In early January, we launched the internal nominations process for identifying Cool Vendors candidates. After a month of interaction, we finally reviewed and selected from a list of over 400 vendors. Unfortunately, many Vendors want to know how they can apply for Cool Vendors’ selection. The answer is that they cannot apply directly. Instead, analysts within the Gartner community are the only ones who can nominate a vendor for selection. In addition, we get asked frequently why large vendor with nice products (e.g. IBM, Apple, or Google) are not listed. The answer is simply that we are trying to highlight little-known vendors who are relatively small (1-100 million in annual revenues is ideal even though we allow exceptions).

The next stage is to move from selection to writing of the notes. This will happen during February and March, culminating with the publishing of the pieces in April. This year, we will do a look back to previous Cool Vendors selection in a retrospective piece. We will examine some key statistics about Cool Vendors as a whole over the years since 2004.

With almost 1500 Cool Vendors listed since 2004 the Cool Vendors process has benefitted many companies by allowing them to be seen by vendors looking for acquisition targets, investors seeking a new investment opportunity, and enterprise customers trying to find vendors to work with. Cool Vendors is a great resource for mining innovation.

So, keep an eye out as Cool Vendors reports begin to hit the street over the next few months.

This opportunity ends on March 2nd, so don’t get caught posing  

See the link for all the BPM Summits for 2012 http://blogs.gartner.com/jim_sinur/2011/12/01/book-the-dates-in-your-diary-for-the-upcoming-bpm-summits/

• Sebastian Anthony, “Google Drive: Dropbox killer or mediocre also-ran?“, Extreme Tech, February 9, 2012.
• Matt Warman, “Google Drive cloud storage coming ‘soon’,” The Telegraph, February 9, 2012.
• Chris Davies, “Google Drive incoming to take on Dropbox and iCloud,” SlashGear, February 9, 2012.

I’m currently writing a report on mobile file synchronization services, so this news immediately caught my eye. The interesting part will be to see if Google Drive is at all enterprise-oriented (e.g., includes APIs for integration, includes an enterprise dashboard for IT, and integrates with Microsoft Active Directory). I talk to a lot of Gartner clients who are looking for an enterprise alternative to Dropbox. If Google Drive is consumer-oriented, Google is missing a huge opportunity.

While putting together three key portfolios for growth and development is a very good start, the new vision is not immune from major risks, and it is key for the new government to deal with them earlier rather than later. Here are a few personal tips.

• Spend better, not more. Although funding is required to improve infrastructures (and indeed almost 70 million euro are already earmarked for broadband development in some of the regions), the government needs to engage the private sector from the very beginning. The development of smart city infrastructures and applications is an expensive endeavor, which is going to benefit commercial enterprises, ICT service providers as well as citizens. It is not fair that only the latter have to pay the bill (through taxes and public spending). The government should pursue he establishment of public-private partnerships, where the private sector demonstrably shares both risks and rewards on most of these investments. Public funding should be focused on improving the performance of government services and operations as well as on transforming them through technology.
• Challenge the previous wisdom. In a cash-constrained environment, the government will be tempted to leverage as much as possible from previous initiatives and services. However, as it is establishing a new, longer term vision, it should also look at some of them critically enough to check whether they are sustainable or if they make sense in the future scheme of things. In particular the so-called “certified email” (PEC in Italian) as well as programs like the identity card may need to be reconsidered, given the modest uptake and the questionable value in a future where people want to have choice rather that being given only one solution.
• Learn from leaders’ mistakes. Being a latecomer to some of these themes is an advantage and not a disadvantage, as many technology providers and consultants keep saying. All areas of concern – broadband deployment, smart cities and open government – are fraught with disillusionment: understanding both the critical risks and the key success factors is of the utmost importance. Learning from the issues with existing smart city programs and better understanding why open government is struggling in many places where it has been adopted early is key to prioritize scarce resources. Unfortunately lobbies from the local technology sector and academia seem to push toward a me-too attitude, trying to mimic what others have been doing, irrespective of whether they have been successful or not. .
• Develop internal skills, without relying too much on vested interests. Over the last few years there has been a gradual loss of competencies through downsizing and transformation of relevant agencies. Such competencies need to be rebuilt, and should not be outsourced. Also, the ministers and officials who have been tasked with the digital agenda should exercise extreme care in listening to the suggestions and proposals coming from organizations that have a vested interest in greater public spending on this sector. Proposals coming with a clear risk-reward sharing component should be looked at more favorably, while the less specific requests for building infrastructure or provide seed funding should be carefully scrutinized.

The government is certainly on the right path by stressing the importance of digital technologies to support growth and dramatically improve government efficiency. However both the strategic objectives and the execution plans need to be bold enough to create a clear fracture with the past, put capable government officials in the driving seat, and push the local technology sector to share risks and opportunities rather than enjoy public funding.

Among the analysts covering application development, we’ve have had a lot of discussion lately on the development practice known as “Mobile First”. The recent conversations centered largely around this article on Forbes concerning the development of ESPN’s video applications, and their own use of the Mobile First concept. Opinions among the analysts vary on the subject. Any practice with “first” in its title is rightfully suspect, because on the surface, it implies a universal best practice or silver bullet with no context on what is actually occurring inside an organization. But on a closer look, this is a pretty common-sense approach to designing web applications.

Luke Wroblewski coined the term in this post, and has now written a book by the same name, which I finished  a few days ago. Some takeaways:

• The mobile explosion is in the books. It’s likely that in the near future, you’ll have more potential mobile users than desktop users. Why would you want to alienate them?
• Designing for mobile imposes constraints. Constraint is a good thing for the user experience, because it forces you to evaluate the value and priority of your use cases.
• The new capabilities for mobile (geolocation, touch, phone integration, cameras, accelerometers) can support new and innovative use cases. You can’t take advantage of them if you start with desktop use cases. (Of course, you can’t easily adapt the resulting application for the desktop, either.)
• Content is more important than navigation on mobile. It needs to feature even more prominently. Navigation has to be streamlined, expected UI behaviors need to be obvious, and actions should be highly contextual.
• Progressive enhancement — scaling a web app’s layout and features to suit the accessing device — can be an effective way to adapt an application to multiple platforms.

When a team sets out to build the client side of a web application, they have to start somewhere. Historically, that meant building for the desktop, and later adapting the application with new templates to server a mobile-friendly interface. This approach rarely delivered positive results, in part because the use cases for the application were created for the desktop. You’ve seen these in the wild when you land on a web site with a mobile phone: They’re easier to read and use, but don’t offer much by way of value or even enable the features you want to access. Great mobile web applications are designed specifically for mobile. How well those results can be adapted for non-mobile devices is debatable, and depends largely on the type of application and mobile features that were used.

It’s worth noting that the concept is finding its way into specific implementations for application development frameworks. Some are using the jQuery mobile libraries to enable easier progressive enhancement. More on that another time.

To be clear, we’re talking about web applications here. You might think, “well we’re doing native app development, so this doesn’t apply.” However, if you have a web site (and you probably do — check on it, at least), you have a web application. If you have a URL that can be accessed from a mobile web browser, then that URL is getting shared via emails, IMs, tweets, and other sites. Are mobile users who follow that URL getting a positive impression of your brand? Your chances at “yes” are far better if you designed the app specifically for mobile, whether you tackle it first or not.

They need something light, free (their budget doesn’t take a hit), and collaborative.  We’re talking simple streamlining and improvement here, not a wholesale process change.  Basically, someone with a higher level interest in all the activities wants a place to go to see how everything is progressing.  And if something goes off the rails, they’d like to be proactively notified.

This sounds like one of those use cases that’s ripe for IT-assisted end user computing.  It’s simpler than case-specific software, but needs a little help from IT to make generalized end-user software work.

The typical approach is to do this via email or maybe a spreadsheet.  There are whole categories of software for project management and Project and Portfolio Management software, but those are much larger in cost and learning curve than the non-PMO folks asking me are looking for.  But the clients I talk to have outgrown the email or document approach and want something a little better.

