I’d like to know what others think of this prediction, but, appropriately, there seems to be no way to comment on this article.  Presumably this is because you should be commenting on it around the water cooler, not with the dinosaurs still working at Starbucks.

First, here’s what Ms. Kellaway predicts for this year:

In 2012 the following will be back in fashion: the landline, the jacket, the commute, the handshake and above all the office itself.  Out of fashion will be the virtual office in which employees sit hunched over laptops in their local Starbucks, joined to their colleagues by webcam and e-mail. Instead, working life will start to resemble its old self before the internet was invented. Employees will turn up to work at predictable hours five days a week, and will comport themselves with greater formality than before. Face-to-face meetings will be preferred to video conferences; ideas will be exchanged not by tweet, but by the coffee machine.

And as for the power of social software to help connect new workers to others that know the tricks of the trade or where information is, forget it.  You’re stuck with whoever is physically within 100 yards of you:

Managers will start to realise that remote working has been disastrous for spreading corporate culture, and that in particular it has made it difficult for younger workers to pick up the tricks of the trade. With no one to copy, they have failed to adjust well to the world of work. The new formality will suit the young: they will turn up to work smartly dressed and have no option but to immerse themselves in the corporate culture and learn from those above them in the pecking order.

OK, I’ll admit my bias upfront.  My team and I cover all the technologies Ms. Kellaway derides (web conferencing, e-mail, microblogging, social networking) as well as the new ways of working they enable.  It’s actually refreshing to see someone arguing for the status quo.  Her bio says she “pokes fun at management fads and jargon.”  But I strongly doubt we’ll look back on the first decade of the 21st century and say “remember that fad where workers thought they could collaborate virtually and everyone was sending emails?”  I have worked virtually for 14 years now at three different companies and while there are disadvantages, the advantages have won out.  I voluntarily go into the office about once a week for various reasons, which seems to fit my ideal blend of old style and the virtual style of working.

One has to remember the drivers that made these technologies essential to the corporate tool belt.  To say they are fads means also believing these drivers were fads:

• Globalization: The odds of everyone you need to be successful being present in the same office are increasingly remote.  And I’ll also lump flexibility and outsourcing in the supply chain into this category as well.  Good luck getting everyone you need in the same place, five days a week, from 9-5.
• Increased organizational agility: The need to respond quickly to events.  While the status quo allowed quick creation of physical war rooms, it’s far more common to need to gather intelligence, ideas, and buy-in from a distributed virtual workgroup at all hours of the day.
• Broader talent pooling: I hire research analysts and I am quite happy to be able to draw from a nationwide (or worldwide) talent pool since we work virtually rather than the best analyst I can find within 30 miles of my location (no offense to one of my analysts who, coincidentally, does live within 30 miles of me!).  For generalized jobs it may not matter, but a corollary to this driver is increased job specialization.
• Work/life flexibility: The jury is out on whether anytime/anywhere mobile access helps the worklife balance or hinders it.  But there is no doubt this technology has introduced flexibility that wasn’t possible back when I had to babysit 2am production releases in the office (loneliness is having to wave your arms around every 10 minutes so the lights don’t turn off on you). 

As for culture, I’m not sure the degree to which 1970’s office culture or social-technology-enabled Gen Y culture will win out, but it will be some blend of the two.  There are certain people who make a good impression when leading, arguing, persuading, or connecting in person, and there are others who are more persuasive using virtual technologies.  It’s nice to give the virtually persuasive folks a louder voice and I think the diversity of views and approaches is paying off. 

If there’s a sudden resurgence of office workers voluntarily dressing in suits and ignoring virtual teammates then I’d predict that to be a short term fad, not the other way around.

So you might be wondering, the guts of what? This previous week an effort on the part of myself, Michael Maoz and Adam Sarner was finally published and it gets into the guts of peer-to-peer customer community software. (Gartner clients see Critical Capabilities for Peer-to-Peer Customer Community Software.) This piece of research gets into the insides of peer-to-peer community software, outlining what clients are looking for and how good of a job some popular vendors in the space are doing at providing both what is considered to be an industry standard and that which is innovative.

A little sneak preview you ask? Then I will comply…

…you asked for it! Alright, alright. So in the note we identify four capabilities and then break each of those down further until we can differentiate one gut splattering from the next. The four critical capabilities are: content creation and curation, member management, knowledge management system and agile social platform. For the actual, clean dissection of these capabilities, you will have to read the note, but I can tell you this: even the strongest community vendors have room for growth in the area of agile social platform.

So here is the action item I give to you coming our of this research and having done a bit of detective work surrounding the Total Cost of Ownership of Social CRM for Customer Service SaaS solutions (Gartner clients): know what you’re looking for, know what you can and can’t live without based on your business use case, and ask questions! In speaking to a variety of vendors, I do believe that most if not all are sincere in wanting to deliver the best product they can to their end users, but like my landlord once scolded me, “if I don’t know something is wrong, I can’t fix it.”

College Jenny had bigger things to worry about than mold on the ceiling, like laying out on the docks of the river all day.

And now I have an ask of anyone reading this. What are your biggest gripes with community functionality? You don’t need to list the product you’ve used, keep it general. We’ll open it up to internally-facing and public-facing communities you’ve been a part of. If there are no responses, I will assume everyone is 100% happy with the software they’ve used in the past or are using now.

However, one item I ordered before Christmas finally arrived this week! I know what you’re thinking; fortunately it wasn’t a Christmas present or I’d be in big trouble! Though I was relieved that it had arrived, I couldn’t help wondering what had gone wrong from a process perspective! I had placed the order with an e-commerce site and the delivery was due before Christmas. The order went through fine and was dispatched shortly afterwards, but then something clearly went wrong, when the logistics company tried to deliver the product.

This is a classic example of process pain points occurring at “hand-offs” between a business and its supplier. When I chased up the supplier to find out where my purchase was, it turned out that my telephone number had not been passed on to the logistics company so they couldn’t phone me to arrange a delivery. However they did have my address so given I waited 6 weeks for the delivery, it would have been better to send me a letter via “snail mail”!

I can think of several ways in which the use of BPM could have avoided this scenario:

• Visibility of the end-to-end process so that everyone understands the part they play, the key process inputs and outputs and the process and sub-processes they should follow
• Accountability for the process outcomes – in this case two key process outcomes were passing on the customer details (from e-commerce site to supplier and then supplier to logistics) and the delivery of the purchase. Who should have been accountable for this – the supplier, the logistics company or the e-commerce site? Ultimately I ended up taking responsibility for it because I had to chase up the order! Business process governance can prevent this by clarifying role interactions and revealing who is responsible for deciding how the process should be improved and redesigned in the future.
• Adaptability to changing circumstances, especially if something goes wrong like not having a customer’s phone number. Alternative options should be available via sub-processes to verify if other details were available and could be used e.g. email or delivery address, rather than nothing happening at all. If there are no contact details, or the given details are incorrect, an alert should be sent back so that someone can resolve the situation. This is where related areas like business activity monitoring and business rules management can also play a part in helping business to run smoothly.

Fortunately this e-commerce retailer was smart enough to reach out to me for feedback on the supplier and this is where the social BPM element comes into play. How many times does this situation arise without the retailer’s knowledge and consequently they might lose ? This is why it’s so important to invent ways to capture feedback from people who consume your processes, (especially external, customer-facing ones) so you can identify and eliminate any process painpoints or disconnects that could potentially damage your business.

I shall certainly help out by giving back my feedback to them this weekend, but I’m not sure if I would use that supplier or e-commerce site again…would you? On a more positive note, at least the delivery was free!

Working with a number of peers across Gartner, we set out to identify the underlying issues behind these common problems and develop an alternative approach that could break this cycle for clients. We recognized that one of the underlying issues for clients is that they have taken a “one size fits all” approach to managing their applications. It didn’t matter whether the app was your core ERP system or a trade funds management application – they were applying the same investment strategy and governance approaches. They were also looking at consolidating more and more functionality into integrated suites –without really understanding what that meant from an agility standpoint.

We developed our Pace Layered Application Strategy framework to help clients think a little differently about their application portfolios. The premise is relatively simple – that a one size fits all approach does not work and that you need to look at applications in the context of the business value they provide for the organization and how their rate of change differs as a result. Do the applications support standard, foundational business processes (Systems of Record), non-standard differentiating processes (Systems of Differentiation) or new, experimental processes (Systems of Innovation). The applications in each of those categories have different requirements and rates of change, and the pace layer model prescribes unique governance approaches to each to allow for maximum flexibility.

