When a California court issued an order to Apple to help the FBI break into the iPhone used by one of the perpetrators of the San Bernardino, Calif., massacre, Sen. Lindsey Graham (R-S.C.), a counterterrorism hawk who in December called on tech companies to stop selling devices that encrypt information, switched sides.
“I thought it was that simple,” Graham told Attorney General Loretta Lynch during a Senate hearing. “I was all with you until I actually started getting briefed by the people in the intel community.”
The public battle waged between the FBI and Apple put the spotlight on encryption and data privacy. According to Chris McClean, an analyst at Forrester Research, that’s a good thing. Now, ordinary people not only know what encryption is — many know enough to argue whether the government should be able to dismantle the technology during investigations. Informed citizens could, he said, push progress in the privacy debate faster than the government can.
The FBI dropped its case against Apple on Monday, saying it accessed the contents of the iPhone. But a larger discussion over privacy and encryption has just begun. Congress is making moves toward legislation that addresses the government’s investigation powers and citizens’ right to protect their information. Sen. Mark Warner (D-Va.) and Rep. Michael McCaul (R-Texas) are pushing for a commission to study digital security and privacy issues and then make recommendations to Congress. But, McClean said, it might not matter much.
He explained using a two-word phrase you may recall seeing plastered on news shows a few years ago: pink slime. That’s the unflattering nickname for processed beef used as a food additive in school lunches. (ABC News did a series on the stuff, and the rest is history.)
“This wasn’t the [U.S. Department of Agriculture] coming down on the manufacturer saying, ‘You can’t serve this to our children.’ They actually said, ‘We give this a thumbs-up,'” McClean said. “But once average citizens saw that, that went viral and they shut it down. Two or three of the companies that created that product were out of business within a couple of months.”
Customers and the privacy debate
McClean sees the same thing happening in the encryption and privacy debate. What happens if the feds petition other companies with people’s information in their databases for intel — cell phone providers, utility companies, makers of home-automation systems? Apple took on a powerful government agency. Will other businesses do that in the name of customers’ privacy?
They might, if customers expect it. Apple’s public opposition to the FBI may have given consumers the push they need to start asking tough questions of the companies that serve them. Once they start digging into privacy policies and asking how their data is being collected and how it’s being used, they may find practices they don’t like — and then voice their displeasure.
“Every company now is a data company,” McClean said. “Your grocery store, your hospital, your bank — they’re all data companies. It will be really interesting to see how much consumers are putting pressure on those types of companies to see whether or not they would stand up the same way Apple has.”
When the FBI dropped its court case against Apple — an order to the tech company to help break into an iPhone in the San Bernardino, Calif., murder case — it left behind unresolved data privacy issues concerning millions of mobile device users.
The bureau sought the help of a partner it did not identify to crack the encryption on the iPhone used by one of the two shooters, Syed Rizwan Farook, but how did it do what Apple, its maker, has said would be hard even for it?
Who’s got the goods
That’s one of many things we just don’t know, said Forrester Research analyst Chris McClean. For example, the hackers could have found a weak spot in an old device — the iPhone 5C used by Farook and owned by his employer, the San Bernardino county government — that Apple has fixed with updated security features.
Or it could have found something else.
“We may hear details later that there’s maybe something more fundamental as a flaw that allows people to break into iPhones, and Apple still doesn’t know what it is,” McClean said. “If there are details that come like that, there would be a larger concern for sure.”
One theory is the FBI can use the key on other phones in other investigations. But federal agents would have to have it in their possession before using it.
Unless the hackers “made a whole lot of money off it,” McClean said, they probably didn’t hand the decryption method over to the FBI. They might do better to sell it to someone else — say, another government.
“I think that there would be an enormous price that they could put on an exploit like that,” McClean said.
A closer look at data privacy issues
A second, longer-term issue pits the ability of government to do investigations against citizens’ right to protect their data.
