IT consulting model flawed?
I had a discussion about IT consulting methodology while speaking about Risk Assessments at Northwestern University when a thought popped into my head regarding how the traditional IT consulting methodology is flawed.
The traditional IT consulting methodology usually consists of the following components:
- Assessment
- Planning
- Pilot
- Execution
- Documentation
This process has a corollary in the pure application development world referred to as waterfall development. Waterfall development is a process in which you take a set of requirements, build a plan, have a team of developers go off and write the code, test the code, and then release the product.
The main problem with the waterfall model is its inability to adapt. The waterfall project is split into separate stages and forces developers, project managers, and the end user to commit to an outcome early on, even before the team knows how they will implement something. Changes in a waterfall project are expensive, very expensive, because everything has to stop and essentially start over in many places. We have seen over the past 20 years that this process doesn’t work. We see how applications consistently fail to function or perform as expected. Essentially, this means the waterfall methodology is not good for projects that have changing requirements or requirements that are not well defined or understood. Sounds like your standard IT project to me.
So why would we apply this process to IT consulting, and especially to IT Security? The main reason is that the waterfall consulting methodology, if you will, does serve one purpose well – it can estimate costs rather easily, because the methodology assumes everything is known upfront. Are initial cost estimates so important that organizations are willing to jeopardize the schedule and success of a project? I don’t think so. Budgets should be a means to an end. Would you really consider sacrificing or diminishing the ends to hit some estimate of the means? On-time delivery and successfully meeting the changing requirements are much more important than a specific, exact cost estimate. Plus, how many projects actually meet their initial budget?
The alternative approach that has emerged for us came from our IT Security practice, where the traditional methodology was completely inadequate to keep pace with the tools, threats, and techniques. The approach is quicker, iterative, much more agile, and able to incorporate new learning. Now, remember, we’re talking about real IT Security here, not just the application of the latest tool, patch, or window-dressing. When we talk security, we’re not talking about the usual FUD hysteria followed by a sales pitch; we’re talking about a “bit’s eye view” of the data flow – where is it vulnerable, where does it linger, who is authorized to alter its flow, etc. We find this Agile Service Delivery, applied more broadly to IT consulting projects and even application development, will reduce cost and time and increase the success of critical long-term projects.
Can we take the next logical step and apply this approach more broadly than just to technology? Yes. The new enterprise is concerned with protecting, optimizing, and leveraging its data. To achieve those objectives, the same iterative approach has been adopted through the implementation of frameworks such as ITIL that demand constant measurement and reassessment.