There are several options as I see it:

• Collaborative list: Custom lists (like those in SharePoint) are a straightfoward approach to allow the project owners to update their own list items with status, % complete, tag them with categories.  You can attach documents if needed.  And they usually provide for auto-notification through RSS or email when rows change.
• Collaborative spreadsheet: There are several cloud-based spreadsheets (e.g., Google Apps, Zoho, Smartsheet even has Gantt charts) that allow for collaborative editing without having to email an actual file around or worry about changes being overwritten.  An enterprise-level one (security, de-provisioning if users leave the company, backup, etc.) is strongly preferable to just using free consumer services of course.  The ability to enter long-form descriptions and attach file is more limited, but spreadsheets require no training.
• Wiki: The idea here is to create a kind of “living status report”.  Type up the status report once as if you were creating a Word document summarizing how all the projects or tasks are going.  But do it in a wiki and open it up for editing so it can now be kept continually up to date instead of having to create new versions each week/month with the date appended to the filename.
• Blog: If more of a newsletter approach than a status report is appealing, blogs can be used by all the project owners to post entries when milestones are hit and tag them with the different projects, organizational units, team members, topics, skills, or whatever you like.  The entries are articles, like in a newspaper, talking about what has happened on the project and offering a sense of completion and praise for a job well done.  RSS readers allow interested parties to subscribe to the blog as a whole, or specific tags within it based on their interests.
• Social networking: If an internal social network is being used, such as IBM Connections, project managers can just post updates when milestones are hit and tag them for future concatenation into status reports.

There are probably more as well as more creative options become available.  These options generally forfeit the regular filing of a status report form that can be mined in case something goes wrong.  But how often do you really go through the old status reports?  These options usually have logging of changes that can help somewhat for auditing purposes, but would be difficult to use in a large environment.  What you gain instead is a single version of truth and collaborative entry that avoids any concatenation or summarizing effort.

Are there any other ideas you’ve used?

Having a theme is good, but putting that theme into action is much better.  This post offers a simple tool for assessing the degree to which technology amplifies the enterprise.  The tool is a simple matrix, shown below, consisting of four parts.

• The business strategies your organization is pursuing.  These make up the row and column headers of the matrix.
• The technologies your organization will use in executing these strategies.  These make up the diagonal cells, shown in black in the figure below.
• The amplifiers that represent the direction and guidance needed to achieve the strategies.
• The distortions representing decisions, approaches or direction that will detract from the strategy

These are organized into a matrix that provides a quick view on the connections between strategies, technologies, amplifiers and distortions.  This matrix is a little different in that it concentrates on the relationships between strategies rather than between strategy and technologies or projects.  This view is deliberate and helps highlight the interdependences among the various elements rather than trying to isolate one aspect against another.

Creating the matrix involves the following steps:

Start with the business strategies and use them to populate the row and column headings.  Because you are looking for business results, you need a matrix that takes strategies and compares them against other strategies. This is important as amplifying the enterprise involves achieving strategic objectives in combination rather than isolation, particularly in terms of the use of technologies like mobile, cloud, analytics and social.

Next put the key technologies into the diagonal cells to connect technologies with specific strategies. Focus on the technologies that you expect to have the greatest impact on the strategy.  Just the vital few so that it is easy to see why you are investing and paying attention to a particular technology.

Now in the white areas describe the amplifiers or the things you need to do to accelerate achieving both strategies. Remember amplification is strategy in combination, so what are the things you have to get right in order to achieve two strategies, particularly in the context of the technology.  Avoid listing the projects, programs or completion of tasks in these areas.  You already have ways to manage that and besides saying “complete the implementation of mobility solutions,” says nothing about the qualitative aspects of doing that right.

Next, in the red areas list the things you need to avoid, the actions, directions of mindsets that hold back results.  These are the distortions that hold back your strategy.  Focus on the things that inhibit the various strategy combinations.  Do not list ‘doing a poor job’ as a distortion as that is obvious.

Finally, look at the cell values and ask yourself if the amplifiers look right, the distortions capture the things you might get wrong and can you explain how the technologies contribute to the strategies, enhance the amplifiers and will eliminate the distortions.

The figure below provides a worked example of the tool based on the top three business strategies found in the 2012 CIO Survey.

Creating an enterprise amplifier involves more than building the right technology.  It requires executing the combination of strategies and technologies in the right way.  The information in the amplifiers cells seeks to capture that information as well as the distortions to avoid.  Taken together, this single simple matrix provides a way to look at the interaction among strategies, technologies, amplifiers and distortions that represent the interconnected nature and complexity of an operating enterprise.

I would suggest creating this tool as guidance for strategy planning, execution and ongoing management processes to keep everyone focused on the same result – amplifying the enterprise.

IaaS environments – such as the well-known ecommerce-retailer-turned-cloud-provider as well as other cloud service providers (CSPs) – offer an interesting challenge that I call “IaaS conundrum.” To remind, when procuring IaaS resources, the organization essentially buys an ability to deploy their own virtual machines on a public provider network. That means that the cloud customer controls everything from the OS up (and usually has no way of affecting the lower layers) while the cloud provider controls everything under the OS down (and usually does not mess with upper layers).

Herein lies the conundrum: as the cloud customer wishing to monitor the security of your IT assets, do you really NEED access to below-OS layers of the cloud stack?

Two possible answers are:

YES: in physical environments, the enterprise controls the data center, the hardware management and physical access control. The only people who can affect the server at the “below the OS” layers are essentially trusted system administrators. Public cloud deployments create an opaque layer that is not controlled (by definition) and thus MUST be monitored by the cloud customers. In addition, a new cast of characters with “superpowers” – CSP administrators – can affect your environment at the lower layers. These “superheroes” do not serve you – they serve their CSP masters.

NO: just as most security monitoring of physical assets starts at OS (think syslog, anti-malware, access control, application security monitoring), it is OK to accept that monitoring will start at the OS layer. Most of the monitoring tools – as well as security tools in general – have not yet grown to understand virtual and cloud environments, thus notions like “hypervisor security” or “cloud stack introspection” are essentially alien science to them. On top of this, it is challenging, if not impossible for a provider to de-multiplex security monitoring data from shared environments.

What do you think?

If you move anything important to the public cloud, would you require that your provider enable such access for ongoing monitoring?

Alternatively, would you prefer that the provider accept the responsibility for security monitoring of your assets?

Maybe, you have another party – think MSSP – that can take over such security monitoring responsibilities?

Previous cloud security monitoring related posts are:

• Cloud Security Monitoring for IaaS, PaaS, SaaS
• More On Security Monitoring of Public Cloud Assets
• Cloud Security Monitoring!
• Many Faces of Application Security Monitoring (briefly touches on cloud applications)

I’ve seen a few examples, but the “email charter” is one of the better and more organized attempts I’ve seen.  Unfortunately, these email etiquette screeds suffer from the problem that they focus on email. 

I’m convinced that you can’t solve email overload by just addressing email.  Email is just one part of the overall information workplace that consists of many communication and collaboration mechanisms (technical and non-technical).  If doing certain things in email is a no-no, then where should you do them.  Here are examples from the email charter and my response:

• “Quash Open-Ended Questions”: Fine, then what is the appropriate time, method, process to ask open ended questions?
• “Give these Gifts: EOM NNTR”: Maybe there’s a better technology for sending short messages?  There’s several, including one actually named “short message service”!
• “Slash Surplus cc’s”: Agreed, but what do I do when I want to let lots of people know I’m fully open to informing them and acknowledge that any one of them may be very interested in what’s going on?
• “Tighten the Thread”: OK, this one is on the right path.  It mentions the etiquette breach(“it’s rare that a thread should extend to more than 3 emails”) and then suggests an alternative (channel switching to a phone call instead). 

This advice usually lacks an understanding of the need even if you don’t like the medium with which it was addressed.  Yes, sometimes people want others involved in determining the point or action items rather than encapsulating it up top in the first sentence.  Sometimes people need to communicate very short messages.  Sometimes they want to have unstructured, open ended discussions.  Sometimes they want to let a large group of people know they are included and can be informed if desired.  Sometimes they want to quickly deliver a multi-megabyte presentation to a group of people  Just telling peers that these make for annoying emails and to “stop it” is not productive.

