by Deb Radcliff

Part  1  |  Part  2  |  Part 3

A "Getting-started" Policy

The first two parts of this article have shown the depth and complexity of security vulnerabilities and smart phones. Part three of this series presents the policy side of how to prevent attacks, and provides an overview of the history of mobile malware.

It'd be nice if organizations today could have comprehensive smart phone use policies in place and the power to enforce them, says Nick Ianelli, mobile security analyst for U.S. CERT.

"On company-issued phones, it'd be great to say, "No gaming," and "No software installs without the authorization of IT, and turn off Bluetooth except when synching,"" he explains.

It'd also be good to remotely check patch level and security software running on the device at the time of VPN connection or PC synchronization. But, we're at least a year away from standards-based vendor products delivering this level of automation. So, in the meantime, start small, say experts. They offer the following advice¹:

• Take a survey. Find out who's using smart phones for what type of business. Then, make a risk assessment of those applications and the data stored in them.
• Start an awareness campaign. Educate your power users about the value of their business data, and what would happen if it were stolen or rendered inaccessible by a mobile virus. Educate all users about the dangers posed to their personal information and how they shouldn't believe what they see on their devices, just like on their PCs.
• Don't just tell them. Show them. Make them hands-on aware of the features in their phones that are risky, and show them how to use them securely.
• If you must issue policy around business phone usage, stick only to your power users and what you can control with today's technology. For example, all phones come with remote locking, meaning they can be shut down if they're reported lost or stolen. So that policy should be implemented on any phone containing valuable business, or regulated data.
• Turn on encryption. Although not built to Trusted Platform specifications at this time, many mobile phone vendors have some type of built-in encryption. Third-party applications are also available. Look for easiest interface, as users will have to interact with their encryption programs.
• Control network connections through VPN access.

Resources

The following comprises a brief history of mobile malware²:

• Spring 2004: Mosquitos, the game infected by a Trojan, sends messages to expensive toll numbers, causing considerable economic loss to its unwitting victims.
• June 15, 2004: Cabir.A, first Symbian worm to replicate through an active  Bluetooth connection, emerges.
• June 16, 2004: Only one day later, Cabir.B makes an appearance, and will continue its spread mainly in China, India, Turkey, Finland, and the Philippines. To this day, this worm continues to hitchhike around the world.
• July 2004: Duts, nicknamed the "polite virus," hits Pocket PCs for the first time and spreads to all .exe files in the directory through infected programs exchanges. When a program hit by Duts is activated, a message appears asking the user permission to proceed: "Dear User, am I allowed to spread?"
• Aug. 2004: Brador appear. This back door creates a copy of itself in the start file on handheld devices and informs the attacker the minute the device is online. The hacker can then connect to the palmtop through the TCP door and covertly control the device.
• Nov. 19, 2004: Skulls.A attacks Symbian-based smartphones, appearing on Web sites that allow users to download shareware applications for the Symbian operating system. If erroneously installed, the Trojan blocks the functioning of applications, allowing the user only to make or receive phone calls.
• Nov. 29, 2004: Skulls.B emerges. As with previous Trojans, this is spread through a file called Icons.SIS, blocking the functioning of the cellular device's applications and allowing the user only to make and receive phone calls, deleting all other functions. Skulls also carries the worm Cabir.B.
• Dec. 9, 2004: Cabir.C, D and E appear.
• Dec. 21, 2004: Skulls.C, Cabir.F and Cabir.G appear.
• Dec. 22, 2004: MGDropper spreads during game installs disguised as the cracked copy of the popular cellular phone game Metal Gear Solid. When launched, MGDropper installs versions of Skulls and Cabir and tries to undermine the security products installed on the phone.
• Dec. 26, 2004: Cabir.H and Cabir.I make an appearance. Both target cellular  phones with a Symbian 60 Series operating system.
• Jan. 11, 2005: Lasco, targeting cellular phones with a Symbian operating system and an active Bluetooth connection, combines viruses and worms and replicates the behavior of the notorious Cabir, searching for other active Bluetooth devices so it can replicate and look for .sis files to infect.
• Feb. 1, 2005: The Locknut.A trojan (also nicknamed Gavino.A and B by some anti-virus companies) aims at phones with a Symbian 7.0 operating system. It's a Symbian SIS Trojan file that substitutes a binary file, blocking the phone and preventing any application from opening. Once hit by Locknut.A, the phone becomes unusable, even for phone calls.
• March 3, 2005: Commwarrior.A starts creating unwanted billing for infected Series 60 users. This virus, however, adds a new layer of sophisticated intelligence, using Bluetooth during daytime for spreading and sending MMS messages at night. To become infected, the user has to accept the installation dialogue; once done, detection is difficult. The global spread of Commwarrior.A has been rapid because of the trust users have with the sender.
• March 18, 2005: Locknut.B installs as a phony patch for Series 60 phones, rendering the operating system unusable by preventing any application to launch. It also contains Cabir V, which spreads through Bluetooth.
• April 4, 2005: Fontal.A, a SIS file Trojan, installs a corrupted font file into an infected device, causing it to fail at the next reboot. Fontal.A also damages the application manager so that it cannot be uninstalled, and no new applications can be installed before the phone is disinfected.
• May 9, 2005: Skulls.K replaces the system applications with non-functional versions, drops SymbOS/Cabir.M worm in to the phone, and disables third-party applications that could be used to disinfect it.
• August 26, 2005: Doomboot.B pretends to be a utility that can be used to reboot a phone, but when a user makes use of this application, Doomboot prevents the phone from booting again.
• Sept. 20, 2005: Cardtrap.A, a malicious SIS file Trojan, tries to disable a large number of system, and third-party applications and installs Windows malware on the phone memory card.
• Oct. 30, 2005: Commwarrior.C installs when a user replies to a new SMS or MMS message by opening a Web page using the phone's browser, then tries to change the logo to "Infected by Conmwarrior" (observed on Nokia 660 phones).

