Wednesday, October 31, 2007
Enterprise Architecture: Conversations vs Presentation
In order to untangle the usage of these two distinct words, it is important to understand the distinction between them. A conversation aims to achieve a flow of meaning, as compared with breaking down one side of an argument (a debate): having diverse opinions, yet still getting along. A presentation is more about getting everyone on the same page and discouraging diverse opinions.
Tuesday, October 30, 2007
Enterprise Architecture and Process Justification
Not a week goes by when I don't have a reason to be in Home Depot. Yesterday, I had to run in and get bulbs for the kitchen when I ran across a process weenie from my past who was talking about leveraging the experience of their Indian outsourcing partner and their love of CMM. Since we were in the lumber aisle, I gradually moved away from those nice sturdy 2x4s.
The benefit of formal process models is the sharing of information about things that work, and things that don't work. Everyone who decides to "buy in" to a process needs to accept the responsibility of evaluating that process in relation to their own work. It's certainly true that following the rules of a formal process without understanding it or thinking about it can lead to bad outcomes.
Besides, everything has a process. It just doesn't need to be a heavy process, fully described by methodologists. In India, the ability to scale revenues by leveraging a large population requires the use of process as a substitute for competence, but in America, where we have an age problem, it is better to prefer something more lightweight...
Enterprise Architecture: Indian Outsourcing and Paying Dues
Enterprise Architecture is most frequently discussed in the context of process and all the wonderful comprehensive documentation that emerges but is almost never used. What if we were instead to think about Enterprise Architecture where those practicing it adopted the notion of stewardship?
I suspect you will find that when you outsource the maintenance of your critical enterprise applications, the functionality that the business desires is implemented, albeit more slowly than with onshore delivery. You may also find that system qualities such as scalability, defects per line of code and so on are rapidly changing for the worse. Luckily, most Enterprise Architects don't have enough technical savvy to measure this, and therefore folks in India are safe for now.
I wonder why folks no longer think about the notion of paying dues: the process of doing actual work and thereby gaining actual experience. It provides an opportunity for a newcomer (most folks in India) to demonstrate the competence and work habits necessary to be accepted by the old-timers (the analogy is to the dues one pays to be a member of a club).
The phrase is also sometimes said of a certain obligatory suffering in connection with some endeavor. For programmers, this is the business of actually writing application code and seeing it through to implementation. The suffering part could be said to be that period of time one spends as a maintenance coder supporting other people's code. The expected result is the accrual of a certain wisdom and perspective with regard to the design and execution of software engineering projects.
I wonder how many Enterprise Architects continue to discriminate against Americans, in that they demand ten years of experience yet don't put the same constraints on their Indian counterparts...
Monday, October 29, 2007
Links for 2007-10-29
Laurence Hart once again provides a solid perspective on ECM Standards. I wonder why Documentum bloggers aren't part of the conversation?
The folks who oversee Linux need to go out and purchase copies of Ounce Labs and Fortify before they lose the battle to Microsoft.
Americans and the Environment
At some level, Americans have outsourced the destruction of land to far away places such as India and China, where the poor will do anything, regardless of moral conscience, in order to make a living. Indian outsourcing is driven by the mental model that we shall eliminate all tasks which can be commoditized so that we can focus on higher value work.
George Alexander left an interesting comment in my blog that is worthy of analysis:
Why do I love folks who throw stones from glass houses? Maybe you are unaware that during the industrial revolution, the now-developed countries were polluting the most so that their economies would be developed.
- Maybe you forgot to mention that America has never ratified the Kyoto protocol which gears toward a cleaner environment. Not surprising since we all know that if it does, its own economy would suffer a lot.
- Maybe you can also mention that Americans are the biggest gas guzzlers in the world (forget the fact that the rest of the world sees America killing for oil) and publicize through your blog that the 2 million gallons busted folks taking their trucks for joy rides can help the environment.
- Oh, maybe you can also mention that when it comes to per capita waste your utopian nation wins numero uno. A moral lecture on pollution control for the rest of the world from a country with the highest amount of per capita waste...
Boston Red Sox and the World Series
Links for 2007-10-29
I wonder if Jason Yip understands that there is a better chance of solving world peace than of this happening in large enterprises.
Another blogger who got it twisted in thinking that folks in Fortune enterprises don't actually ask their vendors to write secure code. Maybe the issue is that vendors don't want others to know that we are asking? After all, it may require them to actually fix something with current versions vs focusing on creation of new insecure products we don't actually need.
