Business Value

Preparing IT for Flu Epidemics

Question: Are there ways we can prepare for a large percentage of our technical support staff out with H1N1 flu?

With the heightened interest in how to respond to the H1N1 pandemic, every organization should be considering how to manage production support operations in the face of high absenteeism rates that could exceed 30%. Because the illness often hits suddenly, staff members could be sick or home caring for a family member and unable to work. Temporarily losing key individuals, such as system administrators and DBAs, can be traumatic without proper planning and redundancy. A good response plan should focus on assuring that necessary skill sets are available when needed. The following suggested approach is a good start towards making sure you are covered:

• Identify the critical functions and performance timeframe. This information may have already been gathered as part of a business impact analysis. If not, draw up a simple list of the functions or tasks and how time critical they are.
• List the skills and knowledge required to perform critical functions and the staff that possesses them. These might include UNIX administration or knowledge of a custom finance application. Management and the operational staff will know.
• Identify the primary and secondary staff members who can provide backup for each task or skill. In particular, identify critical skills that are possessed by only one staff member. Gaps such as these are the biggest risks.
• Develop a plan for backfilling those critical skills. This may include documenting procedures and training other staff members or locating an outside resource to provide the skill on a temporary basis.
• Practice running operations using backup staff and documentation. This validates the ability of the backup staff to perform the tasks and also provides on-the-job training and job enrichment opportunities
• Plan for working at home (WAH). In many organizations, technical staff members are already required to be available 7×24, so the mechanisms are in place.
• Develop a contingency plan for reducing workload when absenteeism is high. Discuss with senior management the possibility of performing only minimal system changes and delaying major deployments to reduce risk and maintain system stability. Given the possible business implications of such a plan, buy-in from all stakeholders is essential. Define conditions and triggers for putting the plan in action.

Having to deliver services without a full staff is a situation that every organization encounters sooner or later. It can be triggered by events other than a flu pandemic. Preparing for it will make your organization more resilient and provide unexpected benefits.

About the Author

John McWilliams, JH McWilliams & Associates, Business Continuity Consultants

Distributed Enterprise Data Risks

Question:  With all the talk about data on the cloud, is it possible to build a distributed enterprise architecture that addresses the issues of security and cost effective delivery without compromising business integrity?

For example, let us say you are relying on a major retailer’s supply chain system for inventory control and tracking.  The retailer represents 60% of your annual sales.  They have intimate knowledge of all your costs and are squeezing you to cut your overheads further.  It almost looks like they have better business intelligence tools than you do.  You are uncomfortable with the relationship, but are afraid pulling out will have disastrous effects on your core business and profits. The board is nervous and Wall Street is not treating your stock price kindly.  Too many companies are finding themselves in exactly that situation as they find they are required to share more data with their business partners.  Yes, there are cost efficiencies to be found by taking this approach, but there is also the substantial risk of loss of control.

Data integrity, security and confidentiality have long relied on a combination of network and application based security.  As long as the data was secured on local systems using role-based account access combined with strong firewalls, the thinking was that corporate data was well secured.  As enterprise architectures get more complex and the supply chain more integrated, the data is increasingly stored in massive data warehouses and SOA’s.  To add even more complexity more enterprises are using the cloud as a way to augment their internal systems or sharing information with their business partners.  Data is increasingly spilling out to the cloud with little or no thought given to the security implications for the enterprise.  With the recent news about credit card fraud and identity theft on a massive scale, companies are and should be worried about protecting and securing their data.

At the basic level that means that companies need to understand where their data resides, who is using it, how they are using it and most importantly, why are they using it.  Some of the many security issues that the new distributed architectures might mean to the enterprise include such questions as:

• Just what does data security mean in new contexts where you no longer have full control over the systems?
• How is responsibility for data integrity and confidentiality assured if there are multiple parties involved in the chain of authority?
• Do private clouds avoid or solve the problem, or do they make it more complex to manage as companies increasingly have to interface with business partners and customers on the cloud?
• What types of architectures and mechanisms can be implemented through the systems and to assure full data integrity and confidentiality?
• What are the best approaches to protecting the most sensitive data, particularly in the face of increased regulations and audit requirements?