Footnotes

¹Sources: CERT, Kaspersky Labs, Symantec, Yankee Group

²Information provided by F-Secure

--

Deb Radcliff is an award-winning freelance writer, educator and speaker based in Northern California. She's been covering online crime and security ever since working as researcher on a book about infamous hacker, Kevin Mitnick back in 1995.

by Howard Rohm

Reprinted with permission from the Balanced Scorecard Institute.

Part 1   |  Part 2

Phase One: Building A Balanced Scorecard

Phase One: Building The Scorecard, consists of six steps. Step One is an Assessment of the organization's foundations, its core beliefs, market opportunities, competition, financial position, short- and long-term goals, and an understanding of what satisfies customers. Many organizations have completed this basic step, typically as a self-assessment at an off-site workshop for managers and executives. Usually, an organization's strengths, weaknesses, opportunities, and threats are developed, discussed, and documented. There is no need to repeat this "environmental scan" of an organization if the information is available and current, say within the past six months. It is important, however, to ensure that the assumptions that underlie the basis for the organization's existence and its business strategies are still valid and sound.

Other important aspects of the self-assessment step are to choose a champion and the core Balanced Scorecard team, set a schedule for the development steps, secure resource commitments necessary to develop and sustain the scorecard system, and develop a roll-out communications plan to build buy-in and support for the changes that will follow. Communications planning includes internal and external public information activities that will be used to spread the word about the Balanced Scorecard initiative and what it means for managers and all employees.

Step Two is the development of overall Business Strategy. In larger organizations, several overarching strategic themes are developed that contain specific business strategies. Examples of common strategic themes include: Build the Business, Improve Operational Efficiency, and Develop New Products. For public sector organizations, strategic themes might include: Build A Strong Community, Improve Education, Grow the Tax Base, and Meet Citizen Requirements. In addition to describing what the approach is, business strategy, by elimination, identifies what approaches have not been selected. Strategy is a hypothesis of what we think will work and be successful. The remaining steps in the scorecardbuilding phase provide the basis for testing whether our strategies are working, how efficiently they are being executed, and how effective they are in moving the organization forward toward its goals.