I wonder if lovers of Israel will amplify this story or instead prefer to exercise their right to remain silent?
I wonder if Vinnie Mirchandani will ask folks at Oracle to rename their conference to Oracle Not-So-Open-in-reality-lovers-of-closed-everything World.
Below is a funny video for folks who love to use PowerPoint in presentations...
Sunday, October 28, 2007
CardSpace and Relying Parties
It is wonderful that Kim Cameron and Ashish Jain talk about relying parties from a language perspective, where Java, Ruby, C and other languages are supported and only Smalltalk seems to be missing, but they never talk about it in terms of how relying party support should be incorporated into products.
I wonder what would happen if Nishant Kaushik talked about how relying party support needs to be built into Oracle CoreID, or Craig Randall shared his thoughts on using Information Cards with Documentum, and so on. Web Access Management products from the likes of IBM and CA should incorporate it. Likewise, shouldn't BPM products such as Intalio, Pega and Lombardi Software also support it?
Saturday, October 27, 2007
How Industry Analysts weaken Enterprise Security...
Bob Blakley, Dan Blum, James Governor, Gerry Gebel and others do a wonderful job of covering the potentials of identity and how it is game changing but the discussion almost always leads to a discussion around products and not the problems that are left unsolved.
Consider the simple fact that The Burton Group and Gartner have pretty good coverage of products that support XACML. They have provided coverage of all of the vendors that provide Policy Administration Points from vendors such as BEA, Securent, Jericho Systems, Oracle, Sun and so on. They will figure out if these products are interoperable yet won't tell you what is missing.
If you aren't guilty of practicing management by magazine and realize that you need to do your own analysis, it becomes apparent that XACML needs to be implemented within enterprise applications such as BPM, CRM, ECM and so on. Have you ever observed Alan Pelz-Sharpe or Bruce Silver ask Documentum, Hyperion, Stellent, Nuxeo, Intalio, Lombardi Software or Alfresco whether they implement this security specification, or any security specification for that matter?
How difficult would it be for Anne Thomas Manes, Nick Gall or others who aren't security focused to understand whether the products they cover are secure?
Alex Fletcher of Entiva asked if industry analysts are doing their part to cover open source which is a great question. I wonder if a better question is whether industry analysts are doing their part to make software more secure?
Friday, October 26, 2007
Links for 2007-10-26
American politicians are following in the footsteps of their Chinese counterparts, allowing their citizens to be used and abused by big business as long as the business keeps on churning.
The use of Maven and ANT in large enterprises is rarely seen. I am of the belief that no one figured out the CIO level
I wonder if this means that folks such as Craig Randall should be more aggressive in thinking about security or should he exercise his right to remain silent on this topic? Maybe he should do lunch with Sean Kline?
Uriel Maimon comments on authentication considerations but avoids the question: even if I know you, do I know what you can do?
This blog entry was more about selling product oriented architectures and most certainly avoided any discussion regarding security oriented architectures.
Quote of the Day: Enterprise Architecture
Thursday, October 25, 2007
Enterprise Architecture: So, exactly what is leadership?
Why is leadership important? Why not just focus on doing your work and running the company and quit worrying about all this leadership stuff?
The answer is actually simple. This is the age of the knowledge worker. Attracting talented people and enabling them to work effectively to fulfill the organization's goals is the single most important activity of today's modern enterprise. Now, more than ever, enterprises need to focus on making profits in a responsible way (I guess this rules out offshoring of IT), and that is best achieved by attracting and retaining good workers.
Most magazines such as InformationWeek and CIO have gotten it twisted in thinking that leadership is about a particular individual with a C-level title. Knowledge workers are now more important than innovative ideas. Let's be honest in acknowledging that the rate of change in business today is not suffering from a lack of innovation, financial assets or physical assets (e.g. factories, raw materials, inventory) but from a lack of the right people in key positions...
Links for 2007-10-25
Jonathan Schwartz of Sun absolutely rocks. He is going to strike back in the form of a lawsuit to those who believe that being free is a bad thing. Hand those folks a good beat down.
Bet you didn't know that today's CPUs can crack passwords eight times faster than they can check passwords?
I would challenge Larry Greenemeier to understand that afraid is not the right word. For example, most enterprises understand that they are seeking analyst insight into problems they face, yet end up with a list of products. Many analyst firms refuse to have enough integrity to help enterprises with their goal, and filter out solutions that may be open source for questionable reasons. Sure, you can rationalize anything, but until enterprises start demanding to see open source projects next to large closed source vendors in reports, rationalization is a trap.
