How Do You Know What Your IT Department is Really Doing?


How do you know that the decisions they make and the actions they take are in the best interest of your business? Are you often uncomfortable with answers you get from your IT staff or not quite sure you buy in to what they are telling you and feel like there might be a better way to do something? Do you often wonder if your company’s critical data is being backed up or if you could recover in the event of a disaster or interruption to your operation? Is your IT department left to their own devices – in other words, do you have any checks and balances in place that can validate what they do and how they do it? If you answered yes to any of the above questions, it’s a good idea to take action now and assess your systems and network so you can be in control.

Most small-to-medium-sized businesses (SMBs) today require the same capability in Information Technology as that of a larger company. However, many smaller companies often do not have a sufficient budget to support the required IT infrastructure. When a company does not have a sufficient budget, it often leads to a homegrown IT department (an employee assigned from within the company) or hiring individuals without the proper training and experience – sound familiar? As your company evolves, applications and business processes that rely on IT increase and require a more complex IT infrastructure. This puts an even greater strain on your IT staff that may not have been qualified for the job to begin with.

Over the past 18 years, IT assessments have by far been our most popular engagement. It’s often the first service we provide in a new relationship, whether it is to begin an outsourcing arrangement or to provide a health check on the network and its associated systems. It is the quickest way for an organization to gauge the state of its environment and know if there are problems that need to be addressed. An IT assessment is perhaps the single smartest investment a business can make. As a business owner and IT professional, I find the findings of these assessments very concerning, and I feel compelled to write this article and stress the need for business owners and senior management to take initiative and understand what is really going on within their IT department. Ultimately, you are responsible.

Signs to watch for. An assessment is a wise investment at any time, and you should budget for at least one annually, especially if you are not currently in some type of support arrangement where an outside firm is working with you on a regular basis. There are some signs that you should pay attention to which will motivate you to move on this. The two types of signs you would most likely encounter are glaring performance issues and others that are not so glaring – what I would refer to as subtle or passive-aggressive.

Glaring signs will be evident in the everyday performance of the IT systems, and you will notice things such as slow or unavailable applications, quirky workarounds and intermittent performance with simpler applications such as printing and email. You may also notice that seemingly simple administrative tasks are taking a long time, such as setting up a share on the server and granting access for a group of end users.

Other signs will be more subtle and you have to learn to trust your instincts—it’s not in your head. Acting on your suspicions will likely be the single smartest move you make in your company with regard to IT. Be observant as to the lack of documentation and short answers with no detail or back-up. Also, pay attention to IT staffers who are defensive or cut you off, take a long time to get back to you with answers, are generally evasive or avoid certain matters and make you feel as if a problem or situation is too complicated for you to understand. If you pick up on any of these signs, there is most likely a deeper underlying issue.

One last sign that is the most dangerous is when you have a person that can elaborate in great detail about something but it still doesn’t make sense to you. In those situations, the IT person may very well believe what he or she is telling you is the case but it just doesn’t make sense to you. Always make certain to pursue the situation until you fully understand it.

What we typically find. In more than 80% of our assessment engagements we find inadequate IT practices, and the majority of these companies are unaware! For the majority, they have left the IT staff to their own devices, meaning they have not put in place any type of control framework that would promote best practices and provide a means of checks and balances. We typically find inadequate or ineffective backup strategies, no business continuity / disaster recovery plan, lax security measures, absence of industry accepted best practices, and inconsistent procedures. This means that the IT staff is usually in over their heads and flying by the seat of their pants—or in react mode.

Why are they operating like this? Many tell us that there isn’t enough time and that they don’t have enough resources. Others tell us that what they are doing has always worked and that they never had a problem, so why change?

What you can do about it. The best way to uncover what is really going on within your IT department is to have an assessment conducted by a reputable IT consulting firm. This assessment should be a technical review of your IT network and systems. It is important that you request an assessment and not an audit. Although the assessment will typically look for evidence of controls and adherence to a set of specifications or control framework, it should be a valuation of your practices and not an audit from a security risk perspective. The main objective should be to provide you with a professional opinion and insight as to the technical soundness of your IT environment from the perspective of conventional practices utilized in the industry.

If you have a feeling of uncertainty about your company’s IT practices, trust your instincts and act on them. The biggest mistake you as an equity stakeholder or senior manager in the company can make is to do nothing. Don’t put it off—you owe it to yourself and your company to take control.


Mike Polce is the President and Principal Consultant with M. A. Polce Consulting. For questions or comments, Mike can be reached at