The response to this research has been extremely positive, and we have been working over the last 12 months to develop a deep body of knowledge on the concept, how to get started, and how to evolve the strategy over time. I am really excited about the launch of a special report on Pace Layered Application Strategy http://www.gartner.com/technology/research/pace-layered-application-strategy/. This landing page is an excellent resource for those looking for more details on how to adopt pace layers. Please feel free to reach out and ask questions or to suggest additional research on pace layers.

I’ve seen some CSPs make some very good strides lately in terms of improving websites and publishing architectural and security related information.  One particular aspect where the industry has seen very little improvement is transparency with audits.

A common discussion for me at Gartner has centered on SAS 70 Type II audits, and now SSAE 16 / SOC 1 reports.  The latter has replaced SAS 70 and having an SSAE 16 audit and SOC 1 report completed by an independent third party is table stakes for competing in the public cloud services market.  There are many problems with the SSAE 16 audit, namely that CSPs still get to designate which control objectives an auditing agency verifies.  If a CSP does a poor job at logical access security, they could choose not to have the third party audit them against that control.  It seems unfair and a loophole.  As such, customers actually do need to see the SOC 1 report and must sign a confidentiality agreement with each provider to do so.  That does not scale well.

But why a confidentiality agreement?  Why don’t CSPs simply publish their SOC 1 report online?  I’ve spent the last month talking to a number of CSPs about this.  I get the token response that it would divulge sensitive security configurations that if published would put the cloud service in jeopardy of being attacked/exposed.  My response to that is, “Ok, but let’s get creative.”  I have not been able to understand why a CSP cannot publish a summary report listing each of the controls that were audited and the relative findings for each objective.  There is a stark difference in mentioning that a third party confirmed security surveillance cameras are in place versus actually listing each physical location of all individual cameras.

Well after having several in depth conversations with many providers, I believe our cross hairs need not focus on the CSPs as much as the auditing agencies.  More than a few of the CSPs have apparently gone to their auditing agency and requested the right to publish the SOC 1 report publicly.  All providers that have done this were denied that ability.  The auditing agency holds the copyright to the report and the legal agreements of the audit restrict the CSP from publishing without auditor consent.

A few providers claim they have gone further and have asked the auditor if they can takes portions of the report and publish as an executive summary or FAQ to highlight for customers the controls and summarized results.  Again, those providers were not able to obtain the rights to do so.

What are these auditing agencies / large consulting companies needing to hide?  If they truly are independent, third parties, why can’t they stand behind their report publicly?  If not the entire report, why not a summary of findings?

Providers are not 100% absolved of any responsibility here either.  Even if the auditing agency refuses to release any information from the report, the provider should still publicly list the controls that the provider asked the auditor to look after.  That would be a big step for many providers and would at least start to level-set the playing field for customer evaluations.  Furthermore, the best CSPs will put more emphasis on obtaining ISO 27001 certification, which does provide a base standard for controls.

I would love to hear from you on this.  Are you a customer that is tired of signing agreements simply to confirm controls?  Are you a provider that wants to publish more information but are restricted by auditors?  Are you an auditor that would like to have a deeper discussion?   Please contact me.

The Electronic Frontier Foundation has formerly requested that this hot potato be allowed to fester indefinitely, announcing yesterday “EFF formally requested the preservation of the data seized when the U.S. government shut down Megaupload.com and related sites in January of 2012, notifying the court and attorneys involved in the case that Megaupload’s innocent users deserve a fair process to control and retrieve their lawful material.”

I also agree that innocent users deserve a fair process, although it is difficult to envision what that could be.  What I don’t agree with is the part about ‘data seized’.  As far as I can tell, its still sitting in its original servers in multiple data centers belonging to Carpathia, Cogent, and some number of additional hosting firms. The DOJ did not seize it at all–they just took multiple steps to ensure that the service would be inaccessible:

• They took possession of Mega’s domain names, making it impossible for customers to access it.
• They froze Mega’s financial assets, making it impossible for them to pay the hosting providers.
• They arrested Mega leadership on criminal charges, ensuring that they would be focused on staying out of jail, instead of figuring out how to restore their file storage services.

Mega’s staff are under arrest at worst, and unpaid and looking for work at best.  Mega’s hosting firms are stuck with thousands of idle servers, mostly filled with toxic digital waste of bootlegged movies and pornography.  Carpathia has strongly suggested that they do not have administrative access to these servers (although they haven’t explicitly said so).   It would be nice to think that any legal content would be provided to the 50,000,000 or so people to whom it belongs, but its difficult to envision the practicalities.

Without providing any public suggestion of how it should be done, in a letter to the DOJ on Feb 1, the EFF formally requested that the DOJ take possession of the poisonous potato.  Described as a matter of fairness, with Constitutional overtones, this preservation step would presumably be a  financial one, but not a physical one.

For the DOJ, theirs was a hugely visible act which immediately encouraged several Megaupload competitors to change their practices. It sent a clear message that ‘the USA will not tolerate Internet IP piracy.’  Given the huge level of citizen push back on SOPA and PIPA, its easy to envision growing pressure to change US policy.

For the hosters, this digital hot potato represents an immediate loss of income, and a potential PR disaster. Just leaving the Mega servers in place represents an ongoing expense, actually turning them on and serving their content would represent an even bigger expense. Coming up with a mechanism to allow ‘legitimate’ users to collect their data while excluding illegal content seems a practical and legal rat hole, with endless potential to attract lawyers from the DOJ, the EFF, foreign governments, and the entertainment industry. It isn’t difficult to envision that they would eventually be on the receiving end of some sort of class action lawsuit.

For the EFF, this is a PR gift, representing their biggest ever opportunity to play hero for millions of impacted Megausers.  I don’t blame them for making hay in this sunshine.  Cloud computing not only means that the criminals and innocent bystanders are sharing the same virtual premises, but the scale of cloud computing ensures an astounding amount of collateral damage. This isn’t the 1920s, and today’s digital G Men can’t shoot a bootlegger without also hitting an innocent bystander.

For the bootleggers and porn pushers, this probably represents no more than a minor setback. 

For some number of individuals and small businesses, too naive to have understood the relative risks and benefits of the public cloud computing model, this probably represents a permanent loss. The EFF is actively soliciting the names and details from impacted users, and it will be interesting to see what data is provided on the number of individuals claiming that their only copy of their personal property is trapped in Megalimbo.

For me, this is an endlessly fascinating story, resulting in some of my best Gartner blog readership stats. Aside from sheer drama of the event, though, it raises important questions about the role of government within the Internet, the liabilities of a provisioning model that relies on a chain of providers, and whether the leverage of this computing model is creating monster sized services that are too big to allow to fail.

On one of the panels I moderated on APTs, Dave Merkel from Mandiant put it best. “You are compromised, get over it”. Others in the US Government have come to the same conclusion.

We spend far too much of our information security budget on increasingly ineffective mechanisms designed to prevent intrusions including network and host-based solutions, firewalls, IPS and antimalware systems. Does that mean we give up on these Not at all. What we need are new capabilities in other areas.

Assume you’ve been compromised. How would you know? We don’t spend nearly enough on systems that help us to better detect a compromise after it has occurred. We can’t keep pretending that we can keep the bad guys out.

Where are net new investments needed? Here’s just a few of the specific areas I discuss in my research.

• More monitoring. Lots more. At all layers of the stack – packet, flows, sessions, transactions, applications, user activities – all of it.
• More context-awareness. To separate meaningful anomalies out from a sea of monitored events will require more context – identity, application, content, location, time of day, reputation and so on.
• Big data and analytics brought to information security. Information security is becoming a big data problem and we need the systems, algorithms and new sets of security skills to derive insight from this.
• Higher levels of automation. To free up time to focus on the really important stuff, security professionals have got to get out of the day to day programming of security policy enforcement points. Program policies? Yes. Program quintuples? No.
• Cloud-based security policy enforcement. If we don’t own the device or the network (think 3G, 4G etc) then we can’t always rely on traditional network and host-based security controls for protection.
• Applications that are designed to be securely operated and used from inception. DevOpsSec must and will become a reality.
• A shift in thinking from Security Information and Event Management to delivering Security Intelligence

I believe information security infrastructure is at a critical inflection point. The status quo isn’t cutting it. Changes are needed.

Are the vendors up to it if it means we spend less for increasingly ineffective legacy solutions they are selling us? (The good news is that we’ll spend more in the other areas highlighted above if they’d make these types of advancements)

Are we up to it? Are we prepared to admit that we are currently on the losing side of this battle and make the types of process, technology and mindset changes above?

