Monday, October 31, 2005
Enterprise Architecture and Insulting Firms
Here is an interesting article in CFO Magazine of one firm who consults on ERP systems but couldn't get their own ERP system stable...
I have always had the utmost respect for one consulting firm: McKinsey, having worked with many folks from this firm during the dot-com days on Wingspan Bank. I remember talking to one of the partners in a discussion about work/life balance, which kinda seemed non-existent. He did mention that you can pick one of the four: Function, Geography, Industry and People. Would love to know if others in the blogosphere know of any ex-McKinsey folks with technical backgrounds that would love to work for a large Fortune 100 enterprise?
McKinsey does something special not done elsewhere. They thrive on the intellectual capital of their people. They do so by making folks feel connected. They have a very strong alumni network, so that even when one leaves the firm, they are still part of it. Maybe in all reality, this is what enterprise architecture should be all about. Imagine an enterprise where folks leverage each other's knowledge...
Many enterprises are struggling with the notion of intellectual property and don't really know how to capitalize on the smarts of the folks within the walls. Maybe they would be well-served by having their enterprise architects read the latest Economist magazine and the article entitled: A market for ideas.
In my travels, I have noticed that enterprises that truly understand enterprise architecture seem to eschew outsourcing. Maybe they realize that cost savings can never be truly obtained by turning over the keys to folks in other countries and the real work requires coming up with real strategies done by your own employees.
Sunday, October 30, 2005
Enterprise Architecture: Mistakes Made in Outsourcing to India
The key focus is on lessons learned from the past and not blindly adopting CMMi in order to align with abstract concepts such as CMM pushed by outsourcing firms.
Saturday, October 29, 2005
Enterprise perspectives on SOA
SOA isn't about ESBs or some other marketing ploy used to convince executives that they are behind the times if they don't listen to the message. Curious to find why no one ever talks about the notion of business architecture and how SOA should be aligned to it? Many vendors create technical reference implementations but none of them have even made the attempt at creating a business reference implementation.
IBM has the potential to show leadership in this regard as they have core knowledge about many industry verticals from their learnings on San Francisco. Within the insurance vertical, they have the IIA framework that is a great starting point for creating business oriented reference implementations.
Many insulting firms have been savage in incorporating the word SOA into their marketing material without developing a true understanding of the problem at hand. Enterprises are game to get a "strategy" without figuring out reasons others have failed. Simply, SOA done without organizational change is just plain dumb. The success or failure of SOA is directly correlated to the ratio of intelligence to stupidity. At least one blogger has acknowledged that blame for SOA failures should be placed on stupid people.
SOA attempts to solve for interoperability but only focuses on technical interoperability. How about management insulting firms, as part of "strategy", making recommendations on how to fix the organization chart within large enterprises? I can tell you that one guy who gets it is Sam Lowe, Chief Enterprise Architect of Cap Gemini, who has a great entry on the real issues making or breaking enterprise SOAs.
I suspect that CapGemini is capable of creating real strategies around SOAs in that they not only address the organizational issues with their clients but also within their own walls. I suspect they don't have a lot of kindergartners doing "strategy" and backing up the bus. Their strategy seems to eschew having "analysts" who may at best have five years of experience in IT and instead prefer folks who have done real work and gained real experience provide consultative advice.
Speaking of "analysts", maybe the second fatal mistake realized by enterprises is asking the vast majority of them for guidance. In my humble opinion, the folks over at ZapThink and Burton Group seem to get it, but the rest should be simply ignored by corporate America. Of course, Burton Group is more politically correct than myself, but you should check out the three major impediments to SOA...
Another problem with SOA where the dots haven't yet been connected is the notion of identity. Craig Burton is starting a good conversation on the problem here. Collectively, we all need to connect the dots...
