Structuring IT Teams for Value

Author picture

Tim Timchur, Managing Director, 365 Architechs, is a qualified accountant, cybersecurity professional and governance and risk management expert.


Sign up to the Digital Disruption to receive the latest news and updates

Structuring IT Teams for Value


Many small and medium organisations have an internal IT team while others completely outsource this function. This article discusses factors that should be considered when deciding to make a change, or whether by making the other decision, you just continue to do what you’ve always done.



Let’s start by looking at the typical functions a modern IT team performs, keeping in mind that you may have individuals performing one, many or all these roles:


End User Support

Some might call this the help desk, and its likely that support issues will range dramatically in complexity, from simple queries like resetting a password, to very complicated problems that may require escalation to a vendor.  Support teams there typically split there resources in Level 1, 2 and 3 members. 


Level 1 is usually the most junior resource, often with little experience and no qualifications. Great Level 1 support team members are enthusiastic, want to help users, have a thirst for knowledge and understand that there is a lot they don’t know.


After some time in the role, Level 1 resources often proceed to Level 2.  At this stage, they have normally completed some qualification, and are on the path to lots more study. They typically resolve most issues that Level 1 isn’t able to, and commonly combine their tasks with that of a System Administrator, or SysAdmin.


Level 2 resources really don’t like working on Level 1 tasks.


They can also be relatively expensive, so dealing with a call from a user to say they’ve lost their mouse, isn’t a good use of their time.


Years ago, before cloud computing became mainstream, Level 2 resources spent an inordinate amount of time managing servers. This effort has been greatly reduced for organisations who have largely transitioned to SaaS cloud applications. Note the distinction between SaaS and IaaS clouds. Some businesses have moved their servers into the cloud in an IaaS model, without realising the true benefits of the SaaS cloud model. If you still have lots of servers in your office or a data centre, you probably still need these resources. If not, you’re probably ecstatic with the cost savings, improved availability and stronger resilience.


But even Level 2 resources don’t know everything. Level 3 team members are often experts in specific systems. You may or may not require this level of expertise.  And you might need lots of them, depending on how many different applications you have. See Article: You have too many apps.


Level 1, 2 and 3 are all technical resources, so as the team grows, it important to have someone to manage these resources  – to allocate work, approve leave, discipline where required and otherwise manage the team.  This IT Manager, would typically provide reporting to management, engage with members of the management teams, executive team and potentially the Board.  They would develop budgets, approve expenditure and may or may not have come from a technical IT background.



One step up from the IT Manager, is the Chief Information Officer.  CIO’s think and act strategically. Operational day-to-day issues remain the work of the IT Manager while the CIO thinks about how technology can be leveraged within the business to manage risks and exploit opportunities. They are all about generating value for the organisation and in constant pursuit of emerging opportunities and innovative solutions.


If it’s more than a job for one, the CIO role may be split up into a CIO and a CTO (Chief Technology Officer).


Cybersecurity and Information management

There are other common C-level executive role, the CSO (Chief Security Officer) and CISO (Chief Information and Security Officer) with an obvious on cybersecurity but also information management in the case of the latter.


Within larger security teams, there are of course many different individual roles, but a question arises for small and medium-sized organisations, as to who owns security?  For some organisations, this can be the finance team, legal team, company secretary or a dedicated team.  Concerning however, is how many organisations simply don’t have any resources dedicated to this function.


Too often, cybersecurity is assumed to be the role of the IT team, whereas few if any IT staff have ever been trained in the complex art of defending against and responding to cyberattacks.


Information management – managing the information life cycle is another skill set often expected of IT teams.  It requires detailed understanding of the information life cycle – of retention policies, storage, records management and document management systems.  Recognising data as an asset, working with database administrators and data scientists, and building a team of business analysts is a long way from the typical career in IT.


With artificial intelligence, robotic process automation, machine learning and business intelligence are no longer on the horizon but an integral part of many organisations strategic focus, it would be naïve to expect general IT team members to have skills in these areas.


Oh and if you are going to do any form of projects, best that you have a project manager and change manager on the team.


Insource vs Outsourced Models

With so many skill sets required, it is unlikely than many individuals are going to be able to fill many of the roles described above.  So how can SME’s possibly afford to do so?  The answer is to outsource some or all of these functions to businesses structured to provide services to fill the gaps as required.


Challenges with outsourcing include managing costs, ensuring that everything is covered, and providing a level of governance oversight.


A question for all organisations, is to what extent is technology, cybersecurity, information management and data privacy a core function of our business?


Oh that’s right, where haven’t even touched on the skills required regarding data privacy.  Managing personally-identifiable and sensitive information, conducting privacy impact assessments and understand consumer data rights aren’t typically the expertise you would expect to find in most IT roles.


But you don’t want to outsource everything right?  The one thing that should always be retained in-house, is governance.  Some form of Board IT committee, management IT steering committee or other form of oversight should always ensure that the six principles identified in ISO 38500 (Governance of IT) are being addressed adequately and appropriately in any organisation.  Those principles are:


  • Responsibility
  • Strategy
  • Acquisition
  • Performance
  • Conformance
  • Human behaviour


By all means, bring in some external expertise to this committee, but there should always be representation from management in some capacity within this group.


Technology Resources are available

365 Architechs provides all the above skill sets in an outsourced model and available to your organisation, to work together with internal teams and other external providers to ensure all bases are covered.