The more things stay the same, the more they change.

That’s not exactly how the saying goes, but it is the phrase that should be engraved over every door leading to IT. It’s certainly better than “Abandon all hope, ye who enter here.”

Not a lot has changed since our early days, when IT was EDP and programmers were the high priests of the glass house.

Except for everything.

Luckily, much of the fundamental wisdom of the early days of IT still applies, just in a different, modernized guise. Here are 11 old-school principles that will guide you through next-generation IT, and the fundamental differences in the ways you should apply them.

It’s never just about how good the technology is
Old version: “Nobody ever got fired for buying IBM”
New version: Open source can provide the same advantages

The technology you buy is a long-term commitment on your part. You need it to be a long-term commitment on the supplier’s part, too.

To play it safe, IT used to buy from big vendors. Now? Not only can open source be just as safe, sometimes you can get it from IBM or other big vendors.

Not every open source technology has a broad enough base of support, but many do. If PHP, for example, will do the job, would you look at Java twice given its awful security track record? And yet Java is supported (perhaps “provided” would be more accurate) by Oracle, one of the biggest software companies in the world.

This isn’t entirely new, either.
The open-source-like SHARE library dates to the 1970s, after all.

Good information security starts with good physical security
Old version: Keep the hardware locked away
New version: It doesn’t have to be your locked room

We’ve always kept the hardware locked away, limiting data center access to a small number of employee badges and keeping automated logs of who enters and when. It’s just that now, not every locked room is our own.

For SMBs especially, there are alternatives, ranging from co-lo facilities to full cloud.

But don’t pocket all of the savings from not building out your own data center. Invest some of it in a low-latency, high-bandwidth network connection to your offsite provider. Even better: Apply another old-time principle — never have just one of anything. Make that two connections, with points of presence on opposite sides of your building, so a backhoe can’t take your business down by digging a hole in an inopportune spot.

Know the threats
Old version: Inventory security threats and implement countermeasures
Middle-age version: Lock down the desktops and guard the perimeter
New version: Harden the assets. Guard the perimeter, too

Back in the day, thwarting security threats mostly meant timing out CICS sessions so hackers couldn’t dial in and inherit them. Then came PCs, distributed systems, the Internet, and lots more threats. We responded by locking down desktops and guarding the perimeter with increasingly sophisticated firewalls.

Many still think the best countermeasure is to lock everything down and not let anyone be creative. But businesses live and die on innovation, and innovation means more than new products to sell.
It means creative thinking, and the implementation of that thinking, everywhere in the business.

These days we should spend more time hardening the assets than the perimeter, and even more time actively supporting users, because the biggest threat is a workforce that isn’t allowed to innovate.

Testing software means more than just putting code into production and seeing what happens
Old version: Maintain three environments — dev, test, prod
New version: Move a lot of testing to the cloud

Regression and stress testing separate the pros from the amateurs. They always have, and they still do. Regression testing makes sure new stuff doesn’t break old stuff. Stress testing makes sure everything will perform well enough when everyone starts banging away at it.

IT, being professional, maintained at least three environments — development, test, and production. That meant buying three of everything. And maintaining them, too. Ouch!

Now, even when you maintain your own data center, spinning up a test environment in the cloud often makes more sense because you only have to pay for it while you need it. Depending on your production environment it can work quite well for regression testing, too.

Stress testing? Not yet. Too many variables, at least for the time being.

Control changes to the production environment
Old version: A formal change control process
New version: A formal change control process

We’re long past the days when developers could just slam their new code into production. There’s a process to go through. Nobody actually likes the process, but it isn’t about liking the process. It’s about making sure the change doesn’t disrupt production, and if it does disrupt production, it’s about making sure there’s a back-out plan.

Think the cloud changes things? It does.
It makes change control harder because now, if you aren’t careful about how you manage your cloud providers, they just might slam their changes into production without going through your process.

It is, after all, their infrastructure.

Waterfall ought to work, but agile actually does
Old version: Informal back-and-forth between biz managers and programmers
New version: Scrum: Informal back-and-forth between biz managers and programmers, only with a book of rules to follow

Long before formal development methodologies drained the fun out of IT, business managers used to wander over and ask, “Can you get the computer to do this?” The programmer would try something, show it to the business user, and they’d iterate until it was right.

