Is Bimodal IT a Useful Concept for Security?
Facing the complexity of modern organizations and their increasing difficulty adapting to business, technology and social change, pundits coined the term “Bimodal IT”. Since 2014, IT analysts such as Gartner have based much of their work on Bimodal IT as an analytical framework.
According to Rod Trent at Windows IT Pro “Bimodal IT is the concept where two distinct IT methodologies exist in the same company, sometimes in two separate teams. The Agile IT team handles the growing needs of the business while Traditional IT continues doing the day-to-day work of ensuring the business technology functions appropriately and securely. Agile IT rolls out today’s updates, changes, and quickly evolving technologies, while Traditional IT continues to develop the long-term plans and goals, manages technology budgets, and takes a disciplined approach to deployments.”
But Wired’s Jason Bloomberg disagrees with the bimodal IT concept, asserting that it’s based on a misunderstanding of agile methodology, which itself embraces a stepwise approach. Bloomberg argues that instead of maintaining an ossified Traditional IT, organizations should transform it in a stepwise manner into an Agile IT.
An intelligent security architect should be able to hold two equally convincing but contradictory ideas in mind at the same time and make sense of them. In my view, whether or not to embrace bimodal IT as an architectural approach depends on your time horizon as well as context:
- Traditional IT often cannot be transformed over the short term. Bimodal IT may be a good rationalization for setting free those parts of the organization that are more flexible, or entering new business areas and operating modes, to follow an Agile IT methodology.
- Over the long term, bimodal IT shouldn’t be used as an excuse to delay transforming Traditional IT structures after they begin to outlive their usefulness.
- For medium to high risk information systems, Traditional IT embodies more proven methodologies and may tend to stick around.
What do you think? When it comes to security and risk management, is Traditional IT more appropriate for medium to high risk situations? Or will we evolve to more secure forms of Agile IT? Can an old dog learn new tricks?