This may sound insulting, but the fact is that almost all companies are not really competent to buy, manage and handle the lifecycle of technology for the enterprise. In most cases they are incompetent at the security aspects of physical infrastructure. If you have already invested in some physical infrastructure, it may not be cost-effective to eliminate it, but you should seriously consider the real need for each addition to the physical infrastructure you manage.
Why almost all companies should NOT be managing the technology they use:
1) In many cases, do not know which technologies are the most cost-effective, most easily managed, best tools to use.
I have been in companies that simply buy the most expensive, fastest servers (financial industry) as if they were buying sports cars. Which router do you buy? What is the best choice of hardware memory, CPU speed and number of CPUs for your organization? Assuming you buy the hardware for a specific application, what happens when that application changes and different hardware is needed? Do you need SDN? Would it be helpful? Most companies make these decisions because of a relationship with a specific vendor or because some individual has become infatuated with a particular technology. Few have the discipline to make the choice taking into account the full cost of the choices they make.
2) Do not know how to manage the lifecycle costs and usually have not considered the full cost of technology maintenance in their calculations.
What happens when that shiny box you bought is 3 years old and there are dozens of newer boxes 5 times more powerful? How do you handle situations where you have high maintenance costs for a technology? Do you keep maintaining it or move to something with lower maintenance costs? What happens if you have to keep this technology in the company for 10 or 20 years? How do you handle integrating it with new technology and keeping it alive?
3) Do not know how to share the resources or may not even have the ability to share the technology effectively.
You buy or have bought expensive new technology. Do you know how to share this technology within your organization to get the most cost-effectiveness? In many cases it may simply not be possible to share the technology across your organization sufficiently to gain maximum cost savings. Have you fully considered the costs of wasted servers and wasted hardware sitting idle much of the day or underused? Consider the energy or environmental cost as well as the financial burden.
4) Do not know how to maintain the technology they purchase or decide when it is a good idea to sunset a technology and move on. They will continue using antiquated technology well beyond its intended lifetime.
Most companies, if they use a technology successfully, will keep that technology around virtually forever. Many older companies are still running IBM mainframe software for critical business functions. In many cases this costs them billions per year. While in those cases it may be justifiable to keep that technology alive, no sane CIO should consider repeating this and investing in technology today that will be costing billions years and years from now, considering that there is NO NEED to do this. With the cloud you can minimize those kinds of longer-term dependencies. You may find it hard to unravel old decisions that were justified and continue to be worthwhile, but most companies can choose shared resources, which put the maintenance burden on a separate organization to be shared among many companies.
Most companies don’t manage their hardware or software maintenance well, leading to more downtime, unexpected outages and more cost than they need.
5) They do not know how to manage the security of the technology they have and frequently have attacks and losses due to badness, i.e. poor practices, poor maintenance, lack of knowledge or employee training.
Security in today’s age of government spying and hacking from all over the world is a tough, sophisticated job. Most companies experience dozens, even more than 100, security incidents a year. The average company applies security patches to critical software 30-60 days after the vulnerability was discovered. This 30-60 day window means that most companies are effectively completely vulnerable to sophisticated attackers. It is expensive and hard to train employees on best security practices and to monitor and track every possible avenue of loss.
6) Not competent to interview and assess who to hire to do 1-5.
Even if, after reading all this, you decide your business requires you to purchase technology and manage it yourself, are you competent to hire the right people to do the jobs above? Do you even know the right questions to ask? How are you sure they are doing the best job, and that the best practices are being employed well? How do you manage such assets? What if you lose such assets? I have worked at companies whose job was to provide security technology, or banks where they had high standards for security or needs to maintain technology competence, yet they frequently fell below the bar. Hiring and retaining the talent needed to do these tasks at a high level is nontrivial.
Most companies are not in the business of technology, and it is a waste of their time and energy to manage technology. Most companies are not technology companies. Although more and more need to consider technology as a key part of their business, that doesn’t mean they need to manage the technology they use.
In this age of rapid evolution of technology and the connected business, almost every business deals with technology as an important part of its business, but that doesn’t mean it needs to own everything or manage everything. You should very carefully consider which things are worth the significant investment of owning or managing the technology yourself.