Two Capitol Hill lawmakers, Sen. Mark Warner (D-Va.) and Rep. Michael McCaul (R-Texas) are trying to build a commission that would study digital security and make recommendations on how Congress should balance security and privacy issues. And a group of private-sector executives and former government officials are pushing for a separate initiative to address the matter, called The Digital Equilibrium Project.
That’s the right way to go, McClean said, as long as the members understand the technology they’re going to be examining. They can learn, he said, since the groups will include technology experts among their members, and other, outside experts can help them understand things like passwords and how encryption works.
But doing an extensive study of technology is a race against the clock. McClean fears that by the time any commission is done working, mobile devices will have biometric features — which identify authorized users by their physical characteristics — and stronger encryption, making them even harder to crack.
“So all of the technology issues that we may discuss over the next year may be moot before they finally come up with any kind of guidance,” he said.
But commissions can still do good on data privacy issues. They just need to be equipped with the right people asking the right questions, McClean said. They’ll have to discuss the various types of data that investigations might want to examine as well as the types of data that users of mobile devices have the right to keep private. They would also do well to look at aspects of European privacy law, such as the “right to be forgotten,” which creates a legal duty to destroy or hide information if requested. In Europe, people are considered the owners of their private information.
“I don’t think we have that kind of viewpoint in the U.S.,” McClean said. “Hopefully, we get enough experts that understand all of the ethical, legal, technology boundaries.”
Bill Michels, CEO and founder of Aripart Consulting, cautioned attendees at CPO Rising Summit in Boston on Tuesday that chief procurement officers (CPOs) have a very short window of time in which to make their mark at a company: The average tenure of a CPO, he said, is less than five years. And the terms of engagement are brutal: Corporate mandates to reduce costs in the supply chain set up procurement officers for failure since costs can’t be reduced year over year indefinitely without a breakthrough change, which is hard to achieve.
The problem, he said, stems from the need to ensure that supplier margins are sustainable over the long term. “You don’t want to run the supplier out of business. We want suppliers to reinvest in the business and innovate, continue to give us improvements year over year and we need them to be healthy to be able to do it,” Michels said.
But, he said, CPOs still need to reduce costs. “Here’s where you’re most vulnerable as a CPO,” he said. “Unless you can come up with ways to come up with innovation, breakthrough, change the specs, change something, you’re not going to do it.”
By the third year of a CPO’s tenure, “if you haven’t changed out your team, your process or the way you’re going about it, or educated management on the value [of the procurement team], you’re in a danger zone,” Michels said.
Value can be demonstrated by protecting the supply chain as a whole and supporting business imperatives to make more money. One example: A biotech company that Michels worked with was less concerned about cost reduction and more concerned about making sure that its supply chain continued to function.
“[Management said], ‘Build me a risk management system that works,'” Michels said. “They built a predictive model of all their suppliers and their supply chain. They identified which suppliers were going [to fail].” As a result of that analysis, the biotech company’s board of directors made a decision to spend $100 million to protect its supply chain, since that supply chain was feeding a $7 billion business. That decision obviously resulted in money being spent rather than saved, but because the expenditure protected the company’s ability to continue making money, the board of directors quickly approved of the expense.
Michels predicts that value will trump price in the future. Citing a 2014 study from the Institute for Supply Management, he said that CEOs are looking for CPOs who can deliver shareholder value, integrate the company’s supply chain, capture innovation and speed the process of getting products to market. CPOs who focus on cost reduction at the expense of these other key requirements will be the first ones looking for a new job.
Beyond the need to deliver value to the company rather than simply cutting costs, chief procurement officers also need to prepare for digital disruption. Michels told the story of a client of his who’d envisioned using artificial intelligence to identify suppliers around the globe, help produce RFIs and RFPs, and then make sourcing recommendations. He said that much to his surprise he learned that there’s a project underway at Stanford University to deliver such a capability through artificial intelligence.
