Monday, June 24, 2013

Revolutionizing How Business Interacts with IT

Virtualization technologies have allowed IT to streamline delivery of IT services to business. We can establish templates to support common requests and automate deployments. But is this all that we can do with IT virtualization?

What if we took the automation further and reduced the delivery of an entire technology stack to a few minutes and even seconds?

What if we allowed customers to order like they'd order a book from Amazon?

What if we allowed customers to offer their own services in the same marketplace as the basic offerings, again, like Amazon?

What if we allowed them the freedom to run as fast as they'd like while making clear which responsibilities transfer to them?

What if we provided services, with high levels of automation and self-services, that help them to take these new responsibilities with ease?

What if we were completely transparent about expenses and provided fine-grained measurement of services rendered and consumed?

What if customers could easily employ APIs to expand and contract their IT services consumption as load increases and decreases?

What if the business passed a similarly fluid use of IT services to their customers?

Now all we need is a name for this. The name needs to act as short-hand for all of the above.

Monday, June 17, 2013

Passion, Wisdom, and Humility

Guy Kawasaki, giving a speech about innovation in Minnesota recently, repeatedly spoke of the destructive combination of arrogance and stupidity. I had to wonder if some, in an audience filled with business and IT leaders, found themselves relieved to be arrogant and intelligent.

While this recipe for success might be true for them, intelligence, first off, is not enough. What value is intelligence if it can't be articulated? What value is it when it is articulated but no one can stand the message?

What's required is wisdom. Arrogance erodes wisdom. And no wise person, in my estimation, will ever be arrogant-- not openly.

The recipe of arrogance and intelligence is as useless as arrogance and stupidity. Failing to understand this and, worse, failing to see a difference between intelligence and wisdom is just plain stupid.

What about passion? Is it enough to be passionate about what you do? What if your passion is used to drive destructive outcomes? Not wise.

Arrogance and stupidity are catalysts to one another (whichever dances lead is dominant). The outcome is destructive. Arrogance and wisdom are antithetical. The outcome is also destructive; unless, of course, the practitioner feels so full of wisdom that it doesn't matter what quantity is eroded by arrogance (surely an idiot at heart).

What about passion and humility? Passion without humility is almost always destructive. Humility without passion is simply good showmanship. Passion and humility are catalysts to one another with a positive outcome (whichever dances lead is made whole by the closeness of the other). Passion and stupidity are, of course, destructive... and common. Arrogance, passion, and stupidity is a lethal recipe.

With this, I'm left with some explanation of the irrational experiences that I occasionally have to put up with professionally. What's most maddening is that it is always the least rational person that dresses up their destructive habits in rationality. The Socratic method is the weapon of choice, or some wild interpretation of it anyway. This is, no doubt, the arrogant and intelligent recipe for (apparent) success.

What lurks behind these episodes is often transparent to all who are too kind to speak of it: poor past decisions, failures masked in diversion, incomplete work, unrealized vision, lack of understanding, incomplete knowledge, fear of incompetence, etc. I see ambitious people who seem to spend the bulk of their energy on the hard work of holding all of this at bay. Of course, the simple alternative is to admit when something didn't work or became an outright failure. But this is not the path. And once you start down the wrong one, it's nearly impossible to change direction.

Why should we care? I have seen this behavior fuel territorialism that erects barriers between organizations that really must work more closely for mutual benefit. I've seen it block attempts to measure quality, essentially rigging the results so that problems are obscured, allowing claims of success where failure is the eventual outcome (institutional ADD aids in this deception since time most often erases the path to accountability).

We should care because it deeply affects performance. Often these people with destructive tendencies are in positions of power and/or influence. They are most often the passionate defenders of the status quo and work against true innovation. While defending the status quo is a perfectly rational position in a company that has success, it is often contrary to the values espoused by leadership. A company that doesn't innovate can only ride on past success so long before they are passed up. Chances are comfortable margins will shrink and inefficiencies will stand out plain as day over time.

We should at least encourage defense of the status quo with transparency about the positions being held; leave the challenge to those who want change to criticize and offer cogent alternatives (they can otherwise be charlatans). But the legion of the arrogant and intelligent often cannot articulate a true defense of the status quo. They tap it only as a source of power to keep up their charade. They tell senior management that there is no need to improve what has already served us well or dress up the old as something new (apparently the true meaning of big data). They'll use wise sounding phrases like "don't let the perfect be the enemy of the good" when what's being defended is not actually good enough but is instead fractured and brittle-- and, this, they know too well.

Again, why should we care? Because, if we're worth our pay grade, we're ambitious and crave innovation. We aim to build and rebuild entire markets. We can't do that with illusions about what we know and what we've accomplished already.

Nassim Taleb wrote “true humility is when you can surprise yourself more than others; the rest is either shyness or good marketing.” In other words, you have to be keenly aware of what you don't know-- what you aren't.

If we're not careful, we'll be building skyscrapers with gravel foundations. It is dangerous to operate from illusions.

Let's call the spades spades and let them either adapt or bring their con elsewhere. Let's be passionate, wise, and humble. Otherwise let's change our mission to: enrich the current stewards while congratulating them for the accomplishments of the past.