Face it: these different conversational needs exist and if email isn’t the right way to do them, then the right answer isn’t to lengthen, shorten, reword, and re-address the message to shoehorn it into your ideal email.  The right answer is to treat the message need as valid and describe what other channel should be used instead. 

If you’re trying to give advice to information workers, rather than an email etiquette primer, spend that time instead advising them to log into their IM tool every morning and keep the presence status up to date, making use of discussion forums for long conversations, using wikis and document libraries instead of attachments, using blogging or social networking to keep people informed without long cc lists.

Moreover, recognize that every organization has a different mix of culture, behavior patterns, information needs, and technology.  I’d rather see advice that helps organizations craft their own responses to their information environment (like my attention management conceptual architecture) rather than a stock set of rules that can’t possibly take an organization’s expectations, needs, and capabilities into account.

Leveraging Rules Agility for Cost Savings:

The company has embedded business language and decision table rules into their software products for risk-based pricing and automated decisioning for tasks such as assigning interest rates, automating decisions for evaluation loan applications, and providing explanatory messages to loan officers and service reps. This allows the software provider and all the institutions, the capability to change polices and rules on the fly. This saves costs on changes.

Leveraging  Rules to Identify Revenue Opportunities:

One of their innovative uses of rules is for cross selling products based on credit report information for each of the served institutions

• The software application pulls a credit report and parses out payments and balances on existing loans and credit cards, and stores this information in collections within a .NET object (not the only technology option, but a good one).

• Rules run on each member in the collection of loans to evaluate savings when compared against the institution products

• Rule results are displayed graphically for business users, showing information including the type of instrument (e.g., Platinum Visa), monthly savings, payment amounts, and the priority of the cross-selling opportunity.

Net; Net:

Organizations are going to be pushed hard to not only show cost savings, but revenue opportunities going forward. Leveraging key technologies can allow of innovative solutions. This is just one example.

The above success story has been summarized and made anonymous to get the essence of the success documented quickly. The source of this success story is a technology provider named InRule Technology.

Ultimately the larger story for both the Super Bowl and Super PACs is about corporate influence. Super Bowl ads may be expensive, but the cost per second per viewer is on par with any other TV show. Moreover, due to social media these Super Bowl ads often take on a life in the Twittersphere, on YouTube and in Facebook after (and even before) they air, thereby enabling a business to reach a much larger audience than those viewing the ad when it aired. Many businesses also use the power of social media to actively engage potential customers by drawing them to their website or Facebook page. Think: Danica Patrick. Similarly, US elections are expensive, and reaching voters today also requires a social multichannel approach. Super PACs now provide the unbounded means for individuals and corporations from anywhere on the planet to influence US elections. So if your business wants to and has the financial means to reach a large swath of both consumers and voters, the Super Bowl and the Super PAC have got you covered.

Here’s a summary:

Increasing Agility Through Software Development Life Cycle Infrastructure

Every organization that creates software must ensure that the infrastructure supporting its development process is robust and applicable to the needs of the team. In this guidance document, Research Director Sean Kenefick assists you in assessing and updating your software development life cycle (SDLC) infrastructure to match the needs of modern development teams.

But what about mobile access to general-purpose knowledge infrastructure and end-user development of collaborative apps?  Once you get past all the security issues, how will the end users actually be able to access content and collaborate on their devices?  Solid mobile device management, development, and information protection does not mean you have achieved collaboration endpoint independence. There’s still a gap for general purpose and end-user developed collaborative applications.

Increasingly, the most valuable work in organizations cannot be automated with process-centric applications (such as ERP and CRPM) or custom transactional applications.  The work is de-routinized: ad hoc, tacit, non-repeatable.  Your job is to figure out what your job is to meet ever-morphing organizational goals.  For de-routinized work, general purpose knowledge infrastructure and end-user developed collaborative apps are essential.  These include flexible tools such as collaborative spreadsheets, e-mail, social networking, wikis, blogs, and quick methods for business users to develop simple collaborative apps (lists, forms, libraries, newsletters) that don’t require IT involvement.

Gartner’s Tom Austin wrote in “Watchlist: Continuing Changes in the Nature of Work, 2010-2020” that work will be de-routinized since “The core value that people add is not in the processes that we can automate. The core value lies in non-routine processes, uniquely human, analytical or interactive contributions that result in words like "discovery, innovation, teaming, leading, selling and learning."  Indeed, a Gartner Strategic Planning Assumption is that by 2015, 40% or more of enterprise work will be "non-routine," up from 25% in 2010. This concurs with a McKinsey study that showed the importance and growth of tacit work.

So if mobile workers in de-routinized roles are to be productive, they will require their mobile workplaces to support these technical needs.  Accordingly, those in charge of assembling their mobile ecosystems and designing mobile workplaces (and hopefully there is a real person doing that!) must also evaluate how users will create and access general purpose knowledge infrastructure. 

• Will the end-user developed collaborative apps created on the intranet be accessible from their devices or will they remain a bottleneck?
• Can the pace of forming, querying, informing communities be maintained while moving in and out of formal offices, or will social networking ebb and flow based on travel schedules?
• Will mobile workers have equal opportunity to contribute to collaborative work products, or will deliverables unevenly favor the views of office-bound peers?
• Will general-purpose enterprise communication tools work on the range of devices commonly used by employees, or will they be forced to choose between the general-purpose apps they need and the devices they want? And who will win?
• Will a mobile workplace be designed that integrates general-purpose knowledge infrastructure in a contextual manner that limits views to just what is needed, or will complex desktop-based navigation and window switching be forced onto tiny screens?
• Do the existing set of knowledge infrastructure support the mobile form factors and devices that will be used?  If not, do the existing products need to be tweaked, front-ended, enhanced with 3rd party add-ins, or supplemented by mobile alternatives?
• Will creation of work artifacts (such as starting new documents, new spreadsheets, new discussion forums) be endpoint independent, or are mobile devices relegated to viewing and tweaking artifacts created back at the office?

These are just a few of the questions that will be left over after the custom mobile development, mobile content security, and mobile device management issues are dealt with.  Better to prepare now then to get to the mobile finish line and realize it’s just the start of another race.

Whilst here at Gartner Towers we may lack the popular following of Nostradamus, we do try to anticipate how the industries and markets that we cover will change over time – Our current prophecies for Product Support can be found in “Predicts 2012: Product Support Market Will Weather the Cloud-Based Storm and Emerge Driving Value“.

Prediction can be very useful. Although often it isn’t. It can also be highly distracting. But providing it is based upon an appropriate evidence base and a statistically relevant analytical model constructed to take account of likely failure modes, inter-dependencies and historical performance data then it can even, dare one say it, be useful.

Predictive Support services are slowly beginning to come to market. The ability to predict and prevent system failures and problems will become paramount in the future as analytics excellence becomes the battleground for support providers. The relative accuracy of analytical models and their ability to narrow the predicted window of failure to something usable will differentiate support offerings. Predicting system failures 3 seconds in advance is practically useless. Predicting system failures 30 seconds in advance is marginally better. A predictive warning of 3 minutes plus opens up a whole heap of non-egg-boiling-related possibilities. Predicting that an issue will occur between 2pm and 4pm next Wednesday afternoon is incredibly useful.

The following graphic shows some of the many potential ingredients of the predictive support analytical pie…

Note: Some “ingredients” are only available from specialist suppliers and consequently not all analytical pies will taste the same. Ommiting some of the ingredients may or may not affect the culinary integrity of the pie and its ability to satisfy those with a hunger for prevention-based services

Analytical models will incorporate a wide variety of data feeds. The hunger and perceived need for more and more data upon which to perform statistical analysis will lead to high levels of over monitoring and over collection in the short term with a gradual scaling back of data requirements as providers learn what it is that they actually need to track in order to predict issues with the levels of accuracy that they actually need. Organizations that are overly focused on developing the perfect analytical model with 100% accurate predictions at the component level will be overtaken by providers willing to play the odds and offer commercial terms based around less detailed / granular models that deliver sufficiently accurate predictions to be able to initiate appropriate actions to avoid or mitigate service impacting events.

