Organizations have historically relied on IT for technical systems execution and, with the rise of websites and associated digital operations, that norm continued. Aspects and whole policy areas have been delegated to IT under the guise of requiring technical expertise. In reality, business goals and requirements ought to drive both policy and execution. 

It is unlikely that IT will understand the digital customer user experience needs well enough to be able to drive system requirements that meet those needs. For example, IT can ensure that a tax filling system has 100% up time with redundancy, and that will come with an associated high cost. However, if the system is used to support seasonal tax fillings, then it may be an unnecessary and inappropriate use of resources to support 100% availability all year round. 

IT is a part of the business and executes to the objectives and performance goals of the organization. As such, it should not be silo’d and left to create requirements and set policy in a vacuum. Instead it should be integrated as a partner into the policy range definition process, and allowed to participate as a lead in appropriate subject areas—including data privacy, storage and localization, and data breach. However, the policy definition should only take place in collaboration with business units and in alignment with organizational digital priorities and trade-offs.