The IoT Deluge

It was amusing to hear at a conference earlier this year, how one speaker had hacked into an acquaintances home network of smart devices and used this to scare the living daylights out of him one night, just to demonstrate the point that you need to firewall your home networks adequately. However, despite stories about peoples kettles and fridges being harnessed for use in Distributed Denial of Service (DDoS) attacks, the means for implementing Internet of Things (IoT) security frameworks already exist. If you go to any IoT event, someone will be promoting their IoT security platform. It's just that there is some catching up to do with the installed base of old unprotected SCADA systems and first generation "smart devices" to ensure that they are properly protected. As most of them were deployed with scant consideration of security.

Recently, it has become increasingly obvious that reality is beginning to set in about IoT exploitation. Businesses which want to exploit IoT in any meaningful way need to set about heavy duty industrialisation of key capabilities. Depending upon the business scenario in which you wish to exploit IoT, you may or may not have control of the end devices. In most cases you won't. So your solution may need to take into account different APIs for integration and different levels of security. It also needs to take into account that at any point in time, a significant part of the overall population of devices that you are communicating with may not be working for any number of reasons.

You also need to take into account the shear volume of data. IoT exploitation inevitably means large, fast growing volumes of data which has to be captured, sanitized, stored, analysed or exploited and managed according to relevant policies. However, many applications may need to take into account issues to do with geography; network bandwidth is not uniform within a county, let alone between countries. At sea it may be  extremely low compared with land. Legal jurisdictions can impact what is permissable from a privacy or even data export perspective.

However, key to scalability is the means to manage an IoT network. Each IoT device used by your solution will generate large volumes of data itself. Whilst attention to date has been focused on the application data, the volumes of event data for the devices, networks, associated installations and security devices could potentially drown the volumes of application data involved. Managing this data so that you can control the overall performance of the solution and optimise business outcomes, is a problem vastly larger than that which most IT organisations struggle with today. Automation is the only answer. Automation which brings all the data together, intelligently analyses it and visualises it for analysis is needed. IoT adoption, usually means changing your business model to do things differently and more intelligently. This cannot happen if you are not capturing and fixing problems as they happen as well as anticipating problems based on trend analysis. So Automation of monitoring and analysis is key. So automated monitoring is not just a nice thing to have because the DevOps boys told you it is trendy. Automation is key to survival. It has to deal with both operational and security incidents, and it has to be integrated across your whole environment. Point solutions are not good enough.

Fortunately, there is a new generation of tools which do this. They do it across hybrid cloud environments and deal with multiple protocols. Analysis of experience to date indicate that not only do they lead to dramatically shorter resolution times to problems (e.g. quarter to a third of previous times using traditional approaches), but to reductions in incidents (by similar margins) and therefore significantly reduced loss of value when problems occur. 

DIGITAL DECEPTIONS & ACCELERATION

It has been a great week for special events. Trump did the unspeakable and pulled off the Presidential contest in the US. Who would have forecast it?

Away from politics, there has been great excitement with the announcement that Dubai could host the debut of HyperLoop One's radical transit technology, linking to Abu Dhabi in 12 minutes and implementing Elon Musk's vision of near supersonic pod transport.

Sitting over a glass of Moldovan Wine (yes Moldovan) at the World Travel Market, in London's Excel, I casually bumped into one of London'd start up kings, Razvan Patrascioiu, see http://bit.ly/2fydFf4 , who is working on his new venture to ensure that London's visitors get to really enjoy the great restaurants that have become part of the capital's landscape. Later over Slovakian and Israeli wine on other stands I mused on the power of wine to connect people, especially in the digital world. So anyone who is remotely keen on this idea should check out the Chief Wine Officer on LinkedIn and Twitter. This is still my favourite digitaly enabled marketing vehicle and remains extremely effective at connecting CIO level people with technology providers.

Anyway, anyone who actually read my post about digital vikings, will know that digital entrepreneurs face defensive business fortifications which can derail their asymetrical attacks on new markets. This week Facebook halted the deployment of a Fintech Insurance app aimed at correlating facebook behaviour with driving behaviour. Facebook will not release the data to be used in the app. It's against their policy. Additionally, Uber was told that under UK law, their drivers are effectively employees and entitled to minimum wages and holiday pay. This just goes to show, that you need to able to respond quickly to set backs and if you cannot anticipate problems, at least plan to implement in ways that adapt to changes in circumstance and don't burn all your funds at once.

Finally in a great demonstration at the ACM Conference on Computer and Communications Security Hofburg Palace, Vienna, Austria, researchers from Carnegie Melon demonstrated how special glasses could be used to fool commercial facial recognition systems. For example a male test subject wearing the special glasses was recognised as actress Milla Jovovich..