Friday, October 28, 2005
Industry Analysts and Enterprise Architects
Many analyst firms have structured their model around this fact and have changed their approach to pursue software vendors who have big marketing budgets, who in turn use the research in their marketing efforts as collateral material to large enterprises such as the one I work for. Analyst firms that use this particular style and the software vendors who give them tons of money haven't yet come to the realization that us folks in corporate America have now caught on to the game and may in the future not only consider this form of research worthless but may start doing the research we desire ourselves.
The main problem with this form of research is that enterprises need access to ideas and the best thinking. They need thoughts on game-changing plays, not just who happens to be willing to pay for briefings. Pretty much every enterprise architect I know of in other Fortune 100 enterprises has on their radar the notion of open source software, which in the charge-the-software-vendor model simply never seems to show up.
In another conversation with Bloor Research, they mentioned that the problem with most open source projects is that these projects don't do marketing. The real problem is slightly different in that if industry analysts, when covering open source, only cover open source that is created by large software vendors and not the stuff that is truly useful, then their research is discredited.
I publicly state that the vast majority of open source projects that are truly useful to our own enterprise are not developed by traditional software vendors who embrace open source but by folks in small software companies who don't have the money to pay for marketing and our peers in other enterprises who create valuable software for themselves.
One enterprise I have the utmost respect for is Duke Energy. Their core business is not selling software but selling energy yet they have created valuable software for others to use. I encourage folks to check out their .NET framework for software development. If I were to listen to the advice of analysts, I guess Duke should start marketing something they wanted to simply be a good citizen for?
Duke isn't the only company that is delivering valuable software to the community using open source. In fact, there are dozens more large enterprises that not only use open source software but contribute. Wonder if we could get analysts to start telling a more interesting story?
Some of the open source projects that my peers have used and contribute to at work include projects such as Liferay Enterprise Portal, Virtual Token Descriptors (VTD) and OSWorkflow.
If analysts want to sell folks like me on buying their research, they will need to start telling the whole story which includes open source projects. They need to tell the story of enterprises whose business is not software but created valuable working software for others to consume. The secret is out and if analysts want to survive, they will do well by considering this value proposition.
Jumping back to the conversation with Andreas, I was very encouraged by our discussion. He was the first analyst to not simply arrange for a briefing where he wanted to talk to me about marketshare or other things of minimal value in my mind but actually asked me if I knew of innovative companies he should be researching. It was the first time I could give analysts a direction they should head. In thinking about this, maybe every enterprise architect should call up their favorite analyst firm and task them with the goal of not only figuring out alternative open source projects but vendors that are not on the radar!
In the discussion, I have learned that he was also working on a research report in the spirit of open source industry analysis that will be licensed under the creative commons model. The folks over at RedMonk were the first to do this with their groundbreaking research on Compliance Oriented Architectures. I wonder if James Governor has realized the effect of his own thinking not only on his clients but on enterprises such as the one I work for. He has started something magical.
We know that RedMonk gets open source, we now know that Nemertes gets open source, curious which analyst firm will be third...
Wednesday, October 26, 2005
Why enterprises should reconsider using XML...
I wonder what would happen to all the enterprises who use XML if they decided to pull a move like SCO...
More details here.
My hypothesis states that many of the outsourcing firms in the United States that are India based also discriminate. Sure, many of them may have a figurehead that is from another country, but I defy anyone reading this blog to supply hiring statistics of any of these firms and the number of folks they hire that are Black, Hispanic, Native American, etc. If the number of minorities working for outsourcing firms is below the national average, would a reasonable person conclude this feels an awful lot like discrimination?
The Civil Rights Act of 1991 provides relief in terms of real fines for those who openly discriminate. For all of those Americans who lost their jobs to an outsourcing firm, maybe they can't get their job back, but they can level the playing field by pursuing this approach. Maybe these firms should read the EEOC poster several times.
I wonder if those in corporate America who hire outsourcing firms that practice EEOC but don't require it of their outsourcing partners may also be guilty? The EEOC is in charge of administrative and judicial enforcement of the federal civil rights laws and providing compliance education. I wonder what the legal exposure is to enterprises in this fashion? Maybe a lawyer could blog a response.