About the Author

Beth Cohen, Luth Computer Specialists, Inc.

Agile – The next big thing?

Question:  What is behind claims that agile methodologies can increase software development productivity 10-100 times over traditional approaches?  Is this for real?

I just spent a week with a wildly enthusiastic international crowd of 1400 agilists attending August 2009 Agile Conference in Chicago.  As far as they are concerned, agile is set to become the standard development methodology in a few years.  I agree that there is much merit to what the agile community is saying.  Certainly, better communications between product owners and developers is always desirable, daily meetings and the idea of breaking the work into short manageable chunks called iterations are bound to improve any project’s velocity.  But I am skeptical of any claims for such dramatically increased productivity.

If you dissect what the agile folks mean, the high productivity numbers become suspect.  For example, one case study involving a Danish software company looks great at first glance, but looking more closely at the methodology, each iteration requires the work be pre-staged so that it is ready for the development effort.  All the pre-staging is magically not counted.  By breaking the work into smaller chunks and working closely with product owners, there is less wasted effort in building unwanted features.  This is all true, but to call the abandoned features unproductive is somewhat disingenuous. Indecisive management is a fact of life and going agile is not going to fix it.

Unfortunately, I also see agile software development quickly getting a reputation for creating new ways to overwork already over burdened knowledge workers.  It is all well and good that the agile principles are based on 40 hour work weeks, but so are the PMI (Project Management Institute) recommendations.  We all know how well those are adhered to.  The Scrum folks even have the audacity to call their iterations sprints.  You cannot run a project marathon as a series of sprints without serious burnout.  Since the developers on the team participate in work estimates, there is even more pressure to blame the workers if they fail to meet projections that are unrealistic to begin with.  At the conference, one session on metrics suggested that the team not share information on team productivity with management in case the numbers were misconstrued.

In conclusion, I find much in agile methodologies attractive and just plain good common sense.  However, any claims that seem to be too good to be true, should be viewed with skepticism.

About the Author

Beth Cohen, Luth Computer Specialists, Inc.

Widgit Company - A Cloud Security Parable: Part 1

Question:  Everyone is singing the praises of cloud computing, or at least all the vendors who are trying to sell services.  Just how safe is my confidential data on the cloud anyway?

To put cloud computing business security risk in concrete terms, I will tell you the parable of the Widget Company and Cloud Computing. Has anything like this happened to you?

Once upon a time, Widget Company, a $300 million dollar global company in the plastic widget business, decides to outsource their Oracle ERP application platform to Cloud Co., a cloud vendor who provides on-demand Oracle database services.  The CFO encourages the board to approve the cloud outsourcing project because it is projected to reduce support costs for their Oracle application by 20%, allowing the company to grow while avoiding an investment in a large, new and very expensive Oracle system.  The board signs a two year contract for services with the agreement that the cloud vendor is responsible for paying the annual Oracle maintenance contract.  Both the legal and finance departments’ review the contracts and give their blessings.

At first everything seems to be working and management is pleased with their decision.  Then reality sets in.  After three months, users increasingly complain server access is slow.  Cloud Co. responds to the complaints by first informing Widget’s IT department that their DSL Internet connection is probably not large enough for the anticipated user load, so they upgrade to a higher speed connection that increases their network connectivity costs by 30%.  When the increased bandwidth still does not fix the problem, Cloud Co responds by applying a patch recommended by Oracle.  After the installation of the upgrade, Widget Company finds that one of their mission critical applications is no longer compatible with Cloud Co’s offering and several months of customer data is lost due to the problems.  Oracle claims no responsibility because the application does not meet their development standards.  Productivity and staff confidence in the application plummet.  After the two companies’ lawyers argue for a while, Widget decides to pull out of the contract, which still has a year to completion.  Cloud Co. agrees to end the contract.