First generation predictive models won’t necessarily prevent incidents. This is particularly true in the software support arena where it is currently impractical to swap out a defective piece of code during run-time. However, predictive analytics still has a massive role to play in software support. One of the biggest problems facing providers when supporting complex software environments is the lack of evidence surrounding any particular failure or crash. When it all hangs, the data that you need to help troubleshoot the issue and prevent it happening again is typically lost. Prediction will enable the automatic initiation of low level logging immediately prior to system failures. This will capture valuable data that will speed the diagnosis and resolution phase as well as providing a basis upon which to develop preventive actions.

But prediction isn’t just about avoiding system outages. It has many many more uses than this. Some of these uses relate to the customer experience, others will help improve the operational performance of the support provider and enable it to make better commercial decisions. “Emerging Technology Analysis: Predictive Support Services” describes 9 use cases for predictive analytics within a support services context in detail.

The real question about prediction is not how you can achieve it. You can. But what you would do with those predictions if you could make them? The mathematicians, statisticians and analytical modellers will deal with the technicalities of creating meaningful and accurate predictions. Business leaders must then decide what it is that they intend to do with them thereafter!

Prediction is just another tool. And we should always remember that a fool with a tool is still a fool. But if we use the tool wisely then perhaps just maybe the future will be ours…

TRKFAM!

Really?

I had the honor of reviewing a transformation program and providing a health check.  The program is ambitious; technology intensive, process demanding, and can truly redefine the rules of the industry.  But there is a catch, the transformation program had progressed to a point where it had raised serious business issues, but the program and its sponsor did not have the authority to answer.

Sitting at this crossroads, the teams did what they could, keeping busy until there was a decision from the executive level.  The health check became necessary as the program sat stalled for more than six months and instead of creating pressure for decisions, it created calls to cancel the transformation.

It was clearly time for the executive team that sponsored the effort to step in and make some hard choices.  In the report recommending that action, among other recommendations, the Executive Team came back with the following reply:

“Why are you not telling us more about IT and where it has failed?  Why are you talking about where they are going wrong?  Why are you saying that we need clearer business direction, your just covering for IT and their failings.”

When I pointed out that there were several highly critical points in the report related to IT, which had little effect.  All the executive team heard was that there needed to be more business direction.  Their reply:

“If you say we haaave to be involved then please know that we are tired of having to make every decision.”

I was not surprised.

I was stunned.

Here was a major multi-multi million-dollar transformation program that had done the work, found the tough issues, gone as far as it could and now needed active executive sponsorship in the form of some hard decisions to go forward.

The executive team commented that their job was to be ‘above all of this’, to think strategically, and to be visionary rather than making operational level decisions.  The only problem was that the open issues were not just operational; they were strategic in the sense that the answers would determine the performance profile of the company in the future.

As I reflected on the meeting a few things became clear.

• The executive team assumed that saying it is should be so is the same as making it so. “We said yes, so we consider it done.”

• The executive team did not see making hard decisions as an expression of their leadership.  They wanted to remain ‘above it all’ and not create winners and losers on an issue.  They believed that you demonstrated leadership by guiding without getting their hands dirty.

• The executive team was ready to criticize the decisions or direction others had taken but they did not have the time, energy or political will to lead in creating that future.  “I can tell you what your did wrong, but its not my job to help you make it right.”

• The executive team did not welcome evidence to the contrary nor recommendations on how to move forward that required their active participation.  I will listen if you confirm my suspicion, your motives are suspicous if you do not say what I expect to hear.

These reflections give the impression of an incapable executive team.  But that is not the case, this team runs one of the most successful, global, industry leading companies in their market.

So what gives?

These executives were giving the level and type of sponsorship that had worked in the past.  Their responses, comments and attitude was appropriate for the type of relatively incremental, back office, administrative changes that have dominated the executive agenda for the past 10 years or so.

The level of sponsorship that worked when we talked about IT.

While the quality of that sponsorship was fine for then, it is totally in appropriate for the types of changes we are doing now.

The level of sponsorship required when technology becomes greater than IT.

Executive sponsorship needs a significant upgrade as the demands for transformation have outstripped current sponsorship models.  Enterprises are going through real and deep change, like this one, requires direct executive action, decisions and direction.  Not delegation.

If figuring out how your business needs to operate to create value is not part of the executive team’s job, then I do not know what is.

What are the changes, if any, you are seeing in the type, nature or level of executive sponsorship?  Not just for technology, but for any transformation.

The two best presentations of the day came from retailers at opposite ends of the e-tailing spectrum. At one end, Staples, the #2 internet retail according to the Internet Retailer 500 (http://www.internetretailer.com/top500/list) and seller of all things office supply (and, soon of SMB services – see below). At the other end, Newbury Comics, a Boston – based purveyor of music, comic books, and apparel, and for more than two decades one of the things that makes Boston a great town to live in.

Staples: According to Brian Tilzer, VP of E-Commerce at Staples, 40% of Staples’ sales touch their web or e-commerce sites. To keep pace with their projected growth Staples is looking to expand its web and e-commerce team from around 700 associates today, by 3X, or about 2,100 professionals total. To support this growth in personnel, and to attract the right kind of talent, Staples also announced plans to open a Cambridge research center and innovation hub. (Note to real estate professionals and headhunters: Not so confidential rumors have it that Amazon is looking to open a Cambridge-based R&D center early in 2012 to fuel – guess – digital research and development. With Microsoft’s R&D Center already established in Cambridge there is a real-time land and talent rush going on in Cambridge, which is an interesting, if somewhat sad, counterpoint to some of the job and real estate trends in other parts of the country).
Staples also plans to spur substantial revenue growth by providing office solutions and services (think: payroll services, web and hosting services, payment services, and related Cloud-based applications for SMBs) through its web properties to fuel future growth and augment their staple (sorry) business in office supplies.
Core Takeaway: Think Digital commerce.

Newbury Comics: The best part of the day for me was, by far, the fireside chat with Mike Dreese, CEO and founder of Newbury Comics(http://www.newburycomics.com) , and Scott Dirsner of the Boston Globe. First, if you don’t know anything about Newbury Comics, it used to be the place to go for records you couldn’t find anywhere else: Think – Punk, Ska, Thrash Metal, and Imports (Full disclosure: I am one of the few people around that still buys CDs. At a store. Almost always Newbury. I rip my own MP3s. Go figure). Today they sell alternative lifestyle stuff, which roughly translates to “We sell fun stuff to people that like music and comic books, and are likely to like other fun stuff.”
Newbury is a privately held company and as such has the luxury of being candid and honest about what’s going on behind the covers. Plus, it is pretty hard to imagine Mike as being anything less than candid about what he thinks. Really refreshing, especially when it runs across the grain of most conventional e-commerce thinking. Revenue: About $75 Million last year, with about 1/3 of that online. Comments from Mike:
When he first started selling records and comic books “…scarcity was our friend” because they sold things you couldn’t find anywhere else. Punk LPs imported from England. Japanese comic books. They charged a premium for this. Still do.
They do a lot of e-commerce selling, not only through their own site, but through Amazon and eBay. How do they maintain their margins? Scarcity – selling product you can’t find easily anywhere else. This is sometimes risky: sometimes edgy products fail and you end up eating the inventory. A few pay off.
“I don’t really care about mobile commerce.” He does, of course, he just doesn’t have to support mobile devices on his own web site. Most of Newbury Comics’ mobile presence is provided for them through their 40,000 Facebook followers, 320k social media contacts, and through affiliate sales on Amazon and eBay. Which, of course, all support mobile. Why invest money in building mobile when someone else he can sell through has already done it?
He expects the majority of their brick and mortar stores will go away, and a majority of the business will go to the web and e-commerce.  Why do you still see so many Newbury Comics stores in strip malls around the Boston area? Because there is lots of mall space available, partly due to the recession, partly due to other competitors moving their business to the web. Of course.
Core Takeaway: Question conventional wisdom.