Blockchain Frenzy

You cannot pick up a business publication these days without seeing something written about Blockchain or Bitcoin. Blockchain has pushed Big Data, IoT and Digital Business Models onto the sidelines. This has been accompanied by a huge rush to invest in the technology and thousands of start ups being established, hoping to exploit the technology.

Yet if you read the articles written about Blockchain, it is difficult to get your head around the subject. Recently, I read a comment by a Consultant who specialises in Blockchain noting his complaints about the complete gibberish being published about it. So I decided to educate myself on the subject and was relieved to find an introductory talk on the subject being run by the Business Information Systems Group of the BCS. 

What I learnt was:

- Blockchain is a protocol for a Distributed Ledger;

- It creates read only transaction records which are cryptographically protected by Hashing;

- Transactions are contained within time-stamped blocks; each block is hashed; the blocks are chained together in such a way that their hashes are based on their position within the chain;

- The main parties participating in the transactions get complete copies of the chains;

- Parties can only view the records which relate to them;

- The ledger can deal with anything of value and does not have to be limited to money;

- It is possible to apply some conditional business rules via "smart contracts".

The speaker has a great web site www.distlytics.com on which he has provided some good resources for learning more. It's worth a visit.

Put together, this makes for a highly resilient (to fraud or denial of service attack) means of exchanging value or valuable assets without the involvement of trusted 3rd parties. It also provides confidentiality, traceability or provenance by default. So there are many innovative initiatives and opportunities around it. Removal of the need for a trusted 3rd party would remove the need for brokers in certain types of transaction, whether it is financial, commodity or asset based. The provenance trail could be useful in art dealing or international antiquity import and export; conveyancing of property deals could become a thing of the past and so on.

There are some issues. Some are regulatory. For example tax and treasury authorities typically do not like the unmonitored and invisible to them. There also is potential for the use of the technology for criminal purposes on the so called dark web.

However the key issue at present appears to be scalability. The scale of duplication in very large markets is likely to be unsustainable, unless new concepts are added. It appears that existing implementations are only able to sustain modest transaction rates for comparatively small sizes of market. The duplication involves significant overheads on transactional complexity, network traffic and storage.

So if Blockchain is going to involve, there is a need for a standards body or user body to evolve the protocol for performance, APIs etc. At present this is interesting as the original protocol was floated by someone or collection of people using a pseudonym. So at present there appears to be no authoritative owner to legitimise such a body.

It will be interesting to see what happens next and how market forces will shape the evolution of Blockchain.

Platform Schizophrenia

This year I became aware that there are two definitions to Digital Platforms. Whilst I had been meandering around in IT Space thinking that digital platform meant services like AWS and Azure, our friends in Marketing Space had decided that digital market places were Digital Platforms. So to them ComparetheMarket.com, Deliveroo.com and Uber.com are platforms. 

Anyway moving on from this diversion, it has for some time been a surprise to me that amazon has dominated IT thoughtspace and the market for PaaS based Digital Platforms, whilst belatedly Microsoft pushed into the market with Azure. 

In recent projects I have been involved with both AWS and Azure as well as all sort of fun with the OSS tools which are available on them. To traditionalists coming across the database as a service offerings available is quite amazing. I was also blown away when a Solution Architect who had no experience of Neural Networks was able within 2 weeks to knock up a fully working and trained prototype of a Machine Learning application on Azure.

So it has become increasingly interesting to see that Google, one of the most born in the cloud companies going, has recently started promoting its services. One has to ask why did they wait so long, especially as they have always made much of the fact that their products are all architected around a SOA concept and the ability to expose themselves as services, both internally and externally.

Oracle and IBM have also appeared actively in the market place this year promoting their own special blends. 

The thing about this is that they all have really good stories to tell. You will note that I am not stating any preferences, as to be honest, anything I say about them today will already be wrong tomorrow as this is an ever faster moving situation. Today's facts will be obsolete tomorrow.

So what does it all mean to the average business trying to go Digital?

Firstly, the means are there. You have to be comfortable with the fact that terms and conditions are what they are. You need to examine the pricing and understand how this would play out in some key real world applications. However there is plenty available to "Free Your business from the Tyranny of Infrastructure" and Focus on Value. If you choose reasonable sensibly, you will be able to scale costs with business activity and exploit platforms which support Agile and DevOps so you can move quickly and lightly in the pursuit of opportunities. All the major vendors are investing significantly in security and if you dig deeper, most offer localisation options if data cannot move outside certain jurisdictions. Additionally there are industry certification schemes which many providers are signed up to. So a lot of inhibitors have been addressed.

The key issue is going to be how much do you insulate yourself from the risk that you may need to change platform provider. Business Performance, Legislation, Pricing etc. will change with time. So you may need an exit plan. Therefore, some thought needs to be given to insulating yourself from future supply threats. Where your application is going in for short term gains, e.g. a new financial instrument which will only be around for a a few months or perhaps a couple of years, this is not a problem. But if you are locking yourself into a platforms specific machine learning solution for years, you may need to think how you would deal with problems if the platform vendor ceases training.

