The Parable of the Bike Race

by Vince Kellen, Senior Consultant

I finally had the chance to catch up with a long-time colleague of mine for lunch a few months back on a cold, wintry and blustery Chicago day. We sat down, and ordered tea and coffee. Not waiting to order our food, she immediately began to tell me a story about a recently retired CIO and former boss of hers, Hal, who had just returned from a cross-country tour of the United States. I sat and waived off the waiter. She was on a roll, so I listened. As best as I can remember it, this was Hal’s tale, told second-hand to me, about a rather unusual bike race.

Hal was driving west through the Rocky Mountains last autumn and was forced to stop in a smaller town in north central Colorado. The main road was closed off and there appeared to be no other way through town. Hal pulled his car off to a side road and walked up to the blocked road, which had spectators lined on both sides of the street. Looking down about a block, he saw that a bike race was about to begin. He walked up to the road barricades. Noticing his curiosity and unfamiliarity with the town, a bystander nudged him with an elbow and said “You won’t be getting through for about an hour. Gotta let the bike race clear.”

Being patient, Hal squinted in the bright, warm sun. “That’s ok,” Hal said. “I’ll watch.” Hal looked at the brightly colored shirts and numbers the bikers wore. The shiny glint of bike gears and wheel rims shimmered. Bikers attended diligently to their bikes, preparing for the beginning of the race.

The bystander snickered a bit under his breath. “Unusual race,” he said.

Puzzled, Hal asked, “Why?”

“No one knows how to ride a bike.”

The bystander stood silent, slyly smiling, letting Hal’s pause extend a bit. Thinking the bystander’s comment a joke, Hal ignored him and watched the bikers get ready for the start. The bikers, about 100 in number, stood poised and ready. A loud air horn went off. The bikers pushed off.

Just as the bystander said, it became quickly apparent to Hal that in this particular race, no one knew how to ride a bike. Unsurprisingly, bikers immediately careened and flopped, crashing into each other while falling to the ground, scraping knees, elbows and hands. Hal could hear swearing, groans and howls from where he stood. With a barely amused and mostly pained look, Hal grimaced as the bikers struggled. Some bikers were busy cleaning bloody scrapes. Others were furiously and vainly trying to keep their balance while moving forward. Others gnashed their gears uncontrollably up and down, going nowhere.

One biker, in a fit of anger, threw his bike off the side of the road and stomped on the wheels, bending the rims. Another stood next to her bike, madly kicking the derailleur. Off to one side, hidden from the messy mass of bikers, one biker was cautiously and slowly moving forward, wobbling a bit, but making steady progress. Seeing this, all the remaining bikers suddenly but erratically exerted harder.

A small pack of about eight younger and more muscular bikers saw this new leader and doubled their efforts, but in vain, as they collided into each other in a more spectacular and equally painful crash. Quickly, what looked like a mechanic appeared from the sidelines and was helping repair one of the crashed bikes and then another.

Hal’s amusement shifted to frustration. “Why can’t they ride their bikes?” he thought. The bystander bumped him again. “Looks like all the money these bikers spent on the latest in equipment was a failure,” he snickered. “At least someone made money on this!” He continued, pointing at what looked like the bike mechanic. “I know that guy. John something. I forget his last name. He’s actually getting paid to help these bozos. It’s a good gig for a Sunday afternoon. Some of these cyclists have bucks, if you know what I mean. It’s like taking candy from a baby.”

The carnage continued for several more painful minutes. The lead biker, despite a couple of falls, was now a few blocks ahead and the gaggle of the previously fallen muscular and over-confident bikers had somehow figured out how to keep their balance and were moving along. A few moments later, about a dozen or so bikers began wobbling uneasily forward following them.

Hal continued observing. By his count, about fifty or so bikers were no longer prone on the ground, but were meandering along, barely staying up. He looked at his watch. Now he understood why the bystander said it would be an hour.

