Risk //

Compliance

9/25/2013
01:52 PM
100%
0%

You Are Not Over Budget -- You Underestimated

When forces align to underfund IT projects, they guarantee an ugly finish

We all know horror stories of IT projects that run over budget, deliver the wrong result, or simply fail to cross the finish line at all. I bet you've been involved with such projects.

Even if businesses and governments rarely admit it publicly, IT disasters are more common than IT successes, and it's a rare project that actually delivers a great solution on time, within budget.

No single type of project is immune. The victims include software development, hardware upgrades, compliance efforts, security measures, and, in a twisted irony, even audits of other IT projects.

If the failure of these toxic projects weren't bad enough, their failure spreads in a ripple effect -- or a tsunami effect, considering the potential loss -- since late, overbudget projects likely have operational, compliance, and security shortcomings. This creates corrective projects, with their own risks of budget and schedule issues, to address the failures of the original, late, overbudget projects.

Generations of new approaches in project management, years of new technology, and thousands of new project tools have attacked the problem, but the chronic failure to deliver on time and within budget persists.

The problem is so common that nontechnical management has become almost universally skeptical of all IT projects. Many would rather buy a used car from a shady lawyer than commit to another large IT effort. Who can blame them?

So why do IT projects continue to run late and over budget? Why are we apparently powerless to correct a problem we have defined so thoroughly? Are we not learning the right lessons? Is the pace of technology overwhelming our ability to implement it? Are we just stupid?

I suggest that we can't solve this problem because we are trying to solve the wrong problem. Many, if not most, of these failed projects are, in reality, neither over budget nor overdue. It's much more likely that they are underestimated, not only for cost but also for time required.

Before they even start, these projects are destined to fail to meet either budget, time tables, or benchmarks.

The worst part of this problem is that everyone is complicit in this conspiracy of accepting, and contributing to, an appallingly high amount of failure.

Nontechnical management and staff often do not understand the "magic" of IT, so they focus their pressure on two things they do understand: cost and scope.

Many in management dislike the very nature of IT in business -- the seemingly endless demands for funding, like a hungry teenage boy who always wants another pizza. Out of frustration, these managers start drawing the line on cost without due consideration to the lowered odds of success. Or for a given cost, they cram in more requirements -- you know, to "get their money's worth."

Technical professionals are equally responsible and in a lot of different ways. The worst is the often-fatal group-created (and group-reinforced) false optimism. "Sure, we can pull that off!" is the groupthink of an entire industry filled with smart people who seek opportunities to show others how smart they are.

Some others allow their underestimated projects to become bloated because they are genuinely powerless to say no.

Everyone involved is at least sometimes guilty of poorly matching deliverables to realistic cost. If the project budget increases, so does the scope. The odds of delivering successfully drop accordingly, and everyone was a contributor in building a booby trap for themselves and their co-workers alike.

When outsourced bidding is involved, you get a deadly mix of 1) intentional low-ball bidders (win on price, hit them with change fees); 2) inadvertent low-ball bidders (they genuinely don't understand their under-estimated winning bid may put them out of business); and 3) decision makers who are not equipped to evaluate bids using success as a metric.

In fact, in bid situations, low-cost-limited success usually beats higher-cost success.

This problem will only be resolved when IT and non-IT leaders learn to be grown-ups about cost, time, and realistic expectations. To save real time and money requires uncommon professional discipline. In the end, it may be too much to ask of people.

Glenn S. Phillips agrees with Walt Kelly, "We have met the enemy, and he is us." Glenn is the president of Forte' Incorporated where he works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. Glenn is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish. Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
6 Reasons Why Employees Violate Security Policies
Ericka Chickowski, Contributing Writer, Dark Reading,  10/16/2018
Getting Up to Speed with "Always-On SSL"
Tim Callan, Senior Fellow, Comodo CA,  10/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Too funny!
Current Issue
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.