Other bloggers in the blogosphere have jumped all over Iraq's constitution because it will forever forbid gay marriage but haven't done the same for countries we are friendly with such as India, China, The Philippines and so on. I wonder if folks that support this issue are hypocritical? Here is an interesting link to this subject.
Next week, I will blog about the persecution of Christians in India along with some facts that may change one's perspective. In closing I leave you with an interesting article entitled: India charges Finnish tourist for bathing naked.
Tuesday, October 25, 2005
Corruption will lead to India's downfall
Here is a link to the full story!
Monday, October 24, 2005
The correct way to think about identity...
There are two bloggers on identity management that I read with passion. First, there is Archie Reed of HP and the second would be Kim Cameron of Microsoft. Sadly, both are having the wrong conversations when it comes to identity. The perspective they share is from the viewpoint of the consumer when the conversation from the perspective of the corporation is more interesting.
For example, due to laws such as Sarbanes Oxley a manager needs to attest on a periodic basis that all of their direct reports have access to the systems they need while not having access to the systems they don't. While this appears as a somewhat simple statement, when dissected it becomes more difficult. Imagine working in a large enterprise where there are 200,000 employees. Wouldn't it be useful to record centrally the notion of attestation? Wouldn't it be useful in a court of law when the government comes with their subpoenas that this recording was digitally signed? Makes me wonder if Archie and Kim ever had the opportunity to talk to the folks at Accenture, PWC and Deloitte about certifying identity?
Even if you were to ignore corporate environments for a moment, the conversation is still flawed. Users don't pick a digital identity solution. Nowadays with large enterprises preferring to buy systems over building systems in-house, they don't pick a digital identity solution either. In the real world, identity is analogous to plumbing in that it simply is embedded into a larger context.
When one buys a house, they specify things like color of paint on the walls, siding and carpet but usually don't have much say in the color of the pipe of their plumbing. Identity is plumbing. Users don't demand plumbing and users don't demand identity in the sense they blog about it.
Others within the blogosphere are now talking about Sxip and Identity 2.0, which will repeat mistakes already made. As an architect and advocate of open source wherever possible, they did good here by making it open. Likewise, they have done an equally good job of solving for various system qualities (i.e. availability, scalability, performance, etc.) and have even done wonderfully in advocating various standards around it. But they failed on two important aspects...
First, they didn't define how Sxip will interoperate with other identity implementations. After all, we can't believe that there will be a single uber-identity? Do we really have faith in corporate America and their ability to adopt the same identity proposed by this standard such that there is one?
Interoperability is key to the success or failure of an approach. Sxip if done correctly should interoperate with identity approaches used in corporate America today including Kerberos, Active Directory and so on. The one pet peeve that torques me is when open products don't interoperate with other open products. How about making it interoperate with OpenSAML?
Kim Cameron has done a wonderful job of coming up with a metasystem whitepaper, but he too is leading us in a direction that is not ideal. Reference architectures need reference implementations. I really hope that Kim will push his bosses to create an open source reference implementation of the identity metasystem, otherwise I would encourage others to run in the opposite direction. Sxip did get this right.
Some within the community will argue whether the approach used by Sxip is really standards based in that it wasn't run through a standards body. My own thinking in this matter is they did the right thing. The vast majority of standards bodies are filled with vendors looking for standards as an advanced form of branding. Standards bodies themselves need to invite end users to participate and ratify standards and stop being insular.
Anyway, I hope that Kim Cameron has thought about making Sxip interoperable with the identity metasystem he is proposing. Inquiring minds would love to know...
India and Racism
When one looks at firms such as Infosys and their employees, a vast majority of them tend to be of higher castes. Of course, many will tell you that caste based hiring no longer occurs but statistics show a different picture than the rhetoric.
Americans who grew up in the 80s and 90s are keenly aware of the notion of equal opportunity and understand it is simply wrong to hire (or not hire) based on the nationality, religion, gender or ethnic origin of a person. In fact, American corporations have taken deliberate steps to not only put an end to discrimination but to also encourage diversity. Too bad the Indian government hasn't encouraged diversity at all levels.