Getting a bit too close, the bystander nudged Hal with his elbow again. “I think we have a trend here! Looks like the investments in bikes are paying off now! I got my money on the newer models. All the best cyclists have those these days.” Hal watched the bystander who was now talking on his cell phone. “Gotta get the model 750s. They seem to work best,” Hal overheard him say.

Hal waited another thirty minutes or so, watching patiently. The remaining twenty or so bikers still on the ground begrudgingly cleared away their wreckage and withdrew from the race. Race organizers were cleaning up the mess and clearing the roadway. Hal began walking back to his car. The road was going to be open soon and he wanted to get moving on.

After getting into his car, Hal pondered a bit. He wasn’t quite sure who was the more foolish, the bikers who couldn’t ride or the bystander giving tips on what bike to buy while watching this crazy race.

It’s not the equipment, Hal mused. It’s the rider.

 

Remembering Art

by Robert Charette, Director and Fellow

We were saddened to learn that a former member of Cutter Consortium’s Enterprise Risk Management & Governance advisory service, Art Gemmer, passed away in his sleep. Art helped pioneer project and program risk management at Rockwell Collins, where he worked for 27 years before leaving and starting his own consulting company. His obituary can be found in The Gazette Online. Services will be held Friday, 28 March.

Innovation of the Second Kind: Cultivating a Frame of Mind

by Lee Devin, Senior Consultant

I see a difference between innovation as it relates to particular products, services, or ideas, and innovation as it relates to the great changes that are shuffling their feet in the wings, ready to come on stage and change our lives. To assure long life as a company making goods to sell at a profit, we need a lot of the first kind of innovation; we need, in other words, to continually improve the way we develop and exploit our industrial methods. To assure life at all as a developed economy — a planet even — we need a whole lot of the second kind; we need, in other words, to break with the past and move on.

Soon. Now would be good.

To begin on innovation of the second kind, we need to cultivate a frame of mind that supports and encourages everyone to think hard about some of the ideas that got us where we are today. There’s no need to waste time repudiating them. (Although, when we see pictures of mountaintops lopped off and tamped down into the hollows and valleys, it’s tempting.) Yesterday is yesterday, over, and we need to put some of our attention on tomorrow.

I’d like to start a list circulating informally among us, a list of ideas that urgently need reconceiving. Each of us has a couple of those, but putting them together might jog our minds a bit. That, and each of us knowing that others are thinking along similar lines. Having company is a great impetus to innovation.

My list starts with failure and efficiency. From recent discussions, I think failure turns up on most lists. Not so sure about efficiency.

1. Failure. Our reconceiving of failure might take the form of exchanging definitions and descriptions that could lead us to new language to identify the work situations we now call failure. We could pile up a body of thinking that everyone could take in and use as material for the next conversation with someone who hasn’t made the leap. It might be worthwhile to get in the habit of writing “failure” whenever we use the word to name an iteration that’s a step made toward a future emergent outcome.

2. Efficiency. Right now, efficiency points at a cluster of ideas, all related to removing anything in excess of the absolute minimum needed to achieve a rigidly proscribed outcome. We assume that if we achieve that minimum, we’ll maximize our profit from the venture.

A growing number of people understand increasingly well that many displays of “efficiency” don’t exactly represent the facts. It will be an epochal advance when someone figures out how to assess the true cost of gathering coal by filling a valley with the mountaintop: to name who pays (for the immediate damage and for the damage caused by burning the coal); to name (and collect from) who should pay; to name who profits; to assess the true cost of the coal and compare that with the price; and, in short, to describe fully and honestly the efficiency of such mining methods.

3. Other ideas that could use reconceiving … please, add to this list!

Is a Data Warehouse Essential for Business Performance Management?

by Curt Hall, Senior Consultant

The majority of organizations that have implemented or are planning to implement business performance management solutions rely on a data warehouse to support the data integration requirements of their performance management initiatives. This finding comes from a Cutter Consortium survey conducted in January 2008 of 101 end-user organizations based worldwide. The survey was designed to measure the extent that organizations are implementing business performance management and the techniques and tools they are using and the issues they are encountering.

