Risk // Compliance
9/25/2013
01:52 PM
100%
0%

You Are Not Over Budget -- You Underestimated

When forces align to underfund IT projects, they guarantee an ugly finish

We all know horror stories of IT projects that run over budget, deliver the wrong result, or simply fail to cross the finish line at all. I bet you've been involved with such projects.

Even if businesses and governments rarely admit it publicly, IT disasters are more common than IT successes, and it's a rare project that actually delivers a great solution on time, within budget.

No single type of project is immune. The victims include software development, hardware upgrades, compliance efforts, security measures, and, in a twisted irony, even audits of other IT projects.

If the failure of these toxic projects weren't bad enough, their failure spreads in a ripple effect -- or a tsunami effect, considering the potential loss -- since late, overbudget projects likely have operational, compliance, and security shortcomings. This creates corrective projects, with their own risks of budget and schedule issues, to address the failures of the original, late, overbudget projects.

Generations of new approaches in project management, years of new technology, and thousands of new project tools have attacked the problem, but the chronic failure to deliver on time and within budget persists.

The problem is so common that nontechnical management has become almost universally skeptical of all IT projects. Many would rather buy a used car from a shady lawyer than commit to another large IT effort. Who can blame them?

So why do IT projects continue to run late and over budget? Why are we apparently powerless to correct a problem we have defined so thoroughly? Are we not learning the right lessons? Is the pace of technology overwhelming our ability to implement it? Are we just stupid?

I suggest that we can't solve this problem because we are trying to solve the wrong problem. Many, if not most, of these failed projects are, in reality, neither over budget nor overdue. It's much more likely that they are underestimated, not only for cost but also for time required.

Before they even start, these projects are destined to fail to meet either budget, time tables, or benchmarks.

The worst part of this problem is that everyone is complicit in this conspiracy of accepting, and contributing to, an appallingly high amount of failure.

Nontechnical management and staff often do not understand the "magic" of IT, so they focus their pressure on two things they do understand: cost and scope.

Many in management dislike the very nature of IT in business -- the seemingly endless demands for funding, like a hungry teenage boy who always wants another pizza. Out of frustration, these managers start drawing the line on cost without due consideration to the lowered odds of success. Or for a given cost, they cram in more requirements -- you know, to "get their money's worth."

Technical professionals are equally responsible and in a lot of different ways. The worst is the often-fatal group-created (and group-reinforced) false optimism. "Sure, we can pull that off!" is the groupthink of an entire industry filled with smart people who seek opportunities to show others how smart they are.

Some others allow their underestimated projects to become bloated because they are genuinely powerless to say no.

Everyone involved is at least sometimes guilty of poorly matching deliverables to realistic cost. If the project budget increases, so does the scope. The odds of delivering successfully drop accordingly, and everyone was a contributor in building a booby trap for themselves and their co-workers alike.

When outsourced bidding is involved, you get a deadly mix of 1) intentional low-ball bidders (win on price, hit them with change fees); 2) inadvertent low-ball bidders (they genuinely don't understand their under-estimated winning bid may put them out of business); and 3) decision makers who are not equipped to evaluate bids using success as a metric.

In fact, in bid situations, low-cost-limited success usually beats higher-cost success.

This problem will only be resolved when IT and non-IT leaders learn to be grown-ups about cost, time, and realistic expectations. To save real time and money requires uncommon professional discipline. In the end, it may be too much to ask of people.

Glenn S. Phillips agrees with Walt Kelly, "We have met the enemy, and he is us." Glenn is the president of Forte' Incorporated where he works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. Glenn is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish. Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-4801
Published: 2014-12-18
Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manager 2.x through 2.0.1.1, 3.x before 3.0.1.6 iFix 4, 4.x before 4.0.7 iFix 2, and 5.x before 5.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.