Sometimes folks from India who come to America forget or simply are not aware that they too should practice diverse hiring and not just people from their own countries. I was reminiscing with a friend who was born in India about an experience I had in the days after September 11th.
I visited the local market down the street from work to buy halal meat. The shop was owned by a person from Somalia and is located in a minority community comprised of black and hispanic people. Several street people approached me in conversation while I was in the shop telling me that I should avoid buying pizza from the guy next door because he was down with Bin Laden (He wears a turban and was a Sikh). They also told me that they would put him out of business. Not wanting to put my own health in harm's way, I didn't bother to educate them to the real facts and let them think whatever they wanted and for this I admit my guilt.
Anyway, as months passed the pizza shop owned by the guy from India was ultimately closed. In a location a couple of doors down, another Indian person opened a fried chicken store prior to it closing and is still wildly successful. Being somewhat puzzled, I asked myself the reason why one was successful while the other one wasn't and the answer suddenly appeared.
The Indian owner of the pizza shop thought it was sufficient that he simply could work hard and take money from the community without giving back. He only hired people from his country. Compare and contrast the Indian owner who opened the fried chicken store had hired people from the community that were of different ethnic descent and was successful.
In other words, he understood the importance of diversity. He knew that if he created jobs from those in the community, they in turn would show him not only respect but reward him with business. I wonder how many other folks from India will stop hiring only others from their own country and start practicing diversity?
Maybe diversity will not be a choice in India. Imagine what would happen if American companies started to enforce the same rules and guidelines they practice in America on their outsourcing partners? Imagine how much better India would be if a new generation understood that discrimination no matter what the reason is wrong...
Sunday, October 23, 2005
Industry Conferences and Industry Analysts
In the blogosphere it is typical practice for folks to blog their experiences at industry conferences. I am no different. As usual, the vast majority of speakers are either from the industry analyst community or the vendor community and are infamous for presenting thinly veiled sales presentations chock-a-block with eye candy but lacking any substance. I can finally say that I was pleasantly surprised in attending the Information Security Conference put out by TechTarget. While it had the analysts doing their industry voodoo and vendors pitching their wares, it also had some decent presentations by end customers, something that is rarely seen at other conferences.
Within the information security space, it seems as if folks are still struggling with getting spam under control, patch management and other kindergartner level information security topics. With the recent attacks that are in the media, I was disappointed in that no one was talking about security that happens at the application level. There were no presentations on identity management, federated identity or a topic near to my heart on writing secure code. For the most part everyone is still talking about security at the infrastructure level. No wonder most enterprises when breached end up in the media. No pity on them...
As far as my conversation with industry analysts, it all started with a conversation I should have had with a prominent industry analyst that didn't occur. Awhile back, I came across a report on enterprise portal software and noticed that it did not contain any mention of open source portal offerings. Within the same time period, I ran across a wonderful open source portal: Liferay, that was more scalable than anything on the planet and was validated to be more secure by an independent third party. As I started to learn more about Liferay, I also learned that it was used by several prominent Fortune 100 enterprises. Was curious why the analysts weren't talking about it.
The conversations with analysts brought me to a conclusion that I never really thought about in the past. I used to contribute to a variety of open source projects, but there are tons of folks on the planet to do this. My real calling is in my own ability to speak about corporate usage of open source. Since I am employed by a Fortune 100 enterprise, I could start talking about not only open source in terms of the software we use, but our mindset in what we will adopt and what we won't. I asked myself what would happen if I started to think of myself as a vendor giving a briefing to an industry analyst on the products we use; would they then consider putting them into their quadrants...