He also suggested that the Internet of Things will have a major impact on the supply chain. “We’re going to have connected suppliers who are going to be able to transfer demand all the way through the supply chain automatically, and we’re going to wind up having perfect inventories and perfect solutions. I think the IoT is going to change your life,” he said.
Apple won’t be forced to build new software that would let the FBI into the iPhone used by one of the shooters in the San Bernardino, Calif., attacks. The bureau withdrew its legal action against the tech company Monday, and the FBI-Apple case is closed — for now.
Here’s a possible future chain of events: Apple will patch any vulnerabilities that allowed the unnamed “third party” helping the FBI access encrypted data on the phone, the FBI will be locked out of another iPhone in another investigation — and the feds will be back in court demanding that Apple help it break into the device.
A win for the feds would send chills down George Do’s spine. The CISO for Equinix, a Silicon Valley provider of data center space, said that if Apple is forced to comply with the order, it would set a “dangerous precedent” — his words as well as Apple’s — that would alter how companies do everything from plotting security strategies to just doing business. (Do spoke to me before the FBI-Apple case was dropped.)
“It would turn our whole world upside down,” Do said. “Depending on where this falls, it has the potential to change things very fundamentally.”
In the FBI-Apple case, the bureau said the software — essentially a new version of the iOS operating system — could be made for just the one phone, and then Apple could discard it. But CEO Tim Cook has maintained there would be nothing stopping the government from demanding that Apple unlock other devices as well.
If law enforcement agencies have that kind of power, companies that make, say, security software or mobile devices, will have to change the way they build their products. Encryption, no matter how strong, will no longer be best way to keep data from prying eyes, Do said.
“They’ll have to find ways around those challenges to manage risk — and that’s going to be hard,” he said.
Consumers of that software, like Equinix, would be affected, too, Do said. Encrypted security tools may no longer be the go-to software for infosec teams. It may also force them to make tactical shopping choices — especially if a certain software or hardware company is known to be in the government’s line of sight.
“Maybe we choose the company that’s less on the radar than a big, giant Apple, right?”
If a cyberattack extinguished the power to the electrical grid in Wisconsin, leading to a prolonged blackout, Maj. Gen. Donald Dunbar would have a lot of work to do. He’d have to turn the wheels of the state’s cybersecurity response strategy. He’d have to mobilize the National Guard he commands to help utility companies quickly get the power back on and emergency teams get to people who need immediate assistance.
Before he could do any of that in the hypothetical future, though, he needs to ensure that there’s communication and cooperation among public and private sectors in the state.
“Because I don’t pretend for a second that the state of Wisconsin or the National Guard is going to come riding in on a white horse in a cyber-event and save the day,” said Dunbar, who is the senior adviser to the Wisconsin government on cybersecurity matters. He spoke to an audience of business and IT executives at the recent Fusion 2016 CEO-CIO Symposium in the state’s capital, Madison. “We all have personal responsibility; we have corporate responsibility when it comes to cyber.”
The U.S. runs on private industry, Dunbar said, and to get it running again after a power grid failure, corporations need to work with the state government on disaster recovery preparations.
Public and private sectors, activate
The first thing companies need to do is tell the government whether they would need help in case of a power-crippling cyberattack, Dunbar said. The banking industry, for instance, invests heavily in cybersecurity and wouldn’t need much assistance from the National Guard. “It’s not on my radar screen.”
But many other businesses, communities and infrastructures are in the state’s line of sight — but the people in charge of them need to speak up so Dunbar knows what resources should go where. He said the state is now in talks with grocery store chains about their power-generation or backup capabilities. The National Guard may be able to ensure delivery of generators in populated areas to “get the power on and keep people fed in the community while the broader recovery happens.”
It’s a challenge to figure out the right chemistry of government and private sector involvement, Dunbar said. And there’s no finish line. He contrasted his present mission of ensuring readiness in the face of constant cybersecurity threats with flying in his early days in the military.
