You Are Not Special

It is not my intention for this to sound harsh, but I think that it has to be said: “You are not special.”  And by “you” here, of course, I mean your business.  The organization that you, as an IT practitioner, support.  For decades we have heard complaints about how modern education systems attempt to make every student feel unique and special, when awards are given out schools attempt to find a way, especially with elementary students, to make sure that every student gets an award of some sort.  Awards for best attendance, posture, being quiet in class or whatever are created to award completely irrelevant things in order to make every student not only feel like part of the group, but to be a special, unique individual that has accomplished something better than anyone else.

This attitude, this belief that everyone is special and that all of those statistics, general rules and best practices apply to “someone else” has become pervasive in IT now as well, manifesting itself in the belief that each business, each company is so special and unique that IT industry knowledge does not apply in this situation.  IT practitioners with whom I have spoken almost always agree that best practices and accumulated industry knowledge are good and apply in nearly every case – except for their own.  All of those rules of thumb, all of those guidelines are great for someone else, but not for them.  The problem is that nearly everyone feels this way, but this cannot be the case.

I have found this problem to be most pronounced and, in fact, almost exclusive to the small business market where, in theory, the likelihood of a company being highly unique is actually much lower than the large enterprise space of the Fortune 100 where uniqueness is somewhat expected.  But instead of small businesses assuming uniformity and enormous businesses expecting uniqueness the opposite appears to happen.  Large businesses understand that even at massive scale IT problems are mostly standard patterns and by and large should be solved using tried and true, normal approaches.  And likewise, small businesses, seemingly driven by an emotional need to be “special” claim a need for avoiding industry patterns often eschewing valuable knowledge to a ludicrous degree and often while conforming to the most textbook example of the use case for the pattern.  It almost seems, from my experience, that the more “textbook” a small business is, the more likely that its IT department will avoid solutions designed exactly for them and attempt to reinvent the wheel at any cost.

Common solutions and practices apply to the majority of businesses and workloads, easily in excess of 99.9% of them.  Even in larger companies where there is opportunity for uniqueness we expect to only see rare workloads that fall into a unique category.  Even in the world’s largest businesses the average workload is, well, average.  Large enterprises with tens of thousands of servers and workloads often find themselves with a handful of very unique situations for which there is no industry standard to rely on.  But even so, they have many thousands of very standard workloads that are not special in any way.  The smaller the business not only the less opportunity for a unique workload but the less chance of it occurring on a workload by workload basis because they have so many fewer workloads.

One of the reasons that small businesses, even ones very unique as small businesses go, are rarely actually unique is because when a small business has an extreme need for say performance, capacity, scale or security it [almost] never means that it needs that thing in excess of existing standards for larger businesses.  The standards of how to deal with large data sets or extreme security, for example, are already well established in the industry at large and small businesses need only leverage the knowledge and practices developed for larger players.

What is surprising is when a small business with relatively trivial revenue believes that its data requires a level of secrecy and security in excess of the security standards of the world’s top financial institutions, military organizations, governments, hospitals or nuclear power facilities.  What makes the situation more absurd is that in pursuing these extremes of security, small businesses almost always result in very low security standards.  They often cite needs for “extreme security” for doing insecure or as we often say “tin foil hat” procedures.

Security is one area where this behavior if very pronounced.  Often it is small business owners or small business IT “managers” who create this feeling of distrusting industry standards, not IT practitioners themselves, although the feeling that a business is unique often trickles down and is seen there as well.

Similar to security, the need for unlimited uptime and highly available systems, rarely needed even for high end enterprise workloads, seem an almost ubiquitous goal in small businesses.  Small businesses often spend orders of magnitude more money, in relationship to revenue, on procuring high availability systems compared to their larger business counterparts.  Often this is done with the mistaken belief that large businesses always use high availability and that small business must do so to compete, that if they do not that they are not a viable business or that any downtime equates to business collapse.  None of these are true.  Enterprises have far lower cost of reliability compared to revenue and still do considerable cost analysis to see what reliability expenditures are justified through risk.  Small businesses rarely do that best practice analysis and jump, almost universally, to the very unlikely belief that their workloads are dramatically more valuable than even the largest enterprises and that they have no means of mitigating downtime.  Eschewing both business best practices (doing careful cost and risk analysis before investing in risk mitigation), financial best practices (erring on the side of up front cost savings) or technology best practices (high availability only when needed and justified) leaves many businesses operating from the belief that they are “special” and none of the normal rules apply to them.