Specifically, when asked, “Does your organization have an existing data warehouse that you are using/plan to use to support the data integration requirements of your business performance management initiative?” survey participants responded as follows:

• “We are using/plan to use our existing data warehouse” (44%)
• “We do not have an existing data warehouse/data integration architecture but plan to develop one ourselves to support our business performance management efforts” (19%)
• “We do not have an existing data warehouse/data integration architecture but plan to buy a packaged business performance management application that includes a data integration architecture”(10%)
• “We do not have an existing data warehouse/data integration architecture and do not foresee having to develop one to support our business performance management efforts” (15%)
• “Don’t know” (12%)

That the overwhelming majority of organizations (i.e., 73%) are using or plan to use some form of data warehouse to support their performance management applications makes sense when you consider that data integration and ensuring data integrity were found to be the third most-difficult issues confronting organizations implementing business performance management initiatives, according to the survey.

This finding is important for several reasons. For one, data integration requirements for business performance management can be daunting because of the number of sources that need to be accessed/integrated in order to feed the performance analytics and KPIs. In addition, over the last several years, some have pushed the idea that the data warehouse is no longer essential for performance management and other BI-related applications. The argument is that the availability of virtual data integration brokers using real-time data capture technologies means it is no longer necessary for organizations to undertake complex (and risky) data warehouse projects.

I have long argued that the data warehouse is still essential for comprehensive BI applications (those spanning multiple departments, business units, and users, etc.). This is because, although virtual data broker technology excels when it comes to capturing and integrating real-time data, questions exist as to how well the technology supports complex data cleansing — especially when the data is drawn from multiple, heterogeneous, distributed sources. Moreover, although virtual data brokers are excellent for displaying real-time information in dashboards, scorecards, and other “at-a-glance” style applications, they may not be able to present a historical view. Such a view is essential for adding business context to recent developments (e.g., contrasting regional sales or shipments for the current week’s marketing campaign with those from last week, last quarter, last year, and so on). It is for these reasons, among others, that I have always urged organizations to consider data warehousing and virtual data broker/real-time integration tools as compatible rather than mutually exclusive technologies.

In conclusion, the survey’s finding that the overwhelming majority of organizations implementing business performance management applications are relying on a data warehouse to support their efforts tends to throw cold water on the “no need to utilize a data warehouse” argument — at least as far as business performance management is concerned. As a result, I urge organizations that are considering foregoing the use of a data warehouse to carefully reexamine their requirements — especially when it comes to the need to ensure data integrity for performance management applications.

But this is just my opinion. I’d like to hear your view on this matter as well. Does business performance management, done correctly, require a data warehouse?

Technology Trends: Room for Cautious Optimism

by Gabriele Piccoli, Senior Consultant

We recently published the results of our annual Cutter Benchmark Review survey on trends and technologies for the coming year. This is the third yearly issue of CBR where we ask our contributors to look forward to the coming year and see what technologies and IT trends we can expect to endure, which ones are emerging, and which ones seem to be losing steam. Our ability to do trending and year-over-year comparisons is strengthening with every survey and the cumulating of results. We have been very careful in keeping some of the questions consistent so that we can comment on changes over time. The trends issues are particularly important in my opinion as they give us more than a spot evaluation of what is going on and instead enable us to take a more long-term view.

Our contributors, Dennis Adams, Chair of the Department of Decision and Information Sciences in the C.T. Bauer College of Business at the University of Houston, and Cutter Senior Consultant Jeroen van Tyn, offered some interesting food for thought and insight based on the data. Below I’ve copied some highlights:

• Virtualization: 61% of respondents indicate their companies are currently using virtualization tools, a 9% increase over last year’s results. The greatest use of virtualization tools is for application testing and development (42%), followed by system patches and update testing (25%), and production (25%).

Jeroen expects that the continuing maturation of virtualization will support the upward trend in application of this technology across the board and that larger companies will continue to lead the way, as they have the greatest interest in keeping down the number of physical servers they have to manage.

