Core business management is not an IT function.  Even if you’re a “systems” shop, like Cisco, the people responsible for uniting your business personnel in cyberspace aren’t the ones directing business operations.  They do not get to steer the ship, and if they do, you can be sure it will be a rough crossing.  IT can no more make core business purchasing decisions than HR can.  These are support functions in an organization, but sometimes that gets forgotten.

The problem is that IT doesn’t know the business.  No matter how hard they try, they cannot share the exact same viewpoint or face the same risks as a core business unit, and any direction they offer reflects their own interests.  This is normal, natural, and nothing to be upset about.  What is upsetting is when that reality is ignored and systems are purchased by people who aren’t the responsible business unit.

We’re not saying that IT shouldn’t make IT purchasing decisions, because that’s the exact opposite problem.  But when it comes to core business systems, IT’s role needs to be purely advisory, and the business unit responsible needs to be the one making the final decision, even if it goes against IT’s advice.

The rub is that this only works if the business unit is in capable hands and is held responsible for any mistakes in decision making.  In many cases it isn’t, and this leads to a clash of wills when a senior IT person genuinely does know better and advises against the purchase.  Of course, such a senior mind should be capable of persuading any recalcitrant business unit, but sometimes things don’t work out, and the business pays the price.

At any rate, as much as reasonably possible, the business needs to decide what to buy and IT’s role is to support it and advise during purchasing.  This has a beneficial effect for IT by removing them from the decision, almost entirely, and leaving the responsibility with the business where it belongs.

What’s important from the 20,000 foot view is that no sabotage comes into play.  If IT implements something the business didn’t want, the business needs to support it and not undermine the effort.  The reasons for implementing it were solid or it wouldn’t have happened, and if that’s not the case, there are bigger problems than the failed system.  The opposite also holds: IT must support the business’s purchases wholeheartedly.  Any whiff of antagonism must be rooted out and squashed, or the blight may persist and grow.

Business cannot ignore IT input.  If IT makes a case for cost-effectiveness over form, then that cost is real and it goes into the profitability model.  It cannot be disregarded, or IT ends up covering hidden costs that undermine success.

So purchasing delineation needs to be clear.  Business systems are the responsibility of the business heads and IT systems are the responsibility of IT, but the business cannot make its decisions without IT input.  IT can make decisions on IT purchases without the business, unless those purchases impact them.

Keeping the purchasing in line and distinctly defining responsibility is critical to accountability and success, and muddying the waters by having different business areas intermingle purchasing decisions with IT is a guaranteed path to failure.

What’s this got to do with security or forensics?  Well, there are the policies that get generated, which end up being reviewed as part of the audit process, but more importantly, inefficiency and waste in a business, as characterized by poor purchasing habits, lead to system duplication and financial difficulties.  More systems means more attack surface and more potential forensic sources.  Financial difficulties mean security needs get cut (second only to training).  So in a roundabout way, purchasing has a real, discernible impact on security and forensics.

So don’t neglect those purchasing policies during your next non-financial regulatory inspection.  They’re important.