I’d like to know what others think of this prediction, but, appropriately, there seems to be no way to comment on this article.  Presumably this is because you should be commenting on it around the water cooler, not with the dinosaurs still working at Starbucks.

First, here’s what Ms. Kellaway predicts for this year:

In 2012 the following will be back in fashion: the landline, the jacket, the commute, the handshake and above all the office itself.  Out of fashion will be the virtual office in which employees sit hunched over laptops in their local Starbucks, joined to their colleagues by webcam and e-mail. Instead, working life will start to resemble its old self before the internet was invented. Employees will turn up to work at predictable hours five days a week, and will comport themselves with greater formality than before. Face-to-face meetings will be preferred to video conferences; ideas will be exchanged not by tweet, but by the coffee machine.

And as for the power of social software to help connect new workers to others that know the tricks of the trade or where information is, forget it.  You’re stuck with whoever is physically within 100 yards of you:

Managers will start to realise that remote working has been disastrous for spreading corporate culture, and that in particular it has made it difficult for younger workers to pick up the tricks of the trade. With no one to copy, they have failed to adjust well to the world of work. The new formality will suit the young: they will turn up to work smartly dressed and have no option but to immerse themselves in the corporate culture and learn from those above them in the pecking order.

OK, I’ll admit my bias upfront.  My team and I cover all the technologies Ms. Kellaway derides (web conferencing, e-mail, microblogging, social networking) as well as the new ways of working they enable.  It’s actually refreshing to see someone arguing for the status quo.  Her bio says she “pokes fun at management fads and jargon.”  But I strongly doubt we’ll look back on the first decade of the 21st century and say “remember that fad where workers thought they could collaborate virtually and everyone was sending emails?”  I have worked virtually for 14 years now at three different companies and while there are disadvantages, the advantages have won out.  I voluntarily go into the office about once a week for various reasons, which seems to fit my ideal blend of old style and the virtual style of working.

One has to remember the drivers that made these technologies essential to the corporate tool belt.  To say they are fads means also believing these drivers were fads:

• Globalization: The odds of everyone you need to be successful being present in the same office are increasingly remote.  And I’ll also lump flexibility and outsourcing in the supply chain into this category as well.  Good luck getting everyone you need in the same place, five days a week, from 9-5.
• Increased organizational agility: The need to respond quickly to events.  While the status quo allowed quick creation of physical war rooms, it’s far more common to need to gather intelligence, ideas, and buy-in from a distributed virtual workgroup at all hours of the day.
• Broader talent pooling: I hire research analysts and I am quite happy to be able to draw from a nationwide (or worldwide) talent pool since we work virtually rather than the best analyst I can find within 30 miles of my location (no offense to one of my analysts who, coincidentally, does live within 30 miles of me!).  For generalized jobs it may not matter, but a corollary to this driver is increased job specialization.
• Work/life flexibility: The jury is out on whether anytime/anywhere mobile access helps the worklife balance or hinders it.  But there is no doubt this technology has introduced flexibility that wasn’t possible back when I had to babysit 2am production releases in the office (loneliness is having to wave your arms around every 10 minutes so the lights don’t turn off on you). 

As for culture, I’m not sure the degree to which 1970’s office culture or social-technology-enabled Gen Y culture will win out, but it will be some blend of the two.  There are certain people who make a good impression when leading, arguing, persuading, or connecting in person, and there are others who are more persuasive using virtual technologies.  It’s nice to give the virtually persuasive folks a louder voice and I think the diversity of views and approaches is paying off. 

If there’s a sudden resurgence of office workers voluntarily dressing in suits and ignoring virtual teammates then I’d predict that to be a short term fad, not the other way around.

So you might be wondering, the guts of what? This previous week an effort on the part of myself, Michael Maoz and Adam Sarner was finally published and it gets into the guts of peer-to-peer customer community software. (Gartner clients see Critical Capabilities for Peer-to-Peer Customer Community Software.) This piece of research gets into the insides of peer-to-peer community software, outlining what clients are looking for and how good of a job some popular vendors in the space are doing at providing both what is considered to be an industry standard and that which is innovative.

A little sneak preview you ask? Then I will comply…

…you asked for it! Alright, alright. So in the note we identify four capabilities and then break each of those down further until we can differentiate one gut splattering from the next. The four critical capabilities are: content creation and curation, member management, knowledge management system and agile social platform. For the actual, clean dissection of these capabilities, you will have to read the note, but I can tell you this: even the strongest community vendors have room for growth in the area of agile social platform.

So here is the action item I give to you coming our of this research and having done a bit of detective work surrounding the Total Cost of Ownership of Social CRM for Customer Service SaaS solutions (Gartner clients): know what you’re looking for, know what you can and can’t live without based on your business use case, and ask questions! In speaking to a variety of vendors, I do believe that most if not all are sincere in wanting to deliver the best product they can to their end users, but like my landlord once scolded me, “if I don’t know something is wrong, I can’t fix it.”

College Jenny had bigger things to worry about than mold on the ceiling, like laying out on the docks of the river all day.

And now I have an ask of anyone reading this. What are your biggest gripes with community functionality? You don’t need to list the product you’ve used, keep it general. We’ll open it up to internally-facing and public-facing communities you’ve been a part of. If there are no responses, I will assume everyone is 100% happy with the software they’ve used in the past or are using now.

However, one item I ordered before Christmas finally arrived this week! I know what you’re thinking; fortunately it wasn’t a Christmas present or I’d be in big trouble! Though I was relieved that it had arrived, I couldn’t help wondering what had gone wrong from a process perspective! I had placed the order with an e-commerce site and the delivery was due before Christmas. The order went through fine and was dispatched shortly afterwards, but then something clearly went wrong, when the logistics company tried to deliver the product.

This is a classic example of process pain points occurring at “hand-offs” between a business and its supplier. When I chased up the supplier to find out where my purchase was, it turned out that my telephone number had not been passed on to the logistics company so they couldn’t phone me to arrange a delivery. However they did have my address so given I waited 6 weeks for the delivery, it would have been better to send me a letter via “snail mail”!

I can think of several ways in which the use of BPM could have avoided this scenario:

• Visibility of the end-to-end process so that everyone understands the part they play, the key process inputs and outputs and the process and sub-processes they should follow
• Accountability for the process outcomes – in this case two key process outcomes were passing on the customer details (from e-commerce site to supplier and then supplier to logistics) and the delivery of the purchase. Who should have been accountable for this – the supplier, the logistics company or the e-commerce site? Ultimately I ended up taking responsibility for it because I had to chase up the order! Business process governance can prevent this by clarifying role interactions and revealing who is responsible for deciding how the process should be improved and redesigned in the future.
• Adaptability to changing circumstances, especially if something goes wrong like not having a customer’s phone number. Alternative options should be available via sub-processes to verify if other details were available and could be used e.g. email or delivery address, rather than nothing happening at all. If there are no contact details, or the given details are incorrect, an alert should be sent back so that someone can resolve the situation. This is where related areas like business activity monitoring and business rules management can also play a part in helping business to run smoothly.

Fortunately this e-commerce retailer was smart enough to reach out to me for feedback on the supplier and this is where the social BPM element comes into play. How many times does this situation arise without the retailer’s knowledge and consequently they might lose ? This is why it’s so important to invent ways to capture feedback from people who consume your processes, (especially external, customer-facing ones) so you can identify and eliminate any process painpoints or disconnects that could potentially damage your business.

I shall certainly help out by giving back my feedback to them this weekend, but I’m not sure if I would use that supplier or e-commerce site again…would you? On a more positive note, at least the delivery was free!

Working with a number of peers across Gartner, we set out to identify the underlying issues behind these common problems and develop an alternative approach that could break this cycle for clients. We recognized that one of the underlying issues for clients is that they have taken a “one size fits all” approach to managing their applications. It didn’t matter whether the app was your core ERP system or a trade funds management application – they were applying the same investment strategy and governance approaches. They were also looking at consolidating more and more functionality into integrated suites –without really understanding what that meant from an agility standpoint.

