MORE ENTRIES
- Another take on opening PCs, or not
- Getting some process going
- Selling a more open environment to management
- Running an effective meeting
- Licensing rules for virtual machines
- The ROI of metrics
- Legal challenges to virtual machines
- Are weekly status reports a good idea?
- More on whether or not to open up PCs
- And now, time for some self-indulgence
Advice Line | Bob Lewis »
March 2008
Another correspondent weighs in on the lock-or-not-lock debate - Bob
Dear Bob ...
I'm not sure that workers downloading "stuff" on their PCs is really the place that innovation should come from. The reward that something might happen there of value is far out weighed by the risk the corporation faces of being out of compliance or having unauthorized or inappropriate software on company owned PCs. And there is no way to really quantify the risk of "catching a virus" on the back of a downloaded executable.
That being said there should be a process to initiate approval for test software, down loads, etc. that can be pretty simple and not a bottleneck. That's what my previous company did.
- Download Preventer
Dear Preventer ...
I agree that workers downloading stuff isn't where innovation comes from. Workers downloading (for example) open source solutions that will fully or partially automate a business process that is currently handled in a cumbersome way, and that isn't important enough to be a priority for central IT? That's a different story.
Your phrasing is telling. "The reward that something might happen there of value …" makes it clear you consider any potential upside to be, not the result of thought and planning on the part of employees, but an accidental byproduct of random, aimless activity.
I agree. The risks associated with random, aimless activity far exceed the potential benefit.
All I have to say is that if your employer hires employees who spend most of their time engaged in random, aimless activity, the company has a much bigger problem than the risk of a computer virus.
- Bob
Dear Bob ...
We work with a software vendor whose app we host. They are small (20-ish employees), we have to cover a lot of customers and pretty close to 24/7. We are, unfortunately, their largest install, certainly larger than they designed for.
There have been scaling problems.
My problem is in figuring out how to get us past the "cowboy" software support process. When I started in IT in the early 90’s I worked for ATT in New Jersey so I found all about software quality Bell Labs style. And worked in electronics before that and got the Deming et al background. I even was a Fagan Inspection facilitator. We counted function points.
Years later I find myself in a different universe. There's been lots of growth, and more potential but we have very little common understanding of the need for configuration management or a rigorous testing/promotion process. We have a test environment but it's often bypassed with my management going straight to the vendor, changes going straight to production.
CMM level 0.5 all around. Maybe -1.
Managers have been around at large orgs and pay lip service to the process thing, and we have made improvements, but we also suffer from the pride of "let's put on the show right here in the barn!" thinking -– we're small, unconventional and smarter than the rest, yessir.
And even when we have made a stride or two in the quality direction, each personnel change on our side or the vendor side results in the whole thing falling down and going backwards, because it really wasn’t a core process change.
So where do I look for tips on how to get us all on the software process cluetrain?
Your article "A scandal unveiled," (Keep the Joint Running, 9/15/2003) was right up the same alley, but pointing in the opposite direction –- about enterprise apps that don't downscale. Well, we need the other thing –- upscale the brains to the support the enterprise approach, because we are already in the enterprise world.
My web searches only find the enterprise stuff -– ITIL, CMM, Six Sigma and all. Those are overwhelmingly complex and I get glassy eyed looks mentioning anything like that to my compatriots.
So are there any "software process improvement for SMB dummies" kind of programs I can latch on to?
- In Chaos
Dear In Chaos ...
Sounds to me like you do have a scaling-down challenge. You need software quality assurance and change control, only you need the "lite" versions.
They'll be far better than nothing at all, and as much as your company culture will allow. Let them gel, and remember, once you get on the process train, it's hard to stop before you arrive at bureaucracy station. I can understand your managers' allergies to the bulky ways of doing things they escaped from. I've escaped from them myself, and am glad of it.
I've also lived through the We're-Smarter-Than-Everyone-Else mentality enough times to know what it leads to ... usually, being dumber than everyone else. People who are really smarter than everyone else get that way by first learning what everyone else knows. Then they figure out what to do differently.
Assuming you're in a position to influence things, I see two basic strategies for getting the ball rolling, depending on the specifics of the social situation.
In the first, you and a compatible soul with equivalent influence in the software vendor work together to develop the plan. In the second, you and your manager put it together. It depends on which you think will be more effective.
The plan itself is pretty basic. It's a presentation that starts with two questions: (1) What risks aren't we willing to take? And (2) What risks are we willing to take?
The risks you aren't willing to take are:
The risks you are willing to take are:
Next slide: "This isn't just theory," listing catastrophes and near-catastrophes that everyone in attendance knows about.
Your next slide is titled, "Procedures we need to enforce to prevent the risks we aren't willing to take." List them.
Your voice over is that you no longer have a choice about instituting and enforcing these procedures. You do have a choice about how lean or bulky you make them.
Present to the key decision-makers ... one-on-one first, to get buy-in, then in a group setting to demonstrate consensus. Plan the sequence of presentation carefully, too. You don't want to offend key decision-makers by leaving them to last. You also don't want to waste their time by meeting with them too early, before you've perfected the pitch.
This is just a sketch, of course. It should get you pointed in the right direction.
And don't become discouraged if nobody buys what you're selling. Chances are they won't, until there's a life-threatening experience.
Facts and logic by themselves are rarely persuasive, especially in companies that are making money.
- Bob
Dear Bob ...
I actually agree with your position [on opening up PCs, see for example "The feasibility of unlocked desktops," Keep the Joint Running, 3/24/2008] and I try to advocate policies that only "punish the guilty", but this is a very hard sell in the boardroom. Directors will not make decisions based on what my gut says is the right policy. They also make it very painful to explain this position whenever something goes south and the bad apple employee floats to the top.
So, I'm looking for a way to sell an "open use" culture to the board without completely leaving my pants down around my ankles. I hate metrics also, it's like "no business left behind" where one size "must" fit all. But unfortunately, that is the stream we are all swimming in today. If you have any specific ideas of how we can translate this message from the soapbox to the bottom line, I sure would be listening. I'm in the choir preacher Bob, now how do we sell this good news to the directors and shareholders?
- Open to open
Dear Open ...
