Enterprise Initiatives

This blog focuses on Enterprise IT topics such as Enterprise Architecture, Portfolio Management, Change Management, Business Process Management, and recaps various technology events and news.

I was asked by Michael Krigsman to be a guest blogger on his blog IT Project Failures on ZDNet. My post focused on IT Leadership as the main cause for most failures. Read the rest of the post here.

My last day at my job for the past 13 years is coming up this Thursday (7/3). I have spent the last couple of weeks writing a document describing everything I have learned about SOA over the past two years so that I can leave some knowledge behind. When I got to the chapter on security, I was surprised to find how little information there was on the web as compared to most SOA topics. As I dug deeper I realized that what was missing was blog posts from practitioners. Nearly the entire Google result set for SOA security was links to vendor information, industry analysts, or authors. Where are all of the bloggers on this topic?

This concerns me. I wonder if IT in general is underestimating the need for more security when it comes to SOA. Security in SOA is much more complex then what we were used to in the world of client server. Improperly secured SOA is a hackers dream!

Check out this quick white board video on ZDNet

SOA Security risks
  • SOA exposes your legacy applications to the outside world
  • SOA uses, WSDL, XML, and SOAP to allow services to be discoverable and self-describing. These are human readable in ASCII and can give away the keys to the kingdom if the proper security is not in place.
  • Integration presents numerous challenges including single sign-on, privacy, encryption, etc. at the message level.
This last point is important. In the traditional client server world we are concerned with network security (point to point communications) and application security which deals with user roles. But services exposed to customers, partners, and suppliers requires another level of security that I will call message level security. This requires us to embrace a whole new level of standards in the WS-* family (WS-Security, WS-Trust, etc.). Read blogger Eric Roch's post from last year called SOA Security Architecture.

Of all the research that I have done recently, I recommend two sources of research. First is the book SOA Security by Ramarao Kanneganti and Prasad A. Chodavarapu. This is an outstanding book that uses simple examples to get key points across. You don't have to be a security guru to read this book. Second is spend some time at the OWASP website and make sure you design for the Top Ten threats.

To all you EA and SOA bloggers out there, let's start a conversation about SOA security. There seemed to be discussions in the previous years but for whatever reason it has becoming very quiet in 2008. Security should be built in upfront and not an after thought that you take care of later.

It's been a few weeks since I posted the jobs that come across my desk from recruiters. I have quite a few this week. You can find the details by clicking on the links or going to my IT Job website.

Python/C++ developers - NYC

VB .Net Developer - Orlando

Hyperion Planning Developer - St. Paul, MN

Sr. Hyperion Architect - Atlanta

Oracle Portal Admin - NYC

Sr. Lead Business Apps Developer - Orlando

Compliance Manager

I did a podcast with Michael Krigsman on his blog IT Project failures. We talked about SOA and how to prevent your SOA project from failing. You can read his commentary and listen to the podcast from Mike's post here

The last few years have brought many great advancements in technology and the upcoming years promise to bring more. As companies push to drive the costs of IT down while increasing productivity and output, many large enterprise initiatives have become high priorities. The chart below shows IT's top 10 Management priorities for 2008 (source: CIO Insight):

When you look at this list it is obvious that today's IT leaders need to be experts in more than just technology. They need to understand the business and they need to have good people skills. I created the following diagram which I call the leadership triangle. I feel strongly that IT leaders need to excel in all three areas: Business, People, and Technology.


From the business perspective, not only do IT leaders need to know how the business's products and services function, they also need to be able to speak in business terms. This requires MBA type skills in the area of Finance, Economics, and Accounting. When you produce your business case for initiating a large new technology project like SOA, Green initiatives, or ITIL you must be able to describe business benefits in terms of NPV (net present value), IRR (internal rate of return), and payback periods. When dealing with infrastructure projects like disk consolidation, virtualization, and others you should understand the different rules of depreciation, lease options, contract and vendor management. The list goes on.

From the people perspective, the IT leader must be a coach/mentor, great communicator and presenter, skilled in leading through change (organizational change management), a negotiator, a sales person, and a visionary.

From a technology perspective, IT leaders must have at least a high level knowledge of a variety of areas including architecture, security, infrastructure, regulatory/compliance, data, quality assurance, operations, etc.

It is rare to find one person who excels in these three areas. If you find one, good luck keeping them around for a long time because they are highly sought out. Some companies can accomplish this by assembling a strong leadership team that works closely together towards common goals. This requires the leader of this group to be exceptional from the people perspective.

