Leadership | Sten Vesterli's Blog

Rational Decision-making

January 26, 2026January 26, 2026IT LeadershipDecisions, Leadership, Risk

As an individual, you are free to make emotional decisions. You can decide to evict some software product from your laptop because you don’t like the vendor’s nationality or stance on today’s hot-button social issue. As an IT professional, you can even set up an open source solution that does almost the same (though invariably with worse UX) in a few days.

But as an IT leader, you are expected to make rational decisions. That’s why you don’t throw out all your Amazon, Microsoft, or Google Cloud on a whim because you are unhappy with U.S. policy. The rational choice is to minimize your risk. That means building new systems outside U.S. clouds so you don’t add to your problems. And migrating away from disfavoured platforms in an orderly, cost-effective manner.

Sovereign Cloud

January 21, 2026January 21, 2026IT LeadershipCloud, Leadership, Risk, Sovereignty

You need to create a delay between a foreign government ordering your cloud provider to cut you off and the actual cutoff. The longer you can make this period, the better. The new AWS European Sovereign Cloud (ESC) is Amazon’s way of offering this. That is a cloud solution running on hardware in Europe, staffed by Europeans, organized under a European daughter company.

That does not protect you against Amazon being compelled by the U.S. government to hand over your data, but all important data should be protected with keys you hold, outside your cloud provider, anyway. But it does make it likely that AWS Europe would contest an order to shut down the service, and that AWS Europe employees would not cut you off at the whim of a foreign dictator.

Because the probability of this happening is still “Rare” (edging towards “Unlikely”), you do not need to act on this risk now. But it is prudent to ensure you have time to react if it should happen.

Risk Evaluation

January 19, 2026January 19, 2026IT LeadershipContingency plans, Leadership, Risk

Do you have a paper map in your car? No, why would I need that?

If you are a Verizon customer in the U.S., you were just reminded. A large chunk of their network was down for half a day, leaving frustrated customers depending on their atrophied geographical memory. Verizon says the culprit was the usual botched network upgrade, not evil hackers. Some Europeans are better prepared, having routinely been subjected to Russian jamming of GPS and Galileo navigation.

When was the last time you revisited the risk evaluation of your critical systems? The threats are changing and increasing, and your risk evaluation from one year ago no longer applies.

Excel Addiction

January 9, 2026January 9, 2026IT LeadershipGuidelines, Leadership

It’s not your data, it’s the company’s data. That’s why it belongs in a database or some other kind of managed data store, not in your personal Excel files. But it turns out to be very difficult to break a 40-year habit of circumventing Central IT and hacking something together with a few macros.

There is any number of well-documented disasters caused by excessive Excel use, including during the Coronavirus pandemic, where the UK health authorities used an old version to track infections. It took days before anybody noticed that the number of cases was stuck at exactly 65,536.

Everybody is talking about having an AI policy. You need that. But you also need a data policy. And part of that policy is going to be placing limits on Excel.

Digital Sovereignty

January 7, 2026January 7, 2026IT LeadershipCloud, Leadership, Risk

You need to think about Digital Sovereignty. Unless you are in the U.S., of course. For everybody else, this is a very salient topic. Especially for us in Denmark these days.

This doesn’t mean that you have to free yourself from every American cloud provider. But it does mean there is a new item in your risk evaluation: Ending up on the Office of Foreign Assets Control (OFAC) blocklist.

Likelihood is Rare (1) for almost everybody. But if Impact is Catastrophic (5), you end up with a medium risk: Mitigate if cost-effective.

Switching costs almost always make it not cost-effective to transition a running system. But when you are building anything new, you don’t have switching costs. And an effective mitigation is to avoid using U.S. providers.

Buy more, goddammit

December 4, 2025December 4, 2025IT LeadershipBusiness case, Cost/Benefit, Investment, Leadership

The reason you fail is that you are not spending enough. Said the vendor.