One of the best approaches is to force people in leadership roles to lead, rather than critiquing. Here's what I mean:
Put some values in front of them that they endorse -- in particular, the cultural value I mentioned, of encouraging initiative. Establish this as a precondition for specific acts of innovation -- the "cultural infrastructure" that's required for innovation to happen. Unlocking the desktop ("loosening the controls" is a better description) is part of this program.
It's the individual acts of innovation that provide measurable benefit. The challenge: Assigning a business value to the preconditions that encourage it.
Ask the company's leaders what value they place on establishing these preconditions.
This isn't at all different from more commonplace questions, like how a company should evaluate the business value of cycle time improvements. You can measure cycle time all you want and demonstrate that a process change has improved it. What you can't do is decide the financial value of a one-hour reduction.
Somebody has to accept that not all dots can be directly connected - that customers value faster delivery; that their valuing it leads to increased walletshare and retention rates, but that proving the connection probably isn't possible.
Part of asking leaders to lead is asking them to tell you what they value, especially when the connection between good practice and business success is indirect. Some will answer the question when you ask it. Others will duck. Either response tells you something important.
- Bob
Dear Bob ...
I need some meeting tools, to keep order, steer content on point and so on.
I find that often, meetings up here take on a life of their own and the moderator cannot take them back without banging on the table.
Also, my boss is very articulate. In the last two tech meetings which he asked me to setup, I wrote concise invitations, and attendees came prepared to get work done.
Fortunately or unfortunately, he took control of the meeting. In the end, he acknowledged his commandeering of the meetings, said there was a lot accomplished, and thanked me for setting them up.
Nevertheless, I felt unprepared as a moderator in comparison to him and see I need to improve my skills. I have asked him to approve my attending some more practical seminars on this.
Before that ... any advice?
- Facilitation-challenged
Dear Facilitating ...
Sometimes, you do have to bang on the table. Just keep your good humor about you as you do so. Here are a few other techniques you might find helpful:
1. Make sure every meeting has a point -- a reason for taking place. Announce the reason at the beginning of the meeting (except for recurring meetings; even in these it's worth reminding attendees on a regular basis).
2. Make sure every meeting has an agenda -- a list of specific topics to be covered. First item on the agenda: Status of action items from previous meetings. Last item on the agenda: A review of all open action items, including new ones this week.
3. Always have a flip chart or whiteboard. Use it to list ideas so everyone can see them; to sketch designs so everyone has a common point of reference; and to keep a "Parking Lot" -- a place to list ideas that have no place on the agenda but still shouldn't get lost. If you use a whiteboard, bring a digital camera so it's contents don't get lost.
4. Every topic should finish with agreement on action -- who is going to do what, and when it will be delivered.
5. Get good at facilitation -- at making sure everyone is heard (including people who would rather sit silently) and that nobody dominates. For people who dominate: "Thanks, Ralph. I think we have that point recorded already -- does this say it?" (pointing at an item on a flip chart or the whiteboard -- another reason for making sure you have one, the other, or both). For non-participants, "What do you think about this, Fred? I know you have expertise in this subject."
Another aspect of facilitation: Get good at recognizing when the group has beat a subject to death. "I think we've said everything we have to say about this subject. The next agenda item is ..."
One more: Recognizing when it's time for a consensus check. "It sounds like we're close to a decision on this - namely, blah blah blah. Let's go around the room. Fred - agree or disagree? Ralph? John?"
6. Rotate responsibility for meeting notes. Whoever is responsible must get them out within 24 hours.
One good format for meeting notes is: Topic/Decisions/Comments (if needed)/Action Items. Repeat and summarize the action items at the end of the notes.
Bad format for meeting notes: "He said/she said/they said." This wastes everyone's time.
Last point: If you do need to bang your shoe on the table, use the heel. Otherwise you'll scuff the leather.
- Bob
More about the legalities of running multiple virtual machines on the desktop:
I did some research on Microsoft's website. The language seems quite clear: OS licenses are tied to physical machines, not virtual machines.
In the current EULA for Windows XP Professional Edition Service Pack 2, the relevant text says:
Here's the relevant text from "MICROSOFT SOFTWARE LICENSE TERMS WINDOWS VISTA BUSINESS":
Note that there is a lot of confusion on this subject, driven by the use of "Virtualization" both for server-side processing (for example Citrix, where you do need a license for each user) and for multiple VMs on the desktop (what I've been talking about).
- Bob
Dear Bob ...
I have long been a skeptic of metrics in IT. So many problems -- measuring the right thing, the reliability and sensitivity of the measures, creating perverse incentives, and gaming the measurement systems for starters. As a CIO, the only thing that really matters to me is how well the services I provide help everyone else in the organization perform well (output, cost reduction, quality, creativity, goodwill, widgets -- whatever they are measuring success on) relative to what IT services cost.
As I was crafting a message to a colleague today, I had an ah-ha moment fueled by and reinforcing my skepticism. I wondered:
Can we measure the value of performance metrics?
Has there been some objective measure of the performance of organizations that use SMART metrics versus those that don't?
In business it might be some measure of profitability trends, P/E ratio, and/or market capitalization. In government... well, that's tougher? Some measure of the effectiveness and value of the government services?
I have doubts as to whether the link between performance metrics and organizational performance has been proven. And if we can't measure it (the performance impact of metrics), how can we manage it?
Thought you might appreciate this angle on the topic. Most people I know would think I'm crazy with this line of reasoning. I may be crazy, but I don't think this line of reasoning is proof.
- Need a diagnosis
Dear Diagnosticated ...
Ah, you remind me of me! Way back when, I asked the budget director of my then employer what the Return on Investment was on the budgeting process. His answer ... I'm not making this up ... was, "We have to have budgets!"
Spoken in a thoroughly shocked tone of voice, too.
I don't know of any certain answer to your question regarding the existence of research on the subject. For questions of this kind -- do metrics/SMART goals/outsourcing/offshoring/whatever the heck -- result in business success, I go back to the two big studies I know about that looked at the sources for long-term business success: Jim Collins Good to Great study and William Joyce, Nitin Nohria, and Bruce Roberson's Evergreen Study.
Both isolated a list of factors required for companies to outperform their competitors consistently. Neither included metrics, SMART goals, outsourcing or offshoring as factors common to highly successful companies.
Draw your own conclusions.
- Bob
Dear Bob ...