Overly aggressive and intrusive marketing is not my idea of an improved online experience. However, when I visit a news portal it should know that I’m a science junkie and have never read a sports related article in my life. When I visit a technology vendor’s website, it should remember that I’m an analyst, not a consumer. It should present me with technical and functional details rather than shill the vendor’s products.  With a little user history and the judicious use of metadata, its really not that hard. Unfortunately, this just doesn’t seem to occur to most website publishers and that treasure trove of tracking data is wasted. 

The missed opportunity is even more tragic when mobile devices enter the picture (and at this point, mobile devices ARE the picture).  A smart phone or a tablet bends over backward to tell a website where it is, what it can do and what type of content it wants.  You can and should do more with that information than simply serve up a stripped down version of your homepage.  If I visit a public transit website from my iPhone, chances are I’m not looking for annual pass options or a history of the Portland bus system.  I want to know where the nearest stop for the 96 express is located and when the next bus arrives (and I don’t want to install a dedicated app to do so!).  When I visit that same website from home, it should know that I always seem to ride the 96 and that I usually just miss it.  That little bit of tacit information, gleaned from my history and mobile habits, can facilitate a tailored online experience that goes beyond micro-segmentation to make true personalization practical.

When I access an online resource from a mobile device, I want quick, targeted information relevant to my immediate situation. When I access that same resource from my desktop, I want more details, more options and more aesthetics. Most importantly, I want the two experiences linked together into one, ongoing, conversational relationship.  If I have to reintroduce myself every time we meet, chances are we are not going to become friends. A comprehensive cross-channel strategy can leverage user history and contextual information to provide a cohesive experience across devices and across sessions. If this is the goal of your tracking cookies and beacons, its okay to be a little evil.

However, what is “application security monitoring” (ASM)? As I am pursuing my second research project this quarter – one related to SIEM technology futures – I am coming across people attaching the “ASM” label to various technologies and processes. Specifically, these are:

• “We have a web application firewall (WAF) – thus we do ASM” (if “firewall” = “monitoring” and “web applications” = “applications,", then maybe it is indeed ASM)
• “We collect application logs” (which, in reality, means “some application logs” that often nobody understands; also notice the word “collect” contrary to “analyze” here. And what about application context?)
• “We have a tool that analyzes application transactions for fraud” (this sounds like one specific use case of security monitoring inside the application, but what about others?)
• “We decode network traffic up to an application layer” (which likely means that you do NSM right, in contrast to doing application security monitoring)
• “We have a DAM” (which means that requests that the application makes to its database can be looked at; such requests do not constitute the entire pool of security-relevant application activity)
• “We convinced our developers to implement application telemetry useful for security” (this sounds like it will enable application security monitoring; however, what happens with that data after it is generated?)
• “The tool we have can monitor all system calls and API calls made by the running application” (same question: is there any capability, in that tool or another, that helps make sense of the information deluge?)

In your opinion, do any of the above constitute application security monitoring on their own?

Personally, I doubt it. At best, ASM might mean “all of the above” or “many of the above," but I think a few components needed to achieve ongoing visibility of all security-relevant activities inside off-the-shelf and custom applications have not even emerged yet. It may be that security has to outgrow its network roots first and get some application DNA implanted.

The theme that also seems to emerge in my research is that unlike with NSM, answering “what happened?” (example: “error 945842 on application XYZ”) is comparatively less important than answering “what it means?” (example: “security control failed to prevent malicious activity at application XYZ that is important for our business”). Thus, we need to both collect more telemetry AND context, as well as build tools to make sense of that data!

Thus, both enterprises and vendors have work to do in the coming years!

The ECI provides European Citizens the ability to present legislative initiatives directly to the European Commission provided they have a million signatures from EU citizens in a representative set of countries. Links at the end of this post provide the details.

Rather than creating a large and complex program, the ECI’s basic structure revolves around open source software supporting registering an initiative and submitting signatures for validation.   That may not sound like much, but in an environment of social media and technology it gives EU citizens the basic interfaces to engage the formal structures of the European Commission and the rest is up to them.

In preparing for and participating in the panel a number of thoughts came to mind on the nature of technology, public policy and the future of direct citizen participation.

• The ECI is correct in conceiving of social media as the ‘technology’ for creating an environment for the initiative. Incorporating social media into the citizen centric strategy not only recognizes the reality of social media in society, but also encourages direct citizen action and innovation without prescribing a platform or approach.

• Social media platforms, like Face Book, Google, Twitter, etc. provide a platform with the scale and reach necessary to engage the large and diverse EU citizenry.

• Social media’s communications capabilities are well suited for sharing the depth of information associated with a strong citizen initiative.  I can imagine these sites holding more than just calls for support.  These sites can become key educational, documentation and discussion sites.  Imagine video’s that document conditions and situations, position papers that outline aspects of the initiative and debates where the community forms and reforms the initiative prior to its submission.  Those are the types of collaborative capabilities that can drive strong, positive and participatory policies and initiatives.

The open, participatory and self initiated aspects of social media tools match up well with the principles associated with the ECI.  These same aspects have the potential to change the nature of public discourse, government transparency and the like.  A few thoughts in these areas include:

• Social media in public policy can change the nature of policy development toward building solutions rather than supporting stances.  This creates the potential to shift the policy development process from a basis of exchanging single issues or interests based views to multi-lateral working discussions to craft an initiative prior to the ECI process.  This has the potential to change the nature of NGO’s and other policy influencers moving them away from advocacy for a position toward collaborating to solve a problem.   Call me naïve, but if all social media does is raise the volume of single interest, single views then we are poorer for it.

• Changing the level of transparency and participation in EC/EU deliberations concerning successful initiatives.  The current process, as I understand it, involves closed deliberation and consideration of initiatives that complete the ECI process.  I believe that the participation and transparency required for the front part of the ECI process, will lead to similar requirements in the deliberation and decision making of policy makers to not only use the content generated in the initiative process but also to engage the community in deliberations and discussions.  It is hard to open the front end of a process and make it more transparent and keep the back end closed.

• The ECI can be seen as part of a range of legislative processes and approaches.  Viewed in this context, the ECI plays an important role in submitting initiatives that should compliment rather than compete with other approaches and channels.   Recognizing the uniqueness of the ECI process should allow it to have different features and performance expectations as not every process is best to address all policy challenges and issues.

• Much of the ECI process will be ‘do it yourself’ in terms of citizens taking direct responsibility to organize, discuss, debate and develop their initiatives and tools.  There are few prescribed rules for the ECI, which opens the door for creativity and innovation in the policy development and debate process.  Sure it would be nice to have prescribed content policies, platforms, and premade tools as some at the meeting asked for, but such pre-structuring of the environment can also pre-structure the nature of the debate and set operational limits.  A practical and innovative way of being neutral is to be open and lay down a few clear rules, processes and tools which the ECI has done.

The ECI has many of the characteristics associated with successful mass collaboration. We identified these characteristics in researching how large organizations apply social media to achieve meaningful results for the book, The Social Organization.  Having a compelling purpose, just enough structure and the right level of sponsorship are all critical for success.

The launch of the ECI last week represents the first mile in a new approach to direct citizen involvement in the legislative process.  Submitting legislation is also the last mile for many in the policy arena as ideas turn into proposed rules and laws. How these two connect and collaborate using social media is something I look forward to observing in the future.

Related links

European Citizens initiative Web Site

European Citizens Initiative Face Book Page

In 2012 Gartner speaks of the nexus of forces – cloud, social, mobile, and information – yet for security staff this could be a dark place to stand like deer in the headlights. Consumerization and compliance are at loggerheads. What happens when an unstoppable force meets an irresistible object? Will it mean the end of confidentiality as we know it?

Before I get into this I must give due credit to my colleagues. What I’ve loved about working at Burton Group and now Gartner is that I stand on the shoulders of giants. This blog post was originally inspired by Bob Blakely’s posts on the the end of secrecy. And I would not even be doing this if another colleague, Eric Maiwald, hadn’t been inspired to take up Bob’s original topic as a potential 2012 Catalyst session.

So what does this perplexing notion actually mean? It can’t be that we just give up and stop data protection efforts. But it does mean that we have to change our paradigms. We should try to centralize data access with server-hosted virtual desktops and enterprise content management systems. But this can only partially hold back strong tides of data dispersion. We can monitor the flow of information with DLP. But malicious users will often evade surveillance – this in an old game of low assurance.

We can attempt some stronger techniques as I advised in my restricted zones blog entry – stop assuming that we can win the futile battle to 100% protect our endpoints and instead get more hard core about building fortresses, or secure zones, around our most critical data. Done correctly, this can reduce the magnitude of worst case consequences but still doesn’t represent a 100% compliance solution.

