IT Audit

It is an experience I have had several times, and about which I have developed a clear understanding over the last fifteen years. Nothing has changed. The criticality of the problem ranges always from inefficient use of resources to the possibility of an imminent loss of all data. In this regard, I am often asked the question – how did you know it was going to happen? My answer is that I have statistics directly from each device and monitoring system. I acquire information about users from access control systems and the tasks they perform, I personally communicate with department heads, and I have some information about users: their level of knowledge, efficiency and problems over request ticket systems.   

This audit was an exception. What follows is a formal presentation I made to the company owners in their office. 

The failure within IT to understand what is really happening is epidemic. This leads companies to misjudge their specialists and mismanage their teams. People who run companies think in terms of buying resumés, diplomas and other documents that appear to show employee skills but don’t allow them to achieve their business goals. In order to do this, you need to hire a specialist who can problem solve. You see your current CIO as a person who can explain everything in a meeting, an educated and clever guy who can write code and maybe even hack the Pentagon. But that’s an imperfect understanding of where security risks come from nowadays. In truth, I am glad that we found so many problems last month that haven’t caused any damage yet and just provide a lesson. I think it would be good to get them off the payroll, which could open up all kinds of interesting possibilities for the company, not only for today but for the foreseeable future. *

I can point to social skills as a central problem in the IT sphere, and a highly qualified team may not comprise positive, cooperative and communicative people. That is just one factor amongst many. For example, let’s pretend we have a team that has to update some infrastructure this weekend. The team has been together for a few years and has solved many problems together. The question is: what happens if the day before the update, one member has a birthday party, a second is invited to a parent-teacher meeting at his child’s school, while a third has been detained by traffic police and is going to attend court to challenge the fine? Even if they all come to work and begin the update, their efficiency would be affected and the result would be below average. Here we come to the term ‘Fundamental attribution error,’ which refers to situations where we plan something but achieve less because of something that lowers our expected outcome (sometimes overrated). It happens regularly with this team.. 

Summary: Social psychology and statistical analysis provide methods and parameters that can improve organizational processes, but they won’t do the actual work. Additionally, it is very closely related to practice. College students can vigorously discuss the theory of depressive realism, but struggle with ‘regression towards the average’ because of lack of life experience. Even if you have had social psychology in your educational background, I definitely recommend you revisit it to clarify what is happening in your team, company and life.   

Additionally, let’s look at the real-life story that may be found using the phrase “Microsoft Azure outage in Brazil caused by typo”. In short, a team deletes the company’s Latin American region customer data and spends 10 hours restoring it because of a problem with the backup system, and it was all patched up. LIke many IT departments, they probably just went out and celebrated without considering the source of the problem. In this case it can be described in social psychology terms like “illusion of control.” You could write an entire book on this single event. 

* Moneyball, 2011. Statistical evaluation of baseball players (applied to IT specialists).


admin Avatar