Step Three is a decomposition of business strategy into smaller components, called Objectives. Objectives are the basic building blocks of strategy -- the components or activities that make up complete business strategies. Southwest Airlines developed a business strategy to compete successfully in the crowded commercial airline market. The business strategy of Southwest includes the following components: innovation and speed in the redefinition of a marketplace; short-haul, high frequency, point-to-point routing (a significant departure from traditional hub-and-spoke routing); a high proportion of leased aircrafts; a very simple fare structure; and ticketless travel.¹

Mecklenburg County, North Carolina developed a strategy to implement the Board of County Commissioners vision for 2015. The strategy has the following main themes: Growth Management and Environment, Community Health and Safety, Effective and Efficient Government, and Social, Education and Economic Opportunity. Strategic components include: Increased Employee Motivation and Satisfaction, Increased Employee Knowledge, Skills and Abilities, Improved Technology Capacity, Increased Use of Partnerships, Reduced Reliance on Property Taxes, Improved Service Value, Improved Environment, Reduced Crime and Violence, and Reduced Preventable/Communicable Diseases and other Health Problems, among others. ²

The Federal Aviation Administration Logistics Center developed two business strategies: Become Customer Driven and Increase Business. These strategies were then decomposed into actionable goals with specific performance measures (metrics) and targets.³

One of the military commands has developed the following strategic themes to meet its goal of Equipping The Warfighter To Win: Quality Systems Equipment, Expert Life-Cycle Management, Operational Efficiency, and High-Performance Organization. Each theme decomposes into specific objectives that drive performance and can be measured.⁴

Figure 5.  Strategic Mapping

In Step Four, a Strategic Map of the organization's overall business strategy is created. Using cause-effect linkages (if-then logic connections), the components (objectives) of strategy are connected and placed in appropriate scorecard perspective categories. The relationship among strategy components is used to identify the key performance drivers of each strategy that, taken together, chart the path to successful end outcomes as seen through the eyes of customers and business owners. Figure 5, a strategic map for a transactions-based company, shows how an objective (effect) is dependent on another objective (cause), and how, taken together, they form a strategic thread from activities to desired end outcomes.

In Step Five, Performance Measures are developed to track both strategic and operational progress. To develop meaningful performance measures, one has to understand the desired outcomes and the processes that are used to produce outcomes. Desired outcomes are measured from the perspective of internal and external customers, and processes are measured from the perspective of the process owners and the activities needed to meet customer requirements. Relationships among the results we want to achieve and the processes needed to get the results must be fully understood before we can assign meaningful performance measures.

We use the strategic map developed in Step Four, and specifically the objectives, to develop meaningful performance measures for each objective. Thus, we look for the few measures (key performance drivers) that are critical to overall success.

Figure 6. Develop  Results and Process Measures

Figure 6 shows a continuous learning framework for measuring and managing both strategic and operational performance. We put our Performance Measurement stethoscope wherever it is required to get meaningful performance information, whether we want to measure if we are doing the right things, or measure if we are doing things right.

Developing meaningful performance measures (metrics) and the expected levels of performance (targets) is hard work if done correctly, and the development process is fraught with challenges. One challenge is the tendency to hurry and identify many measures, hoping that a few good ones are in the group and will "stick". The problem with this approach is that the value of information generated is limited, and the burden of data collection and reporting can quickly become overwhelming. (One of the worst mistakes I've seen made is for an organization to take measures that already exist, categorize them into four scorecard perspectives, and then announce that the corporate scorecard had been built! These "metric" scorecards are of little value to an organization, as they bear little relationship to strategy, desired results, and the processes needed to produce desired results.)

Another challenge is a tendency to rush to judgment -- not thinking deeply about what measures are important and why. This happens because, usually in response to pressure from a supervisor, we get in a hurry to develop a final set of performance measures ("I need some measures -- just get me some measures!!"). In most strategic plans and scorecard systems I have seen and reviewed, the development of performance measures is not taken very seriously, putting into question the value of the whole strategic and operational effort. Remember, measures are a means to an end, not the end themselves.

We use three different models to get to the measures that matter most. Our goal is to identify the critical business drivers, measure them, and use the information to improve decision-making. ("If it is important to executing good strategy well, and to operating good processes efficiently, measure it -- if it isn't, don't".) The three models are:

The Logic Model -- This model allows us to explore the relationship among four types of performance measures: inputs (what we use to produce value), processes (how we transform inputs into products and services), outputs (what we produce), and outcomes (what we accomplish). This model reinforces the logic of the strategic map by showing the relationship among the activities that produce good outcomes. For public sector organizations, and sometimes for private sector as well, we add another measure category: intermediate outcomes, to capture the important intermediate transformations that take place between what we produce and what we accomplish. This additional step is especially useful when the end outcome is far removed from the outputs produced, or when little control is exercised over the ultimate achievement of the end outcome.