Yet compliance is a many-sided coin. It needn’t be achieved solely through security technologies. We can change the game by changing business processes; for example, some organizations have stopped storing credit card numbers. Our organizations can also use business process outsourcing, corporate subsidiary structures, and other business approaches to transfer risk or manage it in creative ways.

Creativity will be essential if the nexus of forces coupled with an ever-more challenging threat and regulatory landscape really brings the end of confidentiality as we know it. I recently heard the CISO of a large financial institution muse about “What we would do if all our controls still prove ineffective against the threats?” He spoke of then using business and information management techniques in the realm of espionage – counter-intelligence, deception – consciously and systematically varying the timing, audience, completeness, and accuracy of information flows, watching what happens, and adapting. This is not actionable yet – no more than a thought experiment. But could it represent the shape of things to come in the not too distant future?

• A. Oh my gosh!  How can these information assets be protected?
• B. Oh my gosh!  How am I going to be able to find anything or notice anything important?
• C. Oh my gosh!  How can I make money by creating technology products to ride this wave?
• D. Oh my gosh!  How can I make sure my target consumers notice my product messaging in all this noise?
• E. Big deal.  This has been happening since Gutenberg and we have always adapted.
• F. That’s why I don’t use computers.

From your response, I think I can tell who you are:

• A. You are an information security, legal, identity, or privacy practitioner
• B. You are an overburdened information worker, the IT owner of information systems, or a researcher in human computing interfaces (HCI), augmented cognition (AugCog), or user interface/experience design (UI or UX)
• C. You are a software vendor (or pharmaceutical researcher for 5-Hour Energy!)
• D. You are in marketing, probably trying to increase sales for a discretionary product
• E. You are a pundit
• F. You are a Luddite

Seriously though, I’m amazed at the number of narratives that launch in different directions from this common “information everywhere” starting point.  And each role has difficulty seeing the other angles. Take me for example – through my research and writing on enterprise attention management, I live in bubble B (how to find and notice important stuff).  Most people I read and interact with on this subject are also in bubble B, so it becomes easy to forget there are so many people that are equally focused on their angle.

As another example, when I met with a bunch of “context aware computing” analysts, they were almost entirely focused on helping service providers utilize context (starting with location based services) to hit consumers with the right message at the right time to increase their sales (choice D).

Information proliferation will continue so it’s important to recognize all of the response vectors, ranging from opportunity to threat.  Preparation is the best defense.

It comes as no surprise to me that a public cloud provider can suffer an unforeseen incident that impacts millions of people. I admit to surprise over the form and scope of the Black Swan Event experienced by Megaupload last month.  The extent of the enterprise use of their service also comes as a surprise.

In an interview yesterday with Bloomberg, Palo Alto Network’s Nir Zuk  explains that Megaupload was the most widely used file sharing service within the enterprise. While this was a short and perhaps misleading interview, specific details on enterprise usage of cloud-based file sharing systems can be found in Palo Alto’s Application Usage Risk Report.  My read of the latest version of this report is that Megaupload is indeed the largest bandwidth consumer within the enterprise  (enterprise being those orgs that buy Next Gen Firewalls), with Dropbox being the #2 bandwidth hog.  Megaupload traffic appears in 57% of enterprises, which is quite a lot, although 5 other vendors appear in a higher percentage of enterprises.  Dropbox wins that race,with their traffic detected in 76% of enterprises.

In one fell swoop of the black swan, users in over half of enterprises suddenly lost all access to one of their highest bandwidth external services. While this particular case probably came as a relief to a lot of IT managers,  not all of the Megaupload traffic represents bootlegged multi-media content. The service did have a reputation in the power user community for being fast and scalable, attracting people who had a legitimate need to share their own bulky content.  Hopefully, most of the enterprise users savvy enough to recognize it for those advantages, were also prudent enough to avoid using it as their primary storage for important files.

This is still far from being a full replacement of the current government portal Directgov, but gives a pretty good idea of how things will develop. At face value, it doesn’t look better than many other government web sites, although it is said to provide more effective search capabilities. It provides categories to browse from, popular terms or services and then, for each category, a mixture of information people may be looking for and some services. The style of interaction does not look dissimilar from many other web sites, and it does not even provide the ability for people to tailor it to their needs (like redbridge i does for instance).

But the beauty of Gov.uk is supposed to be under the hood. As a review on the FT Tech blog puts it

Early testing on 2,000 people by civil servants cut by a third the time it took people to find information or complete a task. In some cases, dozens of pages have been whittled down to a multiple-choice process to guide users to their particular destination

If this is confirmed, it is well worth a suboptimal (at least for now) user interface. Also, what is being praised is the unusual development style, which is definitely closer to a start-up or one of the tech giants in Silicon Valley rather than a traditional government institution. The profile and resume of most developers in nothing like the usual government IT person.

There is an excellent review provided by Alex Howard, who also hints to the technology used. One thing that is missing though .- and this also pointed out in Alex’ article – is a clear path to making sure services and information on the new site can be used by multiple intermediaries.

There seems to be an inherent contradiction. On the one hand the UK government is pushing for open data and working to gov.uk as a platform. On the other hand the effort so far seems to be focused on making sure that people only use it. But wasn’t this Directgov’s initial idea? And hasn’t time proven that – especially with evolution toward web 2.0 and social media – people want to be in control of the channel and application they use to interact and transact with government?

UK politicians and government executives keep talking about citizen-centricity, and yet they seem to miss what it really means.

Case in point: In the e-government space, the UK government said many times that intermediaries are important.

The first intermediary policy that I ever saw in the world came actually from the UK in 2003. It was assuming (well before the term web 2.0 was invented) that people may wish to choose a different entity than a government organization to conduct government business (e.g. an insurance for health care, a bank for tax returns, an association for applying for school, and so forth). However their portal development strategy did not really apply that policy.

More recently (in 2007) they have been at the forefront of what would become the government 2.0 movement, and when I met Directgov executive two years ago I was told they were planning to support intermediaries and not act as the only point of contact. And yet, there has not been any visible development. A little over a year ago a Directgov review confirmed the ambiguity between being a service wholesaler or a retailer

Now, with the government pursuing more savings, there is an even greater momentum to close down existing government web sites and consolidate everything into a single web site of sort, which I assume is what gov.uk is the beta version of today.

So, what happened to the idea that people may get greater value from choosing a more natural contact point to interact with government? If there is value in allowing organizations to leverage open data to create dashboards and applications, why shouldn’t it be the same for services and information hosted by gov.uk? Why should I use it to know my council tax (this is one of the services they provide), if I’d rather use my council web site more frequently?

I am pretty sure that the techies at the GDS will tell that the gov.uk architectures supports it, that they just have to define the API, and that as everything is open source and cloud-based, it is almost a “piece of cake” (well, of course they would be more cautious, but as they are young and cool I have no doubt they would pull it out).

The problem is that this is not just a technical issue. It is a design issue. It is about asking yourself from the outset “is my web site the best way to deliver this service to a citizen? And, if not, how do I figure out the best channels and engage them?”. From what I read, there has been a lot of user involvement in designing the site: but I am not aware that there has been much effort invested into looking at a broader set of use cases and options.

So, what is Gov.uk going to become, when it grows up? A platform or yet another government single-point-of-contact?

Below is a graphic that I have used with clients for the past 2 or 3 years as a tool to help them understand what their value is and how to let other people understand the support value proposition. It is equally applicable to any product or service but for the purposes of today we will look at it from the support perspective.

The four main axes show the pillars of customer value… Cost reduction, Revenue generation, Quality improvement and Risk mitigation. In between these foundational themes we have secondary aspirations that can be used to influence and convince prospects, customers and consumers of product or service value.

Using these themes, providers can plot out what they believe their value is.  Remembering that customer value comes in many forms and shapes…

So what exactly is the product support value proposition? And perhaps more importantly, how should you convey it?

Full details and worked examples can be found within “Marketing Essentials: How to Convincingly Articulate the Product Support Value Proposition“. To paraphase a very small fraction of the fantastic insight, guidance and advice contained within this brilliant research note (and I say that as a completely biased party ) I would recommend a focus upon:

• Incident avoidance / Pain prevention – People don’t just want a support provider who is good at fixing things when they fail. They would much rather have a provider that helps them to avoid the pain and inconvenience in the first place.
• Internal cost reduction – How you help them to spend less on support related activities.
• Product or service value extraction – Getting the biggest bang for their technology investment buck
• Improved understanding – Of their environment, their operations, their product or service usage and how they compare to others
• Better end user experience – Helping them to help their users to be more productive

When you talk in terms similar to those outlined above, and refrain from falling back on well worn cliches about “protecting ones technology investment” and wafer thin sliced support services descriptions of what it is that you do and how you do it, you will begin to connect with customers in a more meaningful way… And connecting with customers is key. Because without that connection you will always only be the folks that they call when things go bad.