• Security: The number of companies concerned with intrusion detection has jumped 24% from 2006 to 2008. All of that gain has gone toward networked-based systems, which are more than twice as likely to be employed as host-based or target-specific technologies.

According to Dennis, this continuing trend to defend computing resources at the network level provides an insight into where managers believe intrusions are most likely to occur and, more importantly, allows more flexibility in the design of the system architecture.

• Data Storage: About 75% of respondents indicate that they expect their data storage needs to increase significantly in the near future.

Dennis believes some of this can be attributed to the heightened attention paid to e-discovery. And Jeroen’s take is that we’re seeing a definite upward trend in concern over data management in support of regulatory compliance: Ensuring that the rules are followed is part and parcel of protecting a firm’s ability to survive.

• Open Source: As many as 65% of respondents say their organization has deployed open source systems — a 16% increase over the last two years.

Why are the remaining 35% not deploying open source applications? There have been significant decreases in the number of respondents citing no business need or no relevant applications as the reason, and at the same time, the number citing lack of a business sponsor has nearly doubled. Jeroen took a close look at the data and found that of the respondents lacking a business sponsor, only 17% also lacked business need and/or relevant applications. So 83% could not find a sponsor for apparently needed applications.

• Outsourcing: Cutter’s 2008 survey shows that 55% of respondents have or are planning to outsource work — a 7% increase since 2007. The types of work being outsourced include development work (78%), maintenance work (64%), and help desk support (49%). In 2007, only 38% of respondents outsourced the help desk. That number has jumped to 49% in 2008.

Dennis’s perspective is that “outsourcing the help desk will continue to draw managerial attention. In one sense, it is the outsourcing of low-hanging fruit because of the way most organizations have implemented the help desk as a non-value-adding process. As far as the help desk is concerned, the only thing there really is to do with it is to outsource in order to cut costs.”

• Backsourcing: The number of respondents who are considering backsourcing is down 10% from 2007. A total of 39% of respondents indicate that their organization is considering backsourcing in 2008.

Dennis suggests that this trend will continue; that once the kinks have been worked out of the outsourcing arrangement, there seems to be very few business reasons to bring work back inhouse. In short, once the quality-control issues have been addressed, then what gets outsourced stays outsourced.

• IT Staffing Plans: Despite the recent economic turmoil, 55% of respondents expect to be hiring IT staff in 2008. While another 36% of respondents expect no changes in their IT staffing plans, the remaining 9% expect to be downsizing.
• Service-Oriented Architecture: 57% of respondents say their organization has implemented an SOA initiative or program, a 6% increase over 2007. The primary drivers behind today’s SOA initiatives are: to increase IT’s responsiveness to business demand (73%), to reduce cost of IT operations (58%), to exploit strategic competitive opportunities (51%), and to retire legacy technology (33%). The highest-level champion of SOA initiatives is the CIO at 35%; followed by the EVP, SVP, and VP at 19%; and then the CEO at 17%. There are significant impediments to the adoption/expansion of SOA in the organization, according to 61% of respondents. The reasons cited include a lack of visible ROI (31%), a lack of alignment with business strategies (25%), a lack of business buy-in (23%), and insufficient sponsorship (23%).

Jeroen’s prediction? The stock-in-trade approach of CIOs peddling SOA from a technology perspective is bound to run into trouble, and that, while a bottom-up perspective is an important aspect of successful SOA, there is no substitute for sound business analysis. more

A Disparity of Clarity

by Vince Kellen, Senior Consultant

Recently, I had the chance to talk with two CIOs from large, multi-billion and multi-national businesses with names we all recognize. To protect the identities of those involved, let’s call them Firm A and Firm B.

Firm A is a still rapidly growing consumer electronics manufacturing firm. But over the past ten years, this firm went from 1,000+ in IT staff to just over 500. They went from a couple dozen finance systems to one. They went from a dozen marketing systems to one. They went from about ten HR systems to one, seven relational database platforms to one, and a couple dozen data centers to less than a handful.