Could someone kidnap Richard Stiennon for giving out bad advice? Maybe what he should be calling out is that security products may not be secure or how enterprises need to procure secure software and start demanding of their vendors that they implement secure coding practices.
You can increase the security of the enterprise by focusing on perception management and getting IT executives to hide out in their offices reading over-distilled high-level information while attackers focus on the details.
I wonder if Adam Shostack has any thoughts on whether PCI is sufficient or whether software vendors need to themselves embrace secure coding.
Architecture by Conversation
I am curious to know if my enterprise architect peers understand that briefings with the vast majority of industry analysts also aren't conversations...
India Travel Plans
City: New Delhi
Accommodation at: THE AMBASSADOR HOTEL (Taj Hotel Group)
Accommodation at: TAJ BLUE DIAMOND (Taj Hotel Group)
Accommodation at: THE CHANCERY PAVILION
Wednesday, October 24, 2007
Closing Thoughts on the Tulsa Tech Fest
It has been a very long time since I could focus on technology alone. Being at the Tulsa Tech Fest reminded me of why I entered IT in the first place. Long past are the days when we actually enjoyed all aspects of our positions; we have traded them for what is supposed to be an improvement, which I now question.
When we were first born, we were innocent and debt free. As we get
Sooner or later, we yearn for the elusive work/life balance and let it escape. We fell into the trap of thinking that balance was about the number of hours one works and not whether the work itself is meaningful or enjoyable. We succumb to the smoke and, unlike Bill Clinton, we inhale the fumes, which at first make us nauseous but over time make us feel high, to where we need our fix. We look forward to meeting with our pimp and becoming just like him. We feel that we can sneak some off the top, take a taste and get our cut if we work for him and help distribute the cocaine of IT, which we hide under the banner of globalization. We know that outsourcing isn't good for anyone, yet we brush away our notion of community for the almighty dollar.
Having a conversation, even for one minute of something that isn't the dog and pony show is like methadone. You can see the light at the end of the tunnel but wonder if you are strong enough to take the first step. The journey is long and as you progress, you realize that others around you are caught in the same trap and also are struggling. You find that globalization is a lie and that in order to survive, you must become part of a community.
Discussions of technology shouldn't be distant memories where we become savage in the pursuit of soft skills and perception management. More importantly, we have allowed perception management to distort reality where we become savage to each other.
On the long flight back, I thought about my two sons and wondered if I should encourage them to follow in my path. By many measures used in today's society, I am successful, at least if materialism is important to you. But what if I measured myself using the metrics of the past, where piety, community and constitution were more important than perception, financial measures and alignment?
Have you heard of the necronomicon? I wonder if I am one of the hidden names? I do know that my past definition of community was distorted and that for the first time at the Tulsa Tech Fest, I finally understand the true meaning of community...
Why PCI will accelerate the loss of personal data...
In the case of PCI what is ultimately being protected is a credit card number, and the $50 in liability an individual stands to lose if there is a breach. PCI doesn't cover all of the other data that users probably really care about, the data that can be used to get credit in their name, their purchase histories, privacy, etc. In that sense PCI has always been about protecting the VISA brand and financial institutions from fraudulent transactions. It wasn't ever about protecting customers. Sure it had a bit of knock-on effect in that companies that implemented security controls to achieve PCI certification were probably doing a good job, but there is pretty clear evidence that people that didn't have enough security *before* PCI didn't have it after. This isn't to argue against public policy that requires security controls, but simply that PCI was never going to be the way to achieve that. California SB1386 has probably done more in this area than anything else.
A disturbing trend within the Information Security Profession...
Links for 2007-10-24
I wonder what Gunnar was thinking when he suggested that focusing on the latest firewall features wasn't a good idea and that security requires a shift in mindset? Doesn't he understand that security spending is primarily driven with Management by Magazine and it is not in the best interest of industry analysts nor software vendors to tell the whole truth?
ECM industry analysts in the United States such as Alan Pelz-Sharpe, Nick Patience and others need to spend time providing coverage for this most wonderful product. Folks such as Bex Huff, Laurence Hart and Craig Randall don't have anything to worry about as neither Gartner nor Forrester will show open source products next to their equivalent closed source offerings in quadrants and waves.
I wonder if James Governor of Redmonk is providing his insight on companies in London who are forming an industry organization to develop and share
IT is how modern business does business. IT will tell you whether your good idea is a flyer or whether you're wasting time, but if your IT department can't honestly tell you that you have a sick IT department that needs healing, then you have a different problem...