I talked with our PC support group about the topic you've been discussing the past few weeks [see for example "Getting to 21st century IT," Keep the Joint Running, 3/3/2008 - Bob].
The overriding concern voiced is the liability for improperly licensed software. From the company's point of view, we are liable for any illegitmate copies of software on any computer that connects to our network, no matter which virtual machine it is installed in. What would you say to an SPA auditor who came in and found this situation? There was also concern about the cost of three copies of the operating system - one for each virtual machine, etc.
- Concerned
Dear Concerned ...
I wonder to what extent fear of SPA audits prevents good business. In any event, to answer your question (what would I say to an SPA auditor?) I think I'd say, "Show me your search warrant."
Then I'd call my Microsoft sales rep and point out that while I don't have a lot of choice about whether to use Windows on my company's desktops and laptops, nor about whether to use MS Office, I have a lot of choice when it comes to whether I use/continue to use SQL*Server, Sharepoint, Exchange, IIS, and a very wide variety of other Microsoft products.
Yes, it's Microsoft. Microsoft is a business. That means its sales reps want to do more business with you, not less.
I'm not sure of the legal situation when it comes to virtual machines layered on top of physical machines. To the extent I can figure out the Windows EULA, each license is good for one physical machine. I don't think I've seen any prohibition against installing a license more than once on different virtual machines that run on the same physical machine.
In any event, corporations can usually negotiate minor changes in license terms. I'd think this one would be pretty innocuous from Microsoft's perspective.
So far as illegitimate application software, I'm pretty sure (although I'm certainly not an attorney) that as with harassment, a demonstration that the company has exercised reasonable care in trying to prevent abuses is the key issue - not the existence of a small number of "undocumented" applications.
Plus, with both the locked-down and sandbox VMs the company can and should use scanning software to detect and inventory all applications installed everywhere. When something new pops up, IT asks the user to document the software's legitimacy.
That leaves the personal VM - the physical hardware attaches to the corporate network but the personal VM stays outside the corporate firewall.
You educate your employees regarding the rules; a bad apple or two violate the rules. How liable is your company?
I don't know the answer. I do know that Exxon/Mobil is pushing the legal theory that it isn't legally responsible for the actions of the Exxon Valdez's captain. That would seem to be an applicable precedent.
Even if the SCOTUS finds against Exxon/Mobil, I'm pretty sure the harassment standard of taking reasonable care should keep a company out of trouble with this, but it's very hard to say for sure.
- Bob
Dear Bob ...
What do you think of weekly status reports for developers?
As an IT manager with a number of direct reports, I find it hard to keep track of work being done so I know when to assist some developers. More to the point, some developers tend to spin their wheels on work and need direction from time-to-time to keep moving.
I want to avoid micromanaging but I also need to make sure I can keep the projects moving and mentor those that need help.
Note that I do have one-on-one meetings with everyone on the development team but cannot meet with all of them every week.
- Macro-manager
Dear Macro ...
Weekly status reports are, I think, like timesheets. Some managers insist on them, others don't. Sometimes they provide valuable information, sometimes employees more or less invent the data just before they're due. Generally, developers like neither, viewing both as bureaucratic wastes of time.
The difference between the two is that managers eventually discover inaccuracies in the weekly status reports.
I think the big challenge with weekly status reports is that they are something employees do to help managers, not something employees perceive as creating value for them. They don't pass the WIIFM (What's In It For Me) test.
One possibility (not something I've tried) is to divide the status report in two. Monday morning, developers would be responsible for delivering their plan for the week - ideally, not more than half a page of expected deliveries, each with a space next to it to enter the date delivered. Friday afternoon they are responsible for delivering the same document with delivery dates filled in.
Add to the Friday document comments on issues, barriers and so on, and it might be painless enough that it will make sense to everyone as being a planning exercise as opposed to a reporting exercise.
The most important factors for deciding whether to do this, and then on making it work, are:
When you interact with employees, the second version is far more effective, for a simple reason: You're talking with them about their work as what matters, not about their obligations to you as what matters.
- Bob
Dear Bob ...
I've read your recent article concerning the PC at work viz-a-viz the PC at home ("The portal," Keep the Joint Running, 2/25/2008).
Needless to say as a support technician dealing with the users in a corporate environment, the idea of the PC as a portal is not only a bad one, it merely throws wide the barn door to a series of problems and issues. And opening up the PC for the users leads not to a portal, but a black hole that sucks away time and energy from both the user and the technician who has to support the systems.
Let me give you a good example. Our systems are locked down so that the users cannot install whatever software they wish on the machines. The reason and rationale for this is because of the cost of maintaining and repairing the machines when (not if, when) the user causes either conflict with existing company packages or incompatibility with the same packages.
The need for maintaining a common software platform is to provide ease of maintenance and lower the cost of support. Yet when we do allow the user administrative rights (either via local rights or via a software server that elevates rights prior to installing software) the user will put all kinds of software on the machine that has nothing to do with the business. Media players, browser plugins, screensavers and other downloads will appear overnight, springing up like the fungus that they are.
When the machine starts having problems, it's your responsibility to fix it, but mention removing the problem software and they'll scream they need it.
You also mention 'work/life balance.' Oddly enough, I may be an exception to the rule, as when I leave work for the day, I LEAVE work. As in, I leave whatever problems, issues, projects, documentation, etc. at my desk where it belongs, and enjoy my evenings, weekends and vacations without having to answer emails, phone or text messages about work issues.
I don't want to be bothered when the idea is for rest and relaxation, and actually despair at my co-workers who absolutely have to bring their work home with them. That portal is a ball and chain, erasing their personal life and replacing it with a madness that typifies today's society.
Central IT provides a core set of procedures and products that every user in a company has. You don't want the users to be going down to Costco to purchase those PC's as they'll come back to you demanding support for their problems, their mistakes and failures.
Because I'd tell them 'you bought them, you support them. Oh, and figure out how you're going to get the company software on them, as we won't let them on the network otherwise.' Letting the users go where they want, install what they want, do whatever they want only leads to madness.
Please have exact change ready if you're going that route.
- Support tech
Dear Tech ...
I'm not recommending that users view their PCs as portals. I'm reporting it.
I'm not advocating a wide-open free-for-all either. I'm pointing out what should be obvious to everyone in IT. The reason it isn't is because of the tendency most of us have to look at the world through our own eyeballs instead of the eyes of the people we need to communicate with.