By approaching all technology needs from the assumption of being special, businesses that do this are unable to leverage the vast, accumulated knowledge of the industry.  This means that businesses are continuously reinventing the wheel and attempting to forge new paths where well trodden, safe paths already exist.  Not only can this result in an extreme degree of overspending in some cases and in dangerous risk in others but it effectively guarantees that the cost of any project is unnecessarily high.  Small business, especially, have the extreme advantage of being able to leverage the research and experience of larger businesses allowing smaller businesses to be more agile and lean.  This is a key component to making small businesses compete against the advantages of scale inherent to large businesses.  When small businesses ignore this advantage they are left with neither the scale of big business nor the advantages of being small.

There is no simple solution here – small business IT practitioners and small business managers need to step down from their pedestals and take a long, hard look at their companies and ask if they really are unique and special or if they are a normal business with normal needs.  I guarantee you are not the first to face the problems that you have.  If there isn’t a standard solution approach available already then perhaps the approach to the problem is wrong itself.  Take a step back and evaluate with an eye to understanding that many businesses share common problems and can tackle them effectively using standard patterns, approaches and often best practices.  If your immediate reaction to best practices, patterns and industry knowledge is “yes but that doesn’t apply here” you need to stop and reevaluate – because yes, it certainly does apply to you.  It is almost certainly true that you have misunderstood the uniqueness of your business or you have misunderstood how the guidance is applied resulting in the feeling that those guidelines are not applicable.  Even those rare businesses with very unique workloads only have them for a small number of their workloads and not the majority of them; the most extremely unique businesses and organizations still have many common workloads.

Patterns and best practices are our friends and allies, our trusted partners in IT.  IT, and business in general, is challenging and complex.  To excel as IT practitioners we can seek to stand on the shoulders of giants, walk the paths that have been mapped and trodden for us and leverage the work of others to make our solutions as stable, predictable and supportable as possible.  This allows us to provide maximum value to the businesses that we support.

11 thoughts on “You Are Not Special”

  1. It is only a first step to lament about the situation. It could only change if widely acknowledged best practices would exist and be freely available.

    These practices are not (yet) widely acknowledged and often intentionally not made known for security reasons.

  2. Industry best practices are not hidden. The issues that I see, and lament about, are not ones that are hidden. Practices are security are never hidden, security by obscurity is neither a best practice nor secure. But high availability, risk analysis, good practices…. these are all broadly available. Many communities, for example, discuss these and publish them (and vet them) daily. There is much written on best practices and most practices are pretty well established and agreed upon. The biggest issue is that more official channels, like universities, do not participate in the industry and are completely unaware, typically, that standards are discussed and published. This undermines much of this effort, but the information is out there.

  3. So Mr. Miller, please go ahead an tell me, on what URLs a noob like me can find a comprehensive set of best practices how to securely run a data center.

    Thank you!

  4. Best practices are not yet gathered as a single, definitive source. This is true in all industries. Large vendors and standards bodies tend to produce these over time. In the 1990s, Microsoft produced a great number of these for IT, many of which have now been passed down as legend and sadly, only partially understood so they have skewed over time. (See my article “1998 Calling…”)

    Today the biggest collections of best practices are communities like SpiceWorks or MangoLassi where IT experts regularly discuss practices and vet them to ensure that they are updated, realistic and broadly considered. The IT industry desperately needs more oversight as the university system, which produces best practices for most industries, has failed so dramatically that utilizing it itself could be considered not to be a best practice.

    One of the goals of this publication is to often public accumulated knowledge after it has been heavily vetted in such communities.

  5. You show a very special understanding of “best practises”.

    For engineering in electronics, aviatics etc. this means a set of publications containing the aggregated consensus.

    I said that this is not available for IT, you contradicted, but then you proved my point.

  6. But I provided sites with aggregated consensus, published information. It might not be in the handiest form factor for you, but it meets all of your stated requirements.

  7. To make those practices handier, I have been working to publish many of those aggregated, vetted consensus information here so that people can find the data in a more singular location rather than pouring through what amount to RFCs, practically, in which the data is arrived at.

  8. I highly reccomend a book, The Practice of System and Network Administration by Thomas Limoncelli and Christina Hogan. It doesn’t tell you what technology to use, or how to configure it, but it does discuss what services are necessary, areas of responsibility, tactics for getting buy in from users and management, etc. It should be required reading for all IT persons. You won’t find a chapter on how to configure Active Directory, but you will find a chapter discussing the merits and pitfalls of centalized account management and another on centralized management of machine configuration.

    http://everythingsysadmin.com/

  9. This is an issue that comes up often when we talk to customers and prospective customers.

    We offer a self-service, cloud-based solution that should cover 90% of the diagramming needs of most SMBs. However, many of our SMB customers feel that their edge case is so strong that they cannot use our product unless we customize it just for them.

    In reality, most of these SMBs should not (and cannot) pay us for custom development work. Do you have any suggestions for how we can reframe the conversation around how SMBs should adapt their needs to existing tools, rather than the other way around?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.