We developed our Pace Layered Application Strategy framework to help clients think a little differently about their application portfolios. The premise is relatively simple – that a one size fits all approach does not work and that you need to look at applications in the context of the business value they provide for the organization and how their rate of change differs as a result. Do the applications support standard, foundational business processes (Systems of Record), non-standard differentiating processes (Systems of Differentiation) or new, experimental processes (Systems of Innovation). The applications in each of those categories have different requirements and rates of change, and the pace layer model prescribes unique governance approaches to each to allow for maximum flexibility.

The response to this research has been extremely positive, and we have been working over the last 12 months to develop a deep body of knowledge on the concept, how to get started, and how to evolve the strategy over time. I am really excited about the launch of a special report on Pace Layered Application Strategy http://www.gartner.com/technology/research/pace-layered-application-strategy/. This landing page is an excellent resource for those looking for more details on how to adopt pace layers. Please feel free to reach out and ask questions or to suggest additional research on pace layers.

I’ve seen some CSPs make some very good strides lately in terms of improving websites and publishing architectural and security related information.  One particular aspect where the industry has seen very little improvement is transparency with audits.

A common discussion for me at Gartner has centered on SAS 70 Type II audits, and now SSAE 16 / SOC 1 reports.  The latter has replaced SAS 70 and having an SSAE 16 audit and SOC 1 report completed by an independent third party is table stakes for competing in the public cloud services market.  There are many problems with the SSAE 16 audit, namely that CSPs still get to designate which control objectives an auditing agency verifies.  If a CSP does a poor job at logical access security, they could choose not to have the third party audit them against that control.  It seems unfair and a loophole.  As such, customers actually do need to see the SOC 1 report and must sign a confidentiality agreement with each provider to do so.  That does not scale well.

But why a confidentiality agreement?  Why don’t CSPs simply publish their SOC 1 report online?  I’ve spent the last month talking to a number of CSPs about this.  I get the token response that it would divulge sensitive security configurations that if published would put the cloud service in jeopardy of being attacked/exposed.  My response to that is, “Ok, but let’s get creative.”  I have not been able to understand why a CSP cannot publish a summary report listing each of the controls that were audited and the relative findings for each objective.  There is a stark difference in mentioning that a third party confirmed security surveillance cameras are in place versus actually listing each physical location of all individual cameras.

Well after having several in depth conversations with many providers, I believe our cross hairs need not focus on the CSPs as much as the auditing agencies.  More than a few of the CSPs have apparently gone to their auditing agency and requested the right to publish the SOC 1 report publicly.  All providers that have done this were denied that ability.  The auditing agency holds the copyright to the report and the legal agreements of the audit restrict the CSP from publishing without auditor consent.

A few providers claim they have gone further and have asked the auditor if they can takes portions of the report and publish as an executive summary or FAQ to highlight for customers the controls and summarized results.  Again, those providers were not able to obtain the rights to do so.

What are these auditing agencies / large consulting companies needing to hide?  If they truly are independent, third parties, why can’t they stand behind their report publicly?  If not the entire report, why not a summary of findings?

Providers are not 100% absolved of any responsibility here either.  Even if the auditing agency refuses to release any information from the report, the provider should still publicly list the controls that the provider asked the auditor to look after.  That would be a big step for many providers and would at least start to level-set the playing field for customer evaluations.  Furthermore, the best CSPs will put more emphasis on obtaining ISO 27001 certification, which does provide a base standard for controls.

I would love to hear from you on this.  Are you a customer that is tired of signing agreements simply to confirm controls?  Are you a provider that wants to publish more information but are restricted by auditors?  Are you an auditor that would like to have a deeper discussion?   Please contact me.

The Electronic Frontier Foundation has formerly requested that this hot potato be allowed to fester indefinitely, announcing yesterday “EFF formally requested the preservation of the data seized when the U.S. government shut down Megaupload.com and related sites in January of 2012, notifying the court and attorneys involved in the case that Megaupload’s innocent users deserve a fair process to control and retrieve their lawful material.”

I also agree that innocent users deserve a fair process, although it is difficult to envision what that could be.  What I don’t agree with is the part about ‘data seized’.  As far as I can tell, its still sitting in its original servers in multiple data centers belonging to Carpathia, Cogent, and some number of additional hosting firms. The DOJ did not seize it at all–they just took multiple steps to ensure that the service would be inaccessible:

• They took possession of Mega’s domain names, making it impossible for customers to access it.
• They froze Mega’s financial assets, making it impossible for them to pay the hosting providers.
• They arrested Mega leadership on criminal charges, ensuring that they would be focused on staying out of jail, instead of figuring out how to restore their file storage services.

Mega’s staff are under arrest at worst, and unpaid and looking for work at best.  Mega’s hosting firms are stuck with thousands of idle servers, mostly filled with toxic digital waste of bootlegged movies and pornography.  Carpathia has strongly suggested that they do not have administrative access to these servers (although they haven’t explicitly said so).   It would be nice to think that any legal content would be provided to the 50,000,000 or so people to whom it belongs, but its difficult to envision the practicalities.

Without providing any public suggestion of how it should be done, in a letter to the DOJ on Feb 1, the EFF formally requested that the DOJ take possession of the poisonous potato.  Described as a matter of fairness, with Constitutional overtones, this preservation step would presumably be a  financial one, but not a physical one.

For the DOJ, theirs was a hugely visible act which immediately encouraged several Megaupload competitors to change their practices. It sent a clear message that ‘the USA will not tolerate Internet IP piracy.’  Given the huge level of citizen push back on SOPA and PIPA, its easy to envision growing pressure to change US policy.

For the hosters, this digital hot potato represents an immediate loss of income, and a potential PR disaster. Just leaving the Mega servers in place represents an ongoing expense, actually turning them on and serving their content would represent an even bigger expense. Coming up with a mechanism to allow ‘legitimate’ users to collect their data while excluding illegal content seems a practical and legal rat hole, with endless potential to attract lawyers from the DOJ, the EFF, foreign governments, and the entertainment industry. It isn’t difficult to envision that they would eventually be on the receiving end of some sort of class action lawsuit.

For the EFF, this is a PR gift, representing their biggest ever opportunity to play hero for millions of impacted Megausers.  I don’t blame them for making hay in this sunshine.  Cloud computing not only means that the criminals and innocent bystanders are sharing the same virtual premises, but the scale of cloud computing ensures an astounding amount of collateral damage. This isn’t the 1920s, and today’s digital G Men can’t shoot a bootlegger without also hitting an innocent bystander.

For the bootleggers and porn pushers, this probably represents no more than a minor setback. 

For some number of individuals and small businesses, too naive to have understood the relative risks and benefits of the public cloud computing model, this probably represents a permanent loss. The EFF is actively soliciting the names and details from impacted users, and it will be interesting to see what data is provided on the number of individuals claiming that their only copy of their personal property is trapped in Megalimbo.

For me, this is an endlessly fascinating story, resulting in some of my best Gartner blog readership stats. Aside from sheer drama of the event, though, it raises important questions about the role of government within the Internet, the liabilities of a provisioning model that relies on a chain of providers, and whether the leverage of this computing model is creating monster sized services that are too big to allow to fail.

On one of the panels I moderated on APTs, Dave Merkel from Mandiant put it best. “You are compromised, get over it”. Others in the US Government have come to the same conclusion.

We spend far too much of our information security budget on increasingly ineffective mechanisms designed to prevent intrusions including network and host-based solutions, firewalls, IPS and antimalware systems. Does that mean we give up on these Not at all. What we need are new capabilities in other areas.

Assume you’ve been compromised. How would you know? We don’t spend nearly enough on systems that help us to better detect a compromise after it has occurred. We can’t keep pretending that we can keep the bad guys out.

Where are net new investments needed? Here’s just a few of the specific areas I discuss in my research.

