projected that the rate of change in our world will only increase. Whether the rate of change accelerates or only continues as-is, we still believe that governmental regulations will mandate ever-more demanding skills from your IT staff. It is simply not reasonable to expect that your usual group of trusted staff can satisfy the exploding requirements. We recommend that you establish a strategy to address all stakeholder interests to mitigate the risks of shareholder value destruction.
Articles by Jerry Norton
- Implementing privacy policies
- Assessing Cloud Computing Agreements and Controls
- Accounting technology is SEC-approved, so now what?
- Cheap green servers are a pleasant surprise
This is an article reprint from the Governance Issues™ Newsletter, Volume 2011, Number 4, published on October 25, 2011
The opinions expressed herein or statements made in the above column are solely those of the author, and do not necessarily reflect the views of WTN Media, LLC. WTN Media, LLC accepts no legal liability or responsibility for any claims made or opinions expressed herein.