Only time will tell if analysts will start covering open source projects not created by just large software vendors who are simply dumping stuff into the marketplace but will tell the story of those who simply want to create useful software with no profit motive. Maybe there is an analyst that would not only talk about using open source software but contributing to it. Maybe they would tell the story in better detail of my own experiences or even the experiences of others. As a purchaser of analyst research, I feel it is important that analysts cover multiple perspectives including paid and open source software. Maybe they will tell the story of the folks at Duke Energy and their contribution of the DUKE .NET development framework to open source.
Anyway, in concluding today's entry I encourage all folks in corporate America to read a great blog entry by Bill Burnham entitled: Conflicts and Cash: Industry Analysts and Start-ups. It is eye-opening...
Saturday, October 22, 2005
The art of becoming a Hit Slut
Bet you didn't know that the vast majority of hit slut bloggers hang out on a blogging site known as ITToolbox? On this site you will find respected bloggers such as Dave Taylor who has his own blog but tends to also post here. Bet you don't know the reason why? You will notice at the bottom of all his postings a disclaimer regarding republished with permission. Is it because ITToolbox will claim all intellectual property of folks who blog there? Is it because the motive for blogging here is to draw traffic to a blog one personally controls?
Other popular bloggers here such as SecurityMonkey talk about ethics yet choose to remain anonymous. Why would someone hide their identity?
Other bloggers such as George Eby Mathew, Sumit Malhotra, Indranil Mukherjee, Sandilya Venkatesh all seem to have positive things to say about outsourcing but never seemed to present a balanced perspective on the topic. Have you ever seen their outsourcing posts even for a second acknowledge that outsourcing can fail? Have you ever seen them quote any statistics on the number of failed outsourcing projects? Have you ever seen them provide insight into best practices on what to do when outsourcing fails and a Fortune enterprise wants to bring it back in-house? I believe that these individuals know more than they are willing to share on this subject but have other motivations in not engaging the community in honest dialog on this topic.
The primary reason for all of the conversations here is not because of anything said to date, but rather the fact that none of these folks ever mention that they are paid hit sluts. Don't get me wrong, it's OK to be paid by ITToolbox to blog, but wouldn't ethics dictate that this occurs? Bet you didn't know that ITToolbox doesn't pay per article or similar practices used within the media. They compensate bloggers (aka authors) based solely on the amount of traffic they generate, ultimately turning them into hit sluts.
Sadly, I used to be a hit slut myself and loved the fact that I got a check from ITToolbox every month for $200 which I used to donate to my favorite charities. But an awakening occurred. I was the number two blogger on ITToolbox in June but never received the final check.
When I first started blogging with ITToolbox, I remember emailing Tim Ribich of ITToolbox asking him if he would contribute my payments for October through January directly to specified charities so that I could ensure that 100% of the contribution made it to a worthy cause such that Uncle Sam didn't require me to deduct income taxes from it. He indicated this would be taken care of. Over the next couple of months, I learned that this wasn't taken care of and started receiving abstract email messages.
When I blogged on this particular issue, I also noticed that my blog postings would mysteriously be moderated. Moderation is OK in situations where folks are breaking the law, but I was simply encouraging others to contribute to charity and talking about my own blogging experiences. This awakening caused me to realize that I too was a hit slut and needed to not only practice ethical blogging but encourage others to do so as well. Anyway, I suspect that if any ITToolbox bloggers even consider for a second responding to this blog, their own postings too will become moderated.
The only thing I can hope for is that readers of ITToolbox will start demanding ethical practices not only of the bloggers there but the blog host as well. Readers of blogs have a choice and will leave it up to society to conclude what is right and what is wrong...
Friday, October 21, 2005
Curious if Jon Udell, Archie Reed and Kim Cameron have read them?
Sunday, October 16, 2005
Outstanding Questions on Mobile Data Security
1. Anyone aware of open source disk encryption software that works with Windows XP? The only project I have run across is TrueCrypt.
2. GNU folks have created a replacement for PGP named GnuPG. Curious if any third party that specializes in cryptography has certified this project?
3. Would love to also learn about open source equivalents that allow for securing USB, FireWire, etc. for Windows XP.