
What to make of Heartbleed? 10 Apr 2014

Posted by Tony Law in Impact of IT, IT is business, IT marketplace, ITasITis, Social media, Tech Watch, Technorati.

I watched the BBC News report last night about the security hole in OpenSSL. With its conclusion that everyone should change all their passwords, now … and the old chestnut that you should keep separate passwords for every service you use, never write them down, and so on. Thankfully by this morning common sense is beginning to prevail. The Guardian passes on advice to check if services have been patched first, and offers a link to a tool that will check a site for you.

First, as they say, other Secure Socket Layer implementations are available. While a lot of secure web connections do rely on OpenSSL, it’s not by any means universal.

Second, as always, dig behind the news. As Techcrunch did. This is the first vulnerability to have its own website and “cool logo”; this was launched by Codenomicon in Finland, which started by creating notes for its own internal use and then took what it calls a “Bugs 2.0” approach to put their information out there. I remember doing something similar way back in Year 2000 days. Incidentally, the OpenSSL report (very brief) credits Google Security for discovering the bug. It also identifies the versions which are vulnerable. (There’s a note there that says that if users can’t upgrade to the fixed version, they can recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS which, I’m guessing, gives a clue as to the naming of the bug.)

If you want real information, then, go to Heartbleed.com. The Codenomicon Q&A is posted there. In brief: this is not a problem with the specification of SSL/TLS; it’s an implementation bug in OpenSSL. It has been around a long time, but there’s no evidence of significant exploitation. A fix is already available, but needs to be rolled out.

What was clear, too, is that the BBC reporter (and some others) don’t understand the Open Source process. The Guardian asserts that “anyone can update” the code, and leads readers to suppose that someone can maliciously insert a vulnerability. Conspiracy theories suggest that this might even be part of the NSA’s attack on internet security. But of course that ain’t the case. Yes, anyone can join an Open Source project: but code updates don’t automatically get put out there. Bugs can get through, just as they can in commercial software: but testing and versioning is a pretty rigorous process.

Also, this is a server-side problem, not an end-user issue. So yes, change your passwords on key services that handle your critical resources if you’re worried, but it might be worth, first, checking whether they’re likely to be using OpenSSL. Your bank probably isn’t. There’s a useful list of possibly vulnerable services on Mashable (Facebook: change it; LinkedIn: no need; and so on).

And what do you do about passwords? We use so many online services and accounts that unless you have a systematic approach to passwords you’ll never cope. Personally, I have a standard, hopefully unguessable password I use for all low-criticality services; another, much stronger, for a small handful of critical and really personal ones; and a system which makes it fairly easy to recover passwords for a range of intermediate sites (rely on their Reset Password facility and keep a record of when this has been last used). But also, for online purchases, I use a separate credit card with a deliberately low credit limit. Don’t just rely on technology!

Links:
• Heartbleed, The First Security Bug With A Cool Logo, TechCrunch, 9 Apr 2014
• Heartbleed bug, website from Codenomicon (Finland) – use this site for onward references to official vulnerability reports and other sources
• OpenSSL project
• The Heartbleed Hit List, Mashable, 9 Apr 2014
• Heartbleed: don’t rush to update passwords, security experts warn, Alex Hearn, The Guardian, 9 Apr 2014
• Heartbleed bug: Public urged to reset all passwords, Rory Cellan-Jones (main report), BBC, 9 Apr 2014
• Test (your) server for Heartbleed, service from Filippo Valsorda as referenced in The Guardian. I’m unclear why this service is registered in the British Indian Ocean Territory (.io domain) since Filippo’s bio says he is currently attending “hacker school in NYC”. On your own head be it.

Facebook at 10, Microsoft at 40 5 Feb 2014

Posted by Tony Law in Cloud, Impact of IT, IT is business, IT marketplace, ITasITis, Managing IT, Social media, Technorati.

OK, a slight stretch for a snappy headline but these have been two lead stories in the last few days.

Others will comment with more depth and more knowledge than I can on either Facebook’s tenth anniversary or the appointment of Satya Nadella to succeed Steve Ballmer (and, of course, Bill Gates) at the head of Microsoft. But I was remembering, quite a while ago now, a META Group event in London when the Web was just arriving and disintermediation was a new word. The speaker took a look at the banking industry, with new on-line start-ups starting to eat the lunch of the established financial institutions.