Sunday, June 9, 2013

Cyber Barkers

Who do you trust? Who can you trust? Could it be that major events that you've heard about on the news regarding major breaches have more, much more to the story than you could ever know? Could it be that the RSA breach involved a Chinese national hired by RSA itself? Could the Israelis have been the hired assassins in the clean-up that followed in the days after the discovery of Stuxnet?

There's a sector of the security industry that slings intrigue to sell products. Anytime I'm on a call with their bigshots, I imagine them pacing around in their walnut paneled dens, wearing smoking jackets, and swirling a cognac.

They have seen ugly things. Uglier than you can even imagine; uglier than they are allowed to reveal. You think you know something, kid?

They are connected. They were talking with three letter agencies just this morning about this very subject... the one we're talking about that's so scary... which agency exactly cannot be revealed.

They have people in Russia, right now in fact, trying to infiltrate a hacking ring that's targeting your industry. There's a lot of indication that your industry is about to be in the cross-hairs much more than they have been so far. Trust me, one of my people abroad... and she happens to be drop-dead beautiful... which helps her get information... I'll tell you stories over a beer sometime... tells me that this is going to hit hard by next year.  Take note... and cover. You've got a bumpy ride ahead.

These are most likely just the stories of sad, pot-bellied guys who eat too much on the road. The worst trouble they run into is probably with their expense reports. But they'd like you to buy it and, most of all, to believe that you need their services to keep your operations top-notch.

The plot of the best Pakula movie is their back-drop. Their wares? Murky.

They'd like you to believe that once you hire them, you'll have briefings not unlike the president gets from the CIA (a much more insidious source of snake oil... but I digress).

But they are more the "like it never happened" guys of CYBER security. I have no doubt they can get your basement, so to speak, free of horrible smells after an unfortunate back-flow. (Some seem to be little more than an overly hyped RSS feed.) But do they mean anything at all to your security program? Can they provide more than having one of your employees join InfraGard? I doubt it.

Why should I be bothered by all of this amusement?

These guys take our eye off the ball. They allow us to check a box on a list and are more of a good luck charm than a true, practical solution. They validate the narrow, tool-buying activities-- the side that treats security like a pathology that requires medication rather than a discipline that requires vigilance. They make the easier work look more interesting than it actually is.

The true challenge is in software and data security. It's in the architecture. It's fixing the mistakes we've made and embedding security into the day-to-day of every layer of the stack. It's in understanding our responsibilities for the data we're entrusted to handle.

It's time we stop spending so much time on the intrigue while pretending it's real and valuable work. Let's spend our time and money on something more than pop entertainment and innate impulses, like little boys playing guns in the backyard.  Getting serious will be much more difficult and, to many, a lot more dull.  We'll know we're on the right track when it feels more like a challenging university class than a video game.

Monday, June 3, 2013

Application Architecture Gravity

Portals have grown from glorified static pages to mostly functional customer interfaces. On the way, they've grown from business satellite features to Jupiter sized objects that contain their own planetary system. Everything threatens to be pulled into their orbit and, worse, to disappear into their atmosphere. If you're not careful, your innovative idea will become a comet burning up in the atmosphere of the giant portal.

Although everyone knows how destructive their gravitational force can be, the giant portals are the path of least resistance, the ticket to expediency. Forget all architectural burdens, we'll have to get to those later... and when will that be?

This has already created barriers to RIA and mobile adoption. Tacking mobile views on to large portals and shoe-horning terse markup, like JSON, is a quick fix. Long term, however, this will prove unsustainable. In some regard, this is extending the tangle of poor architectural decisions into the scattering of internet end-user devices.

It's easy to understand that, aside from the intoxicating effects of expediency, these decisions are being made because of the following:

  • The giant portal is where the data is.
  • The giant portal is where the developers are.
  • MVC design already prepared us for multiple rendering strategies... right?
  • If we tack on to the giant portal's domain, we can tap their authentication.

What's less obvious, and not fully acknowledged, is that the giant portals are the primary external-facing security interface. Beyond authentication and identity, they're the home of complex authorization decision logic and where identity attributes are pushed/copied to make it all happen.

We already have many indications of the trouble to come with the incompatibility of portal authentication strategy with services generally and mobile particularly. The identity, authentication, and authorization aspects of how big companies do IT today are on a collision course with where they want to go: cloud or, more to the point, IT as a commodity. If cloud turns everything IT into a service, how can we live with a gaping hole for services security?

The architectural principle du jour is: Never make assumptions about how people will use your API. Beyond loose coupling, this paves the way for a future where anyone can dream up a new user experience or a new business function from an aggregation of existing ones. Ideally, anyone can bring a new business function to the portfolio with little expense and time. If the API Economy is where we're going, can we tack it onto the huge portals with their nineties heritage?

I say no. But we also can't avoid the influence of the big portals. Additionally, we can't ignore the gems that lie inside: complex business logic and authorization decision logic.

At the very least, and in the spirit of expediency, we must begin aggressive efforts to abstract away the surface of the portals. Behind this abstraction and under the surface will be a mining operation, intentionally separate from innovation efforts.

Anyone who says that the work we did in portals is not important will be as wrong as those who declared the mainframe dead back in the nineties.

It is important that we control the stifling influence of past application architecture on the new, and on a new architecture that truly enables innovation.