“You put the airplane in the hangar, you’re done. Well, there’s no getting done here,” he said. “It’s 2016. Long after we have departed this earth, this will be a problem for the people on the planet.”
Patrick Schiffman agreed that businesses and government need to team up and develop ways to respond to a widespread failure of the power grid. He’s IT manager at Nord Gear Corp., which produces motors and industrial components used in everything from conveyor belts to Ferris wheels. Together, he speculated, the public and private sectors could come up with creative strategies. Perhaps the government could give companies subsidies to build solar facilities; that way, they could operate without special assistance during a power outage. Or maybe the transportation industry could help the government get supplies to needed locations.
“It’s good that the discussion is happening versus, ‘Oh, we’ll be OK. We’ll figure it out when it happens.’ That’s not the answer,” Schiffman said.
Meantime, Nord Gear is making its own preparations for unforeseen events. The company is working to implement a cloud-based disaster recovery system, Schiffman said, “that will take our infrastructure, resources, our processes and be able to relocate them so we have business continuity of people, places and things,” he said. The company has six locations in North and South America.
“We’re assuming not all of them are affected at the same time because if they are, I’m not caring about the company anymore, right? There’s a bigger disaster that’s out there.”
The problem: Leatherman Tool Group Inc., a manufacturer of multifunction tools and knives based in Portland, Ore., updated its 20-year-old, DOS-based ERP system with Microsoft Dynamics AX, increasing the complexity of the system from one physical server to nine virtual machines. The upgrade to Microsoft Dynamics AX tied systems together that were previously siloed, enabling the company to better track products across the warehouse — from assembly to packaging to shipping. But it also created a new problem: slow data center performance, according to Dameon Kirchherfer, database and systems administrator at Leatherman.
The strategy: Because the new ERP system is dealing with an uptick in data volume, data movement and data complexity, performance issues were not unexpected, Kirchherfer said. In advance of the implementation, Leatherman purchased new hardware and back-end storage to mitigate those issues, but the data center performance issues persisted anyway. And the added complexity of the system made it difficult to pin down where the bottlenecks were occurring. The network and CPUs, for example, appeared to be functioning smoothly. “So we started our search into how we could speed up our data center,” he said.
The results: Leatherman turned to PernixData. Initially, the software helped reduce data latency by caching “hot traffic,” or traffic that needed to be moved the most frequently, closer to processors and RAM, according to Kirchherfer. And, it turned out, data latency was a symptom of another problem: The CPUs, which had been running at 50% utilization before the PernixData installation, couldn’t handle the speed at which the system needed to run. “So we upgraded our CPUs,” Kirchherfer said, providing Leatherman with improved performance speeds. Today, Leatherman uses PernixData’s infrastructure analytics product Architect to keep tabs on data center performance.
Blockchain technology — perhaps the hottest topic in the financial tech community — has finally made it on the radar of the U.S. Congress, but it’s been a long haul, much more education is needed and time is of the essence. Banks are scrambling to avoid disintermediation by the technology, according to U.S. Rep. David Schweikert, R.-Arizona.
Schweikert — who spoke at last week’s DC Blockchain Summit in Washington, D.C., and serves on the House of Representatives’ Financial Services Committee — said he has been following cryptocurrencies and Bitcoin for a number of years. The DC Blockchain Summit was hosted by Georgetown University’s McDonough School of Business.
“I will make the argument right now that only six or seven of my brothers and sisters [in Congress] even understand the basic mechanics of the distributed ledger,” Schweikert said. To combat that knowledge gap, when The Economist published a cover story about blockchain technology last October, the Financial Services Committee bought dozens of copies of the issue to distribute to members of Congress, Schweikert said.
Schweikert suggested that banks and other financial services companies are “scared to death” that blockchain technology will put them out of business. “If you’re in the money transfer business, if you’re in the credit card infrastructure business, if you’re the old processing systems, is this technology basically your disruptive threat?” he said.