The point was this. The new entrants invested, typically, in just two things: infrastructure, and software development. Existing players had institutional weight; they had enterprises to keep in existence with all the corporate overheads that accumulate over time, with shareholders and stockmarket expectations and dividends. They needed to cut costs to compete with the new lean players. And (doesn’t it still happen?) they would target the IT budget. So the area of investment which differentiated their new competitors was precisely where they were dis-investing.

Microsoft is fast approaching 40. It’s a solid, established player with corporate overheads, strategies, shareholders. Is it still as lean and sharp as the company which turned on a sixpence (a dime, if you’re American; a 5p piece for the youngsters) when it “got” the Internet and realised that MSN and AOL were not going to be where most of the traffic went? Enter Internet Explorer, competing with Netscape; and the rest is history.

Well … we can look at areas in the recent past where that hasn’t been repeated. Smartphones? A lot of Windows phones have been sold, but Android and iPhone are the big players, and an Office 365 subscription gives access to Office mobile software on these platforms as well as Windows. But on the other hand: Office 365 is a good model, for both consumers and Microsoft, because it converts intermittent capital costs for what is still essential software into predictable operational costs. And while capital versus operational is the language of the enterprise, where Microsoft’s heart arguably is these days, the concept works for individual licences. There are undoubtedly challenges, but a CEO with an Indian background may have the right insight and vision to work round all that unavoidable corporate baggage.

What about Facebook? Facebook has got to the stage where it is acquiring the corporate baggage (shareholders and so on). It’s had to face up to public perception, particularly over issues like personal online security. Both companies now find themselves covered in the main news sections and financial pages, like any other corporation, rather than only in geek-tech reporting. They’ve gone mainstream.

So Facebook has new competitors in the social media space, sharper and newly innovative where Facebook is unavoidably solidifying. Microsoft is in a stable, continuing enterprise market which it understands; it appears not to understand the consumer market so well. Facebook is in precisely that consumer market, although a lot of enterprises use it to communicate with their own consumers. It’s a fashion market. What’s coming next? And how can Mark Zuckerberg stay ahead of the game?

No links here; just a personal opinion, and you can find lots of links with some easy searching!

Business Process Improvement 17 Sep 2013

Posted by Tony Law in Impact of IT, IT is business, ITasITis, Managing IT, Technorati, Uncategorized.

Working for GlaxoSmithKline IT, after the 2000 merger, developed my familiarity with business process improvement (small letters) and with Six Sigma methods and metrics. I would never call myself an expert. Routine training was to Green Belt level, without taking the qualifying exam, and I don’t have the instincts which make a leading practitioner able to pick the right tools to adopt for any specific need.

But it taught me a lot, which can be applied well beyond IT. First: as a previous CEO used to say, “If you don’t keep score, you’re only practising”. So, to drive and verify an improvement, you need metrics. But pick the right ones, which will show you where you are. Establish your baseline before you start doing anything. Use the metrics to demonstrate the change (you hope!). And when the improved process has reached the status of business-as-usual, you can probably drop the measure. It’s no longer needed.

Second: a saying that was drummed into us. “Don’t tinker!”. Don’t make changes on the basis of “I think …” without the analysis. Don’t over-react to one-off incidents: processes have variability, and some outliers will happen naturally.

And third: develop and demonstrate your own (internal IT) understanding and improvements before you try to work with the rest of the business. IT has, perhaps, a unique overview of what goes on across the company, and is almost always a participant in any business improvement project. So there’s good leverage there: but you have to gain credibility first. It takes a lot to get to the point where, when a business leader asks for an IT development, you can say “Why? What improvement are you driving? Who will own it? How will you measure it?”

Well: tomorrow I’m facilitating a Corporate IT Forum event on Business Process Improvement (BPI). I’m expecting the twin threads of, first, identifying and improving IT’s own processes; and, second, putting that experience and expertise at the service of the business as a whole. Where are the sources of information and analysis?

Gartner have a Leaders Key Initiative on BPI. The overview, as recent as July this year, has a natty graphic showing the BPI practitioner as a juggler (operations, transformation, skills, technology and innovation) under pressure from both business and technology forces. They offer a number of tools for maturity assessment “across IT disciplines” (what about the rest-of-business?); key metrics (that’s IT spending and staffing, not how to measure a process); and best practices across several competencies. It seems, though, towards the end to lapse back into business process management (BPM) not BPI.