Figure 7. Moving  From Outputs and Activities to Outcomes

As shown in Figure 7, asking a series of "Why" questions will eventually get one to outcomes. The steps required to secure an end outcome usually include several intermediate outcomes. The process works from outcomes to processes also -- just substitute "How" for "Why" in the model above. Start with the outcome and work backwards to the processes that produce the outcome.

Process Flow -- Flow-charting has been around for a long time, and has been a favorite tool of systems engineers and process designers, among others. We apply the technique to build a better scorecard performance system, as flow charting processes helps identify the activities (and measures) that matter most to produce good outcomes. An additional benefit of the technique is that it often identifies places where improvements in efficiency in workflow are needed and possible. And we have found that after applying the model, we usually end up identifying several new initiatives (discussed in Step Six) that can be used to test our strategic hypotheses.

Causal Analysis -- Causal analysis identifies the causes and effects of good performance. We start with the result (the effect) we want to achieve and then identify all the causes that contribute to the desired result. The causal model is most useful for identifying input and process measures that are leading indicators of future results.

It takes more work to develop a few good measures than it does to develop many poor measures. This was reinforced for me when I was training a Balanced Scorecard team in Europe; one of the team members volunteered that his group had 930 separate performance measures. I asked him if he could Outputs identify the strategic measures; after some reflection he said he didn't think that he had any strategic measures. His Performance Measurement report sits on his shelf, unused.

In Step Six, new Initiatives are identified that need to be funded and implemented to ensure that our strategies are successful. Initiatives developed at the end of the scorecard building process are more strategic than if they are developed in the abstract. At one organization I worked with, an improvement team, working outside the framework of a Balanced Scorecard system, identified over 100 new initiatives to pursue. Few of the initiatives were strategic in nature, and after going through the logical framework presented here, the scorecard team identified about a dozen new strategic initiatives that were not on the original list of 100. The team was surprised to have identified any new initiatives at all, given the comprehensive nature of the previous exercise. As in the previous step, be careful to avoid a rush to judgment -- initiatives are means, not ends.

Figure 8. Balanced  Scorecard Logic

Figure 8 shows the logic of scorecard development. Customer requirements drive the way an organization responds with products and services to market opportunities; vision, mission, and values shape the culture of the organization, and lead to a set of strategic goals that outline expected performance; business strategies give us the approach chosen to meet customer needs and attain the desired goals; strategies are made up of building blocks that can be mapped and measured with performance measures; targets give us the expected levels of performance that are desired; and new initiatives provide new information to successfully meet challenges and test strategy assumptions. Resource identification and budget setting complete the process of adding the new initiatives to the current operations to get a total proposed budget for the reporting period.

What does a completed scorecard look like? The presentation of final scorecard results takes a number of different unique forms to support each organization's unique communications and management needs. Most organizations want to see different scorecard views, including: an end outcomes view, a performance measures (metrics) view, a new initiatives view, and a strategic map. Figures 9 to 11 show examples of several different presentations. Note how an organization's vision and mission can be decomposed into strategic components that are actionable, specific and measurable.

Figure 9. Putting  It All Together - Federal Government Logistics Center

Figure 10. Linking  Scorecard Components

Figure 11. Putting  It All Together - Local Government

How long does it take to build a scorecard system? Depending on the size of the organization, two to four months is typical, six weeks is possible. The drivers of "shorter rather than longer" are: senior leadership support and continuous commitment, currency of existing assessment information, size of the organization, availability of scorecard team members, willingness to change and embrace new ideas, level of organization pain that is driving the scorecarding journey, and facilitation support. (At the risk of sounding self-serving, the journey goes faster and smoother when outside expert training and facilitation assistance are used.)

A Balanced Scorecard system provides a basis for executing good strategy well and managing change successfully. Building Balanced Scorecard performance system using the framework described here will cause people to think differently (more strategic) about their organization and their work. For many, this is a refreshing change to "strategic planning as usual". But will also bring change in the way things are done, as new policies and procedures are developed and implemented. For some, these changes can be troubling. The realization is that the Balanced Scorecard journey involves changing hearts and minds at least as much as it involves measuring performance.

In the second installment of this article, in the next issue of Perform  Magazine, we will explore the steps involved in implementing a scorecard performance system throughout the organization, and discuss the implications of using and managing with a Balanced Scorecard.