What I'm asking you and my other subscribers to do is to forget all about how inconvenient and costly it all is, and instead to think about the world as end-users experience it. They go home, fire up their Costco PC (or whatever) which has, in addition to Office and e-mail, and AOL or MSN or whatever: The software they use to download digital photos from their cameras and edit them; Skype; various games; browser plug-ins; iTunes; PDA/Smartphone interface software; Quicken; and TurboTax.
Or whatever their list happens to be, and it all works together with no problems.
Then they go to work, where they have MS Office, Outlook, a browser with no plug-ins allowed, and nothing else. Knowledgeable people like you inform them it has to be this way because if you allow anything else it will all fall apart.
Then they go home, where it hasn't fallen apart. They don't feel like they dodged a bullet. They wonder about why you tell them something that's so counter to their experience.
This is the world IT is living in: End-users who find themselves using crippled technology at work compared to what they use routinely at home.
Just my opinion: IT's credibility is at stake. Providing an impoverished technical environment is why. Figuring out what to do about it won't be as easy as just locking everything down. That doesn't make it less important. Just harder.
- Bob
I use a Treo 700P. Not the newest technology, but certainly not obsolete.
I don't travel to Europe very much, but I do have a trip next week, so I called my cellular provider to activate international roaming.
I waited in the various queues, was only transferred once, and then was told, "to activate international roaming, call this number:" followed by a toll-free number.
Think about this for a moment - it's a telephone company, and its customer support representatives can't transfer me to another number in the same company!
Which leads to the first piece of advice: If you're responsible for the company's telephone technology ... Don't. Do. This. It. Makes. Your. Company. Look. Stupid. And. Incompetent.
Are we clear?
And now for the coup de grace: I called the number and talked with a very nice person who told me the Treo 700P isn't compatible with European cellular telephone standards - it can't be made to work.
This leads to my second piece of advice: At least be honest. The 700P works fine in Europe, for providers that use GSM. My cellular provider doesn't support international roaming on the Treo 700P. Blaming Palm isn't just cheesy.
It assumes I don't know how to use Google.
- Bob
Dear Bob ...
I found it ironic, that just as you are suggesting a new way of looking at the PC (in "The portal," Keep the Joint Running, 2/25/2008), Microsoft is making it even easier to look at it the old way.
I received from InfoWorld a letter: A long, long look at Windows Server 2008. This is Tom Yager's review of Windows Server 2008.
In the email, it states: "Tom notes the strength of the security features, especially the ease with which administrators can lock down clients on and off the network. "
http://www.infoworld.com/article/08/02/25/09TC-windows-server-2008_1.html
While the individual may look at the computer as a portal, business apparently can not be so lax. After all, look at how much trouble has been caused because an individual downloaded a database to his laptop so he or she could continue work on a project at home, and then when the laptop is lost or stolen, a few gigabytes of customer information gets released.
My view of the corporate computer is a world away from my view of my personal computer. But maybe that's because I was brought up in the days of the Teletype, paper tape, punch cards and the VT220 terminal.
- Pondering the irony
Dear Pondering ...
I'm not the first to ask the question of why any business user ever would need credit card or social security numbers in any kind of personal file for any reason at all. The subject is usually folded into this debate. It shouldn't be: Look at the PCI specification and you'll find all credit card numbers should be encrypted in all databases if they are stored. Period. I'd say the same basic prudence should be applied to social security numbers, too.
If you run an operation where business users routinely have sensitive information in their files, use one of the many available products that encrypt the contents of the hard drive. Use biometrics (now cheap) instead of password protection.
There are solutions to most of these challenges other than locking everything down.
Of course, it is also true that nothing fits every situation. I'm sure there are contexts in which total lockdown is the only appropriate solution. That this is true doesn't mean it's therefore the right answer for all of the other contexts.
- Bob
In this week's Keep the Joint Running, ("Getting to 21st century IT," 3/3/2008), I mentioned a radical approach:
Comments, anyone?
- Bob
March 31, 2008
Another take on opening PCs, or not
Another correspondent weighs in on the lock-or-not-lock debate - Bob
Dear Bob ...
I'm not sure that workers downloading "stuff" on their PCs is really the place that innovation should come from. The reward that something might happen there of value is far out weighed by the risk the corporation faces of being out of compliance or having unauthorized or inappropriate software on company owned PCs. And there is no way to really quantify the risk of "catching a virus" on the back of a downloaded executable.
That being said there should be a process to initiate approval for test software, down loads, etc. that can be pretty simple and not a bottleneck. That's what my previous company did.
- Download Preventer
Dear Preventer ...
I agree that workers downloading stuff isn't where innovation comes from. Workers downloading (for example) open source solutions that will fully or partially automate a business process that is currently handled in a cumbersome way, and that isn't important enough to be a priority for central IT? That's a different story.
Your phrasing is telling. "The reward that something might happen there of value …" makes it clear you consider any potential upside to be, not the result of thought and planning on the part of employees, but an accidental byproduct of random, aimless activity.
I agree. The risks associated with random, aimless activity far exceed the potential benefit.
All I have to say is that if your employer hires employees who spend most of their time engaged in random, aimless activity, the company has a much bigger problem than the risk of a computer virus.
- Bob
Posted by Bob Lewis on March 31, 2008 05:29 AM
March 28, 2008
Dear Bob ...
We work with a software vendor whose app we host. They are small (20-ish employees), we have to cover a lot of customers and pretty close to 24/7. We are, unfortunately, their largest install, certainly larger than they designed for.
There have been scaling problems.
My problem is in figuring out how to get us past the "cowboy" software support process. When I started in IT in the early 90’s I worked for ATT in New Jersey so I found all about software quality Bell Labs style. And worked in electronics before that and got the Deming et al background. I even was a Fagan Inspection facilitator. We counted function points.
Years later I find myself in a different universe. There's been lots of growth, and more potential but we have very little common understanding of the need for configuration management or a rigorous testing/promotion process. We have a test environment but it's often bypassed with my management going straight to the vendor, changes going straight to production.
CMM level 0.5 all around. Maybe -1.
Managers have been around at large orgs and pay lip service to the process thing, and we have made improvements, but we also suffer from the pride of "let's put on the show right here in the barn!" thinking -– we're small, unconventional and smarter than the rest, yessir.