There isn’t a lot in the Gartner blogs, but a useful post from Samantha Searle earlier this year challenges us to avoid the word “Process” (unless your business-side colleagues are process engineers or in manufacturing). That kind of gels with the observation that Gartner probably, under the covers, maintain an IT-oriented focus, because Process is very present in the key initiative!

Similarly I don’t find a great deal in Forrester specifically around BPI. But there’s a stronger focus on the interplay of IT expertise and whole-business improvement. A recent report, for example, discusses the shift from “a tactical process improvement charter” to a more strategic role across the enterprise. This requires a plan “for optimizing the BPM practice to deliver on new strategic drivers and business objectives”. That sounds more like it.

Interestingly, a search collected a link to Cambridge University which I expected to be to the business school or computer science. But it’s to their internal management services division with a one-page (one-slide, really) graphic and definition of BPI. Take a look. But the Judge Institute of Management Studies does indeed have a Centre for Process Excellence and Innovation, also worth reviewing.

There’s a lot of material you can find by searching. Too much to survey. Assess with care!

Links:
• Business Process Improvement Leaders Key Initiative Overview, Gartner, 25 Jul 2013 (search Gartner for ID:G00251230)
• 10 New Year Resolutions for BPM Practitioners #2: Don’t Mention the “P-word …, Samantha Searle, Gartner blogs, 8 Feb 2013
• Optimize Your Business Process Excellence Program To Meet Shifting Priorities, Clay Richardson, Forrester report, 6 Jun 2013
• Business Process Improvement, University of Cambridge, Management and Information Services Division (undated)
• Centre for Process Excellence and Innovation, Judge Institute, University of Cambridge

Working with others (2) 2 Jul 2013

Posted by Tony Law in Impact of IT, IT is business, ITasITis, Social issues, Tech Watch, Technorati.

On Thursday (4th July) I’m facilitating a Corporate IT Forum event called Collaborating with Third Parties (the working title, reflected in its URL, was “Beyond the Firewall”). As it happens this is something I have ideas about. I’ll need to work quite hard not to impose them on the group, since it’s the group’s shared learning that’s important.

Quite a long time ago now, a group of us in BP’s long-disbanded IT Research Unit worked with Imperial College, AEA Harwell (as it was), ICL (remember the British computer company?) and, in due course, many others looking at management architectures for widely distributed systems. That’s to say, where components developed by and hosted by different organisations came together to comprise composite systems which did useful work. In the late 1980s this was not a well understood way of doing applications.

In today’s Internet-enabled world, third-party components are everyday reality. Any vendor who accepts credit card transactions over the Internet, for example, may create their own payment system: but they may equally well wedge in a widget from someone else, who understands and has resolved the issues around payment protection and the compliance and standards embodied in PCI. Whoever processes their payments is almost guaranteed to then invoke either Mastercard or Visa’s online verification service. That payment, then, passes through at least two and probably three different systems before the vendor collects their money. No one organisation has responsibility for the overall system. And it doesn’t matter if you’re an organisation the size of Amazon, eBay or Tesco: when you need a card transaction verified, you don’t have a serious say in how this is done. You interface to Verified by Visa, and you do it their way or not at all.

None the less if you’re Amazon or, in the USA, WalMart, you do have a lot of clout. And if you want to do online supply chain stuff with WalMart, again, however big you are as a multinational global supplier, you do it their way.

These kinds of interactions are not equal-handed. One party dominates. I wouldn’t, myself, call these interactions collaborative.

Here’s the other model. In the oil industry (back to BP again) joint ventures are commonplace. You set up a joint operating company, quite likely, with its own capital and operating and management structures: but you want to share expertise and experience and decisions even-handedly so the JV needs to draw on both companies’ information. This doesn’t happen if one of the companies puts its arm round its geology information, for example, and refuses to let the other see it.

More subtly, it doesn’t happen if one company insists that data from the JV is stored in my data centre on my servers and access is controlled by my LDAP directory. It may be stored in your data centre on your servers because that’s the best place. But you have at the least to trust your partners to have access as easily as your own people. They must also be able to decide who, from their side, is allowed access: and preferably to just set it up without referring to you.