In the end, however, we have always faced these problems. Finding a totally vendor agnostic solution has always been too complicated and too costly. So its time to get comfortable with not being in total control. The System of Systems concept of de-optimising components to integrate and optimise the overall performance of the Big System applies. You just need to understand your risk appetitie, your risks, how you want treat them, what you will accept, what you need to insure against and get on with it. The risks of not doing so are far greater.

Cyber, Robots, Digital, Oktoberfest, Gosling and Demming - all in one week

This week was eventful. It started with the announcement that the UK's National Cyber Security Centre had at last opened its doors, see: http://bit.ly/2dpPZJH. This was long announced and is an essential plank in safeguarding the UK's Digital Infrastructure and Capability. My concern is the glacial pace at which progress has been made here and the comparatively small amounts of funding that the Government has assigned to fund it.

Then someone posed a picture of a man shaking hands with a robot at AT Kearney's Digital Business Forum with the caption "Next gen employee greets legacy employee". This displayed typical 1930s thinking about the value of people drawing from the legacy of the original R.U.R. play Rossumovi Univerzální Roboti (Rossum’s Universal Robots) written by the Czech writer Karel Capek in 1920. In the play, a factory owner attempts to replace his high versatile human workers with mechanical machines, totally undervaluing the creativity and inspiration that people bring to the workplace. Digital models are largely about delivering this value not implementing mindless mechanisation. So perhaps the caption should have been about valuable human talent supplanting inappropriate technology.

Anyway, the highlight of this week was the IPexpo event in London. This had a wide array of suppliers and speakers. Notable about the event was the desire to celebrate Oktoberfest complete with free beer and people dressed in Bavarian costumes at 4:00 pm on the first day. Many of the suppliers were also offering beer at other parts of the day. It was a strange example of how modern "fun oriented" culture of digital start up companies is affecting the mainstream and making us weirdly 1960s and modern all at the same time.

James Gosling presented a captivating key note talk on liquid robots covering his current involvement with Marine UAVs used for data collation in remote seascapes and the IoT practices needed to make this work. The UAVs themselves are very cool, capturing wave energy and converting it into propulsion.  The techniques for transferring data from the middle of oceans, where there is very poor bandwidth available even from satellites, were also very interesting with the same data being transfered by differnt networks and routes to increase the reliability and speed of data transport from the UAVs to the place where it is analysed. The interesting point that he made was that Scalability is a relatively trivial issue for IoT. Security and reliable Availability are much more important.

Two other talks were really good. Mathew Skelton (skelton Thatcher Consulting) gave an illuminating talk on anti-patterns for continuous delivery (aka DevOps). He confirmed my viewpoint that typically you need roughly 1 operations person working continuously with each Product Team, to avoid the bottleneck that some traditional ITIL shops have introduced with undersized change management functions.

Derek Weeks also gave a well researched presentation on the use of Opensource software and how modern software product development practices have now become highly analagous with manufacturing and supply chain practices. He presented interesting statistics on how much open source code contains security and legacy debt bugs. His premise being that Deming's (the father of Quality Management) recommendations to reduce the number of suppliers and quality assure bought in products can raise productivity in the adoption and exploitation of Open Software.

GDPR Bricks and Mortar Defence or Digital Viking's Inspiration

GDPR - the General Data Protection Regulation - is the next wave of personal data privacy regulation from the EU and is expected to go live mid 2018, i.e. pre-Brexit. This generally tightens up privacy requirements in a number of areas and has been a theme of discussion at a number of Cyber Security events this year, including today's InfoSecurity Magazine event.

Anyone interested in "Things Digital" should ask themselves, will this act as a regulatory defensive wall for old fashioned Bricks and Mortar / Industrial Age companies to shelter behind, or is it a new discipline or challenge for digital Vikings to embrace?

A couple of today's speakers made some interesting observations and comments: 

• GDPR means that you need to know the What, Where and Why of Personal Data, especially customer data;
• Regulation should not drive data security, Security Should Drive Regulatory Compliance;
• There is a strong case for Digital Companies to adopt Social Digital Responsibility as Part of their Brand.

In a way, it should be easier for purely Digital companies to do this, as they are mostly starting from scratch with few of the problems of IT Estate Sprawl that many established companies have, with legacy systems, infrastructure and the typical complications inherited from previous defunct strategies as well as mergers and acquisitions. 

Also, in a previous blog, I mentioned that many digital companies actually regard this data as part of their IPR. So addressing GDPR (& other jurisdictional requirements) should be core to their business activity. Although future approaches toward collection and explicit consent may have to be sharpened up to meet the new requirements.

The implication is that Digital company that plans and builds Privacy Protection in from Day 1, will actually be building its own competitive advantage over traditional companies who mainly will be playing catch up.