Why folks in India don't care about poverty...
Indian outsourcing has managed to turn the masses of employees from Wipro, TCS, Infosys, Cognizant and others into selfish, self-centered Americans who are comfortable driving to and from work, focusing on materialism while ignoring the masses who are poor along the way.
Sadly, one and only one individual has chosen to step up while the folks who are of Indian descent within the blogosphere have chosen to exercise their right to remain silent. I commend George Alexander and the comment he left below:
- Let me assist you in doing a little bit so that even if poverty doesn't become history, we can still do our part like Mother Teresa did. Right now I'm out of station on a project assignment and will be here for quite some time, so I can't join you in Bangalore unfortunately, but I'll join you in spirit because I usually do things a little different though the purposes are almost the same. You're an altruist for sure. Take a little time out while you're in Bangalore and deliver those grocery bags (and don't stop with ten, it'll cost you peanuts if you take the purchasing power you have in India) to the following places which I know pretty well:
1. New Life Children's home (200 kids)
2. Accept (takes care of AIDS patients and their kids)
3. Lisa's home (takes care of special children who are orphans).
If you're interested, I could give you the contact addresses of these places so you can go visit them at the least. They're right in the city so it won't be hard to take a rickshaw and visit these places by taking a short time out from your hotel room. Sometimes the biggest way to amplify a cause is by practicing it myself and cutting down on the preaching. Being only human, most of the time, I might tend to end up looking more like a big hypocrite. We can all do our part in small different ways just like you suggested.
For the record, I will make it a point to support the first and third charities but must pass on the second. Being a believer that there is one God to whom all praise is due, I acknowledge that there are absolutely zero point zero ways to catch AIDS if you follow his commandments. As for the other charities, I will move past my commitment of ten bags per location and double it since you made the effort.
Now only if I could get others to help make poverty history...
Tuesday, October 23, 2007
Questions on India and Charity
In the meantime, I am still struggling to figure out who else among the employees of Infosys, TCS, Wipro, Accenture, Cognizant or other Indian outsourcing firms is willing to stand with me and help fight hunger in India. Maybe I could figure out ways that folks in India can help folks in other countries make poverty history. It would make my week if there was just one India based blogger who would donate to Universal Givings, which is listed on my home page. I surely hope I am not alone in this effort...
The Case of Insecure Security Software...
I wonder what would happen if you were to gain access to the source code for the products they evangelize and run it through a static analysis tool that seeks out insecurity: what would it find? Wouldn't you as a customer want to know that these vendors aren't gassing their own heads up and are using independent, objective tools such as Ounce Labs, Fortify, Klocwork or Coverity to review their own code bases?
What would happen if the likes of Dan Blum, Nick Selby, Bob Blakley and Gerry Gebel were to start asking security vendors whether they use secure coding practices? Would we be in a better spot as customers? Don't worry vendors, the industry analysts won't print information that will truly help us customers make informed security decisions...
Where can I hire a top notch Security Project Manager?
Candidates should have the following attributes:
- Ten years of IT experience in a project management capacity leading projects physically in the United States for Fortune 500 enterprises.
- Last project should have been a security-oriented project such as Identity Management, firewalls, upgrade of Active Directory, etc.
- Some familiarity with offshore software development.
- Degrees, PMP certification, etc are NOT important. Passion for doing the right thing is.
- Able to commit to working on a project that is one year in duration in the Hartford CT area.
- Ability to present to large audiences and to create high quality PowerPoint presentations.
- Must be self-motivated, Type A personality.
- Eschewer of the heavyweight processes encouraged by CMM. Believer in lightweight agile methods for software development.
Quote of the Day: October 23rd 2007
Monday, October 22, 2007
Links for 2007-10-22
The Company EA is on Line Two
Jordan commented on my blog regarding the recruitment of enterprise architects in telecommuting capacities. While I held back on the name of the company, I can tell you that this particular enterprise does do lots of telecommuting. They even let many of their employees attend Tulsa Tech Fest. Maybe, the conversation should be around what initiatives should enterprise architects strategize about related to telecommuting. After all, if we can outsource to India, why shouldn't we be allowed to work from home?
IBM, BMC and Oracle and the lack of support for Active Directory
Does it really matter if Microsoft Active Directory isn't 100% standards compliant if 499 of the Fortune 500 have it? Vendors, your customers need out of the box integration and not babbling conversations about what is wrong with your competition...
I wonder if the sacred cow is all those enterprise folks who spend way too much time listening to industry analysts and not actually talking to each other?