They didn’t call it agile. They called it “having a conversation about what the computer should do,” but it was agile, nonetheless.

Then waterfall methodologies came along. They’d work, too ... if business managers could perfectly envision a complete working system and describe it precisely. But they can’t, so we lost 30 years of productivity.

Enter Scrum, which takes iteration and interaction, and adds enough methodology to drain most of the fun from IT that other versions of agile had put back in.

Relationships precede process, and relationships outlive transactions
Old version: Managing relationships with other top execs is a key part of the CIO’s job
New version: Managing relationships with the rest of the business is a key part of everyone’s job

Before businesses are anything else, they’re collections of relationships. With good relationships, everything can work. Without them, nothing can.

Back when businesses were strict hierarchies, the CIO managed relationships with the other top execs, and that was enough. If the other top execs didn’t trust the CIO, IT couldn’t succeed.
It was as simple as that.

But every time any member of the IT department interacts with anyone else in the business, it affects the business/IT relationship. It isn’t just about the CIO and other execs. If the rest of the business doesn’t trust IT, IT can’t succeed. If it does, everything about IT is easier.

Not easy, but easier.

Integrate, because interconnecting 'islands of automation' takes a lot of stupid out of business processes
Old version: Gradual accumulation of custom-programmed batch interfaces
New version: Service bus or equivalent with engineered real-time interfaces
Even newer version: Integrating with non-IT-driven SaaS solutions, too

When humans rekeyed information from computer-generated reports into data-entry screens, IT realized one of its most important responsibilities was integrating disparate systems to keep data synchronized.

So it built interfaces. Lots of them. All custom-batch ETL.

Now there are so many it’s a hard-to-maintain mess. So smart IT invests in a service bus, or something similar, and engineers its interfaces too, because just piling one on top of the other means the shiny new tech re-creates the same old tangle.

Today, lots of IT is happening outside the IT department, mostly in the form of SaaS brought in by business managers as islands of automation. Eventually they’ll get tired of having their staff rekey data into it. Be ready for them.

IT exists to support the business
Version so old it’s a cliché: No technology for technology’s sake
New version: Provide technology leadership

Technology for the sake of technology is a bad thing. That doesn’t mean IT should limit its role to processing work orders.
It has to go way beyond this and provide technology leadership.

Any IT department that fails to provide technology leadership — to suggest and discuss, not just to accept and deliver — is failing at a fundamental level.

Technology leadership also means supporting managers and users who are ready to buy or build their own technology. It’s time to recognize that “shadow IT” is a good thing, because it increases IT bandwidth.

Sure, there are risks. Anything worth doing has risks.

IT must help everyone in the business succeed with all of their technology, not choke off anything that’s “not invented here.”

Projects need plans
Old version: Waterfall means distinct phases, stages, deadlines, and milestones.
New version: Even with Agile, projects need deadlines and milestones.

Waterfall projects don’t fail because they have organized plans. They fail because real-world projects are always exercises in continuous learning, not orderly progressions from high-level requirements to detailed blueprints.

Agile deals with the reality of continuous learning. That doesn’t mean business leaders can approve project proposals that provide no estimate of scope, effort, and budget.
It does mean they have to accept that continuous learning means plans won’t be fixed and shouldn’t be fixed – they will and should evolve to fit the team’s evolving understanding of the situation.

Which is what happened in successful waterfall projects too, only without all the drama.

It’s about business change, or else what’s the point?
Old version: IT is the major driver of change throughout the business
Middle-age version: IT is the biggest barrier to change in the business
New version: IT is the major driver of change throughout the business

When computers were new and shiny, business executives counted on them to drive change everywhere by making business processes quicker and cheaper while cutting way down on manual errors.

That lasted until IT had to support so many interconnected systems that doing anything new was time-consuming, expensive, and risky. Its reliance on waterfall methodologies didn’t help either.

We’re finally breaking loose again. Between agile, better integration tools, and non-IT IT, information technology is starting to drive change again instead of following along after it.