It's strategy Jim, but not as we know it ...

A friend of mine who was a leading light in the development of Information Strategy and Architecture practices in the 80s and 90s, retired a few years ago. The key driver being his disillusionment with organisations who said that there was no time for developing strategy.

In the time since then, Enterprise Architecture has enjoyed a considerable re-birth and growth, everything has gone digital and organisations have started to publish strategies which read more like marketing guff expounding bland benefits, than anything which informs the reader or directs action.

A couple of things have brought this to mind recently. the first was that I picked up a copy of Richard Rumelt's "Good Strategy Bad Strategy", in which he emphasises the need for a situation diagnosis of what is needed to succeed, proposing an integrated and coherent policy which addresses this, and a small set of supporting actions. This is a great read and worth while for anyone interested in Business Strategy.

Yesterday, I went to very stimulating talk about post merger integration by Henry McNeill at the British Computer Society. Afterwards as we huddled around the wine and sandwiches, several key themes came out:

• Many companies are still not aligning acquisition activity with business strategy;
• There was violent agreement that clarity of the aims, target state and value proposition of an acquisition is imperative for successful integration;
• Participation of IT from due diligence onwards, provides an ideal opportunity for IT to show how it can help the business articulate and deliver against a strategy for the exploitation of the newly acquired business. Sadly, many organisations are still bringing IT in on Day 1 after deal completion and missing opportunities to mitigate risks and address early integration opportunities quickly. Some still take years to work out what to do with them.

This brings me to the point of today's commentary. My experience has been that almost all business strategies are usually incomplete and fail to unify the senior management of the business. IT needs a coherent exposition of Strategy which identifies the "game changing" opportunities or risks in the business market place to be able to prioritise its investments, define what common capabilities are needed and to support effective innovation. Working with business leaders at C suite and direct report level to "elicit the real business strategy that they work to" and agree the opportunities is valuable to the business as a whole. It's often a great way to get everyone to understand each others problems and can help unify purpose.  However, its got to be continuous to support the ever shifting business environment as businesses go Digital and Agile. Strategy has to take a Fail Early, Refactor and Learn approach to continuously calibrate its diagnosis, unifying policy and action plan. There's a role for the CIO in this.

The Way of the Digital Leader

What Makes a Digital Leader Great? For many years now it has been clear that other C Suite and senior managers have been increasingly impatient with the efforts of the Information Function to deliver innovation. At the same time it is vitally important to deliver existing services robustly and drive down costs as globalisation and digital delivery increase competition and customer expectations.

In parallel there has been long been a strong movement to "Manage IT as a Business-within-a-Business" or what I call "The Business of IT" (TBIT). Recently this has morphed into a trend for describing the CIO's role as being the CEO of IT. This is important as one of the key roles of a CEO is to think and act in the 3 functional dimensions of his organisation: Control the Business, Do the Business and Support the Business. This is key to building an integrated senior management team which acts coherently with the same unity of purpose. Failure to achieve cohesion will undermine the success of any investment in IT systems, as the business will fail to exploit the potential value.

At the same time there are initiatives such the TBM Council's work on developing "Technology Business Management". This focuses on the conversations that the Information Function must have with other parts of its Business. Key to this is agreeing upon and demonstrating value and cost with transparency.

However for TBIT to be successful, the "Right Value" needs to be identified. Whilst the CIO cannot do this on his/her own, the CIO needs to be stongly plugged into the Business and its Market. Understanding of how the Business Operates, its strengths and weaknesses and the issues that it faces is a start. Understanding the trends within the market place and positioning of key competitors is another milestone. But overall, there needs to be understanding of the customer's needs, desires, frustrations and experience, as well as anticipation of how they may change. Lastly, there needs to be empathy which identifies who else deals with your customers, in a non competitive but complementary manner, and how they could collaborate with you to deliver more.

One more plank is widening the sources of innovation to exploit capability and knowledge that existing partners can bring to the Business and networking with other sources of ideas, e.g. former colleagues from the Business, analysts and academic thinkers.

If I put this together, the answer to the question may include a leader who:

- has good social skills (or at least works on them) and networks with key internal and external stakeholders,

- looks outward and understands the "big rules of the market place",

- builds an effective team which can deliver and gets on well with each other,

- works well with the rest of the C Suite and their teams,

- is lucky enough to work in a business with a healthy collaborative culture.

So just as digital enterprises are moving to understand each customer's individual needs better and make customer interaction more human, the digital leader needs to focus on empathy for success.

 

Are You Ready for Digital Disaster?

We all know that we should have a Disaster Recovery / Business Continuity Plan. Yet most of us have worked in businesses where this is a convenient afterthought. Even when businesses have them, active testing of them is often patchy at best. Many businesses aspire to do this at least once a year, fail to meet this target and even if they do, they then brush a lot of things under the carpet.