After all, who really wants to hang out with the perennial harbinger of doom and destruction?

TRKFAM!

• On average, over 40% of customers resolve their issues in the online community
• Of those 40%, 30 – 50% also solve the problem there – which means an overall reduction of 15%+ of all service cases.
• The average ROI on a peer-to-peer community has been 100% within 15 months. Try that with your ERP or SFA or HCM!
• Overall customer satisfaction grew, while time spent interacting with the Brand went up

If you want to see an in-depth case study and are a Gartner client, you can check out some new research at: http://www.gartner.com/resId=1910415  .

We will have several more of these at our Customer360 Summit this March in Orlando (http://bit.ly/gLhUKZ ).

I had a great call with a client this morning where we were discussing forums and knowledge bases and her company’s next steps. I said that now might not be the best time for her to discuss results because the program was still midstream. She laughed and said, “You know what? I don’t know if we’ll ever be out of midstream.”  I am always touched by the IT folks who work hard for companies that can hardly recognize their effort, who look forward at the possible and are not handcuffed by the past.

John F. Kennedy, who was my idol by reasons of proximity temporal and physical, said, “For time and the world do not stand still. Change is the law of life. And those who look only to the past or the present are certain to miss the future.” And it is truly a mystery and a testament to people’s dedication and commitment that they often work so long and hard for rewards that largely accrue to others. We need all be grateful that they do.

Thank you all, as always, for sharing your stories – successes and challenges.

If it is truly the case that Carpathia is hosting 25 Petabytes of Megaupload customer data, and that is only part of what has become inaccessible through the 19 January Department of Justice shutdown of Megaupload.com, then this represents the biggest cloud incident by orders of magnitude.  (See my blog entry How much of your data is lost at Megaupload for the full story)  

It isn’t easy to balance the desires of the entertainment industry against the baby pictures and small business records belonging to millions of naive Internet users inside and outside the USA. I’m entirely sympathetic to the frustrations of the DOJ, whose simple anti-piracy act resulted in such incalculably high levels of collateral damage.  

In an interview with PCMag.com, a DOJ spokesperson explained ”It is important to note that Mega clearly warned users to keep copies of any files they uploaded..”   Readers of this blog, Symposium and Summit attendees, and Gartner clients have heard me give this same advice far too many times: “do not store important data in somebody else’s cloud without keeping a copy somewhere else.”   Yet individual users, just looking for a cheap and convenient place to park files, insist on not following this sound advice. The DOJ and I remain mystified at this widespread lack of policy compliance and good sense.

The good news is that the Electronic Frontier Foundation is also willing to leverage this incident for all its worth. Today they announced that with Carpathia’s support, they are going to think really, really hard about how to solve the difficult problem of separating out the huge amounts of illegal content, and getting what’s left back in the hands of several million users, only a few of whom actually paid for this wild ride.

Futher good news is that Megaupload’s US Attorney, yet another party who deeply feels the users’ pain, has said that both Cogent and Carpathia will maintain the material for at least 2 more weeks. Although they are apparently not obligated to do so, and almost certainly won’t get paid for it, Cogent and Carpathia might yet figure out a way to provide access to the non-pirated content, through a web-based front end that they apparently don’t control.

I’m going to go out on a limb and predict that we have not yet heard from all the parties who can leverage an incident like this.    Its not a question of whether or not there will be a lawsuit–its a question of how many there will be. Maybe Congress can come up with a data amnesty bill.

My serious suggestion is that IT decision makers leverage all the media attention around this unfortunate incident and use it as an opportunity to figure out what their users are up to, and help their users recognize that a carefully selected and paid for service is better than something they are likely to dig up on their own. Gartner customers looking for advice on meeting the needs of users for external file storage should take a look at my latest research, How to Control File Synchronization Services and Prevent Corporate Data Leakage.

It should not be surprising, then, to find that it took quite a while to create a world-class chess playing computer. But, in 1997, IBM’s Deep Blue computer finally won a six-game chess match against world champion Garry Kasparov. At first, it was thought that this meant the death of professional chess. However, what has happened is that the leading grandmasters (and amateurs alike) have turned to computer software available on the desktop to help them better understand where there are new unexpected “variants to the patterns” which lead to even more complex, dynamic and exciting games between humans playing face to face (or via the internet with an agreement to not use computers during the game).

In February 2011, we saw the next generation of computers like Deep Blue when IBM’s Watson beat the two greatest reigning champions of the US game show Jeapordy. It accomplished that through capabilities like pattern recognition and knowledge stored in parallel processors. It is now being used by IBM at client beta sites to explore other possible commercial usages.

So, why an I telling you all this? We are entering an age where the information explosion coupled with ever-increasing computer speeds and parallel processing is changing the face of where organizations will need to invest in innovation for business improvement opportunities.

Innovation Through Pattern-based Thinking: With the explosion of new types of “big data” available from social and cloud sources we are seeing emerging business improvement opportunities for new roles like the “data scientist” enabled by computers that can see “new patterns and variants of the patterns” for this information and other related information the organization already has available. The pendulum is swinging away from business process improvement through traditional application development to information-based opportunities for business improvement through computer-aided analytics. This is an emerging trend which will be increasingly realized over the next 3-5 years and probably exploding into more general mainstream use thereafter.

Just thought you might want to know…..!

Gartner clients who would like to learn more about this topic should find the following two research notes of interest:

Analytics and Learning Technology: CIOs, CTOs Should Rethink Art of the Possible
Emerging Information Use Cases Challenge Traditional Information Environments

• Just telling someone what they should not do doesn’t automatically help them understand what they should do. In cut and dry situations – the ones we’ve all been through a dozen times before – it is easy to infer that if the sign says “stay off the grass” it means we should use the paved path instead (although I do remember how that slogan was co-opted during my college years to mean something else). With social media, inferring the positive action that is desired from the negative action that is forbidden is not always so easy. Will every employee know how they can avoid violating applicable copyright laws and statutory requirements? Can they list the five signs that indicate when they are not appropriately safeguarding company assets?
• Another reason a policy written with more don’ts than do’s is problematic is the knee jerk reaction it elicits from most people. It causes the rebellious teenager in all of us to emerge, the one that screams “you just try and stop me . . . ” If you doubt this, just take your policy home, have your teenager read it and wait for the heavy sigh and eye rolling.
• Lastly, legalese confounds interpretation. It’s similar to how some people respond to math problems. Throw some some “heretofore” “affected party” and “aforementioned” statements into a document and otherwise literate people’s eyes glaze over. The language used in the social media policy needs to be precise but not stilted. Remember, in most sizable organizations, English will not be everyone’s primary language.

So what should a well-written policy look like? Here are a few tips:

If you are writing or revising your social media policy, here is a database with examples you may find useful. I hope it saves you some work.

When you are done, let me know what you come up with.

The Situation:

Imagine an influx of complex work that requires specific advanced skills at specific times. I am ware of several implementations where organizations are faced with the daunting task of keeping the skills up to date in real time while dynamically allocating work based on incoming streams, incoming events, timing based SLAs, and temporary chokepoints.

The Answer:

Several organizations, that I am aware of,  have BPM technology that evaluates the complexity of the work (case) and assigns work to the best person with the skills necessary to complete the case or a portion of the case. When the best resource is not available, the next best resource is selected (maybe just completed training with no experience). When the work is accomplished and the case is judged to be a high quality state, the resource skills inventory is annotated to now include the latest experience for that resource. If a case gets hung up it also goes through the same triage process.

Net; Net:

This is a great use of BPM that leverages data driven allocation and near real time updating. While this is not intelligent business operations, per see, it’s on the road to applying more experience(represented by dynamic data) to work allocation and intelligence.

The above success story has been summarized and made anonymous to get the essence of the success documented quickly. The source of this success story is from two technology providers (Appian and Kofax/Singularity). Each have customers leveraging this approach.

