The Dark Ages . . .

15/12/2006 14:37:11

Once upon a time, the world was flat.

And at that time, other self-evident truths were enforced by the institutions that controlled society, such as that the purchase of indulgences reduced the time spent in Purgatory, kings were divine and that heresy or witchcraft were crimes deserving of death.

One of the other, less regarded issues was that because a soul could not arise on salvation day to join with its saviour unless the buried body was intact, anatomy was illegal.

Why are you reading this in an IT magazine? Well, it's like this: over the years many powerful institutions have been overtaken by reality, and I think we are currently living through one of those times.

I'll give it to you straight: I'm technical (among other attributes) and as we know from many observers, this gives me zero credibility from "those who grok business" (Rob Thompsett, take a bow).

Problem is, I also grok business - 'cos these days, not only is IT "core business", most frequently it is the business. When the disks stop spinning, the revenue stream dies. (This has really been true since the mainframe, but in a time when everything is done on the Web, it has now become all-pervasive.)

So why am I using ancient analogies relating to the church? Because I think, and hope, we can learn something from history.

When anatomy was illegal, those who did allow their curiosity to overcome social mores were liable to feel the full force of the law and suffer for their hubris. "Everyone" knew that the reasons for this were founded in fact, held the fabric of society together, and were unquestionably correct - after all, the Pope is infallible.

The problem is that not only did the flat earth idea eventually collapse, but so did most of the other self-evident truths. And for the same reason, Canute was unable to establish his divinity - too much factual, visible evidence in the other direction.

Now let's examine a more modern issue, the use of ICT in business.

Today, we have got an almost religious zealotry built around the idea that "coherence of architecture is essential to good business" and that this leads to the best ROI.

Problem: anyone seen a coherent architecture in theory, let alone practice?

I've observed many attempts over the years to produce a coherent architecture, including attempts from the largest in the Industry (remember SAA? OSI? How CASE tools were going to save the world? And how Object Orientation was going to reduce coding costs? The list is endless) but there has not been a magic bullet.

Iconoclasm: there is no magic bullet.

For many reasons, including Moore's law, the pace of technical change and the adaptation that people and businesses are making to catch up is unlikely to abate for a long time - if ever.

So, "freezing" a business long enough to install, let alone reap the benefits of, a coherent architecture is probably going to kill the business.

Let us make no mistake, friends, ICT is in the business of change and must take responsibility for helping steer that process. For too long, we have been content to act like the scientists on the Manhattan Project who "just did science" letting others decide how it should be used.

And like Oppenheimer et al., as we stare down the slope on the other side of the IT upswell, we can now see where the tsunami will come ashore. Time to ride the wave rather than drown in it.

I contend that one of the most useful things we can do is to get involved in the ICT governance debate inside our organisations and make sure that the sweet, seductive message of coherent architecture gets what it deserves - a wooden stake through the heart.

Yes, coherent architecture can be made to look like the best way of maximising profits, but it is an illusion that has failed too many times over the years to have any credibility left.

Like the Emperor's new clothes, it subsists on herd behaviour and relies upon a person knowing which side of their bread is buttered and choosing to say nothing - not rocking the boat.

And like all castles in the air, one breath of truth and it vanishes like a soap bubble.

Getting a message into the spreadsheets that refutes the ROI hot air will be a challenge - lots of bonuses riding on this one!

But let's apply a different type of common sense: A corporate board is supposed to ensure the stability and continuity of a profitable endeavour, maximising those profits being like the second law of robotics, a subsidiary goal.

Part of that process should include good governance of ICT, which, now that we have AS8015, should be easier to do. But fundamental to good governance is making sure a company can survive serious challenges, which in the case of many businesses these days, means loss or corruption of service in some fashion.

This is where we have seen too much of the kinds of behaviour that lead to situations like the loss of BP's oil pipeline the other month [1] - the infrastructure of most organisations has been chronically deprived of investment for most of its life, but particularly recently (and not just hardware), when the Web carries most corporate ROI hopes for reduced costs. So the chances of some significant failure are getting greater with every passing day.

There is a wilful ignorance of the limitations of technology for which business people have been abdicating responsibility when they choose to believe the message of the "coherent architecture" salesmen (which is welcomed on the salesmen's bottom line), because promises of uptime, throughput etc. have a get-out clause, which too often catches the ignorant right in the wallet.

Mixed architectures may look more expensive, on paper, but are almost universally present. Why?

The bottom line is that it is the only way to meet real business needs, and that's why it is going to remain the incumbent at most places - because one size does not fit all.