For many years the key concern has been a major fire, followed by lesser concerns about flooding, terrorist attacks and other major natural disasters. Statistics suggest, that in the UK the typical rate of major fires is around once per hundred years of a data centre's operations. This is actually a very high high rate. Although in actual practice the more frequent major incidents which disrupt operations tend to be caused by more mundane things such as loss of power from the grid, major network switch failures within the the data centre or loss of telecommunications coming into a data centre.

Many businesses have been content to make minimal investment in preparations and accept the risk. They have mostly got away with this despite urban myths about the high percentage of businesses, suffering major incidents, which go out of business. Though if you personally have ever lived through such an incident, you would not want to do so again.

This complacency is looking increasingly out of place as enterprises go digital. For one thing, operations become impossible to deliver with failure, for another the increasing frequency of "Cyber Attacks" means that the old cosy assumptions are no longer valid and not only may operations be disrupted but valuable information or IPR stolen and an enterprise's reputation destroyed along with customer confidence.

The increasing pace of change inherent with modern digital business, based on Agile and DevOps styles of continuous change, also mean that an annual test is laughable as recovery plans will never be up to date if annual refresh thinking continues to dominate. This will also exacerbated by use of multiple SaaS, PaaS and IaaS services. As although each one used may increase the theoretical resilience of the enterprise's systems, it also complicates the inter-dependencies between them.

Business and IT Management Teams need to actively engage in preparing for major disasters and incidents. This means several things need to be addressed:

- capturing all changes to the systems and process lanscape, especially adoption of SaaS services, so that current architecture is documented, understood, risk assessed and continuously revised in recovery plans;
- regular incremental testing of recovery plans to address changes to the systems landscape;
- conduct of scenario "war games" to evaluate responses to different types of threat, taking into account that under Murphy's Law key people may be unavailable when a major incident occurs;
- regular review of major 3rd party services that the enterprise relies upon for the suitability their response capabilities and likely behaviours;
- media training of all senior executives and managers who may be called upon to represent the enterprise in the event of an incident, taking into account that some of them may have been incapacitated by the incident or away from the business.

Not many of us work in enterprises where all this happens, but most of us need this now.

Death of the CIO

Over the last thirty years I have read the orbituaries of many IT professions.

I cannot count the number of times that I have read of the death of the programmer as some new type of tool was supposed to make everything so easy that programmers would soon die out. 4GLs (or Fourth Generation Languages were supposed to do it in the early eighties, Workflow in the nineties and more recently rules engines). Each time the promoted nemesis has turned out to be more difficult to use than its promoters sales pitches would have you believe. Each time some other technological progression or change has introduced new complexities which need detailed technical knowledge. Always there have been things that these tools can not do, requiring specialist programmers to address short commings.

Likewise, the analyst was supposed to be killed by RAD and then Agile developers, yet we need them even more than ever.

Architect, too have been in the line of fire. At the end of the nineties, as the first internet boom took hold, we were told that there was no time for strategy and we were advised to stop worrying about architecture. Then in the late noughties the current fad for enterprise architecture took off again. So it was not a surprise that I was invited to a debate about "Whether Agile is killing the Architect" a few months ago. Everything is cyclic and Agile only really works well when the overall architecture is pre-planned, unless of course the solution is so trivial that it does not matter.

So it is no surprise then that we often see pundits trying to stir the pot with assertions that the CIO will die out. The most recent justification being that Chief Marketting Officers have stolen the "Chief Digital Officer" crown.

Interestingly enough, a recent global survey run jointly by a well know recruitment agency in partnership with a big 4 consultancy, showed that there is a resurgence of CIO roles here with an increasing proportion of them taking on the role of Chief Digital Officer.

This is unsurprising really, given the range of skills needed to be an effective CIO. They are quite different to those required to be a Chief Marketing Officer and what we are really witnessing is the end of another fad, as the CIO's role adjusts to deal with the new opportunities and challenges involved to shifting to a digital business agenda.

Does Anyone Remember the I in IT?

I entered IT in the era of proprietary methodologies and the ascendancy of "Information Engineering". Since then much has changed and everything has become "Digital". Yet increasingly, I have noticed that people who have entered in the last 10 year don't appear to understand data or information.

The IT profession has been caught between Object Oriented thinking, COTS dogma and the assumption that everything is now available "as a Service". Whilst at the same times our colleagues in other disciplines just ask for more innovation, business insight and new capability, whilst we are struggling to keep the lights on with operational services and legacy infrastructures.

In the last 6 months I have been to events where the discussions have revealed the dangers of this lack of focus on information. At one event, everyone confessed that they had lost control of customer data. Most organisations do not have a single source of the truth for customer data that they can trust. In many cases, customer data is littered across many systems, is incomplete, untimely, incoherent, duplicated with inconsistencies or just plain wrong.