Isn't it sad at some level that Enterprise Architects spend way too much time focusing on Powerpoint?
Here is a posting you need to email to others...
Do Audit Firms create Insecurity...
Security is a state of mind, not the exclusive territory of certified professionals. In fact, most real security professionals acknowledge that the notion of remembering best practices and running around with checklists can actually hurt the agenda to becoming secure.
If we can get folks to understand that CISSP is of questionable value and instead figure out how to talk about real issues such as selling information security management to IT executives then we would be in a better place.
Most IT executives have their heads filled with garbage as compliance is the only issue ever raised by most external auditors who likewise encourage template oriented thinking.
Enterprise Architecture and Outsourcing to India
When you aren't permitted to have face-to-face conversations, the amount of comprehensive documentation one writes increases many times over. The problem, though, is that when you start substituting stringent requirements for face-to-face conversation and this so-called maturity habit spreads to others, it has a draining effect in that it kills the ability to hire local talent and build in-house experience.
The savage mindset of pursuing CMM or other metrics around maturity is noble and tends to be driven by the perceived need to hire the best for a job in your company. Likewise, there is a subtle undertone and disinclination to spend time and money training folks on the job, because you can't quantify the investment. Over time this causes folks to become lazy and not want to investigate what role really needs to be performed effectively. At the highest level of immaturity, the enterprise then adopts tendencies to copy other strategies that lead to a repeatable stock approach to the problem.
CMM as encouraged by folks outsourcing to India is somewhat like the tragedy of the commons. A commons, that is, a shared or unowned resource, is used inefficiently (a lake being overfished to exhaustion, for example, or being used as a dump for toxic chemicals) because no one has any incentive to do otherwise. The tragedy of the commons describes a situation as an externality. Economists have long known that externalities can be ameliorated in several ways, including by making the commons a private good ("internalizing the externality") or by governing the externality through collective action (taxation, permits, etc.). Which method is best depends on the situation and often on the ideology of the person doing the analysis; it is known that when there are no transaction costs, privatizing the commons leads to an efficient outcome.
Sunday, October 21, 2007
Quote of the Day: October 21st, 2007
Saturday, October 20, 2007
Day Two: Tulsa Tech Fest
Will PCI suffer the same fate as SoX?
I bet you didn't know that Visa has fined multiple banks to date for not being compliant with PCI, yet they have chosen to exercise their right to remain silent, which has the effect of saying that security is important, but not that important.
The issue at hand is that Visa and similar consortiums are equally cognizant of their brand, and bringing lawsuits against their participants could jeopardize it.
I guess if consumers want security, they need to stop relying on others to do it for them and demand that all corporations implement secure coding practices. Imagine calling up CitiGroup while applying for a credit card and not only asking them whether they lack patriotism and outsource to foreign lands but also ask them to publicly state on their web sites what aspects of PCI have they chosen to ignore?
Now, what would happen if you also did the same for Sovereign, Bank of America and others. Until consumers take a stand, the problem that PCI attempts to solve for will continue...
Day One: Tulsa Tech Fest
It has been a long time since I have had an honest conversation. Whenever I attend IT gatherings, there is some agenda involved where I have to use buzzwords regarding alignment with the business, value, and babble ad infinitum regarding process. The Tulsa Tech Fest is a pleasant antithesis to modern enterprise thinking in that by attending you will have conversations with real folks who genuinely want to make IT better.
Yesterday, I heard a wonderful presentation from the guys from Vidoop, who have a compelling value proposition towards making the complexities of passwords go away. It surprises me that I learned of them not from reading the blogs of industry thought leaders such as James Governor or Bob Blakley but from others. Of course, they are welcome to redeem themselves by researching and blogging on them in the next couple of weeks.
Anyway, not only did they have a compelling technology proposition, they also had a human value proposition as well. They are a local company in Tulsa and are proud that they haven't made mindless humanless decisions to be anti-community by outsourcing to foreign lands and instead realize that the best business model always takes community into consideration.
The event was put on by David Walker, to whom I will dedicate a separate blog entry, but I would like to say that he is one of the most genuine, good natured folks I have met in my travels. The effort of a husband/wife team putting on a conference with 700+ attendees is enormous. It is even more compelling in that he isn't doing it because it is his job or for profit, but because he wants to see the nature of community grow.
The one thing that made me cry is that I realized that while I live in the United States, I rarely interact with Americans. The spiritual feeling of being surrounded by IT folks who are patriotic made me realize that I have been bankrupt, and yet attending this conference made me feel like a millionaire...