Like many file sharing services, Megaupload was merely the top link in a Chain of Providers.   According to AP  ”A letter filed in the case Friday by the U.S. Attorney’s Office for the Eastern District of Virginia said storage companies Carpathia Hosting Inc. and Cogent Communications Group Inc. may begin deleting data Thursday…..The letter said the government copied some data from the servers but did not physically take them. It said that now that it has executed its search warrants, it has no right to access the data. The servers are controlled by Carpathia and Cogent and issues about the future of the data must be resolved with them, prosecutors said.”   The letter, which is not indexed on either the DOJ or Federal Court web site,  apparently allows the providers  to delete the data, but does not necessarily require them to do so.  Given that Megaupload’s financial assets are frozen, their hosters certainly have strong financial incentive to reclaim all that floor space (Carpathia is reportedly storing 25 Petabytes for Mega, and it comes as no surprise that the DOJ didn’t attempt to seize 1000 servers).

Without a running front end application, there’s no mechanism allowing customers to log in and access their data. How else could anyone make any sense of the millions of files stored at Carpathia and Cogent?  Depending upon the support arrangement for the servers, hosting providers likely have no need to know what is stored or how to access it. This was made clear in a press release this morning ”Carpathia Hosting does not have, and has never had, access to the content on MegaUpload servers and has no mechanism for returning any content residing on such servers to MegaUpload’s customers. ” (They also explicitly denied awareness of any sort of instruction for a Feb 2 deletion) 

I sincerely doubt that any Gartner clients have formally contracted with Megaupload (let alone some of their sleazier porn-related sites) as a cheap (no pun intended) form of collaboration or file backup.  But I am certain that individuals within thousands of organizations, having decided that it was a useful service that their own IT departments refused to provide them, had uploaded corporate data into Megaupload.  If that data wasn’t backed up, it is almost certainly gone for good. This is neither the first nor the last case in which a SaaS provider disappeared overnight, effectively taking all of its customer data with it, but it may well be the largest data loss from a SaaS provider.  The fact that the data is still extent, yet inaccessible, must be especially frustrating to those who have just lost their sole copy of family photos or corporate documents.

I was going to say that as a best practice, companies that store significant amounts of pirated or otherwise illegal content should be avoided.  Then I realized that this is virtually impossible. Carpathia and Cogent, like Amazon and any other hosting service provider, always have huge amounts of illegal and unsavory content within their infrastructures.  At least in this case, it reportedly was stored on dedicated servers, not multi-tenanted ones. Let me be more precise and suggest avoiding multi-tenant SaaS offerings that are likely used by pirates.  Freebie web sites that provide public file sharing are almost certainly chock full of unsavory content, and are obviously not suited for enterprise use.

This might be a good time to figure out  if your users have been uploading your corporate data to Megaupload or some other freebie file sharing site.  It should also serve as a reminder that accessibility to data within a SaaS provider is dependent upon the ongoing viability and competence of that provider. If you have important data within a service provider, you need a contingency plan in case that provider disappears.

Schaut man aber hinter die Kulissen, wird man gleich feststellen, dass Investitionen in Grüne IT neuerdings nicht mehr in der Prioritätenliste von Entscheidungsträgern auftauchen. Laut einer Gartner Umfrage, die das strategische Investitionsverhalten von Rechenzentren in Deutschland für 2012 untersucht, zeigt sich , dass man sich von dem Trend zu energieeffizienten – “grünen”- Teillösungen in Deutschland ablöst und eher auf Lösungen zusteuert, die auf Standards basieren und IT und Betrieb umfassen. Diese verwalten zusätzlich zu betrieblichen Energiekosten auch noch die gesamte Resourcenführung in der IT und Rechenzentrumlandschaft. Die Möglichkeit der Kalkulation von synergistischen und unternehmensweiten Resourceneinsparungen im Zusammenhang mit steigenden Energiepreisen wird von fast der Hälfte aller Befragten als einflussreicher Faktor in der Rechenzentrenplanung angegeben. Daher kann man davon ausgehen, dass sich der Markt für Einzellösungen der grünen IT kräftig abkühlen wird. Keiner darf an dieser Stelle mehr geschockt sein. Bedeutet dies das “AUS” für Grün?

Eins der wichtigsten Merkmale hier ist die Änderung der Definition “Energiemanagement” im Rechenzentrum. Die Tendenz geht dahin, dass man sich vom grünen Abdruck einer einzelnen Technologie und produktspezifischen Ansätzen wegbewegt, da solche Einzelansätze oft nicht standardisiert sind. Gerade Standardisierung von solchen Berechnungen zum Vergleich der Reduzierungspotentiale ist aber wichtig, damit man nicht nur abteilungsbezogen, sondern unternehmensweit ökologische und betriebswirtschaftliche Ziele vergleichen und verknüpfen kann.

Im Klartext heißt dies, dass die grüne IT in den nächsten Gang schalten wird, vor allem unter den Gesichtspunkten der Energiewende in Deutschland. Energiemanagement als Systemlösung wird ein wichtiger Bestandteil von kostenwirtschaftlicher und nachhaltiger Geschäftsplanung in Deutschland sein. Keiner wird es sich langfristig erlauben können, nachhaltiges Wirtschaften zu umgehen. Das Risiko der Kostenkontrolle, der Verlust von Innovationspotentialen und der Imageschaden würden einfach zu hoch werden.

Und so bleibt die grüne IT – nachhaltig – grün.

Well, the wait will soon be over.  Microsoft just announced the Office 15 technical preview, so some workers will be able to see the new features in the Summer.

Before we actually find out what is in Office 15, I’d like to say what I think should be in Office 15.  I don’t mean piddly features here and there (why doesn’t paste as unformatted text have a hotkey out of the box?), but a major rethinking of what the office suite is.

I’m currently working on an update to my 2008 document “Content Authoring in the Enterprise 2.0 Age.” This document argues that commonly used content creation tools such as word processors and spreadsheets are being challenged by Enterprise 2.0 trends: collaborative authoring, content reuse, living documents, freshness preference, and content landmines. Organizations that respond to these next-generation content creation trends will be better positioned to create and disseminate the information that forms the core of their businesses.  I go on to show how “core authoring needs” (the “document” as container, solo authoring, copy/paste reuse, collaboration via e-mail or tracked changes) are being expanded those 5 Enterprise 2.0 authoring trends.

Armchair pundits like to speculate whether Microsoft will ever lose its incredible dominance in Office suites.  My answer was given in a series of content creation seminars I did a a few years ago:

If Microsoft is ever dethroned in the content creation market, it will not be because they were beat on features or marketing … it will be because of a fundamental shift in the content creation market for which they failed to adapt.

In other words, it is not Vendor X that will beat them by being cheaper or more feature rich.  It’s Suite X that will beat them with a different set of technologies that addresses a unique but growing subset of content creators.  There is a fundamental shift in how content is being created.  It has bubbled up from old concepts such as collaborative editing and been picked up by web 2.0 and its Gen Y adherents who think in rapidly produced, hyperlinked, searchable content chunks instead of ponderous, static, e-mailed documents.

To do that would require a fundamental reworking of the Office suite, probably splitting off a new product suite to better capture this small, new, growing target market.  By carving out space for a new product, they build incremental revenue, plant seeds for a new small but rapidly growing franchise, and better compete with innovative vendors unencumbered by entrenched bureaucracy and sunk costs.  As a bonus, this would help mitigate the bloat and complexity of Office by separating out features that will be unused or confusing for many core Office users. 

But this is what I recommended for Office 14 (see my 2009 posting What Microsoft Office 14 Needs: A New, Separate SKU) and it didn’t happen then either.  It’s risky.  They would be playing with a very large revenue stream to compete against a set of needs/vendors that aren’t really a threat right now. 

I feel these needs are percolating beneath the surface and if and when they ever catch fire, they will do so more quickly than Microsoft’s 3-4 yr product cycle can defend against.  I think it would be wise at some point to start a new franchise that addresses a new market and a new way of authoring, without abandoning the existing suite of course.  In the meantime, content authors (which is everyone) should familiarize themselves with all the alternative forms of content that now exist beyond word processing doc, spreadsheet, presentation, and email.

Open government supporters insist that the movement is alive and kicking, but it is fair to say that, if it is a revolution, it is going very slow and is testing the patience of those who are fighting with shrinking budgets and financial sustainability issues in government organizations around the world.

Taking a look at the open government plans published by US federal agencies, and the related dashboard, it is quite apparent that most plans have not been updated since their first version, and there is very little information about progress and what has been accomplished.

Of course there is still a lot enthusiasm elsewhere, and every week there are new jurisdictions joining the race to openness, but how long will that enthusiasm be maintained before open government delivers on its promise?