It’s similar to what Euan Semple says about conversations. He quotes David Weinberger to the effect that “Conversations only happen between equals”; and he elaborates this. “If two people are not prepared to see each other as equal, at least for the duration of their interaction with each other, then what they are having is not a conversation”.

It’s the same for a collaborative relationship. If you want to decide whether a relationship is truly collaborative: I think this is the same as asking whether control is symmetrical. If you were in their place, and they in yours, would you be able to work in the model you’ve set up?

If I’m wrong about this, I’ll find out on Thursday. What do you think?

Links:
• Collaborating with Third Parties, Corporate IT Forum workshop, 4 Jul 2013
• Euan Semple (2012), Organisations don’t Tweet, people do, John Wiley, Chichester. Page 110 ff.
• PCI (Payment Card Industry) Security Standards: the PCI Security Standards Council
• Working with others (1): feeling pleased with myself (ITasITis, 1 Jul) was about something quite different!

Facebook faces up: whose reputation? 30 May 2013

Posted by Tony Law in Impact of IT, IT is business, ITasITis, Social issues, Social media, Technorati.

Facebook made the mainstream news again last night. Behind the news there’s an interesting twist.

In brief: Facebook is being forced (as the commentators put it) to face up to issues of inappropriate and inflammatory comment being posted on its open platform. In the early days of the internet (think Newsgroups) or of the Web, anyone could put anything up. Communities like newsgroups or conferencing sites were largely self-policing. Now, with the development of case law and some explicit regulation, it’s not such a free-for-all.

Facebook mirrors this. In many ways, for some people, Facebook is the Web. Its un-policed, self-regulated, relatively small caterpillar has become a free-flying butterfly (is that a good metaphor?) where it has millions of users, representing a wide variety of (mostly legitimate) points of view, different cultures and so on. It’s taken a while for the management of a multi-billion public company to realise they have to exercise responsibility.

OK, so far, so obvious. But the interesting thing to me about last night’s news item was that the pressure has come, specifically, from advertisers. In the Web world we’re used to thinking of advertisers as a necessary intrusion; they pay for our Google searches, our online news (paywalls apart), most of our “free” services. But here, it’s the advertisers that have forced Facebook to take notice. No, said the Nationwide Building Society (and others), we will not take the risk of our brand appearing alongside this kind of stuff.

As the BBC report says, the Nationwide action went public on Twitter. Looking at the Twitter feed for @asknationwide, on 25th May, it appears they received a large number of tweets relating to ads being displayed alongside offensive content. One tweet to @everydaysexism says “It is not our intention for our ads to appear on pages like this. We will report this page to Facebook and suspend our ads”, and they did just that.

Whoever thought that damage to brands could become a force for positive change?

Links:
• Sexism campaign: Facebook learns a lesson, Rory Cellan-Jones, BBC Technology, 29 May 2013
• Facebook bows to campaign groups over ‘hate speech’, BBC (Dave Lee and Rory Cellan-Jones), 29 May 2013
• BBC news video, 29 May 2013
• Twitter: @askNationwide and @everydaysexism (look here for other news links)

Business Continuity, Olympic style 12 Apr 2012

Posted by Tony Law in Impact of IT, IT is business, ITasITis, Social issues, Technorati.

People are beginning to talk about “keeping business running in London during the Olympics” or words to that effect. I’ll try and track some of the most helpful commentary.

The Olympic planners themselves highlight the key issues. Of course the effect will be at its greatest close to the venues, but these are quite widely scattered across London and beyond. Nor is the impact limited to those areas:

  • travel: there will be perhaps millions of additional people in, and travelling to and around, London. Event start times may mean additional travellers in the rush hours. Transport networks will be re-organised to service the games, meaning disruption to normal travel patterns
  • logistics: deliveries into or from, or transport through, London will see challenges
  • communications: there will be significant additional load on communications networks which might lead to overload and failures in other areas
  • accommodation: will be scarce and probably more expensive than usual
  • staff: people may be on leave (escaping, or, because they want to attend events or are volunteering), or, on shorter timescales, giving attention to reports of high profile events as they happen
  • and don’t forget that however good the preparation there is always the possibility of a high profile security incident which would cause disruption very widely

Suggestions, and commentary, are beginning to emerge. What’s striking me is that we’ve been here before: not in relation to the Olympics, clearly, but with other situations where travel and normal business patterns might be disrupted. Ash clouds. Bird flu. And so on.