The Balanced Scorecard Institute is a free information clearing house on Balanced Scorecard issues, concepts, and techniques, and provides training, consulting, and facilitation support to organizations all over the world. You can reach the Institute at: www.balancedscorecard.org.

Howard Rohm can be contacted at hrohm@mindspring.com.

References

Building and Implementing A Balanced Scorecard: Nine Steps to Success, Howard  Rohm

Performance Scorecard Toolkit, Howard Rohm

Performance Drivers, Niles-Gorman Olve, Jan Roy and Magnus Wetter, Wiley

The Strategy-Focused Organization, Robert Kaplan and David Norton, Harvard  Business School Press

The Balanced Scorecard, Robert Kaplan and David Norton, Harvard Business  School Press.

Keeping Score, Mark Graham Brown, Quality Resources

Measuring Performance, Bob Frost, Fairway Press

The Business of Government, Thomas G. Kessler and Patricia Kelley, Management  Concepts

Outsourcing at Southwest Airlines: How America's Leading Firms Use  Outsourcing, Michael F. Corbett & Associates, Ltd.

How To Measure Performance: A Handbook of Techniques and Tools, Performance-Based Management Special Interest Group, U.S. Department of Energy

Various Balanced Scorecard Case Studies, Harvard Business Publishing

End Notes

¹ See Outsourcing at Southwest Airlines, above.

² From Meeklenburg County, North Carolina Managing For Results  Balanced Scorecard.

³ Federal Aviation Administration Logistics Center Strategic  Plan.

⁴ Preliminary material from the U.S. Marine Corps Systems  Command.

--

Howard Rohm is Vice-President of the Balanced Scorecard Institute, president of Howard Rohm Consultants, LLC and an international trainer, consultant, and facilitator. He has over 25 years of government and private industry strategic planning, Balanced Scorecard, Performance Measurement, and information technology experience.

by Harris Kern

Featuring Harris Kern's 10 Commandments

Part 1  |  Part  2

Top IT Issues and Challenges

After studying over 350 Fortune 500 and Global 2000 IT organizations, I've compiled a list of the top issues and challenges plaguing IT executives. No wonder IT is still considered a cost center by their business counterparts. Below are some of the more common issues and challenges in IT:

• How do CXOs lead, educate, and partner with CEOs and the executive  management team?
• How does IT ask the right questions and jointly specify project requirements to prevent business units from throwing project requirements over the transom (often as solutions masquerading as requirements)?
• How do IT executives market and enhance their value to the enterprise?
• How can IT get its business partners to communicate IT's value to the  enterprise?
• How does IT stop purchasing technology for technology's sake?
• How can IT stop the mistrust and develop credibility with the organization?
• How can IT change the mindset of, "IT is for IT's sake" into a  customer-centric culture?
• How does IT jointly develop business cases that can be used to determine  priority?
• IT does a good job of following orders, but how does it change such a  culture to one that has creative solutions?
• Traditional IT strategic planning is a yearly, typically static, and discrete, process. It takes considerable time (often four to six months) to produce a large, static document that details projects and timetables from a technology versus business viewpoint. How do we change this process into one that is more tightly integrated with the business?
• How can IT do a better job of aligning with the business?
• How can IT do a better job of thinking strategically and being more proactive instead of always being in a reactive mode in their production environment?
• What are the minimum, yet sufficient, processes required to build the ideal  IT organization?
• How can IT maintain centralized control for standards, processes, and  architectures?
• Systems are often slam-dunked into production - how can IT ensure a smooth  transition from development to production?
• How can IT become more cost effective?
• How does IT stop "working in silos" to become a team with synergy?
• How can IT be perceived as adaptable rather than bureaucratic?
• How can IT use less related (isolated) communication and develop more key  relationships?
• How can organizations retain IT staff?
• Which IT governance model should be used and how should it be used?
• How can management direct employees well when it is so pressed for time?
• How can management help when an organization restructure has negatively  affected certain individuals
• How can very entrenched mindsets be changed?
• How can barriers that revolve around culture be bridged?
• What can be done when staff is trying to manage their workload, but many are  failing miserably and burnout is widespread?
• How can ownership and accountability of key enterprise-wide processes be  clarified?
• How can IT reduce complexity?
• How can a good balance be achieved between security and privacy?
• How can management empower a staff that is not, or does not, feel empowered?
• How can IT be helped to do more with less?
• How can system management processes be made effective?
• What to do when an annual HR performance appraisal program to evaluate  employees is not effective for IT?
• How can quality of life be improved for IT staff?
• What can be done when lack of patience is common among staff?
• How can management help the IT staff manage their time more effectively?
• What can be done when communication is atrocious between IT and the business; IT and vendors; external service providers; and within IT, especially between Applications Development and Operations Support?
• How can a company fix its IT organizational structure when it is missing a  key function(s) or if it is not properly structured?
• How can day-to-day behaviors be aligned with, or support, organizational  objectives?
• What can a company do when it is faced with replacing or outsourcing  inadequate, under-performing IT operations?
• How can IT develop an effective outsourcing strategy?
• How can IT satisfy rapid ramp-up and/or multi-location infrastructure  requirements?
• How can leading-edge technology and services help IT gain and maintain  market advantage?