There is still a chance for open government to prove its value, before being marginalized, and it is to create a clear connection with problems that jurisdiction and agencies need to solve. This implies that open government must be redirected from simply increasing transparency to fighting crime and tax evasion, improving health and education, reducing the cost of government. And that open government experts do no longer limit themselves to enabling the wisdom of the crowd and the creativity of application developers, but take ownership of how open data can and will solve specific problems, and be accountable for those solutions.

But this is a completely different ball game, isn’t it?.

Both approaches have their pros and cons and, until recently, the market for these tools has evolved separately with different vendors and solutions. Even when a single vendor offers both DAST and SAST solutions, they have not historically been integrated.

In the latest research for clients – Gartner Magic Quadrant for Dynamic Application Security Testing – one of the criteria we looked at was whether or not the vendor’s solution provided Interactive Application Security Testing (IAST). Specifically, we are looking for ways that application security testing solutions combine dynamic and static techniques to improve the overall quality of the testing results. The information gathered by this instrumentation agent gives the hybrid solution an inside-out view that complements the outside-in view of a purely DAST solution — for example, identifying the specific line of code where a security vulnerability occurred, or providing detailed visibility into code coverage. There are a couple of ways that Dynamic and Static testing techniques can be integrated and made to be interactive:

1) The web application platform (IIS, Apache, or other) can be instrumented to observe the application as it is being tested dynamically.

2) The web application can be instrumented via injected code (.NET, Java, or other) so that it can be observed during dynamic testing

3) The output of a static code/binary analysis could be used to create and “tune” the dynamic test that is subsequently performed.

4) The results of observing an application under dynamic test or in use could be used to modify the dynamic test that is being performed in real time. In this way, the dynamic test can be made much more “intelligent” in how it tests an application. This is exactly the approach used by Quotium – a vendor we wrote up in 2011 as a Gartner Cool Vendor.

Multiple DAST solutions now provide IAST capabilities.  Some of the vendors evolving their offerings in this direction and offering IAST include Acunetix, HP, IBM, NTO, Parasoft and Quotium. However, most IAST solutions also requires that an agent be deployed on the application platform, which relegates the technique largely to QA and also requires that the vendor explicitly support the platform or language being instrumented (such as PHP, Java or .NET/ASP).

Look for IAST capabilities in your next evaluation of Dynamic Application Security Testing solutions.

Associates have to accept a code of ethics that stipulates their independence from existing political parties and other concerns that might distract them from defending collective interests. Transparency and participation are said to be at the core of the new party to make sure ideas and plans are developed collegially.

Interestingly enough, the party’s brand new web site and Facebook page do not carry any information about the background for this idea, who the actual promoters and current roles are, nor is there any evidence yet that this information will be released any time soon.

Although this is a small example, it says a lot about the difference between preaching and adopting transparency. While some caution in embracing full transparency by established organizations is understandable (as they try to understand the potential disrupting impact on the mission, operation and structure), such caution is much more surprising in a brand new entity that claims its difference from previous ways of doing politics and centers its messaging around participation.

Transparency is a great tool, but comes with a high price: the loss of control. If our clients, citizens, voters see through our walls as in a glass house, so  that they can tell us what is wrong, what to change and who to change, are we ready to take their advice? Are we ready to disrupt our plans? Are we ready to step aside?

The common wisdom is that social media is disruptive only for traditional organizations. The reality is it can disrupt each and every one of us. Are we willing to listen?

UPDATE: Less than 48 hours after its creation the Facebook page of the newly formed party “Insieme Italia” has removed the ability for Facebook users to post comments, and allows only posts from the administrator, claiming that this measure was requested by Facebook Inc. Here goes transparency.

I believe it is the business analyst.

But not the type of business analyst we have today.  That type of business analyst was a junior position in IT.  The one responsible for gathering requirements from their business peers.  The one focused on building application solutions and contributing to projects.  The role provided an entry point for new hires into IT.

I started my career in IT as a business analyst in part because a business analysts did not have to be a technician, they could learn the technology while working with the business.  Methodologies and IT processes supported this type of business analyst by defining formats, tools and techniques for requirements gathering and analysis.

This type of business analyst is still required, particularly in consulting and service provider organizations where the focus is on implementing new solutions.  That role is diminishing in captive IT organizations that need greater experience, knowledge and context to create value in today’s complex, cost conscious and cycle time driven world.

CIOs are rebuilding the business analyst role, not as an entry point for new hires but a leverage point for experienced IT professionals.  These CIOs are redeploying experienced I&O professionals, developers, managers etc. who are able to translate what they know into the best way to move the organization forward by building on and adapting what you have rather than always requiring developing a new solution.

CIOs need experienced business analysts because the nature of IT project decisions is changing.  Traditionally the major business decisions revolved around budget authorization for projects.  Secure the budget and the focus moves to starting the project as business analysts get to work completing requirements.

Increasingly, enterprises and CIOs do not have the resources or time to continuously create new solutions.  This changes the role of business analyst from introducing new solutions to solve issues toward a greater emphasis on redeploying existing solutions to new issues.  The value proposition for business analysts with the experience, ability and interest in reuse is strong. Reuse not only reduces risk and cost, but also reduces cycle time by up to half.

An experienced professional as business analyst has the ability to thrive in this environment as they have one or more of the following characteristics:

• They know if the company has addressed a similar business issue in the past and the potential to reuse those solutions to fit new situations.
• The actual structure of information, interfaces and relationships between systems.
• The real performance of existing applications, data and infrastructure, providing a more accurate assessment of capacity, performance and
• Prior change requests and updates to applications
• Vulnerabilities, risks and weaknesses that may be exacerbated by the new solution.

Not every experienced IT professional can make the transition to becoming a business analyst.  The new business analyst has to be solution focused; in the sense that they are looking for ways to make things work rather than focusing on all the ways it cannot work.  Fortunately it is relatively easy to figure out if someone is solution focused.  Simply ask the following question:

We want to do “X” in the business.  What do you think?

Then listen to their response.  If they talk about how it would not work, could not work, or how poorly positioned the company is, then they are not solution focused.  On the other hand, if they start to discuss how it might be possible if we change X, Y, Z etc., then you have found someone who is looking to create solutions.

Re-building the role of business analyst creates new capabilities for amplifying the enterprise based on recognizing the value of experienced and solution focused IT professionals already within your organization.  Moving from a requirements focus to a solutions focus is an essential part of that transformation both for IT and for the analyst role.

Now of course these are all interesting questions but they do little to forward the cause of the support industry. So let’s park them for now and look at how we (or you) compare against the best of the rest. You could evaluate your portfolio and internal processes against your peers using the mini case studies within “Gartner’s Fantasy Football Product Support XI, Summer 2011”… You could use the Gartner Product Support Maturity Scale (as first defined within “Market Insight: Introducing the Gartner Product Support Maturity Scale”) as a framework to understand your relative level of service maturity. Or if you are feeling particularly brave, you could ask your most important and vocal customers to use the cosmo-quiz style assessment as laid down in “How Proactive Is Your Support Provider?” to determine where and how you need to improve.  All of these assessments are valid and useful. But they do not tell the whole story, for that you must look inwardly and reflect on your particular position in the firmament of your organization. Are you the shining star, the twinkling jewel or the vacuous black hole? Only you can tell for sure.

Support quality and value is often directly proportionate to the level of importance placed upon it by the business. When we evaluate providers, it may appear that we are solely interested in the composition of the portfolio, adoption metrics and tangible quantified customer benefits. It’s not to say that these factors are not important. They are. But they are not all important. We also look to see how the support function itself gels within the culture of the provider – How support is perceived internally and how it perceives itself… So how do we make such a subjective judgement? Well it’s a combination of many data points gathered over multiple interactions – Many of which are outlined below. I urge you and your colleagues to consider these questions and refer back to them periodically to see how your actions are affecting the way in which Support is perceived…

