My agent said ‘You’re not good enough for movies’. I said, ‘You’re fired’. ~ Sally Field
Growing up I was taught that “if it’s worth doing, it’s worth doing right”. The problem is that IT departments all over are being asked to do more with less. This leads to both more efficiency and more reliance on automation and tools. It also leads to cutting corners.
When corners are cut, the risks we face also increase. If a hard drive isn’t wiped before being put on the shelf, there are risks of both data loss and under-licensed software. When computers are purchased and not recorded in inventory until they’re deployed, there’s a risk of losing that equipment before it’s even been used. When assets are deployed without having owners or locations logged, there’s a chance the assets could be lost. Any missing steps are going to add some risks.
But what if we use drive encryption? What if the IT staff handles all facets of ordering, receiving, inventory, and deployment? What if assets never leave the building they are in? I was also taught that “an ounce of prevention is worth a pound of cure”. There is a business term called “acceptable risk”, which means that there is a level of loss that is tolerable to a business, society, and authorities based on social, political, and cost-benefit analysis.
In ITAM, best practice means just that. We do the best we can to save money and mitigate risks for our organization through process and procedure. When a change occurs and we are forced to start doing more with less, we should really do that cost-benefit analysis and decide what is our acceptable risk before we start skipping steps. Processes and procedures are “living documents”, which means they change over time to fit the environment. Part of the cost-benefit analysis should include process review to make sure we only cut steps where there is an acceptable risk.