Showing posts with label ITIL. Show all posts

Wednesday, 1 August 2018

IT and Digital's New World Order

A common theme in many IT departments or functions is the "Them and Us" relationship with the rest of "The Business". Miles of column print are given in IT publications and by analysts to emotional hand-wringing about the lack of connection with colleagues in the business, and multiple surveys examine the CIO's role and status in the business as well as his or her relationship with the CEO.

Recently, however, the press has been distracted by the idea of automation, of everyone being replaced by AI-based automation and the supposed death of many jobs, without actually bothering to analyse the capability of AI tools. The fact is that they are both powerful and limited at the same time, and it takes an awful lot of training to get some quite basic capability out of a machine learning application. Anyone who has used Alexa (Amazon's voice-based AI agent for automating your home, answering general knowledge questions and playing music) knows that you can be both delighted and frustrated by her ability to do what you want or to get it so completely wrong that you wring your hands in despair.

In reality the things having the most impact in the UK are Brexit (because it is used as a general excuse for not making decisions and refusing to hire new staff) and the impact of XaaS and Lean. These are gradually evolving the way in which products are developed and the way IT works both within itself and with other people in the wider business. It's no longer appropriate to organise IT around functional silos and gatekeeper roles, which slow down progress and frustrate our business colleagues. The move to end-to-end product teams and more integrative roles means that IT needs to shift its mentality from reclusive castle dwellers to engaged collaborators, as IT becomes a fundamental part of business operations. The rest of the business has to do this too because, when you look at it, most other functions suffer similar problems of angst and feelings of under-appreciation.

The most difficult part of the evolving role is how IT relates to Business Operations once this transition has been made and IT is properly organised to align and integrate with Operations. This means that many traditional assumptions around how to implement ITIL, organise testing or approach enterprise architecture (for example) need to be revisited. People in IT need to move towards taking more interest in the business and its customers, as well as in what a collaborative culture looks like. It also means that CIOs need to become more assertive (not aggressive) in engaging with their peers to understand and agree business priorities, as well as partnering internally and externally to move quicker to address urgent needs. Old ideas like "boiling the ocean" with monolithic technology change initiatives need to go. Smaller, quicker steps and daring to experiment are now the order of the day. Rigorously pursuing simplification, security hardening and IT automation in localised areas as these steps are taken is the path to earlier value delivery. This means that 2-speed IT is a misnomer; it's more like 6-gear, 4-wheel-drive IT, which adapts to different terrain and problems.

Tuesday, 9 January 2018

Does Your SOC Need Darning?

Micro Focus (the new owner of much of HPE's former software division) has released the 2017 State of Security Operations Report.

This presents the findings of an analysis of the Maturity Model levels of practice in enterprise Security Operations Centres or SOCs. For those who are uninitiated, SOCs are a relatively new organisational construct within IT and are responsible for assuring that there is ongoing monitoring and analysis of an organisation's IT operations to ensure that vulnerabilities are detected, intrusions are caught and problems are rectified, although there does seem to be a great deal of diversity in people's interpretation of the exact scope of this remit.

Maturity Models (see CMMI) typically categorise maturity in 5 levels which address process and practice standardisation as well as feedback loop control via metrics and optimisation. 1 is ad hoc, 2 is repeatable, 3 is uniformly standardised and so on. So most organisations will aspire to level 5 as an acceptable level of conformity, though the actual scope of coverage is important too.

Many enterprises have adopted SOCs to help deal with the ongoing climate of cyber threats arising from things such as simple viruses, spear phishing, ransomware and Denial of Service attacks.

The report is quite sobering. Close to a quarter of the assessed organisations failed to achieve a score of even 1. Only a fifth appear to be making headway and the overall average score is less than 2.

The report finds that much SOC effort is wasted dealing with false positives arising from little standardisation and poor configurations of equipment. This underlines the operational hygiene issues of having accurate CMS data and consistency in build and installation. Knowing what you have and standardising as much as is practicable does not just make it easier to operate an IT estate, but also to protect it by detecting anomalies and other problems. These are practices which not just ITIL but also DevOps considers essential to robust operations and change management.

The report also shows problems with working out the right blend of insourcing and outsourcing as well as skills retention.

Overall there are signs within the report of slow but gradual maturing of approaches as well as better pooling of knowledge within organisations. But it is understandable, given the scale of issues that people face, that Splunk for instance promotes the adoption of a Lean SOC approach and gradual incremental implementation of SOC capabilities to address business priorities, one at a time.

Monday, 17 July 2017

Digital Adoption Framework

A lot gets talked about Digital, but there are few comprehensive approaches to adoption available for reference.

This is why I was interested when I came across Vadrim's DAF diagram, reproduced below. Enjoy!



Friday, 7 October 2016

Cyber, Robots, Digital, Oktoberfest, Gosling and Deming - all in one week

This week was eventful. It started with the announcement that the UK's National Cyber Security Centre had at last opened its doors, see: http://bit.ly/2dpPZJH. This was long announced and is an essential plank in safeguarding the UK's Digital Infrastructure and Capability. My concern is the glacial pace at which progress has been made here and the comparatively small amounts of funding that the Government has assigned to fund it.

Then someone posted a picture of a man shaking hands with a robot at AT Kearney's Digital Business Forum with the caption "Next gen employee greets legacy employee". This displayed typical 1930s thinking about the value of people, drawing from the legacy of the original R.U.R. play Rossumovi Univerzální Roboti (Rossum's Universal Robots) written by the Czech writer Karel Čapek in 1920. In the play, a factory owner attempts to replace his highly versatile human workers with mechanical machines, totally undervaluing the creativity and inspiration that people bring to the workplace. Digital models are largely about delivering this value, not implementing mindless mechanisation. So perhaps the caption should have been about valuable human talent supplanting inappropriate technology.

Anyway, the highlight of this week was the IPexpo event in London. This had a wide array of suppliers and speakers. Notable about the event was the desire to celebrate Oktoberfest, complete with free beer and people dressed in Bavarian costumes at 4:00 pm on the first day. Many of the suppliers were also offering beer at other parts of the day. It was a strange example of how the modern "fun oriented" culture of digital start-up companies is affecting the mainstream and making us weirdly 1960s and modern all at the same time.

James Gosling presented a captivating keynote talk on liquid robots covering his current involvement with Marine UAVs used for data collation in remote seascapes and the IoT practices needed to make this work. The UAVs themselves are very cool, capturing wave energy and converting it into propulsion. The techniques for transferring data from the middle of oceans, where there is very poor bandwidth available even from satellites, were also very interesting, with the same data being transferred by different networks and routes to increase the reliability and speed of data transport from the UAVs to the place where it is analysed. The interesting point that he made was that Scalability is a relatively trivial issue for IoT. Security and reliable Availability are much more important.

Two other talks were really good. Matthew Skelton (Skelton Thatcher Consulting) gave an illuminating talk on anti-patterns for continuous delivery (aka DevOps). He confirmed my viewpoint that typically you need roughly 1 operations person working continuously with each Product Team, to avoid the bottleneck that some traditional ITIL shops have introduced with undersized change management functions.

Derek Weeks also gave a well-researched presentation on the use of open source software and how modern software product development practices have now become highly analogous to manufacturing and supply chain practices. He presented interesting statistics on how much open source code contains security and legacy debt bugs. His premise is that the recommendations of Deming (the father of Quality Management) to reduce the number of suppliers and quality assure bought-in products can raise productivity in the adoption and exploitation of Open Software.