So, what are the recommendations being re-invented? For the people issues, some clear short-term ones such as don’t arrange meetings during the Olympics which involve lots of people travelling to, and needing accommodation in, the London area. See if working patterns can be changed to stagger travel. And do check out the events at the out-of-London venues too. Expect that, for those who do need to visit, accommodation expenses will increase. Book travel as far ahead as possible.

But (this is an IT blog) once again the discussion focusses on alternatives. Use online technology to support distributed meetings: much more a way of business-as-usual than it was, for example, ten years ago at “9/11”. In fact, where I worked, it was 9/11 that kick-started the use of distributed meetings: not just from the security angle, but because the number of people out of place that single week highlighted just how much the company was spending on travel.

Encourage and support staff working from home, to circumvent commuting disruption: we had that one with the bird flu scare, and one of the key questions was whether the company’s inbound connectivity was adequate. Another, not immediately obvious, is whether the public infrastructure (which in residential areas won’t have been upgraded to support the event) is up to the increased load being placed on it. We’re a lot further on than even a couple of years ago in understanding different ways of enabling business activities to use personal technology, but staff likely to work from home may still need to be provided with additional services or facilities too.

Here are a number of references and events.

First, check out the Olympic organisers’ own business continuity information, planners and tools. London 2012 online has an extensive Business Network section highlighting both opportunities for businesses to get involved and the continuity challenges. Track through to Preparing your Business, or download (PDF) Preparing your Business for the Games.

The CMA (part of the BCS these days) is hosting an event on the afternoon of 16th April focussing on the comms issues: Managing Your Business During the Olympics will include fixed line, mobile network and data centre providers and an ISP.

I’ll seek more, but the major (global) analysts not surprisingly don’t have much. In the meantime I’m off cycling in France along the Avenue Verte Dieppe-Forges (posting in French – sorry!), so I’ll extend this post next week.

Tech trends for 2012: who thinks what? 6 Jan 2012

Posted by Tony Law in Cloud, Consumerization, Impact of IT, Insight services, IT is business, IT marketplace, ITasITis, Managing IT, Social issues, Social media, Tech Watch, Technorati.

It’s the time when insight services are awash with predictions for the coming year. I’ve been having a look or, where possible, a listen to a few.

Did you see a recent Forrester announcement? In line with their own recommendations, they’ve replaced the CIO post with a Chief Business Technology Officer. With hindsight I’m surprised it’s taken this long; “Not IT but BT” has been a Forrester theme for several years now.

Another place where I’ve seen the Business Technology tag used is in McKinsey’s quarterly newsletter. Their Business Technology office has just reported their sixth annual technology survey. According to the newsletter, “executives say their companies are boosting IT spending and adopting new technology platforms to support innovation”. McKinsey see a significant challenge to IT: “Aspirations—and current expectations—for IT have never been higher”.

Here are a few other pointers.

IDC Insights believe the CIO’s 2012 agenda will be shaped around the “Four Forces” (Cloud, Mobile, Social, and Big Data). I’m registered on their webcast (10th Jan: free) to hear more. Yankee Group also offer a focus on mobility. Their focus is on the market for devices, but their research speaks also to the corporate buyer strategist when they see an even smartphone market between Android, iPhone and BlackBerry. Oddly, though, they refer to the Bring-Your-Own market but don’t have a focus on tablets. They do, though, see both personal Cloud services and HTML5 becoming important in the coming year.

Gartner, of course, have created their swathe of Predicts 2012 content. Of course, most of it is client-only access. But the front page of Predicts 2012 includes a 15-minute podcast from Darryl Plummer. He highlights the same four areas as IDC (except he says “Information” instead of “Big Data”). It’s worth listening to Darryl; he’s quite listenable-to.

Significantly, Gartner’s highlighted report for the IT community is titled “Gartner’s Top Predictions for IT Organizations and Users, 2012 and Beyond: Control Slips Away”. You almost don’t need to read the report; but there’s a useful summary by Peter Galen at Infosec Update. Corporate control of users’ IT assets has been useful, but is now increasingly a myth. Seems like Gartner are saying that this year is the year it will reach tipping point. But, listening to Darryl speaking in this area, I did rather wonder “What took you so long?”

