The IT Responsibility Quandary
IT is the keeper of a company's information. The integrity, security and accessibility of the information is essential to the continued stable and efficient operation of the company. IT provides the means to access the company's information, search it, select from it, update it, store it, encapsulate it, and otherwise manipulate the data, in all of its forms.
To fulfil this charter, IT must have sole control over the system's implementation and the resulting integrity of the data. Otherwise, the information system cannot deterministically meet the requirements already placed on it implicitly by way of its existence as a company information system.
Because of the absolute importance of the information to the company, the information system that holds and presents the data is first and foremost a concern of the company's owners and employees; only secondarily does the system need to adhere to management whim. As a corollary, IT's responsibility is first and foremost to the information system itself; only secondarily is IT responsible to management. This is a unique quandary of the IT department; other organizations within the company do not suffer from this dichotomy.
Because of its unique responsibility as keeper of the information systems, IT cannot allow management to override their better judgement, were the implementation of an executive decree to bring into question the basic security or integrity of the company's data. In this sense, management does not have a "big red button" to make IT do what they say [and screw the consequences]. A company that comes to operate like this is bound to encounter massive failures of their information system, because they ignore the wisdom of the people best qualified to understand the impact of changes on the system integrity.
It is my belief that providing a secure and correct IT system is a moral obligation, and professional ethics require absolute defiance of management if they are being shortsighted by ordering IT to do something which jeopardizes the integrity of the information system.
HOWEVER, because of the inherent and absolute authority of management, and because -- theoretically -- they represent (often by election) the will of the shareholders and employees, management must be made to agree with any position taken by IT; otherwise, an impasse would result, and consequent inaction. Without management, IT has no mandate or authority over the data they manage. In fact, IT does not in any case own the data they manage (excepting perhaps the subset of information that is their creation), or even have the right to read it; they have merely been delegated management responsibilities.
For this reason, it is the responsibility of IT to convince management of the fallacy of any decree that threatens the information system, should this occur. IT does not exist in a vacuum and management must be on board. Communication and understanding, rather than mutiny, is advocated here.
If all else fails, it may be preferable to cede responsibility to another team. Obviously, this would represent a catastrophic failure to communicate between IT and the executive team. Under normal circumstances this probably would not ever happen.
IT must be aware that the only requirement that trumps management decree is the integrity of the information system. Any other aspect -- e.g., what it stores, how it is accessed, how it is searched, what searches are available, which data is available to whom -- is in no way determined by IT.
The role of management is, ideally: (1) to provide the requirements for what the information systems need to provide; (2) to negotiate a budget for its implementation and maintenance; (3) to dictate the metrics used to quantify aspects of the information system; (4) to provide feedback.
Note: this is just rambling...it's not necessarily how I think.