Lack of self-awareness is a common human foible, and it seems to be one of the characteristics that AI leaders are hired for. Kellen O’Connor, leader of AWS’s Northern European business, is an example. Interviewed at AWS re:Invent in Las Vegas, he dismisses the clearly documented failure of almost every AI initiative by saying that the customers are not thinking big enough. They need to apply AI to business-critical functions and let AI agents loose.

Translated from AI hype to plain talk: Yes, our software hasn’t proven any business benefit yet, and the way to achieve business benefit is to buy more of it. Good luck with that chain of reasoning in the CIO’s office.

Believe the user, not the vendor

October 7, 2024October 9, 2024IT LeadershipLeadership, Quality, User Experience

If the users say the system doesn’t work and the project sponsor says it does, believe the users. IT history is full of stories of malfunctioning systems being covered up – the most egregious case is one where 900 British postmasters were falsely convicted of theft and fraud because the Post Office’s fancy new IT system didn’t work. Look up “Horizon IT scandal” for that sad story.

Those with careers and positions to save will go to extraordinary lengths to deny any problems. The people who told the truth about the Vietnam War were the draftees who did not have a military career to protect.

What is your process for monitoring issues with the software your business is running? Do not rely on the number of tickets raised with the service desk. There is unavoidable friction involved in raising a ticket because the IT people will want screenshots and exact software versions. The average user has no clue which version of the internet browser he is using and has more important things to do. If you don’t have a simple system like the four-smiley button panels in shops and airports, you do not know if your software works for the users.

Investing and Throwing Money

October 4, 2024October 9, 2024IT LeadershipBusiness case, Leadership

There are three ways to spend money on new technology. Two good and one bad.

Trying it involves spending a small amount of money and time to determine if it has reached a maturity that can be useful in the organization.
Investing in it involves preparing a business case outlining expected business benefits and then spending a lot of money implementing it at scale in the organization.
Throwing Money at it is just like investing but without the business case.

I am always amazed when I see CIOs declaring that they are investing in some fancy new technology (AI these days) but failing to articulate any specific business goals when asked. That’s not investing; that’s throwing money.

A Teachable Moment

July 25, 2024IT LeadershipCompetence, Leadership, Learning

We remember stories. And the Crowdstrike-caused massive Windows outage is a good story.

If you work in Delta Airlines IT, you won’t forget this story anytime soon. As millions of passengers are stranded and separated from their luggage, you will probably see your CEO hauled in front of Congress for public shaming.

If you are responsible for some of the around 10 million Windows computers that Crowdstrike, in their incompetence, managed to bring down, you are also likely to remember.

But if you dodged the bullet this time, the whole debacle will become just another tech story in your news feed and quickly forgotten.

However, there are lessons to be learned about canary deployment, robustness against poisoned data, and undocumented software dependencies. To ensure your organization makes the most of this opportunity, have someone read the Crowdstrike Preliminary Post Incident Review and tell the story at your next department meeting. Have them tell everyone why it happened and why it couldn’t happen to you. Or why it could have happened to you, but for the grace of God.

A continually learning organization needs a way to make knowledge stick in its people’s brains. Storytelling is an excellent way to do that. Always be on the lookout for good stories.

Blocking AI is an Unwinnable Battle

May 23, 2024IT LeadershipAI, Leadership, Productivity

Using AI is not cheating. It is a way to become more productive. You pay your employees because they perform tasks that create value for the organization. So it makes sense to let them use the best tools available to do their jobs.

Just like some schools are trying to prevent students from using AI, some companies are trying to outlaw AI. It won’t work. Research shows that 47% of people who used AI tools experienced increased job satisfaction, and 78% were more productive. You can’t fight such dramatic numbers with a blanket prohibition. If you try, your employees will use AI on their phones or in an incognito browser session while working from home.

By all means create rules about how and where employees can use AI, and explain them thoroughly. But trying to ban AI is futile.