At another event it was made clear that Digital Businesses regard customer data and data about their preferences, behaviour, buying patterns etc. as their most valuable Intellectual Property Right. At the same time legislation in multiple jurisdictions is making it essential that organisations control, protect and manage their customer data.

When you look at core capabilities for Digital businesses it is also clear that getting to grips with customer identity management is also essential. In fact, this is just one dimension of engagement. Truly digital businesses manage all their stakeholder interactions, internal and external, with customers, partners, regulators, employees and prospective talent digitally. Then there are the challenges of integration and obtaining insight from Business Intelligence and Big Data.

If you put this altogether, Information has to be back on the menu for IT attention. The model however has to be changed. Just as with Finance, budgets are devolved within a governance framework to other functions, certain information management tasks need to be devolved from IT to the people who gain the most benefit from the information.

Are You A Digital Viking?

The Vikings were famous for travelling light, moving fast and raiding unpredictably. Where they encountered problems or set backs, they rapidly learned from their setbacks, changed approach and attacked with even more vigour. Their main motivations were to gather as much silver and gold as they could, as well as to obtain and settle on arable lands. As a result they spread extensively over Europe and towards North America. Russia, the Baltic States, Britain, Ireland, France, Greenland and Iceland were all impacted and shaped by them and their trade networks reached out into the islamic world. Key to their success was not just the simplicity of their approach, but also their discipline and the passion with which they pursued their goals.

In many ways this parallels what is being seen with modern digital businesses and the agile approach that they take to product development. It seems that every week we read of or start using a new digital service or business which is attacking entrenched market places, disrupting well entrenched businesses and overturning market places, by inventing new business models and re-writing market place business rules. Mostly this is as a result of trying to understand what customers value and address customer business experience. Then they pursue multiple rapid developments resulting in quick evolution of products and gaining insight into what works in their market places. Key to this is the scalability which is achievable by keeping things simple. If he were alive today, Stalin might have rewritten his observation about quantity to say that "Simplicity has a Quality all of its own".

So how does an entrenched business learn to fight back. The vikings were defeated by Alfred the Great who focused on a number of key strategies: he fortified the major towns so that the population could retreat behind stone walls and take their treasure with them; he blocked major rivers with stone bridges which were easily defended and difficult for viking long boats to get past; he developed a navy to patrol and intercept them and he developed a trained army which could fight them on an even footing when he lured them into battlefields of his own chosing.

So what does this teach a traditional bricks and mortar business with much of its capital tied up in assets? The first thing is that many of the modern digital vikings are slow to conform with all regulatory requirements. So a business should look at how it complies and try to optimise between meeting regulations effectively and doing so in as simple a way as possible. This raises the barrier to entry and acts as a defensive wall.

The second issue is that many of the new entrants are actually offering a new market service. They connect customers and suppliers in a value added manner. Existing businesses need to get together with competitors to develop their own market services. This is like building a navy to head off the vikings before they get to shore.

The third measure must be to build agile (and then DevOps) product development capability so that traditional products are continuously revolutionaised so that it is difficult for a new entrant to beet an existing product. (This is like building a capable army).

Finally, existing companies must protect their own IPR and customer related data. They must then build BI (and then big data) capability which can be used to develop new insight into customer behaviour and what works for customers. It may also help identify what additional services could be sold alongside existing products to optimise business value. This may involve building new collaborative relationships with other enterprises who sell different things to the same customers, so that they can then bring new digitally enabled value propositions to customers. Getting there before a new entrant, effectivel denies them access to the market and is similar to building a stone bridge across a river to deny a long boat access to the rest of the river).

MAD Chickens

Does Your Business Fail To Act Boldly with Acquisitions?

Many of us have been involved in someway with Mergers, Acquisitions and Disposals (MA&D or sometimes know as M&A). We all know that there is a low success rate with acquisitions, as more deals result in destruction in value for the acquiring party than those which increase value. Indeed, I often think of the vintage 60s film "It's a Mad, Mad, Mad, Mad World" as an allegory for a badly executed acquisition.

Historically businesses have tended to treat acquisitions one-dimensionally, with some just regarding them as legal deals and others as a financial transaction. Only recently have management teams begun to take a multi-disciplinary view to MA&D deals, but still they seem to have a blind spot around managing change or the importance of IT integration.

Overcoming Obstacles To Change

There's a critically important phase during the first 6 months or so of a completed transaction where the conditions for success are established or not. During this point it is essential to sow the seeds for successful cultural integration. That is we need to establish the emotional connection between the people within the acquired company and the acquiring company (note even in mergers and join ventures there is normally a dominant partner, so I am assuming acquisition in all instances for simplicity). We also need to establish management control, demonstrate to customers that we are integrating and going to offer something more, and to ensure business continuity. I call these the Cs (culture, continuity, customer interface and control).