And now for the kicker. The IT budget went from about 4% of revenue to less than 1%. Along the way, their budget shifted from about 85% of the budget fixed and 15% discretionary to about 50% fixed and 50% discretionary.

Firm B is a large IT outsourcing provider and consultancy with over 100,000 employees. They outsourced a bunch of IT overseas (doctor heal thyself!), cut the number of applications they support from a couple thousand to less than 500. They went from many desktop and back-office platforms to one.

Oh, yes, and over the past six years, this firm cut the IT budget, as a percent of revenue, in half. And they freed up substantially more capital to apply to new initiatives.

As Darth Vader said about Luke Skywalker’s double back flip escape, “Most impressive.”

Both CIOs entered into a tangled mess of IT and drastically simplified it, standardizing on essentially a single core set of infrastructure platforms and a single enterprise application vendor. These more standardized and centralized IT shops have enabled the IT function to be more adaptable and responsive. Let’s call this the strategy of the “One.”

To execute this strategy, it appears both firms had strong executive teams and CEOs on board with the strategy and willing to twist some arms.

Ever the cynic, I asked both of these CIOs a simple question, “What’s next? What will provide you the next great leap forward in productivity?”

In both cases I got a good pause. Firm B’s CIO was honest. “We don’t know,” he said. But he was sure that focusing on how to get IT to contribute to revenue, as opposed to IT cost-cutting, was going to be part of the plan. Firm A’s CIO was a little uncertain, but did suggest that the IT budget as a percent of revenue will have to increase somewhat and they would have to continue to find ways to add to the revenue equation for the firm.

Inside I wept for these CIOs. It must be tough having so much success.

Both CIOs were crystal-clear about what they needed to do to simplify the absurd IT complexity they inherited. And both CIOs were much less clear on how IT will make another equally impressive contribution

The disparity of clarity was disquieting.

A voice went off in the back of my brain. Will both firms have to ‘recomplexify’ to make the next leap forward? And at the scale of these two firms, what would that look like? Will the strategy of the ‘one’ be replaced, yet again, by the strategy of the ‘many?’ Will it be déjà vu all over again?

Over the long term, walking the tightrope over the hell-fires of complexity and the glaciers of simplicity requires a most impressive and uncanny balance.

The First Thing We Do, Let’s Kill All the Risk Managers — Again

by Robert Charette, Director and Fellow

The financial community recently seems to have added a new twist to the advice given in Shakespeare’s Henry VI (Part 2) with regard to lawyers in the wake of the US $130-billion-plus write-offs that are increasing daily due to the subprime mortgage debacle.

The Canadian Imperial Bank of Commerce recently fired its chief risk manager after that bank faced write-downs of CDN $2 billion on top of the previous CDN $978 million quarterly write-offs related to its holdings in subprime mortgage debt in the US. The expectation by financial analysts is that the subprime losses for the bank will continue to grow throughout this year.

The risk management units at Citigroup (which had to take $23.2 billion in write-offs in the past six months) and Merrill Lynch (a firm only one-third the size of Citigroup but which also had to take $24.6 billion in write-offs over the same time frame) are being “revamped”; a nice word meaning “don’t let the door hit you on the way out.”

John Thain, the new chief executive at Merrill Lynch & Co., conceded that risk management at the company is dysfunctional. Thain went on to say that the risks Merrill took were siloed when they logically should not have been, which in turn led to a lack of understanding of the risks that were being taken on. In addition, Merrill’s enterprise risk committee “just didn’t function.” Finally, Thain implied that the risk appetite of the firm was a whole lot bigger than its wallet allowed.

Let’s look at just how deep this “lack of risk understanding” was. Last October, when Merrill Lynch announced that it had to take a US $8.4 billion write-off, most financial analysts thought that Merrill, given its market exposure in the subprime market, would have to take a fourth-quarter write-off as well, but estimated that this would only be in the range of $4 billion. No one at Merrill disputed that estimate. Well, it turned out to be $16.4 billion. Being off by a factor of 400% in fewer than 90 days is some mean feat of risk misestimation, don’t you think?