• Does the most senior product support executive within the business report directly to the CEO?
• Does the head of support attend all board meetings?  Are support related issues routinely discussed at such meetings?
• Are support related performance metrics included within monthly management reports? Are these metrics meaningful and focused on the needs of the business?
• Where is the head of support’s parking space in relation to other senior executives?
• Is support seen as a necessary evil or cost of doing business?  Or is it recognised as a valuable business contributor?
• Does the support function actively participate within routine business reviews? Does support raise warning flags about customer satisfaction issues to the business and provide non-renewal or product defection risk analysis?
• Are there regular interlock sessions between every aspect of the business and support to ensure requirements and constraints are fully understood?
• Is support actively involved within ongoing continuous improvement programs and/or business process re-engineering activities?
• Have key customers and product lines been identified within the support business?  Has their importance been communicated to everyone within the support function?  Could every member of support tell you the financial impact of each customer if they were to cancel? Could they tell you what the new business pipeline associated with each customer is?
• Do customer experience initiatives originate from within the support function or are they instigated from within the business itself? Is support the focal point for such activities or are they ran from elsewhere?
• Does the business understand the technical constraints under which the support function operates and any limiting factors (e.g. legacy versions, compatibility issues etc) that may prevent them from meeting the needs of the business in the short or medium term?
• Is product support seen as a tactical or strategic issue by senior management?
• Do senior executives in non-support functions accept and openly recognise the contribution that support makes to the areas under their control?
• Does everyone within the support function understand the different roles, responsibilities and dependencies of other business functions and how they combine to deliver value to customers?
• Can support management articulate the value proposition of the business that they support?  And can everyone within the support function describe what it is that the business does?  Would your front line support representatives be comfortable giving a 30 second elevator pitch about your organisation?
• Can management in areas outside of support articulate the product support value proposition?  And can everyone outside of the support function describe what it is that you do?  Would your account executives, developers, marketeers and executives be comfortable giving a 30 second elevator pitch about your support offerings?
• Is there a formal 3-5 year plan for support within the business?  Is this plan reviewed and approved by the board?  Is everyone within the business aware of this plan and its content?
• Do senior support executives review the short and long term business plans of other business functions?
• Are support representatives regularly invited to local departmental meetings?
• Is there a suitable vehicle (newsletter, open forum etc) to communicate support related information to the business?  What level of readership / subscription is there?
• Is the support section of the organisation’s intranet accessed frequently?  Does the support function have a dedicated section? Was it updated within the past 14 days?
• Does support proactively approach line of business leaders and suggest ways in which support could be leveraged more effectively in their areas?
• When was the last time a member of the support team was voted employee of the month / invited to attend an off site team building event for another department?  Are support employees eligible to win and/or attend corporate recognition events?  When was that last time that a member of support was recognised in this way?
• Does the new-starter induction program include the support function and how it contributes to the success of the business?
• Do all support staff follow the corporate dress code?
• Could every member of the support team tell you the current stock price, who the major competitors are and where your business sits in relation to them in the marketplace?
• Could every member of staff name at least one member of the support management team?  Does everyone in the business know the support helpdesk number / website URL?

Interesting and valid questions I hope you agree. Questions that will hopefully help you to understand your position a little more clearly and to initate actions to change it where change is needed. At least that is the hope anyhow.

Well that’s enough navel gazing for now. Next time, we’ll look at how we change these perceptions…

Until then… TRKFAM!

Big Data—Hey What’s the Big Idea?

First we discussed whether “Big Data” is an animal, vegetable or mineral, concluding that it has become very much a marketing term. Gartner analyst Andy Bitterer (@bitterer) jabbed, “Is Big Data nothing but a marketing play, since many organizations had ‘big data’ for a long time?’ Tim Elliott (@timoelliott) concurred, stating that “new terms arise because of new technology, not new business problems.” Esteban Kolsky (@ekolsky) thought the term was a more specific “marketing word used to describe the incredible volume coming out of social [networks].”

Yves de Montcheuil (@ydemontcheuil) suggested that organizations “have had Big Data all along but couldn’t get value out of it, except with lots of $$$,” and Gartner analyst Doug Laney (@doug_laney) agreed with a quip about Big Data being relative: “Big Data is merely data that’s an order of magnitude greater than data you’re accustomed to…Grasshopper.”

Hadoop was mentioned more than a few times as both an enabler and also a driver of big data, with Mark Troester (@mtroester) summing it up that the “hype of Hadoop is driving pressure on people to keep everything.” Some suggested archiving or even unloading data that is unused, but John Haddad (@JohnM_Haddad) and Martin Schneider (@mschneider718) both reminded everyone that data retention may depend on industry regulations and government mandates.

Some inquired about how to finding value in data so Doug Laney offered that there are two sides to that equation: 1) “looking beyond basic BI to advance analytics” and 2) “quantifying data’s potential and actual value.” Doug also summarized one of Gartner’s strategic planning assumptions for 2012: “Through 2015, >90% of business leaders say info is a strategic asset, yet <10% will quantify its economic value.” Gartner analyst Merv Adrian (@merv) admittedly had some fun with the notion of hidden value in data, asking, “Would it be a bad thing for organizations to say ‘Maybe there is value in the dark fiber of our information fabric?’”

The Art of Data Science

This led into a discussion about data science and the realization of data value. Gartner analyst Ted Friedman (@ted_friedman) wrote that it’s “good that analytics roles are becoming key, but ‘data scientist’ is a little bit elitist IMO.” Esteban disagreed contending that the term “scientist is not elitist, it defines a specific role.” Gartner analyst Carol Rozwell (@CRozwell) responded by suggesting, “But shouldn’t the average person be able to derive value from data?…[even though] some people refuse to see the truth in data.”

Nenshad Bardoliwalla (@nenshad) contended that the need for data scientists may be overblown. He believes that “Purpose-built apps can democratize making sense of Big Data for business folks without the need for data scientists (in some domains).” @Brett2point0 agreed, offering that “ideally end users should be empowered to explore their own data, seek their own insights through self-service.”

Gartner’s Doug Laney shared his analysis of current job descriptions for “data scientist” versus those for “BI analyst”. Key words in the “data scientist” job title include: design, knowledge, research, complex, learning, machine, models, problems, and performance; whereas top words used in “BI scientist” job descriptions are reporting/reports, company, technical, industry, user, sql, applications, and metrics. Tony Baer (@TonyBaer) and Doug agreed that communication is the skill that differs theoretical from applied science.

Mark Troester argued that someone needs to have “real intelligence to identify relevance and rationalize data,” and Jill Hulme (@jill_hulme) chimed that “a data scientist needs skills in math, engineering, writing, and a healthy dose of skepticism.” Adrian Bowles (@ajbowles) philosophized that a data scientist is like “a sculptor, finding a figure in material,” and that “Science is discovery, but not all who discover are scientists.”

Mopping Up with Data Quality

Finally we wrapped up with some thoughts on data quality in a Big Data context. Esteban claimed that “Big Data has compounded the [data quality] problem” and that now 40% of the data he sees now is bad. Seth Grimes (@SethGrimes) similarly lamented that “questionable data is the rule rather than the exception in my specialization areas: text and sentiment analysis.”

Yves thinks that “data volumes make it hard for traditional data quality architectures to keep up with big data.” However, Gartner’s Ted Friedman offered up another perspective that “data quality problems can be eased by big volumes in that individual flaws may have less impact when the data set is bigger.”

Mark Troester turned the idea of analytics on its head, recommending, “We shouldn’t just apply data quality for analytics, we should use analytics to help with quality.” He said he’s also “seen people so aggressive about cleansing that they cleanse away insight.”

When some participants suggested that data should ideally be cleansed at the source or when received, Doug Laney cautioned that “you can’t always cleanse data before storing it because of performance and the need to integrate and analyze it first.” Ted Friedman added that data quality is a “harder problem when organizations wish to use data they didn’t produce or don’t own it. The greater competency is assessing data quality…but that depending upon the usage and type of data, some you will still have to get nearly perfect.”

———-

Thanks again to the following individuals and organizations for their participation:
@ajbowles @arbeiza @berkson0 @bgassman @bikespoke @bitterer @Brett2point0 @briellenikaido @chirag_mehta @cpreston64 @cpydimuk @CRozwell @datachick @DataIntegrate @DavideCamera @decisionmgt @DivineParty @donloden @doug_laney @eIQnetworks @ekolsky @erao @EventCloudPro @furukama @howarddresner @iam_joshd @infanteAL @InformaticaCorp @jamet123 @JayMOza @jessewilkins @jill_hulme @johndavidstutts @johnlmyers44 @JohnM_Haddad @JSussin @juliebhunt @loranstefani @marciamarcia @merv @mschneider718 @mtroester @Natasha_D_G @NeilRaden @NekkidTech @nenshad @OhThisBloodyPC @pishabh @RobertsPaige @RomanStanek @rqtaylor @ryanprociuk @s_pritchard @seamuswalsh @SethGrimes @SocialMediaJeff @StacyLeidwinger @stevesarsfield @Tanvi_MR @techguerilla @ted_friedman @timoelliott @TonyBaer @userevents @ValaAfshar @Vivisimo_Inc @wiseanalytics @XeroxDocuShare
@ydemontcheuil

Please join or follow Gartner’s BI, analytics and information management analysts each Friday at 12:00pm ET on Twitter at #GartnerChat.

Note: Some tweets have been edited slightly in this blog to improve their comprehension and/or enhance context.