And even when we have made a stride or two in the quality direction, each personnel change on our side or the vendor side results in the whole thing falling down and going backwards, because it really wasn’t a core process change.
So where do I look for tips on how to get us all on the software process cluetrain?
Your article "A scandal unveiled," (Keep the Joint Running, 9/15/2003) was right up the same alley, but pointing in the opposite direction –- about enterprise apps that don't downscale. Well, we need the other thing –- upscale the brains to the support the enterprise approach, because we are already in the enterprise world.
My web searches only find the enterprise stuff -– ITIL, CMM, Six Sigma and all. Those are overwhelmingly complex and I get glassy eyed looks mentioning anything like that to my compatriots.
So are there any "software process improvement for SMB dummies" kind of programs I can latch on to?
- In Chaos
Dear In Chaos ...
Sounds to me like you do have a scaling-down challenge. You need software quality assurance and change control, only you need the "lite" versions.
They'll be far better than nothing at all, and as much as your company culture will allow. Let them gel, and remember, once you get on the process train, it's hard to stop before you arrive at bureaucracy station. I can understand your managers' allergies to the bulky ways of doing things they escaped from. I've escaped from them myself, and am glad of it.
I've also lived through the We're-Smarter-Than-Everyone-Else mentality enough times to know what it leads to ... usually, being dumber than everyone else. People who are really smarter than everyone else get that way by first learning what everyone else knows. Then they figure out what to do differently.
Assuming you're in a position to influence things, I see two basic strategies for getting the ball rolling, depending on the specifics of the social situation.
In the first, you and a compatible soul with equivalent influence in the software vendor work together to develop the plan. In the second, you and your manager put it together. It depends on which you think will be more effective.
The plan itself is pretty basic. It's a presentation that starts with two questions: (1) What risks aren't we willing to take? And (2) What risks are we willing to take?
The risks you aren't willing to take are:
- Intrusions.
- Installations that seriously degrade system performance or knock it down entirely.
- Becoming a stultifying bureaucracy.
The risks you are willing to take are:
- Software defects that result in unexpected application behavior (non-critical bugs).
- Features that end-users don't find as appealing as you expected.
Next slide: "This isn't just theory," listing catastrophes and near-catastrophes that everyone in attendance knows about.
Your next slide is titled, "Procedures we need to enforce to prevent the risks we aren't willing to take." List them.
Your voice over is that you no longer have a choice about instituting and enforcing these procedures. You do have a choice about how lean or bulky you make them.
Present to the key decision-makers ... one-on-one first, to get buy-in, then in a group setting to demonstrate consensus. Plan the sequence of presentation carefully, too. You don't want to offend key decision-makers by leaving them to last. You also don't want to waste their time by meeting with them too early, before you've perfected the pitch.
This is just a sketch, of course. It should get you pointed in the right direction.
And don't become discouraged if nobody buys what you're selling. Chances are they won't, until there's a life-threatening experience.
Facts and logic by themselves are rarely persuasive, especially in companies that are making money.
- Bob
Posted by Bob Lewis on March 28, 2008 06:10 PM
March 26, 2008
Selling a more open environment to management
Dear Bob ...
I actually agree with your position [on opening up PCs, see for example "The feasibility of unlocked desktops," Keep the Joint Running, 3/24/2008] and I try to advocate policies that only "punish the guilty", but this is a very hard sell in the boardroom. Directors will not make decisions based on what my gut says is the right policy. They also make it very painful to explain this position whenever something goes south and the bad apple employee floats to the top.
So, I'm looking for a way to sell an "open use" culture to the board without completely leaving my pants down around my ankles. I hate metrics also, it's like "no business left behind" where one size "must" fit all. But unfortunately, that is the stream we are all swimming in today. If you have any specific ideas of how we can translate this message from the soapbox to the bottom line, I sure would be listening. I'm in the choir preacher Bob, now how do we sell this good news to the directors and shareholders?
- Open to open
Dear Open ...
One of the best approaches is to force people in leadership roles to lead, rather than critiquing. Here's what I mean:
Put some values in front of them that they endorse -- in particular, the cultural value I mentioned, of encouraging initiative. Establish this as a precondition for specific acts of innovation -- the "cultural infrastructure" that's required for innovation to happen. Unlocking the desktop ("loosening the controls" is a better description) is part of this program.
It's the individual acts of innovation that provide measurable benefit. The challenge: Assigning a business value to the preconditions that encourage it.
Ask the company's leaders what value they place on establishing these preconditions.
This isn't at all different from more commonplace questions, like how a company should evaluate the business value of cycle time improvements. You can measure cycle time all you want and demonstrate that a process change has improved it. What you can't do is decide the financial value of a one-hour reduction.
Somebody has to accept that not all dots can be directly connected - that customers value faster delivery; that their valuing it leads to increased walletshare and retention rates, but that proving the connection probably isn't possible.
Part of asking leaders to lead is asking them to tell you what they value, especially when the connection between good practice and business success is indirect. Some will answer the question when you ask it. Others will duck. Either response tells you something important.
- Bob
Posted by Bob Lewis on March 26, 2008 07:25 AM
March 24, 2008
Dear Bob ...
I need some meeting tools, to keep order, steer content on point and so on.
I find that often, meetings up here take on a life of their own and the moderator cannot take them back without banging on the table.
Also, my boss is very articulate. In the last two tech meetings which he asked me to setup, I wrote concise invitations, and attendees came prepared to get work done.
Fortunately or unfortunately, he took control of the meeting. In the end, he acknowledged his commandeering of the meetings, said there was a lot accomplished, and thanked me for setting them up.
Nevertheless, I felt unprepared as a moderator in comparison to him and see I need to improve my skills. I have asked him to approve my attending some more practical seminars on this.
Before that ... any advice?
- Facilitation-challenged
Dear Facilitating ...
Sometimes, you do have to bang on the table. Just keep your good humor about you as you do so. Here are a few other techniques you might find helpful:
1. Make sure every meeting has a point -- a reason for taking place. Announce the reason at the beginning of the meeting (except for recurring meetings; even in these it's worth reminding attendees on a regular basis).
2. Make sure every meeting has an agenda -- a list of specific topics to be covered. First item on the agenda: Status of action items from previous meetings. Last item on the agenda: A review of all open action items, including new ones this week.