IT must embrace itself for constant change.
The next chart shows IT's top ten technologies for 2008 (Source: CIO Insight):

Some of the key IT initiatives that could come from this list are SOA, BPM, Business Intelligence, Master Data Management (MDM), Virtualization, SaaS, ITIL, Portfolio Management, Social Computing, and many others. Each one of these initiatives requires people to change the way they have traditionally worked. Some roles and skills may go away and new ones may be created. Many of these initiatives require very specialized skills and demand more collaboration across different areas of expertise, including business SMEs (subject matter experts).

But the technology is the "easy" part. Getting the business sponsors to own and help drive the initiatives and leading people through change is where IT has a huge skills shortage. Many people in IT don't even acknowledge that these two things are important. I can't count how many articles I have read that claims SOA is a failure and is nothing more then hype. The same is said for enterprise architecture (EA) where recently EA has been called a joke. The joke is that companies try these large enterprise initiatives without relevant business drivers and without having an organizational change management (OCM) plan. Many think by simply having smart technicians, they can get any IT project done.

The future will drive even more change.
Over the next few years, cloud computing will become a key driver for reducing complexity, reducing costs, and improving agility. I recently made a short vlog (video blog) on this topic. Software as a Service (SaaS) and Platform as a Service (PaaS) will cause a major shift in the way we think and work. There will be all kinds of resistance from the infrastructure and security staffers. Moving to a platform in the cloud is a threat to the current roles and responsibilities for these folks. Over time (5-10 years), PaaS will become mainstream and IT shops will likely become smaller and will definitely have a different technical makeup then it has today. People will have to retool and stay current with trends. Software will become a true engineering exercise that requires knowledge of distributed systems, security, data management, and networking. Drag-n-drop n-tier developers will become the Cobol programmers of our next decade. Globalization and social software will radically change the team structures. Project teams will be scattered across the globe. Rising oil prices will lead to more virtual offices. Ten years from now we will look back and laugh at the notion of cramming hundreds of people into cubes. Companies will be able to hire staff from around the globe and won't be restricted to local markets. Users will have the power to assemble their own applications by leveraging mashups and software in the cloud. How will we manage the future?

IT Leaders need to change with the times
So what does this all mean? When you add up all of the things I just mentioned, the role of management has become far more demanding. If your managers are struggling today, how will they survive tomorrow? Just think of the cultural and ethical ramifications of managing a remote team of workers from around the world. IT leadership will be even more demanding then it already is and we already have a shortage of leaders who excel in all three areas of the leadership triangle. So how will we solve this dilemma? Currently, many IT shops just "stay the course" and do not adopt any of these large enterprise initiatives. In the future as cost reduction becomes a matter of survival, many of these initiatives won't be optional.

Unfortunately, I don't know the answer to my own question. There is already a skills shortage in IT across the board. There isn't a shortage of people applying for management and leadership positions, but there sure is a shortage of people who are qualified! Where will the next generation of leaders come from? How many companies will recognize the importance of the leadership triangle? How many more IT projects will fail before somebody does something about this dilemma?

What do you think needs to be done? How will we overcome the Leadership shortage?

I recently wrote a post called Microsoft Free - One year later that spoke about my experience using all open source products in a corporate environment with mainly Microsoft products. The guys at Gustygeeks.com invited me to be their guest on their weekly show. I recorded a portion of the show which you can hear by clicking play on the media player below. Enjoy!

Get your own playlist at snapdrive.net!

There have been a few paradigm shifts in IT over the past 30 years. First was the introduction of the PC which changed computing forever. This moved us from a very structured and controlled mainframe environment to an empowered and chaotic distributed environment. The next big change was the introduction of the Internet in the workplace. This has fueled globalization and lead to more demanding and tech savvy customers. The next big thing is cloud computing, specifically, Platform as a Service (PaaS). Before I go into why I believe this to be true, let me clarify the terms.

On Premise
Traditionally, companies run a majority of their software, both proprietary and 3rd party, within their own data centers. Common software products that you see in corporate data centers are Microsoft Office, relational databases like Oracle, DB2, and Sysbase, and financial systems like Lawson and SAP.

Internet applications are typically web sites or proprietary applications that are built to run on a browser but are hosted within the walls of your company. Popular websites like eBay, Amazon, and Google are run from within those companies data centers. Many of the web applications that most companies built are run within their data center or by some hosting partner. Let's be clear that hosting is not in the cloud. In a hosting environment you have dedicated infrastructure assigned to your application(s) that is not shared with other companies. When you want to scale up you have to buy/lease more infrastructure and bandwidth.