IBM, in their “5 in 5” (five trends in five years) take the argument a step further and look beyond the WENA (western Europe/North America) corporate market. Thanks to Basex for the alert to this, but I’m not entirely clear that Basex is looking at the same report. Their focus on mobile devices is on the super-smart, not on the abolition of the digital divide. Worth a look, to lift your eyes beyond the immediate page.

Finally, Ray Wang (now at his own Constellation Research) highlights “10 Mega Business Trends To Watch For In 2012”.

Perhaps the key one, for IT, is “Keep consumerisation of IT enterprise class”: in other words, ensure the right balance between enablement and discipline. Here’s a world-class statement of the issue: If IT is too strict, business fails. If business fails to have a level of discipline in technology adoption, IT can not keep up with the lack of standards and scale. Ray sets this in the context (and there’s a timechart) of the change from transaction to engagement as the basis for business. There are comments for innovators, and for those who are scared to innovate.

Happy New Year!

Links:
• Forrester Research Names First Chief Business Technology Officer, Forrester Press Release, 5 Oct 2011
• A rising role for IT: McKinsey Global Survey results, McKinsey Quarterly, Dec 2011
• IDC Insights 2012 Predictions: The CIO Agenda, IDC Insights, 4 Jan 2012, in IT Governance and Executive Strategies. For the webcast (10 Jan), the registration link is at the foot of the page.
• Register and download 2012 Mobility Predictions: A Year of Living Dangerously, Yankee Group, Dec 2011
• Predicts 2012: Gartner; summary at Infosec Island, Peter Galen, 3 Jan 2012
• IBM the next 5 in 5, see also Basex Tech Watch
• 10 Mega Business Trends To Watch For In 2012, Ray Wang, Constellation Research

Links for PCI DSS 8 Nov 2011

Posted by Tony Law in Impact of IT, IT is business, ITasITis, Managing IT, Tech Watch, Technorati.

I’m facilitating a workshop next week on PCI DSS and as usual here are some of the links I’ve identified, including some recent enforcement casework.

For the uninitiated: PCI is the Payment Card Industry and DSS is its Data Security Standard. PCI is an international body, and the standards are effectively set by the “acquirers” – that’s PCI-speak for those bodies such as card issuers and banks who “acquire” the transactions and transfer money.

National information security requirements are very much to the fore too. In the UK the Information Commissioner’s Office (ICO) recently took enforcement action against Lush, the cosmetics firm, and their press release uses that case to emphasise that organisations must implement PCI DSS, or some equivalent standard, in order to meet the basic requirements for compliance. This issue was resolved by an undertaking from Lush, but ICO information outlines all the enforcement options and potential penalties.

Compliance to standards doesn’t replace the need to understand potential vulnerabilities, not least when using embedded page elements that can be hijacked!

Glossary:
PCI – Payment Card Industry
PCI DSS – PCI Data Security Standards
CSRF: Cross-Site Request Forgery
IDS : intrusion detection system
IPS: Intrusion Prevention System
ISA: Internal Security Assessor
QSA: Qualified Security Assessor
ISO: Independent Sales Organisation (in this context!)

Links:
• PCI SSC Data Security Standards Overview, from PCI Security Standards Council
• ICO warns retailers to implement PCI-DSS or face “enforcement action”, Security Vibes, 12 Aug 2011
• Online security must be a priority for retailers, says ICO, ICO Press Release, 9 Aug 2011
• Taking action: data protection and privacy and electronic communications, ICO information (including a list of recent prosecutions)
• PCI DSS: An Acquirers guide for PCI Compliance Best Practices, from the PCI Compliance Guide (an independent PCI source)
• Cross-Site Request Forgery (CSRF), information from the Open Web Application Security Project (OWASP)

McKinsey ask: How strategic is our technology agenda? 3 Nov 2011

Posted by Tony Law in Impact of IT, IT is business, ITasITis, Managing IT, Technorati.

McKinsey Quarterly poses this question in the latest issue with some case study information. The fundamental issue is an old one: the IT budget being spent on maintenance, with smart investment being what gets squeezed out. But the illustrations suggest ways to move forward. It’s not the old “Align IT with the business” mantra, which still starts from the assumption that IT somehow is outside and separate from “the business” and that the disconnect is IT’s problem.