What CEO Thain also didn’t say was that Merrill Lynch was also passing on its lack of risk understanding in the subprime

more

Choking on “One Throat to Choke”

by Vince Kellen, Senior Consultant

Beat ‘em up. Knock ‘em down. Slap ‘em around. Keep them on a short leash. Teach them a lesson. Make ‘em behave. Vendors, that is.

This phrase has recently seeped into common IT parlance. I’ve even heard vendors, typically large ones, say that the reason we should buy their wares is that they can then provide us with this pugilistic benefit. Fascinating. A value proposition predicated on giving customers the right to beat up the vendor! Where do I sign?

This idiom reflects elided thinking regarding risk. Managers seeking throats to choke, I believe, are simply displacing anger or carrying around naïve ideas about risk. Hopefully it is the latter since that is more easily remediated.

Risk has only two options (excluding unabated growth which I will ignore for now since it is too painful to think about for too long): it can disappear or be displaced. Risk disappears when teams of people gain new knowledge and develop new patterns of activity that demonstrate increased expertise in a problem and superior outcomes. This is the preferred approach to risk management. Risk is displaced when it is simply moved outside of the imaginary borders of a firm to a service provider.

It is a perilously false assumption that displaced risk is managed risk. The “one throat to choke” meme simply says to vendors “you have the risk and if you mess up, we’ll choke you into improvement.” Maybe it’s just me, but I find this all sort of Neanderthal-ish. I thought our cerebral cortex was capable of more nuanced thought than this.

Another metaphor that is similar in its direct opposition to “one throat to choke” is the much older “don’t put all your eggs in one basket” meme. Personally, I think the “one throat to choke” meme has been given wings by large vendors to supplant “don’t put all your eggs in one basket” meme. Nice aikido move if you ask me.

But replacing one bad metaphor with another doesn’t make for good risk management. In the interests of adding something useful to the current bar talk, I offer the following thoughts.

• Displaced risk isn’t really reduced. It is more often temporarily ignored. If a firm assigns risk to one vendor but does not actively co-manage that risk with the vendor, that risk will come back bigger and badder than before. Ignored risk is like toxic waste. The longer it goes undetected, the worse it silently gets.
• Risk can be monetized. If risk is displaced to a third party, the third party is entitled to some financial gain for managing that risk. Conversely, if the firm gets assigned the risk, it is entitled to some price reductions (or other suitable form of consideration) for managing the risk.
• Some risk can’t even be displaced. Despite all this talk about monetizing and assigning risk, firms have to understand who is the chicken and who is the pig (that is, who gets inconvenienced and who gets slaughtered) in the deal. If the firm assigns the risk to the “one throat to choke” vendor but still bears dire consequences if the vendor fails to deliver, choking the vendor may not help. Having a dead vendor and a failed solution isn’t comforting to anyone, it’s called a tragedy. Our job is to avoid tragedies (unless one finds entertainment value in them).
• Bigger is better. In the land of IT, vendors pay more attention to larger customers. Reducing the number of vendors to a smaller set can often create a greater profit potential for the vendor. This can better align vendor and firm goals. Consolidating vendors along this line of thinking is not a bad strategy.
• Less can be more. But, in the land of IT, firms that can adroitly manage their supply chains well will have more flexibility than firms that require “one throat to choke.” IT shops that can manage this complexity (more niche vendors) are probably superior to those that need to resort to simpler vendor management techniques. Why? Because they probably have a well-orchestrated set of activities regarding complex vendor management. IT shops that can manage greater complexities can help their firms manage complex competitive environments.

While I may dally with either a “best of breed” or a “one throat to choke” approach regarding my IT supply chain, depending of course upon the circumstances, I am haunted by a remark a wiser and older retired CIO once said to me about the “one throat to choke” strategy.

Who is choking whom?

“Town Meeting” - Open Conversation on State-of-the-Art Agile

by Michael Mah, Senior Consultant

I’m a storyteller by heart, which is why I so enjoy the work that I do. Not only my own stories, but exciting stories about what other people have experienced in life and work, which I’ve been privileged to share with them as a consultant.