Widget Company’s management and IT department breathe a sigh of relief until they realize that the data backup from Cloud Co.  will take months of costly integration to re-implement on the old servers - which are fortunately still running, just in case.  However, Widget incurs additional costs when they discover they need to upgrade their Oracle licenses and pay for a year of back maintenance to get critically needed support.

Six months later Cloud Co goes out of business - Widget was not the only company unhappy with their services.  Eight months later, a Widget Company sales associate reports that their main competitor seems to have insider information about Widget’s customer list.  After a bit of legal discovery, Widget’s management discovers that after Cloud went out of business their assets were sold to a salvage company that resold the old backup tapes to a shady operation in the Ukraine, which then sold the customer list to their competitor.  At this point after spending over $500, 000 in sunk costs and with little hope of successful legal actions against the guilty parties, Widget’s management team is completely fed up, fires the CFO along with most of the IT department, and vows never to try cloud computing outsourcing ever again.

About the Author

Beth Cohen, Luth Computer Specialists, Inc.

More Clouds with a Chance of Storms

Question:  What exactly are the top security issues that cloud vendors need to address?

Somehow I am getting a sense of déjà vu on cloud security.  Don’t get me wrong folks, but the cow is already out of the barn.  After all, more than 69% of all consumer Internet users have used at least one cloud service in the past year and that doesn’t include the nearly 100% of all consumers who are using web mail services such as Gmail, Yahoo and others of their ilk.

On the other hand, businesses and enterprises are not rushing to jump on the cloud computing band wagon in the same kinds of numbers.  So what is holding companies back from taking the very real advantages that cloud offers?  We can argue that business requires a higher level of security and validation than the average consumer, but the simple answer is really a large dose of inertia, fear and doubt.  That is, all the usual reasons that businesses use as excuses to wait for the consumer products and service to prove their worth before committing precious corporate IT resources.

In a survey conducted by IDC in August 2008 and June 2009, concerns about security topped the list of challenges for 88.5% of the respondents, followed closely by performance (88.1%) and availability (84.8%).   Clearly security is a major impediment to a cloud architecture implementation for many organizations.  It will need to be properly addressed before cloud architectures will be fully embraced by the business community.

Cloud security issues can be divided into three major categories, business, regulatory and technical.  Business issues generally can be quantified as risks to the business in whatever form.  Major business concerns for the enterprise include:

• Legal issues related to the control and protection of intellectual property and sensitive business information
• The difficulty of establishing end to end business data validation
• Regulatory issues related to data ownership and proper handling procedures
• A perception of increased potential for data and business loss
• Risk of reduced data or systems availability
• Proper integration of the mix of secured data residing both in the cloud and on the internal corporate networks

The major global regulatory issues that influence technical and business decisions around cloud computing architectures include:

• Rising consumer data protection laws around the world
• PCI Compliance and the need to ensure end to end data protection
• Banking regulations

It is clear that many of the business and regulatory issues can be addressed with properly secured cloud architectures, applications, networks and systems, but cloud and network security is quite complex.  It encompasses such diverse disciples such as networking, application development, database architectures and designs, hardware architectures, and systems design.  Many standard network security best practices developed for the enterprise are inadequate to handle the new cloud architectures.  However, by taking a network services approach to the architecture of cloud services, there are many advanced methods that can be used to address cloud security issues and allay most if not all of the business owners concerns.

About the Author

Beth Cohen, Luth Computer Specialists, Inc.

Mapping Application Disaster Recovery to Business Requirements

Question: Now that my organization has acquired space at a  remote co-location data center and we’ve installed hardware, where do we need to consider in setting up recovery for our critical business applications?

While it would be impossible in this forum to go into all the possible strategies that you could employ for application recovery, it will describe the areas that you should consider when developing a recovery solution for your company.

Before thinking about any technology, disaster recovery is really more about business risk management.  As such it is important to start by meeting with the business owners of each application to identify the recovery requirements such recovery time objective (RTO), recovery point objective (RPO), end user workload, and whatever other applications or services are required by the application. In short, understand the main parameters of your recovery solution from the business perspective first. Keep in mind that the business owners may not be familiar with the technological underpinnings of the application, so involve the application support staff to ensure a full understanding of the recovery requirements so that the managers can make reasonable decisions based on what is achievable with the current technology and architectures.