These enterprises are bleeding profusely because of many years of procrastination and neglect. Years of merely focusing on new system development and technology have finally taken their toll, and it's costing companies millions. The issues are common and widespread throughout all industries (i.e., telecommunications, manufacturing, entertainment, and media). No one is excluded.

Executives are looking outside their confines for answers, and they're seeking guidance from infrastructure service providers for quick solutions. A word of caution to these executives-do you think these service providers -- many of which came out of the cupboards overnight -- have their act together?

Executives, please heed this warning: If you outsource trash, you will receive twice the trash in return, which of course means, twice as many headaches. You will have to manage two dumpsites. You will still have to deal with your customers, and in addition, with the vendor that stores your trash.

The only way to turn this around is to focus on people, process, and the organization structure as technology. The first step is to define the ideal IT environment.

The Ideal Computing Environment

My definition of the ideal IT environment is one that is  designed to exceed the enterprise's strategic goals while nurturing the  individual to achieve exceptional productivity and job  satisfaction. The follow signs are an indication of such an  environment:

• Educated and committed enterprise executive management
• Complete alignment with business goals and objectives
• Strategic decisions that accommodate a dynamic business environment
• Cost effectiveness
• Common architecture (i.e., processes, tools, standards)
• Staff is productive and has a better quality of life
• Culture encourages honesty, mutual respect, creativity, and job satisfaction

When designing the ideal computing environment, a critical piece of the equation is establishing the right methodologies, or what I refer to as the 10 commandments for building a competitive IT organization. As depicted previously, most of what stands in the way of developing such an organization is not technology related. When designing this environment, the focus should be on:

• People
• Organization structure
• Processes
• Technology

Just as most people abide by a set of commandments in our everyday life, the same holds true for IT staff responsible for establishing a competitive IT organization. The following are guidelines, or what I refer to as the "10 commandments for building a competitive IT organization":

The Ten Commandments

I. Thou shalt focus on the thy people.

The corporate mandate is, "do more with less." In IT, we've been doing more with less for years. Arguably, running the business of IT is more difficult than managing any other business, for several reasons:

• Customer demands for additional services and higher service levels at a  lower cost
• Constantly changing customer requirements; continuous change to keep up with  business requirements
• Rapidly evolving technology
• Rapid ramp-up and/or multi-location infrastructure requirements for  corporate acquisitions
• Constant threat of being outsourced as most executives feel that IT is not a core business competency and/or they perceive that vendors can provide services at a lower cost
• Infrastructures that are complex to design, support, and maintain
• The need to forge compromises between business and technical constraints
• The need to enrich relationships with the business
• Managing ambiguity
• Managing time horizons
• Non-IT executives' difficulty in understanding IT's value
• Politics -- IT is the "undesirable step-child." Most executives have no idea what to expect from their IT team, and do not recognize what it takes to deliver technology solutions to the business
• And finally, the worst catalyst for the past few years, economic downturns  and rising global competition

Physically and mentally, IT professionals are disheveling. IT executives are saying, "We've been lean for years and now my staff is burning out from consistently working 12+ hour days and weekends. What's it going to take to stop the hemorrhaging?" IT executives have invested in implementing key elements to build world-class organizations such as:

• Best practices (i.e., processes, standards)
• The best technology money can buy
• Experienced employees

Management has also gone so far as to invest in a variety of team-building exercises over the past few years in an attempt to promote teamwork and motivate the staff, hoping they would see an increase in productivity and customer satisfaction.