Cloud Computing
With cloud computing, we are now talking about running software that is written by someone else who also manages the infrastructure. SaaS or software as a service is a prime example of this. Salesforce.com has been a leader in this space with their CRM services. You can pay to use any module and plug that module right into your environment. Mashups and services like GMail, Google Docs, Mapquest, social software like Facebook and Twitter fall into this category. How is this different then regular Internet computing? All of these products/services are open and completely programmable and the underlying infrastructure is nothing that you need to manage.

Now comes the game changer! Major Internet presences like Google, Amazon, and Salesforce.com have built a highly reliable and scalable infrastructure platform over the years. Now they are building out excess capacity and selling it to us as a service. Now you can take your on premise and Internet applications and run them on their platform. This is a combination of hosting and SaaS but with scale and sharing. Unlike hosting, every company is sharing the same infrastructure. Now a $100M company runs on the same world class infrastructure that a $10B company runs on. There is no other way for the $100M company to justify the robustness of the infrastructure that they get with PaaS. The pricing model changes things significantly. Instead of licensing you now pay as you go. As your traffic increases, your applications have access to virtually unlimited infrastructure and you scale in real time. Good bye disaster recovery and business continuity initiatives. Your entire business continuity plan becomes running on two PaaS providers in case one goes down.

I put together this 7 minute video blog that goes into more detail for you hardcore folks out there.

So what are the main challenges that Saas needs to overcome?

  • IT leaders must be educated
  • IT leaders fear of giving up control
  • IT leaders fear of security issues with giving up their data
  • Maturing PaaS technology
It will take a few years before many companies make the move to PaaS, but it is coming. The economies of scale and TCO will be so compelling that CIOs will be crazy not to jump on the bandwagon. Eventually we will get over our control issues. Most payroll and many CRM applications are already running as hosted or SaaS solutions today. Think about it. That is our employee and customer data that is already outside our walls. How about security? When was the last time you went to the bank? Do you buy books on Amazon? Do you use your debit card for most of your purchases? It's already happening. In fact, most security breaches are inside jobs by people who have intimate knowledge of systems and/or infrastructure. PaaS might make us even more secure. Here is another reason. These PaaS vendors' core competencies are building reliable, scalable, and secure platforms. Their applications don't have to be just enterprise class, they have to be global class. They will spend more money on security then our companies can even dream about spending because without world class security, they have no customers.

What does this mean to IT?
Nick Carr, in his latest book The Big Switch, discusses his thoughts. I had the opportunity to see his presentation live at the Gartner AADI conference last week. He believes that IT shops will be substantially smaller 5-10 years from now. The reason is simple, the majority of our infrastructure and applications will be run and managed elsewhere. We will spend less time patching, securing, and upgrading and more time innovating. Today, roughly 70% of IT hours are dedicated to keeping the lights on, which leaves very little time for us to meet the business needs. PaaS does not eliminate this work, but it does greatly reduce it.

Startups and smaller companies now have advantages like never before. They can quickly bring a product to market at very low cost and only pay for the traffic that they generate. As they grow and attract customers, the infrastructure scales automatically to meet their needs. Now, they still need to architect their software to scale, but they don't have to worry about bandwidth, adding machines, and dealing with licenses. This means that your biggest competitive threat might be a company that has not started yet. Your existing competitors have all of the baggage of legacy like your company does. It will take them time to move pieces of their infrastructure to this new way of doing things. It's the new kids on the block that can quickly scale and be agile enough to move at the speed of the consumer.

There is a lot more to talk about on this topic but I'll stop for today. Many people just don't understand PaaS enough yet to see where this can go. I will try to continue to discuss what the future holds and what the impacts of these changes will be to IT and the business.

I stumbled across a video blogging website called Seesmic today. I spent several days at the Gartner AADI conference in Orlando this week and created the following video summing up my thoughts about cloud computing and Platform as a Service (PaaS).

In summary, cloud computing and PaaS are emerging technologies that will drastically change IT over the next few years. IT Leaders need to get better at organizational change management or these initiatives will fail.

Please provide me with some feedback. I want to know if this type of content has any value.

There has been a lot of excitement around Web 2.0 technology lately. It appears that we haven't learned much from our Web 1.0 days, also known as the .Com days. These exciting new technologies allow for companies to quickly produce new web sites and easily extend existing web sites. The problem is people forget that to be successful in the long term, you still need a reliable and well designed architecture and you still need some form of governance to ensure that the end product can meet high levels of quality of service.

What do I mean by Quality of Service (QoS)?
In terms of web sites and software, when I talk about QoS I am referring to:

  • Uptime
  • Performance
  • Service Level Agreements (SLAs)
  • Minimal defects
  • Scalability
Nowadays, a web startup can quickly produce a service on the Internet at low cost. They can simply take advantage of the LAMP stack (Linux, Apache, MySql, PhP), leverage existing Mashups, and build robust user interfaces (RIAs) to produce a cool, eye candy web site that consumers can access for free. Unfortunately, quick is becoming quick-n-dirty.

Balancing Agility with QoS
Startups are faced with a dilemma. They typically have a limited amount of time, money, and resources. They need to get a prototype up and running quickly to give them an opportunity to go after VC funds. The defining moment comes when they get the funding and then have a limited amount of time to produce a Beta version soon to be followed by a real production version. This is where many startups miss the boat. Many prioritize speed to market over sound architecture design. It is a tough decision to make.
  • Do I spend a lot of time and money now and risk missing the window of opportunity?
  • Can I worry about scalability after I see how well received the web site is?
  • Can I afford to pay an experienced architect now or can I wait until we have more money and a good stream of traffic?
Many startups can get away with postponing some of the critical design aspects and target a later release of software to address QoS. But others have not been so successful. Right now, everyone is fully aware of Twitter's Fail Whale, a symbol of incompetence and a colossal architectural blunder.

From Web site crashes

Twitter had quickly become a rising star on the web with millions of users. In the April time frame their traffic spiked to a level beyond what their underlying architecture could handle. Now Twitter is the joke of the town and are victims of daily outages and performance issues. What we found out is that behind the scenes the baby is ugly. Twitter recently responded to some questions from Techcrunch and revealed more information about their "architecture" then any sane person would offer. Here is a summary of what I learned:

  • Use one database for writes (because "replication of MySQL is no easy task")
  • Limited scalability -3 physical database machines "POWERING ALL OF TWITTER"
  • Human Intervention required - "There's a lot of necessary handholding and tweaking "
  • They plan to grow operations, rather then fix the handholding
  • Tightly coupled - massive traffic on one part affects all
  • Many design flaws - "Everything from faulty process, environment, configuration, and just plain load"
Their solution is to hire top talent at top prices and go into fire fighting mode to save this product. This is the typical result when a company with a successful product takes short cuts in terms of architecture and design. You can pay for it now or pay double later. Twitter is paying big now in salary, lost customers, and declining brand value. This is a worst case scenario for a company who generates zero revenue and who's goal is to be purchased by a big spender.

But Twitter is not the only startup having issues. It is becoming common for me to experience crashes and outages in my daily routine of using various new web sites and services. There have been days that I have seen four sites down at the same time. It is getting so common that I started creating a collection of screen shots.

Technorati has been struggling recently with a surge in web traffic. Countless other startups have flashed their cute crash messages on my screen. To me, the joke is on them. It's no wonder that the corporate architects of the world (me included) get a little annoyed when the media and talking heads start touting Web 2.0 and Mashups as the silver bullet for enterprises. Many have said that we should skip SOA because it is hard and time consuming and instead go the WOA route. I think Web 2.0, Mashups, and WOA are all great technologies, but when they are applied to an architecture that does not scale or do not follow some form of governance to assure some level of QoS, then you will likely need to design a cute outage web page to entertain your users as your team scrambles to bring the system back on line.

Here is one that I have created for any new startup out there.

I had a few really attractive jobs show up in my inbox this week which I posted on my IT Job Board. Feel free to share these with your friends and colleagues:

Until next week, have a great weekend and a productive week.

I have been experimenting with Jott lately. Jott is a service that let's you translate voice messages to many different services like SMS text messages, Twitter messages, and blog posts. I just tested the Jott to Blog functionality. Since Jott messages cannot exceed 30 seconds, I refer to this as "Micro Podcasting". Is this useful? The jury is still out, but it is simple to do.

So below is a transcript of my voice message. You can see that Jott butchered my message. Luckily, it creates a blog post in draft mode which gives the blog author a chance to touch it up. For the sake of showing how this works, I am leaving the transcript unedited. At the end of the micro podcast you can click on the link to listen to the actual message. Enjoy!

This is my first test of what I am calling micro podcasting, what that is it is using jott we have short podcast and it will go right in your phone into your ____ account, it's pretty cool stuff. I checked this out last night and sent my first twitt using jott and in twitter there is a turn called micro blogging and that sending out short information ___ to blogs, here I am doing micro podcasting leaving out short messages, voice messages, so that's it for today my first micro podcast. listen

Powered by Jott

I have created many Jott's and most of them translate very well. For some reason this Jott did not translate well. The key is to speak clearly and slow enough so that Jott can create a clean translation. With all that aside, it is pretty cool that I can speak into a phone and create a blog post that has both a transcript of my voice mail and a link to the actual voice message.