Schweikert pointed to blockchain technology’s potential to enable peer-to-peer value transfer between people — without requiring a bank or government to enable or execute the transaction — as an enormous threat to community and regional banks. This threat is especially pronounced when you consider that there are many millions of people in the world who up until now have been “unbankable” — without access to a bank account and therefore unable to participate in a credit-based economy. With blockchain technology, cryptocurrency and a mobile phone, these people can join the economy without ever doing business with a bank, representing a huge lost opportunity to financial services companies.
And it’s not just banks that face disintermediation, he said; any company that acts as a middleman in financial transactions is at risk. “Say you want to sell stock,” he said. “Could I buy it directly from you and never have to have it land in another platform?”
Schweikert said that while banks’ biggest problems used to revolve around regulatory compliance requirements, today the biggest threats they face are cryptocurrencies.
He finished up his talk with a call to action for audience members, many of whom are advocates of blockchain technology. “What I will beg of you is, for those of you who have relationships with those of my kind, those of us who get elected and think we already know everything: Educate us on the upside here before — and I don’t have a delicate way to say this — before the control freaks find some way to destroy the incredible good this could do to our economy and the incredible good this could do for our world.”
SAN FRANCISCO — The debate on privacy vs. national security triggered by the recent Apple/FBI controversy lit up RSA Conference 2016, provoking sharp disagreement among panelists at one well-attended keynote. Leading cryptographer Adi Shamir said Apple had “goofed” and should have complied with the FBI, while data encryption expert Moxie Marlinspike applauded Apple’s stance, arguing that the company is performing a civic service by defying a court order.
The remarks came during Tuesday morning’s Cryptographers’ Panel, made up of pioneers and experts in the field of cryptography, which also included Martin Hellman, Professor Emeritus of Electrical Engineering at Stanford University, and Whitfield Diffie, cryptographer and security expert at Cryptomathic, both of whom received the 2015 A.M. Turing Award, or what moderator Paul Kocher of Rambus described as “the Nobel Prize for computer science.”
At the center of the panel discussion: the federal court’s ordering of Apple to help the FBI unlock the iPhone of one of the shooters in the Dec. 2, 2015, San Bernardino, Calif., terrorist massacre by creating new software to access the iPhone’s data. The FBI argues that refusing to do so compromises national safety, while Apple argues complying would create a “backdoor” that could set a precedent for creating systems to circumvent security.
The panel’s question: What impact will the possibility of technology companies being compelled by courts to create a tool that circumvents the security of their products have on national safety?
Most of the panel sided with Apple, saying that it would compromise national security.
MIT professor Ronald Rivest, who also heads the Cryptography and Information Security research group at MIT’s Computer Science and Artificial Intelligence Laboratory, said that compelling tech companies to provide extra keys or providing ways to dismantle their products’ security mechanisms is a can of worms unless Congress passes legislation that addresses thorny questions.
“Suppose we lived where this compelling can be done. Under what circumstances can this be done? How is the tradeoff done? Can anyone be compelled to do anything? Congress has to pass the law,” said Rivest, adding that the greater good of the country depends on both strong security and citizens’ right to have private conversations.
Hellman agreed, but added that he sympathizes with the FBI’s frustration and understands that its interest is not just in getting access to the data on a particular device, but with preventing crime.
“I think [FBI Director] Jim Comey is wrong, but we need to have a discussion on what is right for the country as opposed to what’s right for individual agencies,” he said.
Shamir, professor of computer science at the Weizmann Institute of Science in Israel, was alone in opposition, saying that while he is aware of the possibility of this case setting a precedent, the FBI is asking Apple to do something very specific.
“The FBI will give Apple a particular phone … to do something Apple is capable of doing,” he said. “It has nothing to do with placing backdoors in millions of phones throughout world.”
Shamir added that he believes the FBI has the advantage over Apple in this instance and that the tech giant made several “goofs.”
First, he argued, Apple made the argument that it is technically unable to help the federal agency with the investigation, but the argument failed because the FBI was able to point out specifically how Apple would be able to do so: create custom iOS software that would bypass or disable the iPhone’s security mechanism that limits how many times incorrect passwords can be entered.
“[Apple should] put out a new, updated system that will really prevent the FBI from [compelling Apple] to help them in the future, so that it is really able to make the argument,” Shamir said.
The second mistake Apple made, he said, is picking the wrong battle in what has been an ongoing issue while the FBI picked the ideal one to force its position.
“Almost everything is aligned in favor of the FBI. Even though Apple has encountered this in other previous cases, they decided not to comply this time,” he said. Apple should have complied this time and waited for a better “test case,” one in which its odds are better, Shamir added.
Marlinspike, founder of Open Whisper Systems, a nonprofit company that develops encryption software, aligned with the rest of the group.
Had FBI officials been able to access the data on the device, they likely would not have found much – there probably would not have been anything incriminating on the device; plus, the FBI already has a wealth of evidence, he said.
“The FBI already has all the certified call logs from cell phone carriers. It already has access to [the phone’s] iCloud backup,” said Marlinspike. “What the FBI seems to be saying is, ‘We need this because we might be missing something.’ … And the FBI seems to be saying we should consider their surveillance capability as something that is for our social good, and I don’t necessarily think this is true,” he said.
He put the Apple vs. FBI dispute on par with the legalization of marijuana and the legalization of gay marriage.
“How do we know we wanted to legalize marijuana if no one had been able to successfully consume marijuana because our laws had been perfectly enforced? … These developments would not have been possible without the possibility to break the law,” he said.
Kevin Cochrane was on the line from Paris. The chief marketing officer at Jahia Solutions, a Web content management software provider, Cochrane had a vendor pitch to make — but not before prosecuting a case for consumer privacy rights.
Cochrane, who’s been a CMO at Agari and at Open Text, and before that, the vice president of digital marketing at Adobe, believes a new age of Web content management is upon us — a “third wave” as he puts it.
Today, companies can no longer simply point customers the way to their online brands and goods, as they did in the first wave of Web content management. Nor is it enough to offer targeted, pertinent, personalized goods and services to customers, as businesses learned to do in the second wave. In 2016, it’s incumbent upon companies to take hold of the entire customer experience.
“That means taking responsibility for every customer interaction, online and off, whether directly through an employee or indirectly through a web site, to ultimately determine the lifetime value and happiness of the customer,” Cochrane said.
Managing the customer digital experience includes protecting consumer data and ultimately, in his view, enabling consumer privacy rights. “This is about making certain that we’re transparent about the consumer data we have, why it is delivering value to the consumer and putting consumers in charge of their digital lives,” he said.
Content management software in three waves
So what’s the pitch? In the Jahia world view of the Web content management software market, this third wave follows much the same pattern as the previous two: disruptive technologies change the conversation between consumers and the brands they do business with.
Browser, personal email. The market for Web content management software — the first wave — was created in 1999 following two technology disruptions: the advent of the modern Web browser and the rise of consumer email. Companies could build a web site and marketers could reach consumers in their homes with links that took them to that web site. By 1999, consumers were beginning to appreciate the convenience of shopping online. “And companies realized they needed to move from traditional marketing activities to marketing online,” Cochrane said.
Facebook, the iPhone. The market for Web experience management software — the second wave — was created in 2009, “again after three years of digital disruptions,” Cochrane said. In 2006, Facebook opened up to the world, and people didn’t have to be a student at Harvard to build digital social connections with family and friends. A year later the iPhone debuted, followed by the worst consumer financial crisis since the Great Depression.
“Marketers recognized that consumers didn’t just want convenience. They wanted immediacy in terms of feedback from their family and friends on their smart phone before making the critical decision to part with their hard-earned cash in a turbulent economy,” Cochrane said. Web experience management was all about targeted experiences on mobile devices and social networks.
Big data, IoT. “Now we’re at the forefront of the third wave,” Cochrane said. In 2013, with the popularization of big data and the availability of Hadoop, it became possible to process large volumes of consumer data for customer insights. A year later, the Internet of Things became manifest in wearables such as Fitbit and programmable, sensor-driven thermostats and security systems (e.g. NEST).
“What that meant was not only could you — in real time — process more data, you could collect more data than ever before about where the consumer is in the moment,” Cochrane said. “Consumers in the first wave wanted convenience; then they wanted immediacy. What they really want now is intimacy.” We don’t want to have to explain ourselves to a brand every time we interact with it.
Consumer privacy rights made easy?
Of course, Jahia can help do that — it sells technology that collects all this customer data, analyzes it and makes it available in real time to employees so companies can forge intimate customer relationships.
But, as Cochrane points out, customer intimacy depends on trust. So, in partnership with the Apache Software Foundation, Jahia is building infrastructure for consumer data privacy and protection — offering consumers the ability to click on a link, see what companies know about them and exercise their consumer privacy rights to delete the data permanently, anonymize it or stipulate that the data not be sold to a third party.
Sounds good, right? But will companies buy into it? “Brands that want to be leaders will be the ones to move faster and say, ‘You can trust your online experience with us; you can trust that personal engagement and intimacy because we are protecting your data,'” Cochrane said.
Consumer privacy rights as competitive advantage. I’ll believe it when I see it.
The Agile project management office (PMO) leverages the centralized portfolio management team to deliver on projects and products faster, said Michael Nir, president and founder of Sapir Consulting US and author of the book The Agile PMO. At last week’s Society for Information Management Boston chapter meeting, Nir identified four ways PMOs can do that.
Remove waste. “If there’s one thing a PMO can contribute on a portfolio level, it’s to start looking at what stands in your way of delivering value,” Nir said.
During his presentation, he identified two types of waste: process waste and project product waste. Process waste includes cumbersome documents that take a long time to create but no one bothers reading. A 30-plus page project charter is an example. Project product waste includes the development of product features no one will use.
Prioritize projects. For many PMOs, that means reworking the intake process for projects. Nir recommended PMOs apply Kanban, a manufacturing process developed by Toyota that uses visual cues to trigger an action.
One of the characteristics of Kanban is to use a pull system, enabling teams to take on projects when they’re ready, rather than a push system, which creates a queue of work.
The same technique can be applied to portfolio management by gathering all project requests and then prioritizing them into a backlog. Nir argues PMOs are in the best place to take on the prioritization task, as they have no horse in the game.
Allocate resources. If resources aren’t allocated strategically, businesses may find themselves in a classic airlines situation: If a plane breaks down or flights are delayed because of weather or a pilot becomes too sick to fly to a point where passengers have to be rerouted, an entire segment of the day’s plan collapses, he said.
“The solution is to use capacity allocation that works,” Nir said. He recommended CIOs read Critical Chain, a “business novel” written by Eliyahu Goldratt. The book takes a close look at the critical chain of project management, an approach developed by Goldratt that prioritizes resources as a major consideration for managing projects well.
Agile leadership. In a hybrid Agile/waterfall organization, executives and Agile teams aren’t speaking the same language and aren’t looking at the same key performance indicators. PMOs can be instructive in getting the two teams to see eye to eye. “You need to talk and agree,” Nir said. From his experience, that’s easier said than done. In one example from his own consultancy practice, Nir said he had to make the waterfall practitioners sit down with the Agile practitioners so that they could walk through the Agile manifesto together and negotiate basic terms.
“If we don’t do that up front, we’re going to pay for it later on by having disagreements,” he said.
In part one of this two-part blog post, Nir explains why PMOs are best positioned to become ambassadors of Agile.