This article admittedly starts by profiling a dysfunctional CIO who doesn’t understand the issue. But it looks at the issue from the whole business perspective – that is, the CEO’s. It shows how investment can be viewed, even when it’s core infrastructure that’s at issue; it talks about benchmarking capabilities against non-competitive industries, not just competitors; and highlights some of the perceived wisdom which can, sometimes, be plain wrong and a distraction from the real challenges.

How strategic is our technology agenda? McKinsey Quarterly, Oct 2011

Green IT; encountering Connection Research 1 Nov 2011

Posted by Tony Law in Impact of IT, Insight services, IT is business, IT marketplace, ITasITis, Managing IT, Social issues, Tech Watch, Technorati.

Connection Research is an Australian insight service focussing on sustainability issues. I know of them – they’re in the InformationSpan database – but this encounter at the Green IT event is the first chance I’ve had to hear from a key person; in this case, William Ehmcke the CEO. It’s another META Group spin-off company; William, it appears, led META in Asia-Pacific until it was acquired by Gartner in 2004.

This is an as-it-goes blog, plus a bit of later tidying up.

Connection reckons to work from real data, determining metrics and developing benchmarks. Their areas are: communities; green IT; the built environment; and carbon/compliance (Australia is about to introduce carbon pricing, around A$23/ton).

Connection also recognises “green fatigue” and “greenwash”; but broader issues are gaining prominence for PR; from regulation; or for financial reasons (direct, or indirect because of brand and reputation issues). There’s a perfect storm of issues, because the rise of “big data” is increasing demand; transparency is being demanded; energy security is a rising issue (in Australia as in the USA, though not so much in the UK); and simple cost.

Connection has helped to develop an ICT Sustainability framework and index, with academic partners, across: equipment lifecycle; end user computing; enterprise & data centre; and IT as a low-carbon enabler. Essentially, in this, is the same distinction as in Simon Mingay’s presentation: doing IT green, and enabling green business by IT. He recognises Bring Your Own plus mobility as a sustainability strategy – it creates fundamental savings and helps reduce the need for permanent facilities on the current scale.

The Fujitsu Global ICT Sustainability report, published Sept 2011, surveyed 80 different areas. It appears that results on the IT Sustainability Index (ITSx; see Connection’s website for more information) have generally regressed recently, and this isn’t a drag effect from emerging economies in China and India. Within the detail, it’s interesting that Government is ahead of the across-sector average index. Surprisingly, brand reputation is driving some “dirty” industry (e.g. mining) up the stack. Nationally, Canada is the leader and the UK second; regulation has been driving this market; and few markets excel in all the sectors.

Ehmcke highlights the major slip in the ITSx for Professional Services; odd, because these industries have only buildings, people and intellectual property. They ought to be easily able to excel; but they don’t, and have slipped relative to 2010 as has, more understandably, manufacturing.

In response to a question: an interesting national measure is GDP value per unit of carbon emission, where Japan leads the way (though not included in the Connection stats; the survey wasn’t done because of the tsunami). Ask how much carbon your enterprise uses per $million of revenue … the use and development of effective metrics is falling back and, without data, action is impossible. Over half the CIOs surveyed have no idea about their IT power consumption, for example.

In response to another question: a point was made that sustainability, in many corporations, is handed to Risk Management (even where there’s a Sustainability Officer), because it’s seen as being about compliance and a holistic view isn’t taken.

A couple more questions, and then a quick outline of the Foundation for IT Sustainability, and the new Green IT Fundamentals course based on licensed training material from Connection, linked to CompTIA, and supported by the Global e.Sustainability Initiative. A useful presentation; the emergence of training, metrics, and certifications is important and the topic was expanded in a presentation from the BCS which I haven’t blogged.

Links:
• Connection Research
• ICT Sustainability: Global Benchmark Report Reveals a Lack of Visibility of the ICT Energy Bill Has Delayed Success, Fujitsu Press Release, 21 Sept 2011: headline summary, with link to obtain a copy of the full report
• Foundation for IT Sustainability (FFITS)
• Global e.Sustainability Initiative (GESI)

Related posts:
• A Gartner perspective on Green IT
• Green 3: Andy Lawrence of 451