3. Always have a flip chart or whiteboard. Use it to list ideas so everyone can see them; to sketch designs so everyone has a common point of reference; and to keep a "Parking Lot" -- a place to list ideas that have no place on the agenda but still shouldn't get lost. If you use a whiteboard, bring a digital camera so it's contents don't get lost.
4. Every topic should finish with agreement on action -- who is going to do what, and when it will be delivered.
5. Get good at facilitation -- at making sure everyone is heard (including people who would rather sit silently) and that nobody dominates. For people who dominate: "Thanks, Ralph. I think we have that point recorded already -- does this say it?" (pointing at an item on a flip chart or the whiteboard -- another reason for making sure you have one, the other, or both). For non-participants, "What do you think about this, Fred? I know you have expertise in this subject."
Another aspect of facilitation: Get good at recognizing when the group has beat a subject to death. "I think we've said everything we have to say about this subject. The next agenda item is ..."
One more: Recognizing when it's time for a consensus check. "It sounds like we're close to a decision on this - namely, blah blah blah. Let's go around the room. Fred - agree or disagree? Ralph? John?"
6. Rotate responsibility for meeting notes. Whoever is responsible must get them out within 24 hours.
One good format for meeting notes is: Topic/Decisions/Comments (if needed)/Action Items. Repeat and summarize the action items at the end of the notes.
Bad format for meeting notes: "He said/she said/they said." This wastes everyone's time.
Last point: If you do need to bang your shoe on the table, use the heel. Otherwise you'll scuff the leather.
- Bob
Posted by Bob Lewis on March 24, 2008 05:53 PM
March 20, 2008
Licensing rules for virtual machines
More about the legalities of running multiple virtual machines on the desktop:
I did some research on Microsoft's website. The language seems quite clear: OS licenses are tied to physical machines, not virtual machines.
In the current EULA for Windows XP Professional Edition Service Pack 2, the relevant text says:
1.1 Installation and use. You may install, use, access, display and run one copy of the Software on a single computer, such as a workstation, terminal or other device ("Workstation Computer"). The Software may not be used by more than two (2) processors at any one time on any single Workstation Computer.Seems clear to me that the license is tied to the hardware, not to any VM running on the hardware.
Here's the relevant text from "MICROSOFT SOFTWARE LICENSE TERMS WINDOWS VISTA BUSINESS":
2. INSTALLATION AND USE RIGHTS. Before you use the software under a license, you must assign that license to one device (physical hardware system). That device is the “licensed device.” A hardware partition or blade is considered to be a separate device.And,
a. Licensed Device. You may install one copy of the software on the licensed device.
You may use the software on up to two processors on that device at one time. Except as provided in the Storage and Network Use sections below, you may not use the software on any other device.
f. Use with Virtualization Technologies. You may use the software installed on the licensed device within a virtual (or otherwise emulated) hardware system. If you do so, you may not play or access content or use applications protected by any Microsoft digital, information or enterprise rights management technology or other Microsoft rights management services or use BitLocker. We advise against playing or accessing content or using applications protected by other digital, information or enterprise rights management technology or other rights management services or using full volume disk drive encryption.This last is a baffling set of restrictions, but does not require a separate license for each VM.
Note that there is a lot of confusion on this subject, driven by the use of "Virtualization" both for server-side processing (for example Citrix, where you do need a license for each user) and for multiple VMs on the desktop (what I've been talking about).
- Bob
Posted by Bob Lewis on March 20, 2008 05:54 AM
March 19, 2008
Dear Bob ...
I have long been a skeptic of metrics in IT. So many problems -- measuring the right thing, the reliability and sensitivity of the measures, creating perverse incentives, and gaming the measurement systems for starters. As a CIO, the only thing that really matters to me is how well the services I provide help everyone else in the organization perform well (output, cost reduction, quality, creativity, goodwill, widgets -- whatever they are measuring success on) relative to what IT services cost.
As I was crafting a message to a colleague today, I had an ah-ha moment fueled by and reinforcing my skepticism. I wondered:
Can we measure the value of performance metrics?
Has there been some objective measure of the performance of organizations that use SMART metrics versus those that don't?
In business it might be some measure of profitability trends, P/E ratio, and/or market capitalization. In government... well, that's tougher? Some measure of the effectiveness and value of the government services?
I have doubts as to whether the link between performance metrics and organizational performance has been proven. And if we can't measure it (the performance impact of metrics), how can we manage it?
Thought you might appreciate this angle on the topic. Most people I know would think I'm crazy with this line of reasoning. I may be crazy, but I don't think this line of reasoning is proof.
- Need a diagnosis
Dear Diagnosticated ...
Ah, you remind me of me! Way back when, I asked the budget director of my then employer what the Return on Investment was on the budgeting process. His answer ... I'm not making this up ... was, "We have to have budgets!"
Spoken in a thoroughly shocked tone of voice, too.
I don't know of any certain answer to your question regarding the existence of research on the subject. For questions of this kind -- do metrics/SMART goals/outsourcing/offshoring/whatever the heck -- result in business success, I go back to the two big studies I know about that looked at the sources for long-term business success: Jim Collins Good to Great study and William Joyce, Nitin Nohria, and Bruce Roberson's Evergreen Study.
Both isolated a list of factors required for companies to outperform their competitors consistently. Neither included metrics, SMART goals, outsourcing or offshoring as factors common to highly successful companies.
Draw your own conclusions.
- Bob
Posted by Bob Lewis on March 19, 2008 05:43 AM
March 15, 2008
Legal challenges to virtual machines
Dear Bob ...
I talked with our PC support group about the topic you've been discussing the past few weeks [see for example "Getting to 21st century IT," Keep the Joint Running, 3/3/2008 - Bob].
The overriding concern voiced is the liability for improperly licensed software. From the company's point of view, we are liable for any illegitmate copies of software on any computer that connects to our network, no matter which virtual machine it is installed in. What would you say to an SPA auditor who came in and found this situation? There was also concern about the cost of three copies of the operating system - one for each virtual machine, etc.
- Concerned
Dear Concerned ...
I wonder to what extent fear of SPA audits prevents good business. In any event, to answer your question (what would I say to an SPA auditor?) I think I'd say, "Show me your search warrant."
