Once it is recognised that each type of business has a different motivator for their digital journey, one can step back and see the relative organisation effort that has been attributed to the change.
WannaCry impacted a large number of computers world-wide; it appeared to exploit random Windows computers world-wide in a cascade fashion, exploiting the human element along with some known, though not patched, vulnerabilities in Microsoft Windows code (SMB). The question of whether Microsoft should have patched the code or, more importantly, why they didn’t, is something that I’m guessing history will understand. As is the question about how extensively Microsoft has been exploited by the NSA and others for use in times of war or other state/syndicate needs.
However, despite the widespread distribution of the WannaCry malware, it appears that the authors have not collected their bounty in Bitcoins. This could be because it was more successful than expected, or that it was just not their intent. I can’t help feeling that this was mayhemware and not malware – something designed to cause disruption to perhaps test the potential to expose the risks posed by the NSA code.
Either way it is a wake-up call to CISOs and cyber security professionals all over the world – the old way of protecting the ‘edge’ of the network is dead. Everything needs to be untrusted and managed as levels of managed risk – people included.
More technical detail can be found on WannaCry on Wikipedia.
28th June 2017 Update: NotPetya is running rampant too. It appears to use a tweaked version of the open-source Mimikatz code combined with the NSA leaked EternalBlue SMB exploit used by WannaCry. The key difference with WannaCry appears to be the use of the ‘administrator’ credentials to gain access to more vital areas of the hard disk’s file structure, improving the potency of the encryption and rendering devices unusable unless decrypted with the paid-for key.
Is this a sign that malware extortion is actually a growing breed of mayhemware with the coders perfecting their art?
As a lawyer suffers an ICO fine of £1000 for keeping personal information on their home computer, we all need to think again about how home working, BYOD and pervasive computing is going to work. With over 725 unencrypted documents from 250 people (including vulnerable adults), this is likely to be just the tip of an iceberg that will require everyone to think a little more about how they keep their data (and the information within) safe.
Just a little bit of humour, I know this has done the rounds on various internet sites, but remember all, no matter how good an architect you are, you are always limited by the builders that interpret your plans.
Lack of PCI DSS awareness is not an excuse
For an organisation like Evans Halshaw, you would expect PCI DSS compliance and data standards that keep your credit card and personal information safe. Yet they are part of a hidden problem where people just don’t understand the legal and moral obligations that they represent on behalf of their organisations.
I have a wonderful email from their “sales manager” Mike Spooner and team who state that “PCI DSS will not allow us to store credit card information”. With this gap in PCI DSS knowledge, it is likely that there is also a gap in how to handle general data protection. Therein lies the concern. They are taking credit card, loan, payment and personal plan details and what are they doing with them?
We pass our data and our information through our ISPs. They have the ability to sweep data about us, inject adverts and code into our browsing. They have the ability to censor and limit what they think is right and appropriate. But how far should we allow this trust to go?
Sure, there are some legislative regulations to which they must comply (snoopers charter stuff), but they have the ability to make money out of your clicks, artificially promote information in their own interests and track your very lives.
Yet on the whole we trust these people, trust them to listen into our lives and to help us on our journey around the web (suggested sites and redirects). But should we?
Just once in a while you see an idea and think “that’s just impossible, improbable and expensive”. Then you think, but how cool would that be. Think of the engineering, the skills required, the innovation and then think of the potential.
Here is just one: the Mayflower Autonomous Ship. A Plymouth to Plymouth (UK-US) sailing of an autonomous ship. I would argue this is a more difficult technical proposition than an automated plane (see BAE Systems for that) as most of the technology does not exist in a connected way and the numbers and complexities of the environments sensed around it are far more complex.
What amazing potential this technology has – water taxis automated, automated harbour entry systems, and a world connected shipping system. Those interconnected systems and sensors could publish weather, barometric, temperature, current, density and more from all around the world. All live, all part of the internet of things.
They have launched a crowd funding campaign to get things off the ground, which with a rather modest ambition of 100K looks like they are getting close. So I urge any like-minded innovators in technology, to go look at their site and help out where you can.
There is general fear around the use of cloud based infrastructure-as-a-service. A cultural fear of the change it implies: the movement of IT from power to service provider, the perception that management will lose control, and the organisational structure changes and more.
Let us just recap first on the difference between traditional infrastructure and IaaS:
Traditional infrastructure, bought and installed on site, is expensive and takes upfront capital expenditure, requires the purchase of all associated supporting software and hardware (such as monitoring and management) and requires a team of people to run and manage it.
Moving to the cloud brings less upfront cost, lower optional expense and fast delivery times. This is a cultural challenge though:
big old IT projects -> dynamic procurements that are reliant upon 3rd parties
But where is the IT team with this approach?
Not known for their ability to evolve over time, IT teams traditionally are quite static, risk averse and cost centric. Their challenges revolve around two key fundamental changes:
- IT needs to be able to let go and let their services run elsewhere
- Business owners need to feel comfortable that IT can keep their data safe on 3rd party services
Both are a question of ownership. IT needs to feel that it owns the services provided by 3rd parties and the business needs to feel comfortable that IT are keeping their information safe and secure. Both are reliant upon the other, but IT should be leading the way and facilitating change.
The fix to IT-as-a-Project?
The focus of IT though is wrong. In fearing the cloud providers, IT are alienating themselves from the business need for cost control, rapid change and flexibility. IT are becoming the problem and not the solution.
Cloud providers run IaaS systems in vast numbers. Security is their number 1 priority. Without a secure environment in which to run the services, their market and customer base would soon dry up. That’s not to say that the services hosted on IaaS are secure, but the base layer of the service must be secure.
So whilst IaaS focus their efforts on security, reliability and availability, internal IT teams focus on the next project. These projects are often at the expense of the maintenance of infrastructure and base level services.
Moving into the cloud, removes the risks of IT-as-a-project, giving IT a stable platform on which to work. As such it should be celebrated as a position that will enable IT to maintain a modern technology platform.
The IaaS budget problem
People are used to capital based procurements. It’s the traditional way of buying IT things. Big boxes turn up, they get plugged in and someone plays with them for six months to get them working. Finance get to depreciate an asset and on the books you see just a proportion of the actual cost.
Procurement of infrastructure-as-a-service is by its very nature different. There is no ownership of hardware, of flashing lights, of big data centres; you are procuring a service. With no depreciable value, the service is a line in the Opex column in finance and often operation costs are considered bad and something to be cut.
So, it is not just IT that need to change, procurement and finance need to realise that the way of doing business in the IT world is changing.
- IaaS prices are dynamic, going up and down in value
- IaaS has frequent repurchasing of shorter term contracts (2-3 years not 4-5 years)
- IaaS relies upon 3rd parties
- IaaS 3rd parties are likely to be leading edge
Summary of cultural problem of IaaS
This is a more complex subject than summarised here, but as a starting point, think about these key areas of cultural change required to support IaaS:
- IT needs to embrace as-a-service and use it as an enabler for rapid change
- IT needs to adapt away from IT-as-a-project and embrace buying commodity IT as-a-service
- IT and finance need to move from Capex to Opex purchasing models
- IT and finance need to accept and manage the risk of as-a-service
Read more about thoughts on Cloud and everything-as-a-service.
Across all industries, organisations are under an increasing amount of pressure to achieve and deliver more value within a constrained budget. This has resulted in organisations turning towards an Outcome Based Procurement model for a solution.
WHAT IS OUTCOME BASED PROCUREMENT?
Outcome Based Procurement is significantly different from other more traditional procurement models. The contracts derived from this model focus more on the ‘What’ than on the traditional ‘How’, this means that organisations can focus on defining to a service provider what they want instead of trying to provide that themselves and thinking of the how to provide it.
This procurement model works by the organisation providing outcomes that they want met. This removes the need for the organisation itself to come up with a solution, instead the organisation transfers this responsibility to a service provider.
It is perhaps true to say that the effectiveness of Enterprise Architecture varies from organisation to organisation, and it would appear that the differentiating factor in the success of practices is the level of acceptance from senior management teams. Organisations which value the contributions enterprise architecture can make in aiding business decisions where IT is a contributing factor, can reap the benefits of a joined up approach when realising institutional goals and ambitions. Let us not forget that enterprise architecture is not just about IT, it’s about bridging the gap between the services which IT can provide with the needs of the wider organisation and the strategic direction it is taking.
The phrase ‘IT-as-a-project’ doesn’t naturally come to mind when you think of how to go about managing IT. It has been born out of the experience of project managers as they have progressed through organisations. It has become an almost religious experience for those caught in its grip. The ethos revolves around the need for all change to be a project. Projects become the IT organisation, its life, actions and structure.
IT-as-a-project has benefits: a known cost, a direction of travel (though simple) and an approach generally agreed with finance and the business. It also allows costs to be understood and fixed annually.
This can be useful: during transitions of senior staff, or as temporary constructs when moving IT to 3rd parties. Long term though, it has some serious constraints:
- Each project, as a temporary construct, is inherently selfish. Using Agile badly increases this selfishness. Selfish behaviour within a business is rarely sustainable.
- Your organisational maturity may not allow or expect over-running projects and project costs. Projects, especially poorly run Agile projects, are running risk around cost vs scope. It’s common for projects to just stop when the funding finishes.
- The medium and long term cost of IT becomes uncertain. Projects seem to take over the IT day job and the function of IT seems to get lost.
- A form of Ponzi scheme is often formed. New projects feed the legacy and failings of older projects and the interoperability, security and governance problems selfishness causes.
- Significant loss of competitive edge. As a selfish construct, IT-as-a-project is not looking at the bigger picture, not looking at doing the right thing overall, just what is right for each project individually.
So, should you take IT-as-a-project as your IT strategy? It comes down to two simple thoughts:
- Are you looking for a simple strategy that only needs to be effective short-term ?
- Are you prepared to accept the cost and risk of the medium/long-term impact?
Read about the everything-as-a-service model here.
Is it better to trust someone that you can see openly challenging you or is it better to trust those that hide the same actions?
It’s quite a simple question with some very interesting observations. I’ve seen a range of approaches and it’s fascinating to see how many people are trapped trusting those who are covertly campaigning against them. They seem to do this because they fear challenge and don’t observe or recognize the covert action. They can not or do not see how people can be manipulated to ensure that the perpetrator is not obviously the instigator and how deflection is the gift of a deceiver.
Perhaps this is the accepted nature of politics; but it does not have to be so. It is perpetuated by the thirst for power or influence; and the perceived need to prevent challenge, to prevent criticism and a very real fear of failure.
But I have had the privilege of working with some very intellectual and very wise
The EU-US Privacy Shield agreement is due to replace Safe Harbour. The agreement intends to provide Europeans with a level of protection against exploitation of personal information, but with the basic premise based on American companies self-certifying their compliance with the agreement, many Europeans have a right to be skeptical.
There was great hope that the self certification elements of the old Safe Harbour agreement would be dropped in favour of an audit and assessment carried out by the EU, but in the proposal to date, it looks like any audit of a self certification would have to be done jointly between the EU, the ombudsman and the US FTC. Not an easy task and likely to put off all but the largest cases of breach or compromise of personal European information.
It’s the latest buzz word to hit IT – Bimodal – and yet it perfectly describes the problems faced by most modern and digital orientated businesses: the ability to be agile and innovative whilst providing all those standard services that are required to keep the IT world running.
I’ve discussed a number of models with a recent focus on everything-as-a-service (XaaS), but the catchier and more complete Bimodal model brings together both my thoughts on buying as-a-service (for the BAU and keep the lights on functions) as well as the creation of innovation units dedicated to providing the business change and creativity to be competitive.
I certainly watch with fascination as the momentum behind Bimodal IT builds to become the standard functioning model of any modern IT service.
Is this another marker of the end of neoliberalism or the end of an empire? The American Empire? Like Rome and London, the final years of empire were highlighted by religious and political extremism pushed forward as the demand for change overtook the old ways.
Rome’s spiral of destruction started with ever more extreme political actions to keep the population and the wealthy under control; and the evangelical embrace of Christianity whilst retaining devotion to expired gods.
In the UK, socialism and solidarity threatened the political elite. They were forced to embrace things that were good for people and not just the few; and a fiercely Christian system had to concede that the population gave up on religion – perhaps preferring science and logic.
So now in America, the quasi democratic system that allows you to choose between two parties of almost similar views promoting people from the same pool of political
Just a muse today: I do seem to be meeting a stream of false prophets at the moment. People dedicated to saying ‘yes’ to whatever you say, people dedicated to making you think that you are right and that the world is amazing because of you. Often with scant regard for the real world their goal is to elevate you into a bubble of unreality. From this position you can do no harm to them (but also no good for you).
Some of these false prophets think they are politicians – spending their lives spinning yarns to the point of disbelief; some are light-hearted and are interested in you; but many are using this as a deception to cover their own troubles and limitations and to defraud you of the opportunity to help the real world (and yourself).
In business it is so easy to be enticed into these good news messages. Seriously good managers are able to spot and mitigate against these people, but others suck it up and pat themselves on the back and worship these people as idols.
So my tip for the day: Take a step back and think about your business environment. Is it all as rosy or bad as you think? And what incentivises your team: your customer, the future, innovation; or is it padding nests, personal agenda or political ambition.
I got fed up of attempting to search the web for the size of wiper blades after another muddy bath destroyed the rubbers on mine, so thought it would be worthy of note.
Landrover Discovery 1 uses 18″ for both front wiper blades and 13″ for the rear wiper blade. I’ve tried various sorts, but nothing seems to beat the original style wiper blades.
These are the ones I purchased: Bosch SP18 Super Plus and for the rear you need 13″ ones.
Fantastic walk starting on the southern edge of Bodmin Moor, walking through high banked single track roads, woodlands, upper reaches of the River Warleggan and up to the spectacular Bury Castle.
The Cloud First Strategy
Part 4 – Being an intelligent customer
It’s a long time since IT underwent any real structural change. Like many other administrative parts of the business, they are formed into a self contained unit based on one of a number of very similar organisational building blocks. It’s like looking through a book of 1980s housing plans – all very similar, all designed without the context of what’s around them and all without concern for a sustainable future.
These copybook IT structures work for the old powerhouses of IT demand but are distant from the dreams of dynamic and flexible digital businesses.
Poor quality, low value
The jokes about poor quality, low value, cheap IT provided by in-house teams are a result of a culture of pushing down price at the expense of quality and value; and the business often reduces budgets in line with their perception of the service. It is a self fulfilling prophecy that IT seems to be determined to perpetuate.
Moving the culture
The difficulty now is that people spend more of their lives in the digital world. They know how to use the digital world, they know how it works for them and they know what would help them. Long gone are the days where IT knows best.
Imagine just the simple things – you want to get hold of someone. Depending on how close you fit into the ‘digital native’ stereotype, the chances are you would send a message – text, Facebook, Skype, iMessage. Your conversation would be disconnected and you would pop-in and out of interacting with it.
In business though, we still seem to assume that the telephone, face to face meetings and email are the only answer. We do this partly because we like to divide work and personal life and clear separation helps, but also because there is a control culture coming from IT inspired by the cost/value/quality argument and the need for a quantitative evidential trail.
The legend goes that to control cost you must actively manage the value and quality; and if you own all the knowledge no one can question you through fear of being shot down by an evidential trail of ‘I told you so’.
This culture of fear, accountability and control appears in the digital world, but it is self and peer managed. Knowledge is losing its power. Freedom of expression, innovation and sharing become the seat of power. Look at the power of WikiLeaks: highly valuable and classified information became worthless overnight.
The requirement to share as part of the digital business world is a great threat to the old power bases within IT (and other parts of the organisation). Traditionally these power bases have relied upon their knowledge being locked away into a ‘dark art’.
However, there is no place for this in digital business. Everything-As-A-Service is the enabler to change the culture of old traditional locked-in IT. Those services with dark art documentation (or lack of) and even more dark art maintenance (with overtime) are moved into the cloud. Provided by professionals, documented by professionals, managed by professionals.
The opportunity of change
Changing the profile of the in-house team is also an opportunity to reinforce this cultural change. A move is required from hands-on to a shared knowledge model. The move is often called the ‘intelligent customer’.
Despite moving into a world that embraces revolutionary change, everything-as-a-service also requires a level of interpretation. Not only to allow the business to choose wisely, but also to manage the supplier base and support business change. The focus shifts to the relationships, to better understanding the business and to ensuring that sustainable business can be created in the digital world.
The example organisation chart for everything-as-a-service appears to remove ops, help desk and many of the traditional parts of IT; but they do still exist. They are provided by 3rd parties under the guidance and support of the in-house team.
The in-house team guides and steers the direction of the suppliers to best meet the needs of the business. They introduce targets for suppliers that are mutually beneficial, achievable and allow the business to flex and change. They create an atmosphere of IT being guided by the business and not the technology.
This is stepping back from the coal face and focusing on what actually matters: making business work in the digital world.
Know what to keep and what to move
Be cautious though, poor quality managers often move the difficult things to 3rd parties. They do this because it’s easier than attempting to solve the problem themselves (often the motivation behind outsourcing).
The foundation of everything-as-a-service is based on moving out the commodity IT elements but keeping the highest institutional value items. This is where IT add their real value to the business.
By moving the commodity elements of the IT service to 3rd parties, the shackles of old IT are gone and IT is released to work with the business for the business.
Simple rule of thumb: if it’s a commodity IT element, then get a 3rd party to do it; if it requires high levels of organisational or customer knowledge then it’s going to be better done with in-house teams.
Key targets when moving to create an intelligent customer function:
* Move from fear, blame and power led cultures
* Knowledge is something to be shared not hidden
* The business knows how to do business, so let IT facilitate business needs
* No fear of failure, innovation or sharing
* Customer first
* Taking ownership, listening and spending time understanding
* Embrace change and innovation
Cost vs Value
* Understand the impact of low cost on quality and value
* Let the business choose and let them be honestly informed
* Create a clear and open cost model with no hidden costs and no fake savings
With the demise of Safe Harbour rulings, your online life has become a little less secure – is Boxcryptor the answer to the security needs of Cloud based storage?
With cloud storage, files are easily available to you wherever you may be and at any time of day. They are backed up, replicated and made highly available by servers and services all around the world. But in this, one of the key problems of ownership of information surfaces. If the US has your data, it can see, read and profile it.
Of course, many other countries do this too, but the vast investment from the US government in profiling and the location of many of the technology companies within the US puts the conspiracy theorists on high alert.
I much prefer a world where information has little value, shared to the point of openness and respected for the betterment of us all. But this is not a shared view at the moment and for those on that journey, they want to keep parts of their digital lives as secure as they can. For business too, information may be critical to the money needed to fund and sustain the business.
So for this group there is technology that helps to keep personal information secure. In this review, I am looking at how to secure files stored in the cloud. This could be as simple as payslips or as personal as a journal; either way, putting them into the cloud opens them to a higher risk of compromise or personal profiling.
Of the cloud storage providers, some say they are more secure (such as Box) and others point to security at rest and in transit; none of which protects you from the loss of Safe Harbour and the potential for the US to just take your data.
So if the cloud storage providers can’t help, where else can you turn? There is a newer generation of ‘on disk’ encryption products that aim to provide an additional level of security on top of the files shared in the cloud. Boxcryptor is one of these and thankfully is based within the EU.
Quite simply, the product takes files stored in cloud locations and encrypts them (and optionally their file name) to stop general snooping of sensitive files. It uses AES-256 and RSA encryption algorithms and offers ‘personal’ and ‘enterprise’ versions.
| Key | Description |
|---|---|
| File key | AES encryption key used to encrypt or decrypt a file. Every file has its own unique and random file key. |
| User keys | Every user has its own pair of RSA-4096 keys (private and public) and additional AES-256 keys. |
| Password key | An AES encryption key derived from a password using the key stretching and strengthening function PBKDF2 with HMACSHA512, 10,000 iterations and a 24 byte salt. |
| Group key | Similar to users, every group also has its own pair of RSA-4096 keys (private and public) and additional AES-256 keys. Furthermore every group has its own unique and randomly generated membership key. |
| Company keys | A company can have its own pair of RSA-4096 keys (private and public) in case the master key policy is used. |
For the enterprise version there are centralised master key and password change facilities; for personal and company versions there are no routes to recover lost keys and passwords (which is a very good thing). Impressive is what Boxcryptor claim to keep on their key server:
- General information (email, first name, last name, country, etc.)
- Private RSA key (encrypted with the user’s password)
- Public RSA key
- AES keys (encrypted with the user’s password / wrapping key)
- Hash of the password hash
- Number of KDF iterations used in the key derivation functions
- If a company uses the master key: Password Key (encrypted with the company’s public RSA key)
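The password key and the server-side "hash of the password hash" listed above, sketched as an added example (not Boxcryptor's code and not part of the original review). Only the PBKDF2-HMAC-SHA512 parameters come from the table; splitting one 64-byte PBKDF2 output into a key half and a login half, SHA-512 for the verifier, the client-side floor on the server-supplied iteration count, and all function and field names are assumptions.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 10_000  # iteration count quoted in the table above
SALT_BYTES = 24          # salt length quoted in the table above
KEY_BYTES = 32           # size of an AES-256 key


def stretch(password, salt, iterations):
    """PBKDF2-HMAC-SHA512 -> (password_key, login_hash).

    Assumption: one 64-byte output is split in two, so the value sent to
    the key server at login is not the key that unwraps the user's keys.
    64 bytes is a single SHA-512 block, so the split costs no extra work.
    """
    out = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, iterations, dklen=2 * KEY_BYTES
    )
    return out[:KEY_BYTES], out[KEY_BYTES:]


def enroll(password):
    """Client-side enrolment: returns (record for the key server, password_key)."""
    salt = os.urandom(SALT_BYTES)
    password_key, login_hash = stretch(password, salt, KDF_ITERATIONS)
    record = {
        "salt": salt,
        "kdf_iterations": KDF_ITERATIONS,
        # "Hash of the password hash": the server keeps a digest of
        # login_hash only, never the password or the password key.
        "verifier": hashlib.sha512(login_hash).digest(),
    }
    return record, password_key


def client_login(password, record, min_iterations=KDF_ITERATIONS):
    """Re-derive both halves from the password and the server's record.

    The salt and iteration count arrive from the server, so the client
    treats them as untrusted and refuses weakened parameters.
    """
    if record["kdf_iterations"] < min_iterations:
        raise ValueError("KDF iteration count below client minimum")
    if len(record["salt"]) != SALT_BYTES:
        raise ValueError("unexpected salt length")
    return stretch(password, record["salt"], record["kdf_iterations"])


def server_verify(record, login_hash):
    """Server-side check: constant-time compare against the stored verifier."""
    candidate = hashlib.sha512(login_hash).digest()
    return hmac.compare_digest(candidate, record["verifier"])


if __name__ == "__main__":
    # Constructed sample password, for illustration only.
    record, key = enroll("correct horse battery staple")
    derived_key, login_hash = client_login("correct horse battery staple", record)
    print("login accepted:", server_verify(record, login_hash))
    print("password key re-derived on client:", derived_key == key)
```

The record the server holds is enough to test password guesses offline at 10,000 iterations each, so the protection of the wrapped private key still rests on the strength of the user's password.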
There are client apps for just about every platform, starting from Windows and Mac OSX, to iOS, Android, Chrome, Blackberry and even Windows Mobile (now that is showing commitment). I’ve tried all but the Blackberry client and they all offer the same, simple interface with little fuss and little complexity.
First time set up is simple, install, select the cloud platforms to encrypt and depending on the version turn on filename encryption (something not available to the free version). New files stored on the Boxcryptor drive are automatically encrypted and existing files can be encrypted by right clicking on the files in Explorer or Finder.
Boxcryptor supports just about every cloud storage provider I can think of: Google Drive, One Drive, One Drive Business, Dropbox, Box, Amazon S3, CloudMe, iCloud, SugarSync, Yandex to mention just the obvious names.
Whilst the standard encryption makes the contents more secure, the additional filename encryption scrambles the file names making it impossible to see the original names. Viewing through a normal finder window shows the following:
Viewing through the Boxcryptor drive or app however looks completely normal.
This is perhaps the easiest and most convenient security app I have ever used. If there is a single thing you do to secure your digital world, it should be to buy this app or use the free version and see how easy it is to provide a good level of security for your personal or sensitive files.
My recommendation: this is the must have security app for cloud storage. If you have not tried it download Boxcryptor (affiliate link) now.
Welcome to the household Blu Biscuit.
The Cloud First Strategy
Part 3 – Moving from legacy support to supplier management
Hardware and software become largely irrelevant as the key question becomes, “does this service meet the business need?” The burden of complex supporting systems is moved to 3rd parties as part of the service they provide. Help desk/technical support for the product also moves to the 3rd party.
With XaaS IT, ‘service management’ becomes a much less complex place to be. IT must move to act as the intermediary between the customer and the suppliers.
- Manage multiple small suppliers and contracts
- Maintain compliance and regulatory integrity of the IT service
- Be trusted by the business, the IT team and the supplier community
Traditional IT teams must change. They must transition from ‘service management’ to become ‘supplier management’, they must move away from their focus on technology to contract compliance and supplier relationships.
Example of the differences
Traditionalist IT people struggle to understand this concept, so let’s kick off with an example from a traditional service management function:
- Help desk, call handling and 1st line support
  - Purchased for millions and supported by legions of staff. Vast hidden quantities of money and effort are poured into bespoke and unique help desk systems. All this for those ‘important’ help desk stats.
  - IT seems unable to work without its help desk and the unfathomable way people are expected to interact with it.
- System monitoring
  - Another area tainted by the bespoke.
  - Multiple monitoring systems, plugged into master monitoring systems reporting to other monitoring systems.
  - Usually visually impressive, the stats and thresholds used are tweaked by IT who spend endless hours perfecting the meaning of red, green and amber.
- Configuration management
  - Caught in a legacy trap, where IT consider people as a liability and risk.
  - People often go out of their way to remove monitoring, auditing software from their devices due to privacy concerns or because the tools stop people working effectively.
Now, compare that to the XaaS world:
- Contracts include support and maintenance
  - Point services and solutions will include the whole life cost including the cost of support and maintenance
- Pay by results
  - 3rd parties paid on results. The business should not select based on the background technology. The supplier should be chosen on merit and ability to meet the business need – technology is their problem.
- Results = what your business values
  - Little point defining metrics that are irrelevant, unachievable or introduce undesirable behaviours.
- Contracts designed to be flexible
  - Scale up and down; match peak times of demand, reduce at lower times of demand.
  - Agile. Stick to 2 + 2 years.
- Clear costs, known risk
XaaS Org Chart
The often traditionally bloated supplier management function does not even appear in the everything-as-a-service XaaS IT org chart.
Clearly this is an idealistic interpretation, as the need for help desk type services still exists, but they are provisioned by 3rd party experts and work for the supplier management function.
Is XaaS Outsourcing?
Outsourcing has sat in this territory for quite some time. But the aims and goals of outsourcing are different to those of XaaS. You can see my thoughts on the difference here. Suffice to say, XaaS is surgical in nature, outsourcing is, by comparison, a shotgun approach.
It is likely that outsourcing is chosen by default as it resolves, in one hit, many of the problems experienced by poorly performing IT teams. This though is created by an accidental sleight of hand from IT:
IT support tend to work under the illusion that their IT service is unique and requires unique systems for support. They talk about, document and create bespoke systems to maintain the mystery (their job and role). This naivety helps to perpetuate the deception that IT is complex, impenetrable and poor value.
The more difficult the problem, the more likely outsourcing is used to solve it; the more likely outsourcing is, the more complex and bespoke IT make their systems. It’s a vicious circle that only culture can change.
There are plenty of reasons to keep internal teams, not least for the latent organisational knowledge; but often poor or out-of-date IT management skills push outsourcing as a quick fix.
One core aim of this approach is to fix the overly bureaucratic systems installed by management to create statistics, measurements, and controls. The culture created by these systems often pushes the business to question why ‘help’ is included in ‘help desk’ and pushes IT staff to close calls as quickly as possible.
There is no need to create an IT team that everyone hates. It is possible to design a service that meets the needs of the business in an affordable and sustainable way.
The goals of supplier management in XaaS
So you’ve decided that everything-as-a-service (XaaS) is the way to go. How do you convince your existing service management staff that supplier management is the way to go?
That’s not an easy one. Those that embrace change are likely to be evangelised by the opportunities presented; others will struggle and may need to stay in their comfort zone through TUPE to 3rd parties. TUPE may sound cold, but in the surgical world of XaaS IT, people can be moved into organisations that best fit their skills or ambitions. This is no outsource shotgun.
Something you should do for every part of your organisation is to set key goals. These should complement and reinforce your vision for your IT organisation and should help people understand your intent and strategy.
Top 5 goals for XaaS supplier management:
- Enable the digital workplace
- Engage with customers, listen and take ownership
- Form a sustainable relationship with the suppliers
- Provide feedback to suppliers and customers
- Create a sustainable and open financial model for IT services
Take note of the keywords here:
- Ownership: taking ownership alone will increase the positive perception of IT. It will create a shared sense of purpose, a shared need and a shared driver to help the business.
- Sustainable: emphasises the need for practical and maintainable relationships, finances and business services. This reduces the knee-jerk IT management style prevalent in some areas.
Key take away points
Whilst brief, the paper aims to discuss the theory of everything-as-a-service IT and its impact on a traditional service management function. The proposed move away from service management will scare most IT traditionalists and excite the visionaries, so please take these few points with you:
- Service management in its current format is not sustainable and requires significant revision
- Move to engage, listen and take ownership
- Form a sustainable working relationship between business, customers and 3rd parties
- Create a culture of change, innovation and partnership
I’ve pushed the apprenticeship scheme at Plymouth University for some time and took on Scott Walker to work in my IT Architecture team. A former car mechanic, Scott moved from Carlisle down to Plymouth. For Scott to be short listed for IT Apprentice of the Year is great news!
- Scott has created over £650,000 of potential savings for Plymouth University and averted £7 million of potential risk
- Scott excelled in driving forwards a city-wide project to connect 100 businesses to super-fast broadband in collaboration with Plymouth City Council
- Completed 2 Year NVQ Level 3 in less than 1 year
- Heading for a Distinction in BTEC
The recruitment process for is often tricky, but from the first moment that the panel met Scott, it was obvious that we’d found someone special… his motivation, confidence and professionalism far exceed his years.
Over the past 18 months, we’ve seen Scott’s ability grow exponentially. It will be a bittersweet day (for his colleagues) when Scott’s Apprenticeship is complete.
He is a trusted colleague and an inspirational person. I wish him every success for not only this but every venture that he undertakes in his career. I have no doubt in his continued success.
“Strategy & Architecture apprentice shortlisted for an award
Adrian Hollister, Head of Strategy and Architecture, Plymouth University
Congratulations to Scott Walker who has been shortlisted for IT Apprentice of the Year at the UK IT Industry Awards.
The UK IT Industry Awards 2015 benchmark outstanding performance throughout the UK computer industry and focus on the contribution of individuals, projects, organisations and technologies that have excelled in the use, development and deployment of IT in the past 12 months.
Being shortlisted for one of these prestigious awards from Computing and BCS, The Chartered Institute for IT, is a major boost for Scott’s career prospects and the IT apprenticeship scheme.
Scott has to attend a Finalists Judging Day in Reading on 25 September and the winners will be announced at an awards dinner on 18 November.”
So congratulations Scott Walker and all fingers crossed for a win! To find a little more from Scott himself, head on over to the Plymouth University Strategy and Architecture blog.
XaaS vs Outsourcing: It’s a theme brought up at alt-c this week and something that most people are confused about: Outsourcing and everything-as-a-service XaaS are not the same things.
They may be used to achieve the same results but when you compare the intent of each they clearly show their differences.
What’s the difference between XaaS and Outsourcing?
XaaS is granular, focused and can be applied surgically to key areas that need attention. Outsourcing is expensive to negotiate and apply. It takes time, introduces additional cost of purchase and sale and implies a reduction in flexibility – details are lost or hidden in contractual obligations, service level agreements, the transfer of assets, liabilities and risk.
- Outsourcing tends to apply to larger elements of business. Whole teams or departments moved. The impact to IT itself is structurally significant.
- XaaS tends to apply to surgical strikes. Moving clearly defined elements to a 3rd party. The impact to IT is small and can be managed over time.
Which is best? XaaS vs Outsourcing
That’s going to depend on your organisation; neither may be suitable. To help you decide in the XaaS vs Outsourcing debate, think about the following Top 6 reasons…
Top 6 reasons to go XaaS
- Focus on business need
- Speed and Flexibility
- Standardised, transparent pricing
- Access to global high skill resource pools
- Improvement in image
- Increase in competitiveness
Top 6 reasons to Outsource
- Pass risk/staff to 3rd party
- Create a structured framework of IT services
- Focus on core business
- Long term stability
- Access global high skill resource pools
- Known cost framework
If you have a business (even home based) you can get connection vouchers for up to £3,000 to cover the cost of installing high speed business broadband. The voucher scheme can be used against a package from one of the registered suppliers in the area.
If I read it right, you can put multiple vouchers together from businesses on the same premises. This could enable business parks or multi-occupancy offices the ability to collaborate on the cost of a much bigger internet pipe.
There is a page for Plymouth with the specialist providers listed.
Seems to be a rather overlooked opportunity for business to make the most of some free money to give them high speed business broadband. So, make the most of it now and apply as soon as you can!
The Cloud First Strategy
General change and projects need to be self funded. I’m going to say that again – they need to be self funded. The cost of IT should be the cost of the provision of the known service. The unknown cost of change is given to the business to empower them to choose the priorities and provide the flexibility to select services not provided by IT.
IT should not be scaled to provide endless change and project support, but should be scaled to be the technical conscience of the business: facilitating change, translating business need to technical deliverables, engaging 3rd parties and providing an oversight into the IT elements of change.
Think SME not 3rd Party
Engaging with a 3rd party for delivery does not force you down the consultancy route. Think of the SME approach – dynamic, agile, best of breed skills to best of breed solutions.
Suppliers will thrive in this environment if they are allowed to be part of the team and part of the journey. The relationship with suppliers must be sustainable and based on trust between both parties. Suppliers must be able to make a viable and sustainable profit and should run open book integrated into the IT accounts.
Remember: there is little point engaging with a supplier based on the lowest possible cost. Underbidding suppliers run the risk of attempting to make up the money with change control, delivering a valueless service, or withdrawing from the contract.
It may even be viable to export any existing delivery team via special purpose vehicle (SPV) to allow them to work more dynamically, realistically with efficiency and energy.
Moving to an SPV could also be a quick enterprise that moves money around the balance sheet and reduces the headcount numbers. An outsource may also achieve the same result, but costs will need to be carefully controlled and understood – change is often used as a source of profit in such enterprises.
Move away from bespoke code
Poorly executed Agile and similar methodologies often create swathes of poorly documented bespoke code. With projects being self funding, the sustainability of the solution must include on-going run costs. Bespoke may be cheap to write, but it’s not cheap to maintain or support.
In the SPV model, the SPV is incentivised to pursue efficient, sustainable delivery models by owning the maintenance of the code and solutions. Inefficient, undocumented, or poorly designed solutions will be financially and materially expensive to support and maintain. The SPV will quickly have to become more efficient or lose contracts to 3rd parties.
The back catalogue of legacy and bespoke code created using agile or similar methodologies is likely to follow this SPV. A contract for maintenance and support must be provided and at a fixed, but sustainable cost. The risk is owned by the SPV, with a clear incentive to reduce and remove the costly bespoke code elements.
Compensation drives behaviour
The move to SPV or outsource must have effective incentives for the staff and SPV. The business may need consistency for a number of years after the structural change or the business may require immediate cost savings; either way, the team moved into the SPV must be motivated to achieve these goals. The SPV route is a great way to move constrained execs out of the core and give them the flexibility to excel as a commercially driven arm’s-length body.
What about general day-to-day change?
It would be fair to assume that in the everything-as-a-service model there is strong reliance upon the need for the contracts with 3rd parties to include the cost of maintenance and support change. These elements are needed to ensure that services are compliant with regulatory and security standards and to ensure that services can continue to interoperate.
The contractual obligations of 3rd parties should also be extended to allow the IT team to plan and organise change between the various solutions and 3rd parties. This is standard IT practice, but here the intelligent customer becomes more relevant. It requires a strong understanding of enterprise architecture, governance, the contractual commitments and a timetable of key business events and priorities.
Remember that purchasing on cost alone will fail in this model. Whilst this is not unique to this model, purchases do need to be made on value to the business and support the everything-as-a-service model. Excellence is required in supplier and contract life cycle.
Allow the business to change direction
Once in a while the business will need to change direction. To scale up or down. To create a new branch or brand; or to remove a few. IT should not constrain the business from doing what it needs to do. The contracts put in place with 3rd parties should be designed to allow the business high flexibility.
Services procured could be based on metrics key to the business: the number of products, staff or turnover. This variation of the standard usage model often applied by suppliers may require significant negotiation and contractual skills. Not all 3rd parties will be keen to work differently, so careful and pragmatic selection is required.
Key take away points
Change is embraced as part of the everything-as-a-service IT model through the use of 3rd parties that are incentivised to be more performant, flexible and cost efficient.
How to manage change in XaaS IT:
- Cost of change is given to the business to empower them to set priorities
- IT must not constrain the business from doing what it needs to do
- Use dynamic and agile 3rd parties for delivery
- Remove bespoke code by accounting for whole life cost of services
There is an opportunity to move existing delivery teams into a special purpose vehicle (SPV):
- Allow radical reduction in delivery headcount
- Allow constrained execs to flex their wings
- Facilitate cost reduction through the removal of bespoke code
- Facilitate competition with 3rd parties
The Cloud First Strategy:
Adrian Hollister, Digital Transformation, August 2015
By now it should be clear that buying IT the old way has long gone:
tin + software + installation + maintenance + staff + training + management + support tools = expensive + slow + poor value
Cloud has been coming for some time, but it’s the everything-as-a-service (XaaS) element of Cloud computing that is so compelling: it removes the need for expensive and all-consuming IT departments, thinning them down to an intelligent customer layer.
So what does that mean in practice?
As cloud based services are being adopted the approach and model of the IT department needs to change. Services move from local data centres to the cloud, storage moves to the cloud, telephone to the cloud, even network controllers and authentication are moving to the cloud. Office365, Skype, BYOD (bring your own device), Dropbox, etc. That natural convergence of IT services doesn’t leave a lot for IT does it?
There is plenty of value IT can still deliver, just in a different way. No longer about flashing lights, complex help desk systems, and the mysteries of poorly documented services; the IT team can now focus on delivering real business value.
But IT has seen a number of organisational models already in widespread use today, so let’s do a brief comparison:
- Centralised IT. The most commonly used model. Lines of business are beholden to a CIO who controls the pace and priority of change. Attempting to be a compromise and usually perceived to be driven by cost and technology, not business value.
- Decentralised IT. Usually with this type of model, each line of business has their own IT Director. Priorities are set at board meetings controlled by the line of business (LOB) and facilitated by the CEO. Multiple IT teams, development teams, help desks and support models.
- Federated IT. IT services are owned by a number of parties and the LOB may choose not to use the central IT service. It is quite common to see this after a merger or change and is usually short lived. Complex arrangements of interlinked services, support and development teams.
- Service led IT. A core set of IT services are provided from the centre but are provisioned by 3rd party. CIO focus is shifted to adding value to the business, away from commodity IT provision. Move from developing code to buying services. This is the core to everything-as-a-service (XaaS) led IT departments.
The service led model is a variation of the ‘intelligent customer’ approach taken when businesses move towards a heavily outsourced model. The key variation is that contracts in the service led IT model are numerous, short and with pinpoint focus, creating the opportunity for numbers of smaller, specialised and high value businesses to apply.
This creates a level of competition and introduces flexibility to end failing contracts early and pursue new ideas when the business needs change. This also shifts the work that the IT department needs to do, from a hardware and bespoke solution focus, to one of managing their customer and their suppliers. In this approach, the organisational model loses ‘IT support’ but gains ‘supplier management’.
Being commodity, the help desk also goes, replaced by a specialist supplier; and perhaps this commodity element is the big differentiator. Anything that is not a core function of the business and is readily available to procure from a 3rd party should be considered commodity IT and provisioned by expert 3rd parties.
The delivery function also loses out. Without the need for vast quantities of bespoke code the delivery teams can be pared down to a core set of PM, Architects and developers for legacy code and integration maintenance. It’s important to note that all change in this model has to be self funding.
Example everything-as-a-service XaaS org chart
Change is not quite so difficult with as-a-service
Any new model or approach is going to be difficult: there must be a clear strategy for IT. Not only a sense of what is needed today, but also tomorrow; and that strategy must be understood and agreed with the business. The change, however, can be quicker than a re-organisation, with staff being redeployed in new roles or moved (TUPE) over to suppliers. As such the impact on the organisation and staff will be low compared to traditional reorganisation methods.
The financial considerations will also be different to a traditional reorganisation. Moving head count into supplier contracts will reflect well on in-year savings and savings may be had by purchasing more efficient services, returning floor space and reducing risk. Costs are also likely to be moved towards a standardised monthly fee, giving the business good visibility of often hidden IT costs. Finance will thank you for being able to plan clearly and provide consistent and open costings.
The approach to contracts needs to change. By using short 2 year or 2+2 contracts the business can choose to change provider. This will help the agility of IT provision to meet the changing needs of the business. Some may be tempted by cheaper longer term contracts and for some core services this may be appropriate, but it will limit your ability to grow and shrink to business demands.
There is a significant change in culture, from employment of vast teams of developers, support, help desk and technical specialists; the IT function needs to move to professional supplier and contracts managers and experts within EA, Security, BA and relationship management; and more importantly, projects and business change must be self funding.
By moving to a self funding business change programme, IT won’t change things for IT’s sake.
IT for IT’s sake
It’s the bane of any business – IT doing the best thing for IT. Techies wrapped up in their technology, their brand or the latest toys. There is a place for this, but not in the provision of core IT services.
A pragmatic as-a-service model will force IT to move away from looking at technologies and brands and force them to think about what services can be used to meet the business need. It will force a move away from bespoke development to commercial off-the-shelf software and services (COTS).
- COTS – remove the need for developers to create endless unsupportable bespoke code. There are specialist applications and services that are likely to meet the majority of the business need. Start here and be flexible with expectations.
- Software as-a-service (SaaS) – remove the need to worry about the platform and the supported software layer. Just get up and running with the service provided. Flex to need.
- Platform/Infrastructure as-a-service (PaaS/IaaS) – remove the need for people to touch or play with hardware, brands, upgrades. Why do this in house, when you could be using industry experts who do this day in and day out.
It will be a substantial shock to the IT traditionalists. By taking a step away from the coal face of technology provision IT can work closer to the business; for the business; delivering real business value.
The move towards Cloud and as-a-service is inevitable. Will IT be able to keep up with the pace of change?
Key take away points
This is a big subject area that I’ve condensed into a couple of pages, but even if you do not have time to go through the text, here are my key take away points:
The value of everything-as-a-service (XaaS) led IT
- Vastly reduced in-house IT team – keep just the experts
- Vastly reduced in-house IT footprint – services in the cloud, only a small on-site d/c
- Focus on relationships with the business – IT only exists to support the business
- Clearly accountable IT costs – no hiding project, development and support costs
5 core rules of everything-as-a-service (XaaS) led IT
- Focus on being the intelligent customer
- Drive innovation and business value
- Commodity services should be provisioned by a 3rd party in the Cloud
- Restructure the organisation to focus on business value
- Document, plan ahead and agree your strategy
Well, it’s been a hectic few weeks getting the carnival float together, but it is finally completed! It’s looking darn good I have to say. So here we are in Liskeard where we came first in the Fairy Queens category.
Not long after, we visited Lostwithiel carnival, where we came second. Brilliant to see the Rotary club running these events so well. The streets were completely lined with people and the atmosphere was amazing.
Another weekend and another carnival. Does the party ever end in Cornwall?
At times of corporate difficulty, it’s often the innovation and the speculative research that is first to be dropped. Yet, it is this very innovation that businesses need to survive and evolve beyond their situation.
We all know innovation is difficult, often consuming more effort and resources than available and often returning no results or dead ends. But the occasional flash of brilliance creates a game changing and lucrative shift if adopted timely and wholeheartedly.
We all know that innovation is not always successful. Painful lessons must be taken from the likes of Nokia: a brilliant, innovative and leading-edge company that was overtaken, not by a feat of technical genius, but by marketing innovation. With its focus on technology, Nokia sleepwalked into technical dead ends, whilst the market just walked away into flashy packaging and branding.
So innovation doesn’t just have to be a product. It could be a business process; it could be new people; or a new way of working. Each could be the differentiator that pushed a business beyond its competition.
Innovation does usually equate to risk, either through change or divergence, so it’s not easy to capitalise on innovation. It takes clear vision, entrepreneurial spirit and luck.
Take Amstrad as the example. In its day, Sir Alan Sugar took the business to dizzying heights through the home computer boom. His engineers found a product that he could market and sell with great profit. The business grew throughout the 80s.
Sir Alan Sugar struck lucky through his early products, but this was just luck. Stuck like Nokia, he continued to seek that spark of differentiation from his engineers; but with his competitor’s focus shifting to price the market moved on.
So it takes a little luck to be successfully innovative. It takes good clear vision to deliver upon that innovation. It takes entrepreneurial spirit to deliver them both.