My last Cutter webinar was about telling stories from 5 companies implementing Agile methods. Two in particular achieved remarkable results from their work; they are Follett Software in McHenry IL and BMC Software in Austin TX. That webinar along with another that I delivered on industry productivity patterns was among the highest attended in the Cutter series. My sense is that it’s because both contained really interesting stories.

On Thursday February 14th (Valentine’s Day :), I’m going to let two articulate and skilled managers from these remarkable companies tell their own stories - on the web. From the responses garnered from the last two Cutter webinars that featured them, it seems appropriate to let them speak directly to YOU. You’ll learn how they did it, unedited and unrehearsed, as they say.

So we’re going to hold a special “town meeting” - an open chat with our featured guests. Consider this an invitation. I get to play “Charlie Rose style PBS-talkshow host,” and start the conversation with Kim Wheeler of Follett and Mike Lunt of BMC. Both of them have assembled high-performance teams that are hitting the highest quality and the fastest schedules I’ve measured for software development (using the QSM SLIM technologies) on Agile XP and SCRUM methods. And although I know a little bit about what they’ve put together, they can tell it in more detail - in person!

But aside from the technical side of their experiences, you’ll hear about the people side; that is, what did it take to create a working environment that not only pleased the company by the productivity and economic results they achieve, but how it became the kind of workplace that people feel proud to be part of. The last time I was at Follett, you could see and feel the energy among the staff. They were really enjoying working together.

So if any of you who joined us last time would like to “meet” Kim and Mike directly and hear more, we’ve got another exciting event planned. Below you’ll find the official write-up from the Cutter website and the link to register. You can sit from the comfort of your own chair, ask Kim and Mike (or me) questions directly, and listen to what they have to say. I’ve learned a LOT from hearing them, and I hope you do too.

[And if you missed the either webinar but would still like to sit in, you can click on a special link that’s been opened to let you view the previously recorded session at your convenience.]

Cheers, Michael

——————————-

Cutter Consortium “Town Meeting”

After each of Michael Mah’s recent Cutter Consortium webinars, in which he described the remarkable productivity and quality numbers that have been achieved by several Agile development groups, we received a large number of follow-up questions. That’s why we decided to invite you to an “open mic” opportunity on February 14 at 11:30am EST, exclusively for people who participated in, or registered for and was unable to attend, one or both of those webinars. It’s your chance to direct (more) questions to Michael Mah, or to ask BMC Software’s Mike Lunt or Follett Software’s Kim Wheeler just how they were able to achieve among the fastest time-to-market and lowest defect patterns measured in recently recorded software development.

Join the conversation between Michael Mah, Kim Wheeler and Mike Lunt as they describe how they accomplished their remarkable transitions to agile software development. You’ll get a behind-the-scenes look at how each of these organizations achieved both management and team buy-in to create industry-leading, cutting-edge software development “ecosystems.”

And then, after Kim and Mike answer Michael’s brief questions, we’ll open the phone lines up to you, so that you can join the conversation and ask questions as part of this “town meeting”. Or, if you prefer, ask your questions via Chat. Come join us for this special session — unedited and unrehearsed!

To register, click here.

“An Agile Metrics Chat” is added as a continuation of Michael’s recent Cutter Webinars: “Compared to What? A Look at Application Development Benchmarks” and “The Impact of Agile on Productivity at Five Companies.” To review/re-play these webinars, just log in at www.cutter.com/project.html.

Cyberflexing: What we’re in store for in 2008

by Mark Seiden, Senior Consultant

In the last year or two, I’ve become very interested in cyberflexing. Because I’m a member of a National Academy of Sciences study (in progress) on the subject of “Ethical and Political Implications of Offensive Information Operations,” I must mention that what I’m saying here are personal opinions on many of the issues and not conclusions of the study group.