IT is essential to this in a number of distinct but important ways, but often management teams fail to invest soon enough in all the Cs. Excuses often proferred are "it's a people based business and we don't want to scare talented people away and lose the value of the business" and "part of the price is performance related over the next N years, so we must not do anything which distorts the picture of performance". This tends to build failure in from the start.

Human Reactions to Change

If you have been through an acquisition yourself, you will know that most employees fall into one of three camps:

The Curious - who want to explore the new business and identify opportunities. These are the natural change agents and entrepreneurs within a business and usually the people you want to keep and encourage as they will create new value in the future.

The Troops - who although they may be wary of change are happy enough to follow where they are led, if only someone would show them the way. They are also the people you want to keep as they know how the business operate and deliver its value.

The Deniers - who want to defend how things used to be, defy change and block progress. Often they will willfully act to preserve their independence or even try to take over the acquirer from within. They may be the people who have destroyed value in the past (which could be the reason that the business was up for sale in the first instance). You may actually need to lose these people to assure future success of the merged new entity.

What IT Can Do To Encourage Cultural Change

Modern change management practices have shifted from trying to convert Deniers to encouraging the Curious and enabling the Troops. In this vein, then IT should be at least doing the following during the first few months of an acquisition:

(A) Ensuring that all essential service contracts and licences re reassigned or replaced; 

(B) Re-branding against the new identity in all systems and outward facing Web sites;

(C) Putting everyone onto the same connectivity infrastructure: e-mail, intranet, collaboration tools, mobile working toolsets;

(D) Ensuring that everyone belongs to the same security and access control systems: e.g. integrated active directory, security passes which work at each site where people work;

(E) Merging HR systems and payrolls, so that everyone is performance managed and paid in the same way;

(F) Establishing basic common controls for high level performance reporting;

(G) Then, launching a project (or programme) to integrate essential ERP processes.

This will not only ensure continuity of the acquired business, but enable the curious to explore and remove excuses for inaction which often prevents successful integration. It will also remove many of the subliminal "them and us" barriers which separate members of the previous historical organisations. Once this happens, then it is possible to pursue new opportunities where the combined capabilities of the 2 former businesses can be multiplied to deliver new value.

Cyber Fear and Digital Defence

How do we deal with the proposition that we are already penetrated?

Ever since the rise of the Advanced Persistent Threat and Socially Engineered Attacks the term Cyber has taken on new meanings and the IT Security industry has become one of the most vibrant sectors of the IT Industry.

At the European Infosec Event this week over 400 vendors were promoting their wares with the expectation that more than £1Bn of orders will result.

I have been to 3 such events recently and the range of issues arising has been phenomenal.

Planning and rehearsing for major events has become de rigeur with CIOs and other senior stakeholders needing to take media training. The industry has responded to Digital Challenges with a range of products providing cloud based security monitoring and encryption. Products similar to Military Battlefield Management Systems provide overarching monitoring, control and simulation systems. There is a high degree of inter-operation between many products and innovative products conduct network discovery and behavioural anomaly detection to track down new attacks using advanced machine learning and statistical analysis. There are even niche products for things such as system administrator control and user recognition via typing pattern recognition at keyboards.

However, one family of products disturbed me. There are now systems for monitoring user behaviour and predicting who is likely to cause a major leakage incident. This sort of big brother system is going to take significant effort to tune so that unfortunate false positives are avoided. Once people are used to them, they will be readily gamed. Whatever happened to actually managing and knowing the people who use your systems?

The End of Digital Adolescence

Are we growing from just talking about it to doing it?

Over the last 18 months I have attended a number of events with CxOs and other senior stakeholders from many different companies.

A key theme has been that we are all being pressed to do something, as we all work in organisations where customers, employees, business partners and senior managers expect us to be doing something and most of us have.

A key concern has been that we are all scared that we have missed something. Is there an "Unknown Unknown" that will emerge to destroy the new value that we are trying to create. We have all been thinking a lot about the subject and I think that collectively we have come to the following conclusions:

The 3 technologies that we have to get to grips with are:

• Identity Management (and subscription)
• Encryption
• Integration

The things that we should worry less about are:

• Security of the various PaaS and IaaS offerings, as the vendors who supply them spend a lot more time and money securing them than most user enterprises can dedicate or afford;
• Traditional technology selection approaches and worries about vendor lockin - the richeness, utility and value of the continuously evolving offerings obviates the need.

The things that we need to get good at are:

• DevOps - so we can move at Digital Clock Speed
• Service Integration (or SIAM) - so we can run this seamlessly from end-to-end
• (agile) Enterprise Architecture - so we don't lose track of what we've got (where we are spending money) and what we want to achieve in the future
• Security Governance - again so that we

The conversations that we have with other stakeholders in our businesses should focus more extensively on Business Value, rather than infrastructure maintenance and "keeping the lights on". But we also need to establish a different approach to projects, applications and investments, as the traditional ROI based Capital Appraisal, Invest and Forget model does not fit the continuous evergreening needed to sustain Digital Assets and keep them relevant in the face of customer demands.

There are plenty of other things as well, each worthy of a blog of its own, but this is the gist of all these discussions and power breakfasts.

The End of Outsourcing?

Most of us who have been in the trenches dealing with Outsourcing Partners in the last few years are puzzling over where it all is going. 3 major forces are changing the current model as we know it:

(A) Exhaustion of the Indian (or Off-Shore Labour Arbotrage) Value Proposition;
(B) The move to Everything as a Service (XaaS) as new players offer different types of service;
(C) The death of Monolithic Service contracts, as enterprises pursue increasingly complex Multi-sourcing models.

The original attraction of the Indian model was access to a large pool of well qualified talent which was artificially cheap as a consequence of exchange rate differences. As the offshoring model was pursued, the "Unseen Hand of the Market" has moved to erode the price benefits through year-on-year wage inflation and adverse currency movements. Additionally, as demand has risen, the talent has "followed the money" impatiently pursuing promotions, increased status and the opportunity to only work with the latest technology. This has led to unfettered job hopping, resulting in the loss of knowledge and the failure of individuals to develop deep experience. This has eroded the value proposition around talent. On top of this long distance relationships carry a heavy overhead in building them up and maintaining them, and the off shore players have developed business models and practices which assume that demand will continue to build at the same aggressive rate as previously. Many enterprises are actively taking things back on shore or in house.

The move to XaaS means that many of the traditional "box shifting and box running" services which were foundational to classic outsourcing are redundant. The traditional outsourcing players are losing the core "economy of scale" type services which they used to provide to IaaS and PaaS providers. Further more, the opportunities around traditional application based services are being eroded by SaaS providers. So although there are some niche opportunities where things like European data protection legislation or defence contracting requirements offer some opportunities, most of the market is moving to platforms such as those offered by Amazon and Microsoft. 

The continuous move to multi-sourcing started in the late 90s and has gradually built up steam over the last 20 years, especially as XaaS is now becoming the norm. This should also offer opportunity to move up the food chain to offer more value added services around Service Integration. Yet there is little evidence that any of the main outsourcing giants understand Service Integration or that there is appetite within customers to pay for it.

When I look at it, even in the area of Cyber where Security Operating Centre (SOC) services are in increasing demand, it seems that new entrants from the Aerospace and Defence industry have recognised and pursued the opportunities more aggressively, building both technical capability and market credibility.

So if you are looking at your service and sourcing strategy, it's time to think about what your model is, what kind of suppliers you need and to quiz them on their vision and direction. Otherwise you may be lumbered with a failing partner.

Should The CFO report to The CIO?

Is it Time that the CFO Reported to the CIO?

Attending an industry event the other week, I was struck by the comment that "CIOs were moving out from under the shadow of the CFO". The event was presenting the results of a recent global CIO opinion survey conducted by Harvey Nash and KPMG. Other questions had focused on who is responsible for Digital Strategy and it appears that Marketing is now giving this role up and starting to hand it back to the CIO.

Any reader who has worked in the finance industry will have long ago understood that "Money is Information", reversing the old adage that information is money. Basically, since almost all currencies moved off the gold standard, money has become nothing more than a promise or just life's brownie points. Its value only exists, because we chose to assign it value as it has no intrinsic value of its own. These days it consists of little more than data stored on some medium or being transmitted from point-to-point in transactions.

If this were the only issue then the CIO's claim might be considered a little tentative. However, in the modern digital economy, many industry pundits are quoting the statistic that "80% of an enterprise's value lies within its IPR". This IPR normally being stored and managed in the form of information (or sometimes knowledge embedded within IT systems and IT enabled processes). Given that digital businesses now appear to be outstripping traditional models in terms of growth, profitability and survival, it is a good time to review the relationship in many enterprises between CIOs and CFOs, and many are beginning to question it.

Personally, I am not sure that either should report to the other. CIOs should be there to help grow and sustain enterprise value. CFOs have traditionally been there to husband and protect money, ensuring sensible separation of duties. My experience has been that CFOs tend to come in 2 types: those who control (and tend not to be that imaginative about how to grow a business) and those who are entrepreneurial (and tend to be a bit too lax about controlling money). The former type is a bad fit for IT, the latter may be a good fit for IT, but can be bad for the overall financial health of the business. 

I do think however, that there are things that CIOs can learn from CFOs, in terms of the way in which budgetary control is shared within a business, but with the CFO providing the governance framework and control. CIOs should be doing something similar with information governance, so that information quality is managed appropriately.
CIOs can give back too. Increasingly CFOs are expected to provide Management Information services based on management accounting and BI. there's a lot which CIOs can advise on there with respect to techniques for fast delivery and ensuring that information integrity is maintained.
Its time for genuine partnership to help grow the business.