• More monitoring. Lots more. At all layers of the stack – packet, flows, sessions, transactions, applications, user activities – all of it.
• More context-awareness. To separate meaningful anomalies out from a sea of monitored events will require more context – identity, application, content, location, time of day, reputation and so on.
• Big data and analytics brought to information security. Information security is becoming a big data problem and we need the systems, algorithms and new sets of security skills to derive insight from this.
• Higher levels of automation. To free up time to focus on the really important stuff, security professionals have got to get out of the day to day programming of security policy enforcement points. Program policies? Yes. Program quintuples? No.
• Cloud-based security policy enforcement. If we don’t own the device or the network (think 3G, 4G etc) then we can’t always rely on traditional network and host-based security controls for protection.
• Applications that are designed to be securely operated and used from inception. DevOpsSec must and will become a reality.
• A shift in thinking from Security Information and Event Management to delivering Security Intelligence

I believe information security infrastructure is at a critical inflection point. The status quo isn’t cutting it. Changes are needed.

Are the vendors up to it if it means we spend less for increasingly ineffective legacy solutions they are selling us? (The good news is that we’ll spend more in the other areas highlighted above if they’d make these types of advancements)

Are we up to it? Are we prepared to admit that we are currently on the losing side of this battle and make the types of process, technology and mindset changes above?

Overly aggressive and intrusive marketing is not my idea of an improved online experience. However, when I visit a news portal it should know that I’m a science junkie and have never read a sports related article in my life. When I visit a technology vendor’s website, it should remember that I’m an analyst, not a consumer. It should present me with technical and functional details rather than shill the vendor’s products.  With a little user history and the judicious use of metadata, its really not that hard. Unfortunately, this just doesn’t seem to occur to most website publishers and that treasure trove of tracking data is wasted. 

The missed opportunity is even more tragic when mobile devices enter the picture (and at this point, mobile devices ARE the picture).  A smart phone or a tablet bends over backward to tell a website where it is, what it can do and what type of content it wants.  You can and should do more with that information than simply serve up a stripped down version of your homepage.  If I visit a public transit website from my iPhone, chances are I’m not looking for annual pass options or a history of the Portland bus system.  I want to know where the nearest stop for the 96 express is located and when the next bus arrives (and I don’t want to install a dedicated app to do so!).  When I visit that same website from home, it should know that I always seem to ride the 96 and that I usually just miss it.  That little bit of tacit information, gleaned from my history and mobile habits, can facilitate a tailored online experience that goes beyond micro-segmentation to make true personalization practical.

When I access an online resource from a mobile device, I want quick, targeted information relevant to my immediate situation. When I access that same resource from my desktop, I want more details, more options and more aesthetics. Most importantly, I want the two experiences linked together into one, ongoing, conversational relationship.  If I have to reintroduce myself every time we meet, chances are we are not going to become friends. A comprehensive cross-channel strategy can leverage user history and contextual information to provide a cohesive experience across devices and across sessions. If this is the goal of your tracking cookies and beacons, its okay to be a little evil.

However, what is “application security monitoring” (ASM)? As I am pursuing my second research project this quarter – one related to SIEM technology futures – I am coming across people attaching the “ASM” label to various technologies and processes. Specifically, these are:

• “We have a web application firewall (WAF) – thus we do ASM” (if “firewall” = “monitoring” and “web applications” = “applications,", then maybe it is indeed ASM)
• “We collect application logs” (which, in reality, means “some application logs” that often nobody understands; also notice the word “collect” contrary to “analyze” here. And what about application context?)
• “We have a tool that analyzes application transactions for fraud” (this sounds like one specific use case of security monitoring inside the application, but what about others?)
• “We decode network traffic up to an application layer” (which likely means that you do NSM right, in contrast to doing application security monitoring)
• “We have a DAM” (which means that requests that the application makes to its database can be looked at; such requests do not constitute the entire pool of security-relevant application activity)
• “We convinced our developers to implement application telemetry useful for security” (this sounds like it will enable application security monitoring; however, what happens with that data after it is generated?)
• “The tool we have can monitor all system calls and API calls made by the running application” (same question: is there any capability, in that tool or another, that helps make sense of the information deluge?)

In your opinion, do any of the above constitute application security monitoring on their own?

Personally, I doubt it. At best, ASM might mean “all of the above” or “many of the above," but I think a few components needed to achieve ongoing visibility of all security-relevant activities inside off-the-shelf and custom applications have not even emerged yet. It may be that security has to outgrow its network roots first and get some application DNA implanted.

The theme that also seems to emerge in my research is that unlike with NSM, answering “what happened?” (example: “error 945842 on application XYZ”) is comparatively less important than answering “what it means?” (example: “security control failed to prevent malicious activity at application XYZ that is important for our business”). Thus, we need to both collect more telemetry AND context, as well as build tools to make sense of that data!

Thus, both enterprises and vendors have work to do in the coming years!

The ECI provides European Citizens the ability to present legislative initiatives directly to the European Commission provided they have a million signatures from EU citizens in a representative set of countries. Links at the end of this post provide the details.

Rather than creating a large and complex program, the ECI’s basic structure revolves around open source software supporting registering an initiative and submitting signatures for validation.   That may not sound like much, but in an environment of social media and technology it gives EU citizens the basic interfaces to engage the formal structures of the European Commission and the rest is up to them.

In preparing for and participating in the panel a number of thoughts came to mind on the nature of technology, public policy and the future of direct citizen participation.

• The ECI is correct in conceiving of social media as the ‘technology’ for creating an environment for the initiative. Incorporating social media into the citizen centric strategy not only recognizes the reality of social media in society, but also encourages direct citizen action and innovation without prescribing a platform or approach.

• Social media platforms, like Face Book, Google, Twitter, etc. provide a platform with the scale and reach necessary to engage the large and diverse EU citizenry.

• Social media’s communications capabilities are well suited for sharing the depth of information associated with a strong citizen initiative.  I can imagine these sites holding more than just calls for support.  These sites can become key educational, documentation and discussion sites.  Imagine video’s that document conditions and situations, position papers that outline aspects of the initiative and debates where the community forms and reforms the initiative prior to its submission.  Those are the types of collaborative capabilities that can drive strong, positive and participatory policies and initiatives.

The open, participatory and self initiated aspects of social media tools match up well with the principles associated with the ECI.  These same aspects have the potential to change the nature of public discourse, government transparency and the like.  A few thoughts in these areas include:

• Social media in public policy can change the nature of policy development toward building solutions rather than supporting stances.  This creates the potential to shift the policy development process from a basis of exchanging single issues or interests based views to multi-lateral working discussions to craft an initiative prior to the ECI process.  This has the potential to change the nature of NGO’s and other policy influencers moving them away from advocacy for a position toward collaborating to solve a problem.   Call me naïve, but if all social media does is raise the volume of single interest, single views then we are poorer for it.

• Changing the level of transparency and participation in EC/EU deliberations concerning successful initiatives.  The current process, as I understand it, involves closed deliberation and consideration of initiatives that complete the ECI process.  I believe that the participation and transparency required for the front part of the ECI process, will lead to similar requirements in the deliberation and decision making of policy makers to not only use the content generated in the initiative process but also to engage the community in deliberations and discussions.  It is hard to open the front end of a process and make it more transparent and keep the back end closed.

• The ECI can be seen as part of a range of legislative processes and approaches.  Viewed in this context, the ECI plays an important role in submitting initiatives that should compliment rather than compete with other approaches and channels.   Recognizing the uniqueness of the ECI process should allow it to have different features and performance expectations as not every process is best to address all policy challenges and issues.

• Much of the ECI process will be ‘do it yourself’ in terms of citizens taking direct responsibility to organize, discuss, debate and develop their initiatives and tools.  There are few prescribed rules for the ECI, which opens the door for creativity and innovation in the policy development and debate process.  Sure it would be nice to have prescribed content policies, platforms, and premade tools as some at the meeting asked for, but such pre-structuring of the environment can also pre-structure the nature of the debate and set operational limits.  A practical and innovative way of being neutral is to be open and lay down a few clear rules, processes and tools which the ECI has done.

The ECI has many of the characteristics associated with successful mass collaboration. We identified these characteristics in researching how large organizations apply social media to achieve meaningful results for the book, The Social Organization.  Having a compelling purpose, just enough structure and the right level of sponsorship are all critical for success.