Some of the bigger unsolved issues in these areas include:

• The botnet problem

Why can botnets be so easily assembled? Mainly because there are bazillions of unpatched Windows machines on always-on connections, and everyone with a clue disclaims responsibility for them. “Unpatched” means they have known, exploitable security vulnerabilities and can be abused by kiddies running scripts prepared by their more intelligent peers.

Many of those machines can never be patched because Microsoft has walked away from fixing flaws in old versions of Windows and has not opened up this unwanted business opportunity to others (say, allowing partners to produce patches). Microsoft has also so far managed to dodge the product liability issue. Microsoft’s purported solution to this problem is the product Windows Vista Starter, which is sold only in emerging markets. (In their defense, many of these machines are running bootleg copies of Windows.) Those attractive nuisances will be with us until their hard drives fail (the first time I can recall bemoaning the high reliability of disks).

The ISPs, who are in the best position to find and contain the problem, have neither a business model nor legal responsibility to contain these nuisance machines, even when they are made aware of a problem. Mostly, they hunker down into self-serving “carrier mentality,” pretending to allow all machines to send any packets to all machines on the Internet when it’s in their business interest to do so. (They have mandatory responsibilities only after becoming aware of child pornography and intellectual property infringement.) In some cases, they do worse than turn a blind eye: they create the problem by putting equipment at each customer site with weak security, such as routers with default passwords; this allows the routers to be reconfigured so evil (or unwanted) traffic can be directed through the routers to targets and will thus be more difficult for the target to filter out.

When we were in junior high school, and our Bart Simpson-esque friends thought making prank phone calls was hilariously funny, their parents would eventually get a call from the Nuisance Call Bureau at the Phone Company, threatening to turn off their service if it didn’t stop. If only there were such a thing for Internet nuisances. It’s like the automotive age before emission controls, when machines could spew black smoke in unlimited quantities and there was no framework to address the issue: Nobody to complain to, nobody who can issue a “fix-it” ticket ordering the machine “off the road” until it’s fixed. No registration of the machines (except the Windows Genuine Advantage stickers, which do not generally benefit society; in some repressive regimes, communications devices are registered). No licensing for drivers; they don’t need to know anything about safety and responsibility to operate these nuisances. No insurance to repair the damage the machines cause to others.

And then there’s:

• The attribution problem: just because a denial-of-service attack is coming from Chinese IP addresses doesn’t mean it’s the Chinese government attacking.

It might be “patriotic hackers,” who are tolerated or supported in many countries. But it might be two teenagers in Romania, who have assembled a giant botnet out of weak machines, many of which happen to be in Chinese IP space, using easily available kits. Maybe striking back won’t hit your true attacker, but some other victim, maybe a university or a hospital.

It’s the Wild West, but there’s not even a sheriff who’s going to clean up the town. Law enforcement is (overall) technologically challenged and points to jurisdictional problems (many of the attackers are in those emerging markets). Pick up the phone, dial 911, and say, “Man with a gun at location X,” and the SWAT team shows up in 10 minutes. But if you say, “Million site botnet at <list of IP addresses>,” you get a much different response.

So when are we (personally; on the enterprise level) permitted to strike back when hit? Unfortunately, the answer seems to somewhere between “it depends” and “unclear.” There’s nobody of whom to ask permission, so you may be relying on prosecutorial discretion.

Much of the relevant self-defense case law involves situations where women are threatened by abusive partners and defend themselves. Some of the traditions in computer abuse law treat offenses as “trespass” rather than “nuisance.” When you ask a lawyer for advice (and you should), they are very likely to advise you (if they even understand the question) that taking many actions might be risky.

In conclusion, I’ll just say it would be safe to predict that the coming year will be some combination of “The Year of Living Dangerously” and “The Year of Being Pecked to Death by Ducks.”

• del.icio.us
• Digg
• Furl
• Netscape
• Yahoo! My Web
• StumbleUpon
• Google Bookmarks
• Technorati
• BlinkList
• Newsvine
• ma.gnolia
• reddit
• Windows Live
• Tailrank

E-mail It

• To Address:
• Your Name:
• Your Address: