Tuesday, June 30, 2009

A darker side of application and human behavior

In DC today at a security conference (Gartner) – and this has prompted the following. I use this blog to explore the symmetry between applications and their human progenitors – today’s posting focuses on a darker side – the military, terrorism and war.

I have just left a presentation led by David Sanger, Chief Washington Correspondent for The New York Times. He focuses more broadly on foreign policy, globalization, nuclear proliferation, and the presidency – today’s discussion was on Cyber threats rather than nuclear or trade.

Applications are now soldiers, terrorists, saboteurs and secret agents.

Did you know that denial of service attacks (techniques for bringing down phone, power, broadcast and financial networks) are now a standard tactic in every army’s war book?

Just as air bombing is standard before a land battle begins, so are denial of service attacks.
  • Estonia experienced a devastating cyberattack in 2007 following a decision to move a statue memorializing Russian soldiers who fought during World War II. Pro-Russian hackers took down bank and school websites on Estonian networks.
  • Russia used denial of service attacks before attacking Georgia last year.
  • And earlier this week, Iranian news websites and those belonging to political organizations were hit following the contested re-election of President Mahmoud Ahmadinejad.

Did you know that the US power grids and financial markets are continuously probed in search of weaknesses to be exploited at some future date?

…and guess what? Unlike human terrorists, you cannot easily determine their origin. We have no borders to protect. And even when you find the source (computers) that are launching these attacks – they are rarely in the country of origin (Russia’s attack against Georgia emanated from Turkey). How do you think Turkey would feel if Georgia bombed Turkey to defend itself?

If you haven’t already heard, Obama will soon be appointing a “Cyber Czar” – and before you buy in to some hack (the media equivalent of a computer hacker) complaining that we should be focusing on “the real threats” overseas, our economy, etc. remember your history – think of The Maginot Line – and be grateful that we have a president that actually uses computers and understands their role as the literal “work horse” of the 21st century and, now, the emergence of an entirely new “military front.”

Friday, June 12, 2009

Stuff I took the time to post on LinkedIn that may be worth repeating

I got caught up in a LinkedIn discussion thread on the influence of analysts on application vendors and software categories - I think it bears repeating... the original question was in part ...
Do industry analysts have too much influence on software vendors, who call their products GRC or CCM/T - terms used by analysts?

There were a few comments before I wrote...

I probably read way too much into this question – but it hit a nerve and so here is a rather lengthy reply (for a LinkedIn comment anyhow).

At the most abstract level – the etymology of terms like GRC is no different than any other phrase or term in natural language – like heat off of an engine, meanings are generated through usage (which often diverges substantially over time from first use). This means that even though careful and deep thinkers take the time to carefully craft a coherent and fully realized definition of GRC – this is not, at the end of the day, the actual meaning of GRC. There are two scenarios here – a) people using the term with a shallower or incomplete understanding and b) people intentionally reusing the term to mean something slightly (or entirely) different. In either case, whoever gets the most air time generally wins.

Looking at the second use case – intentional misuse – this is extremely common in the commercial world (not just hi-tech). What does “natural” mean? How about “fat free”? Hi-tech examples are numerous too – enterprise content management (ECM) is another good example. In fact, I wrote a short column on this way back in 2002 (before blogs were big) entitled “Enterprise: how long is a piece of string?” http://gilbane.com/columns.pl?view=5 … here I offer my own musings on the tension between vendors, consumers and analysts at length – but the topic was not GRC – it was ECM. Is it surprising that vendors like IBM, Oracle, EMC and others are players in both?

To be clear, motivations are not always malicious or deceptive – as long as analysts need to produce a body of work that is organized, integrated and expandable (and commercially valuable) – they will develop (and insist upon controlling) their own taxonomies.

As long as suppliers are most interested in solving problems competitively and profitably, they will emphasize and focus only on problem domains where they are effective (no vendor paints a worldview with a hole in the middle).

And as long as enterprise consumers are focusing their scarce resources on the most material/pressing challenges and opportunities in front of them, they will ignore skills, technologies and opportunities that do not address their selfish interests. Each group works to influence the other two – but the tension is natural – and I believe healthy.

In my view, all three players are correct to do this (in fact, this is more of an ideal than a common practice). So, I guess the short answer from my perspective is that mapping capabilities to features or categories is, by design, an imprecise means of communicating priorities and intentions – and should never be relied upon to replace detailed and deliberate assessments/evaluations/recommendations.

Buyer beware – or – he who controls the language, controls everything – or – meaningful ambiguity is a good thing…

A few complimentary notes were posted on the above :) and then an interesting post came from Michael Rasmussen - a very effective analyst and thought leader in his domain of governance, risk and compliance management....

Michael wrote "Yes, industry analysts do have too much influence on defining and categorizing software. Particularly in markets such as GRC. I left Forrester after seven years because I was continually frustrated - my definition and approach to GRC was broader than Forrester's audience. Forrester, Gartner, and their peers are good at reaching the IT audience - so GRC (as a software category) often gets trapped within IT. Occasionally it breaks out into other areas such as finance where they have some traction. They fail to understand GRC's role in EH&S, Quality, CSR, and many other areas."

...and that's when I went a little overboard for a LinkedIn discussion (it took two posts to fit it in - here it is)


Perhaps because I too have spent many years in this business (over 20 as an ISV and even 2 as an analyst), I cannot resist the temptation to connect Michael’s point of view with my earlier post. Sadly for all of you, because the post was too long, you will have to read this post AND THEN THE NEXT POST for the punchline...

The ISV-enterprise-analyst knot

If you deconstruct the influence of analysts on software categories, you will see that ISVs are keenly focused on their customer needs (this is the ISV's primary focus). In the same fashion, the ISV customers’ primary focus stems from their target customers’ requirements (whoever they are). Since assessing IT options (or HR policy or tax law or…) is NOT the ISV customers’ primary focus, they look to outside support that is, ideally, expert and independent. With regard to IT, they look to IT analysts. IT analyst firms in this particular scenario have enterprise IT as their primary customers (focus) too. So – ISV sells to Enterprise who is then sold to by Analyst firms who provide “independent” guidance. The result is a tightly woven financial, professional and organizational knot, leading to the following good, bad and twisted consequences:

1) This dynamic discourages innovation and transformational solutions: The enterprise IT group is generally not incented to modernize or re-engineer their IT strategy on their own initiative – and so, typically, do not look to analysts for this kind of advice – they want guidance with minimal risk, a proven (therefore established) approach, using equally stable technologies and suppliers.

2) IT analyst firms deliver what their customer-base wants – That means a topology and best practices that emphasize a “rear-view mirror” perspective. This is especially true for companies like Gartner and Forrester because of their enterprise client base. (Note that Michael appears to validate this when he writes that analyst firms are “good at reaching the IT audience.” That’s no accident or even handicap from a business perspective – that is their North Star to hitting their revenue goals. This is the high-order bit, the organizing principle, their raison d'être.)

3) ISVs must “set the table” to win sales. ISVs try to influence (or appease) analysts as a tactic to influence their shared customer-base. The influence on ISVs (who ultimately must label their software as “grc” or “ecm” or whatever) is, therefore, indirect. If the enterprise IT customer was willing to pay analysts to produce transformational business and operational re-engineering recommendations – then that’s what analyst firms would immediately start to focus on. But, to date, market forces rarely lean in that direction.

4) Sometimes the market does demand transformation. Disruptive technologies like the Internet, regulations like Sarbanes-Oxley or economic forces like the rise of India and China may force businesses to place new demands on IT that get passed to analyst firms which then generate short bursts of transformational analyst output. NOTE - This is the exception and lasts just long enough to address the threat and never long enough to reap all of the potential value. This is why so many companies will stop GRC investments once individual regulatory obligations appear to be met but well before an integrated and effective GRC transformation is even in view. It is organizational and professional entropy.

5) In order to transform businesses, you must cut the knot – If the success of a new business practice or technology requires organizational change and/or a re-education of professionals (inside any of these three organizational threads) – the interlocking dependencies of the ISV-enterprise-analyst knot must be severed.

Is this inherently bad? Read my next post please.... (it's WAY shorter)


Is this inherently bad? Of course, if you’re a spirit who thrives on transformational change – this will be extremely frustrating (and I count myself among that number). But I have to say that this is not the only view.

As our founding fathers recognized – perhaps the greatest threat to our liberty stems not from dictatorship, but from “a tyranny of the masses.” Like the executive, legislative and judicial branches of government, our “knot” of enterprise IT, ISV and analyst may slow things down to a maddening degree – but it also protects us from swinging corporate strategy and operations too often or too far in any one direction. (hey, let’s throw out our computers and just use iphones!).

Now, I would never presume to speak for or represent Michael’s views – but I did have the good fortune to be one of Michael’s clients when he was at Forrester and have had some experience with him in his subsequent “expanded” and independent role as well. My experience of Michael is that he is a man who is not readily satisfied with the status quo and is energized when he sees a way to materially transform the way people work – and by extension – the way they live.

Ironically, as Michael succeeds in his almost evangelical mission to raise our collective consciousness as to what GRC SHOULD mean, organizational changes within enterprises to better align with good GRC practices will be one sure result. This will in turn lead to a spike in demand for more sophisticated/expansive analyst services around “true GRC” and this will in turn bring “the new GRC” into the analyst firm mainstream. …and in a decade or so, someone will rail against these firms for stifling the next dimension of business/social/operational/financial management. Who knows, perhaps it will still be Michael.

Remember – an “end-to-end solution” is just a silo seen from the inside. (…and apologies in advance to Michael if I have in any way misrepresented or dumbed down his outlook beyond recognition)…