I am going to regret ever trying this but I was talking with my friend Dennis Stevenson on Google Talk tonight and we were admiring how social networking has opened so many doors for us from a networking standpoint. In our conversation I mentioned half jokingly that all we need is to be able to send Tweets by phone. Then I remember trying out Jott several months ago which is a service that converts voice to SMS text messages from any phone. So I figured that I could hack up something to intercept the SMS text message to send to my blog which automatically feeds new blog posts to my twitter page.

When I went to Jott, which I had written off as a tool that I had no use for, I was pleasantly surprised to find that the smart folks at Jott where one step ahead of me. They already had Jott integrated with Twitter. I simply called the Jott number, said Twitter, and then spoke a short message. Within a few minutes I had a Tweet on Twitter with a tinyurl link to my message.

Then I found that Jott is integrated with Blogger, Wordpress, Google Calendar, and many others. Imagine being on the road and you remember that you have an appointment at 2pm the next day. You can call the Jott number (mine is voice activated) and tell Jott to call Google Calendar. Then simply speak into the phone to set up your appointment in your Google Calendar and you are done.

I probably will now be responsible for many car accidents for sharing this. But seriously, the possibilities with Jott are endless!

In May of 2007 I wrote a post called Open Source and Microsoft Free. Little did I know that this post would show up on Digg, Slashdot, Craigslist, and several other popular web sites and become a platform for both the Linux and Microsoft camps to wage yet another flame war.

This whole "Microsoft free" experiment started when a colleague of mine challenged me to eat my own dog food after reading many of my posts about my dabbling with open source technologies. The next day, after a few blue screens of death and various issues with Outlook, I grabbed a Ubuntu CD and installed it on my laptop....at work! From that day forward, I have not used a single Microsoft product at work. It has been one year now and I have survived with Thunderbird and Evolution, Open Office, Firefox, and many other open source replacements for Microsoft products.

I put "Microsoft free" in quotes because there are a few exceptions. First, I did install IE 6.0 under wine for that rare occasion that I stumble across a website that only works on IE. Second, there is no answer for Visio. Most of the Visio diagrams that I needed to read were embedded in design documents in Word which I can read with Open Office Writer. But for those that I needed Visio for, I opened them at home on my XP box (I have 1 XP, 1 Vista, and 5 Linux boxes at home). I also used Visio at home when I had to create Visio diagrams. The issue is Visio's proprietary format is not available for developers to write a translation utility for.

With those two issues aside, which represents about 1% of my overall usage on my laptop, my Open Source experience was nearly flawless. Open Office worked remarkably well both receiving Microsoft Office files and creating files in Office format. I exchanged literally thousands of documents between Microsoft Office and Open Office. I never encountered a single issue with Word and Excel and occasionally encountered minor formatting issues with Power Point files. The formatting issues where nothing more then some minor placement issues which probably occurred less then 5% of the time.

Over the course of the year I experimented with Ubuntu, Kubuntu, Freespire, Mepis, and PCLinuxOS. I settled on Kubuntu and recently upgraded with ease to the latest version, Hardy Heron. Here is my analysis of the different Linux distros from last fall. With this "Microsoft free" laptop I have coexisted with 1000+ employees who use XP and various verions of Office including 2007 (the 2007 compatibility add-on works fine). I also delivered presentations at conferences using Open Office Impress and traveled across the country and internationally with no issues with wireless connectivity.

I am not in any camps. I use XP and Linux at home and like both. I gave Outlook the boot years ago at home and do just fine with Thunderbird. It has every feature I need. I do however have problems with Vista. But my message here is not about recommending what tools that my readers should use. My message is that I performed at a high level at work while using Linux, Open Office, and other open source products. These tools did not hinder my ability to do my job and did not impact anyone else at my job. I was able to productively coexist with no Microsoft tools in a Microsoft shop. That is all I am trying to say.

I am not going to recommend to anybody that they change their company standards away from Microsoft. What I will tell you is that open source is a viable alternative that can be used in a production environment. So when you see flame wars where the two camps argue back and forth about their favorite technology, you can point to this post when people claim that Linux and Open Office just won't work in the work place. I have validated that they do work for over 365 days now. Whether we should use these tools at work is a whole different story that really depends on factors like corporate culture, skill sets, budgets, user base, executive support, and many others.

All I can say is that for the last year, I have been using Open Source exclusively and I am loving it!

Subscribe to: Posts (Atom)

My favorite sayings

"If you don't know where you're going, any road will get you there"

"Before you build a better mouse trap, make sure you have some mice"