This paper examines two interconnected aspects of IT acquisition management. The first section argues that acquisition planning must be treated as a master strategic exercise, where careful attention to quality, cost, schedule, performance, and supportability helps organizations avoid deficiencies that could undermine long-term business goals. The second section reflects on risk analysis within the acquisition process, distinguishing between technical, operational, and management security risks that are relatively straightforward to identify and measure, and less predictable threats — such as cyberattacks, hacking, and unfamiliar vulnerabilities — that organizations frequently overlook or underestimate due to cognitive bias and overconfidence in existing security measures.
The decision to perform an acquisition must be approached precisely as though one were planning for a military campaign. In a military campaign, the success of the battle depends on the initial planning and input. The better this is done, the greater and more effective the results will be, and the strategist will, hopefully, win the battle.
A similar situation exists with the influence of acquisition decisions on the strategic business goals of an organization. Cost overruns, schedule slips, and performance shortfalls can all be seen as potential obstacles that stand in the way of achieving optimum strategic success. The person performing an acquisition must begin with a clear understanding of the IT risks involved and what can be done to prevent them. They must know the program-specific risks and formulate a strategy to enhance their ability to avoid these risks in the ever-changing landscape of strategic deployment and program environments.
The acquisition must be thoroughly planned before decisions are made. If the basics are secure and in place, subsequent business strategy is likely to run more smoothly, since it will be free of problems such as data leakage and other complications that may have arisen without the planning that should have gone into the system from the outset.
The decision-making that needs to go into an acquisition encompasses the following factors:
Provided that each of these factors is thoroughly examined, assessed, and resolved, the IT system can be expected to operate in a reliable, cost-effective, and problem-free manner, preventing future issues that might otherwise arise. This allows the organization to execute its projects more effectively, better satisfy its clients, hold the organization together more cohesively, and achieve timely, high-quality collaboration that is free from IT errors.
Care taken during the acquisition process prevents deficiencies from creeping into the system and affecting operations later on. Deficiencies may include incorrect terms, repetitive terms, or erroneous information. They may also compromise the safety and security of data.
There are also cost-related deficiencies, where the cost of system acquisition is insufficiently planned, causing the system to accrue further expenses later on. This can impact strategy significantly, as the organization may find itself continually investing more money into the system than it can actually afford.
Furthermore, deficiencies in the system may necessitate a complete revamp at a later stage. This distracts the organization from advancing its core business concerns and consumes a significant amount of time on issues that could — and should — have been addressed much earlier. In other words, faulty and deficient acquisition planning is likely to have adverse effects on the organization's strategy in more ways than one.
Acquisition strategy has been described as a master plan, a road map, a blueprint, and a plan-to-plan-by for achieving program goals and objectives (GSAM Version 3.0). The more carefully and scrupulously the strategy is thought out, the more smoothly and fault-free the subsequent execution will be.
All major software development strategies carry some possibility of failure. Careful planning of the software acquisition has the potential to reduce that risk. It serves as a guide for planning and controlling the program, for foreseeing future problems, and for attempting to prevent them. It also serves as a framework for integrating functional activities that are important for the entire operating system — not just for individual pieces of hardware or software. In short, awareness and knowledge of future strategic goals should be built into the acquisition process so that, carefully and mindfully planned, the acquisition stage guides and supports the strategic business goals of the organization.
The risks most likely to be identified and accurately measured include the following categories:
1. Problems with technical security, namely:
2. Possible problems with operational security, namely:
Risks associated with management security — namely the maintenance and ongoing upkeep of the system — would also likely be identified and measured correctly. These categories are well-defined, frequently documented in established frameworks such as the NIST Risk Management Guide for Information Technology Systems, and relatively straightforward to assess within a known system environment.
"Unpredictable threats and cognitive blind spots in risk analysis"