When a board is planning to invest in the future of its enterprise, some allowance should be made to permit a feasible chance that whatever implementation they choose, it will work in practice. No, it will not maximise returns and yes, there is an overhead that must be borne, but like management itself, a non-coherent architecture is a necessary evil which contributes to meeting the objectives of the business.

Too many places have found that their shoestring DR plan failed the one time it was needed, because designing, reviewing, updating and testing it were seen as "too expensive". Besides, the coherent architecture would seamlessly cope with it. Not.

There's another benefit to non-coherent architecture that is currently under-appreciated. As with biodiversity in the global ecosystem, ICT diversity survives better than a monoculture when hard times arrive and for the same reasons, different stock behaves differently when under attack.

Like most really great risks, the risk from a monoculture is hard to accurately quantify, in advance. And with hindsight, few people would bother wasting time costing up how much money would have been a good investment for an extinct company - they're too busy carving up the carcass (which contributes to explaining why risk management is still a bit of a black art).

So, a better strategy might be to plan to be a bit more cynical of architectural promises that look too attractive and maybe pay a bit extra rather than end up in the corporate tar-pit, leaving nothing but a fossilised example to others.

As we have seen, a proper BCS effort should be a prerequisite for a business (and which would be mandated by good ICT governance), needing some planning up front during design, development or architecture efforts, alongside the security and risk evaluations that you already undertake when you're coding, right?[2]

What, you don't? Well, in that case you have to run a penetration test on your system when it's built, yes? And how do you do that - hire a hacker? Whoa! Now we're tripping into dangerous space because you can't trust hackers, can you? Even the "ethical" ones are a bit dangerous - otherwise they wouldn't know the things they do, without which they'd be ineffective and a waste of money. Hang on, we've done the Emperor's new clothes, haven't we?

Here's where culture shock really sets in, because like the early anatomists, taking code apart can bring enlightenment, but just as surely, it's illegal and really harshly punished.

And in an age where the dark lantern of ignorance is being shone on legislation, we have significant issues in trying to get some clarity.

When legislation like the kiddie porn laws does not need any proof of intent, and the "cyber trespass" laws could be interpreted to cover browsing a Web site, then we ICT folks are living in interesting times when trying to prove that our daily tasks are legitimate. Particularly when organisations are baying for more pro-active security measures. No-one wants to be the test case, but with the rapidly changing legislative landscape, there are more "tsunami hacker" cases ahead. [3]

And like heretics, witches and early anatomists, the punishments sometimes seem to far outweigh the crimes.

What would be a better solution? Well, the answer for anatomists was for the Royal College of Physicians to be granted the right to dissect humans, under strict conditions.

This gave comfort that a qualified, ethical, knowledgeable, professional group would be the ones who could take these actions and become involved as experts when offences were discovered, to the benefit of all.

Fast forward to today, and for us, that trust must be built by working together with government, business and societal groups, by overcoming misunderstandings and unfounded fears, by growing together in good faith.

For this to happen, however, the cultural mistrust I referred to above must be overcome and both technical and business parties need to appreciate that there is an alternate view which is not "wrong" - you can't spend money you can't afford to pay back and you can't make a computer do something it wasn't designed to do. [4]

Most of all, some respect and tolerance for the professionalism of those who have taken the time to gain the skills, not the usual "OK, you were a techie, now forget all that, you've been promoted - you're a manager now".

The business community may pay lip service to the need for a "hybrid manager" (I first heard that mantra in 1987) but the pressure to conform to the culture, so much that you lose all technical ability has not relented. The Earth is still flat.

But at least the history worm is turning and ICT governance is becoming a live issue; maybe the horizon is curving?

As ICT professionals we might just have to avoid purchasing indulgences and confront purgatory head on. It will be painful, but who knows, we might end up in Heaven after all?

[1] http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/20060807/bp_oil_060807/20060807?hub=CTVNewsAt11

[2] At present the previous statement seems outlandish, but as more class action suits making boards accountable for decision-making work through the system, I predict we will see a closer relationship between the development and infrastructure design communities, with the security function contributing to both architecture and audit functions, providing the kind of assurance that a board can trust.

[3] http://www.theregister.co.uk/2005/10/06/tsunami_hacker_convicted/

[4] Both of these statements are true, but each may cause pressure on the other; if you want to make a computer to do something outside its design, be prepared to spend money. And if you can't spend the money because you can't afford to, then you'd better be prepared to modify the requirements to suit your purse rather than expect miracles from ICT people. It may be true that nothing is impossible, but there are lots of things that are unacceptably expensive. A Windows source code licence is one of them, unless you are a really big company or a government.

Tom Cleary is lead information risk manager for CSC in Perth.