Then I'd call my Microsoft sales rep and point out that while I don't have a lot of choice about whether to use Windows on my company's desktops and laptops, nor about whether to use MS Office, I have a lot of choice when it comes to whether I use/continue to use SQL*Server, Sharepoint, Exchange, IIS, and a very wide variety of other Microsoft products.
Yes, it's Microsoft. Microsoft is a business. That means its sales reps want to do more business with you, not less.
I'm not sure of the legal situation when it comes to virtual machines layered on top of physical machines. To the extent I can figure out the Windows EULA, each license is good for one physical machine. I don't think I've seen any prohibition against installing a license more than once on different virtual machines that run on the same physical machine.
In any event, corporations can usually negotiate minor changes in license terms. I'd think this one would be pretty innocuous from Microsoft's perspective.
So far as illegitimate application software, I'm pretty sure (although I'm certainly not an attorney) that as with harassment, a demonstration that the company has exercised reasonable care in trying to prevent abuses is the key issue - not the existence of a small number of "undocumented" applications.
Plus, with both the locked-down and sandbox VMs the company can and should use scanning software to detect and inventory all applications installed everywhere. When something new pops up, IT asks the user to document the software's legitimacy.
That leaves the personal VM - the physical hardware attaches to the corporate network but the personal VM stays outside the corporate firewall.
You educate your employees regarding the rules; a bad apple or two violate the rules. How liable is your company?
I don't know the answer. I do know that Exxon/Mobil is pushing the legal theory that it isn't legally responsible for the actions of the Exxon Valdez's captain. That would seem to be an applicable precedent.
Even if the SCOTUS finds against Exxon/Mobil, I'm pretty sure the harassment standard of taking reasonable care should keep a company out of trouble with this, but it's very hard to say for sure.
- Bob
Posted by Bob Lewis on March 15, 2008 01:03 PM
March 14, 2008
Are weekly status reports a good idea?
Dear Bob ...
What do you think of weekly status reports for developers?
As an IT manager with a number of direct reports, I find it hard to keep track of work being done so I know when to assist some developers. More to the point, some developers tend to spin their wheels on work and need direction from time-to-time to keep moving.
I want to avoid micromanaging but I also need to make sure I can keep the projects moving and mentor those that need help.
Note that I do have one-on-one meetings with everyone on the development team but cannot meet with all of them every week.
- Macro-manager
Dear Macro ...
Weekly status reports are, I think, like timesheets. Some managers insist on them, others don't. Sometimes they provide valuable information, sometimes employees more or less invent the data just before they're due. Generally, developers like neither, viewing both as bureaucratic wastes of time.
The difference between the two is that managers eventually discover inaccuracies in the weekly status reports.
I think the big challenge with weekly status reports is that they are something employees do to help managers, not something employees perceive as creating value for them. They don't pass the WIIFM (What's In It For Me) test.
One possibility (not something I've tried) is to divide the status report in two. Monday morning, developers would be responsible for delivering their plan for the week - ideally, not more than half a page of expected deliveries, each with a space next to it to enter the date delivered. Friday afternoon they are responsible for delivering the same document with delivery dates filled in.
Add to the Friday document comments on issues, barriers and so on, and it might be painless enough that it will make sense to everyone as being a planning exercise as opposed to a reporting exercise.
The most important factors for deciding whether to do this, and then on making it work, are:
- Being clear about what you're looking for (including providing a template, so it's a fill-in-the-blanks exercise, not a blank-sheet-of-paper essay).
- Keeping it as minimalist as possible so it doesn't become burdensome.
- Communicating why it's important, so everyone understands and it doesn't become "just paperwork."
- If at all possible, finding a way for it to be useful for the developers, for the reasons outlined above.
When you interact with employees, the second version is far more effective, for a simple reason: You're talking with them about their work as what matters, not about their obligations to you as what matters.
- Bob
Posted by Bob Lewis on March 14, 2008 12:13 PM
March 08, 2008
More on whether or not to open up PCs
Dear Bob ...
I've read your recent article concerning the PC at work viz-a-viz the PC at home ("The portal," Keep the Joint Running, 2/25/2008).
Needless to say as a support technician dealing with the users in a corporate environment, the idea of the PC as a portal is not only a bad one, it merely throws wide the barn door to a series of problems and issues. And opening up the PC for the users leads not to a portal, but a black hole that sucks away time and energy from both the user and the technician who has to support the systems.
Let me give you a good example. Our systems are locked down so that the users cannot install whatever software they wish on the machines. The reason and rationale for this is because of the cost of maintaining and repairing the machines when (not if, when) the user causes either conflict with existing company packages or incompatibility with the same packages.
The need for maintaining a common software platform is to provide ease of maintenance and lower the cost of support. Yet when we do allow the user administrative rights (either via local rights or via a software server that elevates rights prior to installing software) the user will put all kinds of software on the machine that has nothing to do with the business. Media players, browser plugins, screensavers and other downloads will appear overnight, springing up like the fungus that they are.
When the machine starts having problems, it's your responsibility to fix it, but mention removing the problem software and they'll scream they need it.
You also mention 'work/life balance.' Oddly enough, I may be an exception to the rule, as when I leave work for the day, I LEAVE work. As in, I leave whatever problems, issues, projects, documentation, etc. at my desk where it belongs, and enjoy my evenings, weekends and vacations without having to answer emails, phone or text messages about work issues.
I don't want to be bothered when the idea is for rest and relaxation, and actually despair at my co-workers who absolutely have to bring their work home with them. That portal is a ball and chain, erasing their personal life and replacing it with a madness that typifies today's society.
Central IT provides a core set of procedures and products that every user in a company has. You don't want the users to be going down to Costco to purchase those PC's as they'll come back to you demanding support for their problems, their mistakes and failures.
Because I'd tell them 'you bought them, you support them. Oh, and figure out how you're going to get the company software on them, as we won't let them on the network otherwise.' Letting the users go where they want, install what they want, do whatever they want only leads to madness.
Please have exact change ready if you're going that route.
- Support tech
Dear Tech ...
I'm not recommending that users view their PCs as portals. I'm reporting it.
I'm not advocating a wide-open free-for-all either. I'm pointing out what should be obvious to everyone in IT. The reason it isn't is because of the tendency most of us have to look at the world through our own eyeballs instead of the eyes of the people we need to communicate with.