The launch of the ECI last week represents the first mile in a new approach to direct citizen involvement in the legislative process.  Submitting legislation is also the last mile for many in the policy arena as ideas turn into proposed rules and laws. How these two connect and collaborate using social media is something I look forward to observing in the future.

Related links

European Citizens initiative Web Site

European Citizens Initiative Face Book Page

In 2012 Gartner speaks of the nexus of forces – cloud, social, mobile, and information – yet for security staff this could be a dark place to stand like deer in the headlights. Consumerization and compliance are at loggerheads. What happens when an unstoppable force meets an irresistible object? Will it mean the end of confidentiality as we know it?

Before I get into this I must give due credit to my colleagues. What I’ve loved about working at Burton Group and now Gartner is that I stand on the shoulders of giants. This blog post was originally inspired by Bob Blakely’s posts on the the end of secrecy. And I would not even be doing this if another colleague, Eric Maiwald, hadn’t been inspired to take up Bob’s original topic as a potential 2012 Catalyst session.

So what does this perplexing notion actually mean? It can’t be that we just give up and stop data protection efforts. But it does mean that we have to change our paradigms. We should try to centralize data access with server-hosted virtual desktops and enterprise content management systems. But this can only partially hold back strong tides of data dispersion. We can monitor the flow of information with DLP. But malicious users will often evade surveillance – this in an old game of low assurance.

We can attempt some stronger techniques as I advised in my restricted zones blog entry – stop assuming that we can win the futile battle to 100% protect our endpoints and instead get more hard core about building fortresses, or secure zones, around our most critical data. Done correctly, this can reduce the magnitude of worst case consequences but still doesn’t represent a 100% compliance solution.

Yet compliance is a many-sided coin. It needn’t be achieved solely through security technologies. We can change the game by changing business processes; for example, some organizations have stopped storing credit card numbers. Our organizations can also use business process outsourcing, corporate subsidiary structures, and other business approaches to transfer risk or manage it in creative ways.

Creativity will be essential if the nexus of forces coupled with an ever-more challenging threat and regulatory landscape really brings the end of confidentiality as we know it. I recently heard the CISO of a large financial institution muse about “What we would do if all our controls still prove ineffective against the threats?” He spoke of then using business and information management techniques in the realm of espionage – counter-intelligence, deception – consciously and systematically varying the timing, audience, completeness, and accuracy of information flows, watching what happens, and adapting. This is not actionable yet – no more than a thought experiment. But could it represent the shape of things to come in the not too distant future?

Recently my wife and I were dining at a restaurant. We left, reached the car parked down the street, and realized she left her pocket book (with a fair amount of cash and an iPhone in it) back at the restaurant.  I drove her back to retrieve it.  As she was inside, I decided to use the “Where’s my iPhone” App to establish the phone’s location.  Surprise!  That little bouncing blue ball was NOT in the restaurant, but moving up the street about a block away!  I called the cell number – no answer.

I rushed into the restaurant, pulled her out, jumped in the car, and gave pursuit.  All this time we were furiously sending “Play Sound” messages, while she navigated us towards the moving blue ball.  We catch up to it at a nearby intersection, double park, jump out of the car at opposite corners – hoping to hear the phone and grab the thief.

Surprisingly, the regularly spaced 10 second updates had suddenly started clocking up to 30 second, 1, 2, 3 minutes “last updated”.   Someone turned the phone off.  That sinking feeling of lost drivers license, credit cards, cash, and iPhone suddenly started setting in.  What to do now?

After about 5 minutes, my phone rings – caller-id is her cell.  “Did you lose a pocket book?”.  “Yes we did – where are you?”.  “ We’re parked in front of your house”.  When we retrieved the pocket book – everything intact – the person who called explained how they found it on the street, picked it up, looked at the drivers license, and decided to go to the house to drop it off.

Yeah, maybe.  What was clear was whoever took the pocket book from the restaurant didn’t have any intention of returning it.  I suspect they were spooked by the eerie “where’s my iPhone” sound going on continuously from the phone – and either threw the pocket book down, or had a change of heart and called us.

What’s the BYOD lesson?  Now imagine that the Modus Operandi in the event of a lost corporate phone is “call the help desk” – where centralized tracking and/or remote wipe could be initiated.  Some thief would probably be much richer now.

By putting that power in the hands of the user  the responsibility and authority for management of that device became the individual – not a monolithic corporation.   Flexibility and speed of response was key – and delegating management of the device to individuals (not without some monitoring) is clearly where the world is going.  Central command and control is over.   Companies hire PEOPLE with an expectation of commitment and dedication.  Enterprises are, in fact, no better than the trust and commitment that employees bring.  Should there be checks and balances? Sure!  Should employees be clear what their responsibility and authority is? Absolutely!   Unfortunately that doesn’t stop some vendors – and companies- to think “lock down” and “manage centrally” – to the point where they negate any sense of commitment by an employee.  Anything less than an increased emphasis on individual control and authority in the realm of managing personal devices is just a road to disenfranchisement.

That’s why BYOD will succeed, and Mobile Device Management will morph into something less control oriented.

• A. Oh my gosh!  How can these information assets be protected?
• B. Oh my gosh!  How am I going to be able to find anything or notice anything important?
• C. Oh my gosh!  How can I make money by creating technology products to ride this wave?
• D. Oh my gosh!  How can I make sure my target consumers notice my product messaging in all this noise?
• E. Big deal.  This has been happening since Gutenberg and we have always adapted.
• F. That’s why I don’t use computers.

From your response, I think I can tell who you are:

• A. You are an information security, legal, identity, or privacy practitioner
• B. You are an overburdened information worker, the IT owner of information systems, or a researcher in human computing interfaces (HCI), augmented cognition (AugCog), or user interface/experience design (UI or UX)
• C. You are a software vendor (or pharmaceutical researcher for 5-Hour Energy!)
• D. You are in marketing, probably trying to increase sales for a discretionary product
• E. You are a pundit
• F. You are a Luddite

Seriously though, I’m amazed at the number of narratives that launch in different directions from this common “information everywhere” starting point.  And each role has difficulty seeing the other angles. Take me for example – through my research and writing on enterprise attention management, I live in bubble B (how to find and notice important stuff).  Most people I read and interact with on this subject are also in bubble B, so it becomes easy to forget there are so many people that are equally focused on their angle.

As another example, when I met with a bunch of “context aware computing” analysts, they were almost entirely focused on helping service providers utilize context (starting with location based services) to hit consumers with the right message at the right time to increase their sales (choice D).

Information proliferation will continue so it’s important to recognize all of the response vectors, ranging from opportunity to threat.  Preparation is the best defense.

It comes as no surprise to me that a public cloud provider can suffer an unforeseen incident that impacts millions of people. I admit to surprise over the form and scope of the Black Swan Event experienced by Megaupload last month.  The extent of the enterprise use of their service also comes as a surprise.

In an interview yesterday with Bloomberg, Palo Alto Network’s Nir Zuk  explains that Megaupload was the most widely used file sharing service within the enterprise. While this was a short and perhaps misleading interview, specific details on enterprise usage of cloud-based file sharing systems can be found in Palo Alto’s Application Usage Risk Report.  My read of the latest version of this report is that Megaupload is indeed the largest bandwidth consumer within the enterprise  (enterprise being those orgs that buy Next Gen Firewalls), with Dropbox being the #2 bandwidth hog.  Megaupload traffic appears in 57% of enterprises, which is quite a lot, although 5 other vendors appear in a higher percentage of enterprises.  Dropbox wins that race,with their traffic detected in 76% of enterprises.

In one fell swoop of the black swan, users in over half of enterprises suddenly lost all access to one of their highest bandwidth external services. While this particular case probably came as a relief to a lot of IT managers,  not all of the Megaupload traffic represents bootlegged multi-media content. The service did have a reputation in the power user community for being fast and scalable, attracting people who had a legitimate need to share their own bulky content.  Hopefully, most of the enterprise users savvy enough to recognize it for those advantages, were also prudent enough to avoid using it as their primary storage for important files.