From here, design your recovery solution while considering the following:

• Server power - How much processing power will be needed by the recovered application at the DR site? Will the DR site support production only or will development activities also be occurring there?
• Replication - How much data has to be available at the DR site, how fresh will it need to be, and how will it get to the DR site?
• Network - How much network capacity will be needed to support data replication and end user access to capacity and what protocols should the network support?
• End user access - How will the users of the application access it while running at the recovery site?
• Application installation and code management - How do you ensure that the latest version of the application is available at the DR site?
• Application recovery process - What will be the step by step process for recovering the application? Who will execute the recovery process?
• Change control - How do you ensure that changes to the production version of the application are reflected in the DR environment?
• Testing - How will you test the resources at the DR site and the recovery process?

In designing your recovery solution, think of it as an on-going resource that must be managed with the same attention as your production environment. That’s because it might someday be your production environment.

John McWilliams, JH McWilliams & Associates, Business Continuity Consultants

Part 2: Consumer Driven Business Innovation

Question:  Recently you wrote how the consumer market is the major driver of innovation.  How can you say that when IBM and HP are constantly developing new products for the enterprise?

Last time, I talked about how the consumer markets are driving innovation.  This week I will follow up on those ideas and look into the reasons for this continued trend.  In a nutshell it can be summarized as available resources and reduced risk tolerance by businesses.

Since 2001, the business market has bifurcated into two very divergent directions, the large enterprise sector and everyone else.  The usual suspects, IBM, HP, Oracle, etc. continue to cater to the large enterprise, profiting on million dollar contracts and cozy deals.  None of these companies make money on revolutionary products.  They are best at creating better, more feature-rich versions of existing products that appeal to their generally risk-adverse enterprise customers.

Revolution and true innovation rarely, if ever, comes out of established companies.  They have so much invested in their existing products; they cannot afford to jeopardize their enterprise customer base comfortable with the status quo, in the risky pursuit of something revolutionary. No, the most fertile ground for true innovation is going to remain with companies that have nothing to begin with and therefore nothing to lose.  Look to the well documented history of the development of the computer hard-drive for a perfect example of how companies selling better products with more storage and features lost the marketing war to emerging companies with cheaper, smaller alternatives with fewer features.

Apple Computer is the rare exception that proves the rule; and their famously wild relationship with Wall Street is well-known. Apple has clearly bet heavily on the consumer market as their future direction.  The only company that seems to be able to defy my predictions and successfully develop their products to the entire spectrum of the business market, while maintaining a large consumer base at the same time, is Microsoft.  Starting with their brilliant idea to package a common set of desktop automation tools into Microsoft Office, which has now been installed in over 800 million systems worldwide, and continuing with their latest office productivity tools, SharePoint and Communicator, Microsoft remains very much in command of the business desktop.  Their products uniquely appeal to consumers, small business and the enterprise alike, yet, I would argue that most of their innovation - such as it is, is focused on the broad mid-sized business market, rather than the consumer (with the exception of Xbox) or the enterprise.

Ironically, the smart IT vendors, such as Cisco, HP and Microsoft, figured out long ago where the innovation was coming from and regularly snap up promising startups with the intention of incorporating their ideas into their product offerings.  Despite this understanding, these companies continue to struggle to translate all the great intellectual property they purchase into products that appeal to their risk adverse enterprise customers.

Beth Cohen, Luth Computer Specialists, Inc.  IT infrastructure consulting services.

Looking for Business Innovation in all the Right Places

Question:  Where are the next major innovations in IT going to be coming from?  With the continued squeeze on businesses to run more efficiently, what do you see as the biggest market drivers?