Yet when all is said and done, the staff is still not performing at the level required to provide a satisfactory level of service to their customers. So what's it going to take? Effectively implementing best practices and acquiring the best technology money can buy will help a bit. The traditional ways of dealing with IT staff (i.e., communicating regularly, incentives, challenging people, delegating responsibility) also help, but only a bit; it will not guarantee success. The people issues today require  extraordinary measures.

The key to success within IT is promoting self-discipline so staff can effectively manage their own lives. My vision brings the world of IT and discipline together to properly address the people issues in IT. The goal is to arm IT professionals with the right tools to become more productive, not only in their career, but in their personal life as well. At the end of the day it's all about the people. Staff will need to motivate themselves; yearly or quarterly offsite team-building activities are not the answer. Motivation has to originate from the individual consistently. IT executives need to empower their  staff to acquire discipline to be successful.

The most important ingredient in one's lifetime is discipline; with it you can achieve everything; without, you will struggle to exist.

Yearly Performance Reviews

IT executives should also supplement yearly performance reviews (sponsored by HR) with a program I refer to as People Performance Management. Employees need to establish and monitor goals weekly. Yearly performance reviews are ineffective in IT; a year in IT seems like an eternity!

II. Thou shalt effectively organize to partner and align with the  business.

IT needs to be organized to rapidly respond to the needs of individual business groups. This requires a planning process tightly integrated with each of the business groups and an enterprise-wide vision within which all of these needs can be met. This can only be accomplished by establishing working relationships at individual, and group levels with all business partners.

Business teams, including IT as a "business," work together. Other than enterprise infrastructure, there is no such thing as an IT project. Whether IT is responsible for 10 percent of the tasks or 90 percent of the tasks, IT is merely a member of a business team led by a business project champion. All projects require business unit champions and business project champions.

All members of this business team are scheduled with accountabilities and deliverables, and priorities are determined through jointly developed business cases. All projects are required to build a business case; a technology case is not sufficient. Further, all business cases are required to discuss alignment of objectives with enterprise objectives. IT is inseparable from the business and requires complete alignment with business goals.

"Alignment with the business" needs to be more than a strategic plan or a written set of operating principles. The technology organization needs to be set up in a way that allows business alignment to flow as a natural consequence of the way the job is done.

To flexibly align with the business, IT needs to be able to react both functionally (e.g., deep technical skills) and geographically (e.g., globally, regionally, locally) to business imperatives. The solution is a matrix organization that combines shared services with personnel dedicated to business units at the global, regional, and local levels. This can accommodate any enterprise needs by strengthening or weakening "dotted lines" and/or "standards/guidelines."

The only way to align with the business is to become a part of the business. Dedicated applications development staff, physically sitting with the business, having their operational priorities set by the business, participating in business operations and strategy, and having their budget overseen by the line of business forces technology to be aligned with the business. The key to the matrix is that these groups, for all practical purposes of reporting to the line of business, are reporting on a straight line into technology and on a very strong dotted line to the business. This unit is a part of the business, but ultimately, reports to technology. The management principles to be followed are a strict adherence to joint understanding, with no surprises. The business priority is to discover and prioritize opportunities and needs, while the technology priority is to offer practical solutions. The systems manager in charge of this group must represent IT to the line of business, and must represent the business unit to IT. This position in a matrix organization requires the ability to report to multiple managers and to be an honest advocate for each. Success requires the appropriate personality as well as the appropriate culture. Taking the time to find and train capable systems managers is critical. The organization may be right, but still will not function correctly without the right people in these key positions. And they need to understand the business, the personalities, and the technology without allowing ego into the equation.

The systems manager is the single point of contact between business units and IT, since a many-to-many relationship is counter-productive. All activity is coordinated through the systems manager, who must avoid the trap of becoming a bottleneck. A large part of this role is like that of a traffic cop participating directly only in those activities that require a systems manager's direct involvement. The systems manager has direct control of the business unit's dedicated application development staff and coordinates the business unit's use of shared technology services.

