Beneficial Intelligence

Good Enough

June 18, 2021 Sten Vesterli Season 2 Episode 18

In this episode of Beneficial Intelligence, I discuss how to choose what is good enough. 

How do you know when something is good enough? That requires good judgment, which is unfortunately in short supply. 

IT used in aviation, pharma, and a few other life-and-death industries is subject to strict standards. We can lean on standards like the GxP requirements that anyone in the pharma industry loves to hate. However, in the general IT industry, we have lots of standards, but none of them are mandatory. That's why each week seems to bring a new horror story of an organization that believed their IT was good enough and found out it wasn't.

Southwest Airlines learned that first-hand this week. On Monday, they couldn't fly because the connection to their weather data provider was down. On Tuesday, they couldn't fly because the connection from airports to the central reservation system was down. If you don't know who is supposed to be on the plane, you can't fly. They ended up canceling more than 800 flights over two days. 

Obviously, the CIO of Southwest Airlines decided that a single network was good enough. That can be a valid business decision. But you need to make a full comparison. On one side is the cost of redundant network connections and data sources. On the other side is the loss resulting from canceling 800 flights and delaying thousands more. This outage probably cost them around $20 million. If you believe the risk of a $20 million network outage is 0.1%, standard risk calculation says you can only spend $20,000 to avoid it. But if the risk of an outage is 5%, it is worth spending $1 million on redundant connections or other alternatives. 

Everybody in your IT organization who makes major architectural decisions has to know what constitutes "good enough." There might be hard regulatory requirements about data security, privacy, and access control. But there are also judgment calls based on estimates of risk probability and impact. As CIO or CTO, it is your job to teach your organization how to determine what is good enough.

 

Beneficial Intelligence is a weekly podcast with stories and pragmatic advice for CIOs, CTOs, and other IT leaders. To get in touch, please contact me at [email protected]