Unless you have been buried under a rock for the past few years, the answer to this question should be obvious.  Practically all of the revolutionary products and hot services that everyone is talking about are being developed directly for the consumer sector.  Yes, business has been happy to cautiously adopt innovations; only after they have proven themselves in the brutal crucible of the fickle mass market.  Think about all the great new products that have come out in the last eight years, wireless LAN, Instant Messaging, Web 2.0, social networking, MP3 players, PDA technology, flash drives, and cloud computing, (yes even cloud computing, which is mostly a means for Google and Amazon to recoup some of their investment in excess capacity) are all examples of technologies that originated as products designed for the consumer market that have since been adopted by the enterprise.  The truth is that there has been essentially NO IT innovation created directly for the business market for many years.  Unless you count virtualization and mass storage hardware, which I would argue are mostly reinventions of the very old ideas of the service bureau and the mainframe respectively, on faster hardware.

Looking deeper into the economics of emerging technology, it becomes obvious why innovation is coming mostly from the consumer sector.  Follow the money.  While the risks for venturing into the consumer market are extremely high, — ask Apple about the notorious Newton, a product clearly far before its time.  The rewards for catching the fancy of the consumer cannot be matched by anything in the enterprise market.  Apple’s iPhone, a far more sophisticated Newton successor, is a good example.

My crystal ball says the next big thing will be developed for and marketed to consumers first.  Small and mid-sized business customers, for better or worse, are now lumped with consumers.  Since the fragmented and notoriously cheap SMB market has always been a hard nut to crack, it is easy to see why it makes logical sense for vendors to build consumer grade products and assume small companies are willing take whatever they are given.  With the current tight economic environment, permanent transfer of corporate R&D to the startup model, and limited resources available for innovation, I expect to see this trend not only continuing but accelerating for the foreseeable future.

Beth Cohen, Luth Computer Specialists, Inc.  IT infrastructure consulting services.

Determining the Real Business Value of IT

Question:  What are some methodologies that can be used to help CIOs and other C-level executives define the business value of IT, particularly when all budgets are under increased scrutiny?

This is an excellent question.  IT managers need to be able to capture the real business value of IT so it can be demonstrated to C-level executives in support of enterprise purchases of and continued investment in IT services.  In the past, typically new technology implementations and large strategic business transformation projects were what got business executives’ attentions - partially because they are both at the highest risk of failure and offer the greatest opportunity for reward.  However, nowadays most IT executives are being forced to focus on squeezing the most efficiency out of their existing bread and butter project and operational budgets, particularly since enterprise appetites for high risk large scale projects are down.

The good news is that IT operational efficiency projects are now relatively easy to quantify by applying the standard bag of tricks, such as IRR, ROI, TCO and payback period tools. The ability to capture detailed business information in real time using business intelligence tools and LEAN manufacturing approaches can be and is being applied to measuring the value of the IT tools themselves.  This has given both business and IT management unprecedented insight into the value of a given IT process improvement tool or project.  Not only can these tools do a good job of capturing improved business productivity and efficiency, but they translate them into terms that executives can readily understand - how the tools directly affect their bottom and top lines.

For an example of the success of this approach look no further than the massive switch to virtualized IT services and all those data center consolidation projects that have all been justified by demonstrated real cost savings in both reduced capital expenditures and continued on-going operational cost savings.  The green data center movement is not capturing management’s imagination because it is cool, but because it is a terrific way to save lots of money in operational costs - in some cases as much as 30%.  The continued move toward more outsourced IT services is another way for companies to translate slippery IT budgets into more easily quantifiable bottom line expenses.  By using these tools management can gain a good understanding of how their IT dollars are actually being spent and how effective they are.  The logical next steps of improving the quality of IT expenditures are then that much easier to visualize and plan.

One last note that is often overlooked is that these metrics are all well and good at the enterprise level, but ultimately detailed metrics on human productivity remains extremely hard to measure.  It is what I call the “coffee factor”, the lost productivity due to people getting a cup of coffee because a system is slow or they are distracted by the poor user interface.  I predict that better tools for capturing this will remain elusive, but it will not be for lack of trying.

So what do you think?

Beth Cohen, Luth Computer Specialists, Inc.  IT infrastructure consulting services.