What I'm asking you and my other subscribers to do is to forget all about how inconvenient and costly it all is, and instead to think about the world as end-users experience it. They go home, fire up their Costco PC (or whatever) which has, in addition to Office and e-mail, and AOL or MSN or whatever: The software they use to download digital photos from their cameras and edit them; Skype; various games; browser plug-ins; iTunes; PDA/Smartphone interface software; Quicken; and TurboTax.
Or whatever their list happens to be, and it all works together with no problems.
Then they go to work, where they have MS Office, Outlook, a browser with no plug-ins allowed, and nothing else. Knowledgeable people like you inform them it has to be this way because if you allow anything else it will all fall apart.
Then they go home, where it hasn't fallen apart. They don't feel like they dodged a bullet. They wonder about why you tell them something that's so counter to their experience.
This is the world IT is living in: End-users who find themselves using crippled technology at work compared to what they use routinely at home.
Just my opinion: IT's credibility is at stake. Providing an impoverished technical environment is why. Figuring out what to do about it won't be as easy as just locking everything down. That doesn't make it less important. Just harder.
- Bob
Posted by Bob Lewis on March 8, 2008 01:07 PM
March 06, 2008
And now, time for some self-indulgence
I use a Treo 700P. Not the newest technology, but certainly not obsolete.
I don't travel to Europe very much, but I do have a trip next week, so I called my cellular provider to activate international roaming.
I waited in the various queues, was only transferred once, and then was told, "to activate international roaming, call this number:" followed by a toll-free number.
Think about this for a moment - it's a telephone company, and its customer support representatives can't transfer me to another number in the same company!
Which leads to the first piece of advice: If you're responsible for the company's telephone technology ... Don't. Do. This. It. Makes. Your. Company. Look. Stupid. And. Incompetent.
Are we clear?
And now for the coup de grace: I called the number and talked with a very nice person who told me the Treo 700P isn't compatible with European cellular telephone standards - it can't be made to work.
This leads to my second piece of advice: At least be honest. The 700P works fine in Europe, for providers that use GSM. My cellular provider doesn't support international roaming on the Treo 700P. Blaming Palm isn't just cheesy.
It assumes I don't know how to use Google.
- Bob
Posted by Bob Lewis on March 6, 2008 03:09 PM
March 05, 2008
Dear Bob ...
I found it ironic, that just as you are suggesting a new way of looking at the PC (in "The portal," Keep the Joint Running, 2/25/2008), Microsoft is making it even easier to look at it the old way.
I received from InfoWorld a letter: A long, long look at Windows Server 2008. This is Tom Yager's review of Windows Server 2008.
In the email, it states: "Tom notes the strength of the security features, especially the ease with which administrators can lock down clients on and off the network. "
http://www.infoworld.com/article/08/02/25/09TC-windows-server-2008_1.html
While the individual may look at the computer as a portal, business apparently can not be so lax. After all, look at how much trouble has been caused because an individual downloaded a database to his laptop so he or she could continue work on a project at home, and then when the laptop is lost or stolen, a few gigabytes of customer information gets released.
My view of the corporate computer is a world away from my view of my personal computer. But maybe that's because I was brought up in the days of the Teletype, paper tape, punch cards and the VT220 terminal.
- Pondering the irony
Dear Pondering ...
I'm not the first to ask the question of why any business user ever would need credit card or social security numbers in any kind of personal file for any reason at all. The subject is usually folded into this debate. It shouldn't be: Look at the PCI specification and you'll find all credit card numbers should be encrypted in all databases if they are stored. Period. I'd say the same basic prudence should be applied to social security numbers, too.
If you run an operation where business users routinely have sensitive information in their files, use one of the many available products that encrypt the contents of the hard drive. Use biometrics (now cheap) instead of password protection.
There are solutions to most of these challenges other than locking everything down.
Of course, it is also true that nothing fits every situation. I'm sure there are contexts in which total lockdown is the only appropriate solution. That this is true doesn't mean it's therefore the right answer for all of the other contexts.
- Bob
Posted by Bob Lewis on March 5, 2008 05:36 AM
March 04, 2008
Getting to 21st century IT - User-owned PCs?
In this week's Keep the Joint Running, ("Getting to 21st century IT," 3/3/2008), I mentioned a radical approach:
Correspondent Richard Resnick provided the most extreme suggestion: No corporate-owned PCs at all. Let employees buy their own -- whatever they think they need to do their jobs. It's Nicholas Carr's vision in reverse: Only central IT remains. Employees take over ownership of the periphery, including responsibility for their own PC support.It's an intriguing alternative, and not one easily envisioned. Certainly, the nature of the protections IT would institute would be very different given the change in boundary. I leave the specifics as an exercise for the reader.This is your chance. What do you think of the idea ... not for production staff like call center agents, of course, but for travelers, analysts, developers and so on.
Comments, anyone?
- Bob
Posted by Bob Lewis on March 4, 2008 05:45 AM
|
Three books. Three ways to change the world, your life, or at least Bob Lewis' bank account. Leading IT: The Toughest Job in the World distills the world of IT leadership into eight learnable skills and gives you concrete, practical techniques for each one of them. Bare Bones Project Management: What you can't not do makes project management manageable, even for first-time project managers with no formal training in the discipline. ManagementSpeak: What managers say/What they mean … well, it won't help your career, and won't make you a better manager. Mostly, it will make you chuckle, guffaw, and maybe even chortle. Make friends - it's the perfect gift for anyone who has ever suffered through one of those meetings. Order your copies today! |
TOP STORIES
Top 10 stories of the weekA new place to hide rootkits
Sun exec on OpenSolaris, Linux
AT&T: No free iPhone Wi-Fi info
MS to appeal E.U. fine
XP SP3 causes endless reboots
Vista as insecure as Win 2000
Google grilled on human rights
Java ubiquity an edge in RIA battle
The InfoWorld news quiz
ADDITIONAL RESOURCES
- Virtualization: A Step by Step Approach to Success
- Dialing up Agility with Business Transformation
- 5 Things You Need to Know About Storage Virtualization
- Virtual Test Lab Automation: Manage development infrastructure
- Improve Resource Utilization and Lower Operating Costs
- Protect Your Data with SSL