Shared services provide specialty skills that may not have critical mass within each business unit, and need to be managed for the enterprise to leverage skills, obtain economies of scale, and maintain an application architecture. Specialty skills may include database administration, system administration, help desk, and network administration. Shared services are traditionally almost exclusively found in infrastructure or data center groups. Technology as a business partner has now evolved beyond this model of shared services. Personal productivity services are critical, new shared-services organizations that don't report through the data center hierarchy.

Personal productivity services are a group that integrates support personnel and personal productivity applications at the desktop and individual level. It is technology with a human face. It is comprised of the help desk, first- and second-level support, training, and desktop development. Desktop development was created to expose many users to IT value powerfully and directly because of the speed of implementation and the very real and immediate "quality of life" improvement. This very quick response to individual and small group needs repeated for many small groups is an opportunity to add value to the enterprise and at the same time, establish relationships across the organization.

IT has become mission-critical and needs to be managed as a strategic asset. IT is inseparable from the business and requires complete alignment with business goals. Successful IT executives need to consider themselves and convince others to consider them as part of the business, not separate from the business, by managing risks and expectations.

Continue to Part  2.

--

Harris Kern is a renowned American author, publisher, lecturer, and IT consultant, who focuses his considerable talents on simplifying IT -- and making it work. Through the Harris Kern Enterprise Computing Institute (www.harriskern.com), he has developed a powerful resource for building competitive IT organizations. Under the umbrella of the Institute, IT professionals from many of the world's leading companies come together to take advantage of leading edge disciplines and strategies for improving the IT industry.

by Steve Ulfelder

An Executive Guide to Utility Computing -- What it is, what it isn't,  and the kind of results you really can expect

In the May 2003 issue of the Harvard Business Review, Nicholas G. Carr wrote  a provocative article titled "IT Doesn't Matter". As might be expected, it roiled the zone in which business and IT collide; the article immediately spurred counterpoint columns, became the subject of dozens of symposia and launched heated boardroom discussion.

A careful reading of Carr makes it clear that his true argument is not so much that IT doesn't matter, but that it matters so much -- has become such a slab of business bedrock -- that it is actually IT's competitive value that's no longer a potential business differentiator. This is highly arguable itself, of course; some might say that in today's business environment, technology doesn't matter in the same fashion that electricity and running water don't matter.

Which brings us to the concept of expecting technology to behave as electricity and running water do. Those commodities are available anytime they're needed; they stand by invisibly when they're not; the infrastructure that surrounds them is resoundingly reliable; and they are paid for based on consumption.

This "invisible utility" model is the promise of on-demand computing, which also is referred to as flexible computing, grid computing, autonomic computing and a host of other terms. (Editor's note: After studying these terms, we've decided "on-demand computing" is both a good description of the practice and a name commonly used in the industry.

The dizzying variety of names is a symptom of the wider confusion surrounding on-demand computing. The field is growing so quickly and is being "spun" so furiously by vendors, system integrators, analyst firms and other interested parties that business executives seeking to learn about and evaluate it have a difficult time getting a solid footing. "Different suppliers are offering different mixes of [hardware, software and professional services] and using the same buzzword," says Dan Kusnetzky, a research vice president at Framingham, Mass.-based IDC. "Managers are often confused."

IT and business leaders are taking the on-demand computing movement very seriously -- as they should -- but they are also appropriately skeptical, having seen the hype cycle at work before. Murray Horwitz, CIO at Uline Inc., a Waukegan, Ill., shipping supplies company that currently has no plans to adopt an on-demand model, speaks for many technology leaders when he says, "It's a great concept, but I don't know how you implement it, and I think [vendors and enterprises] are going to have trouble figuring out how to cost it." This article's mission is to cut through the hype, language barriers and confusion to present a cleareyed look at on-demand computing -- its genesis, potential, limitations and implications for your business.

Defining On-demand

Here is a simple, if circular, way to define on-demand computing: It is IT functionality on demand. At its heart, on-demand consists of two elements:

To ensure business continuity, enterprises generally possess enough IT resources to meet peak demand. During off-peak hours, a great deal of processing power, bandwidth and storage capability sits unused, contributing nothing while draining electrical power, real estate and human resources.

The driving question behind on-demand computing is compelling: What if businesses could buy fewer of these IT resources, pool them and reliably meet users' needs by pushing the resources wherever they were needed?

Frequently asked questions: Do all these resources come from our own existing IT infrastructure? Or do we let a third party own the computers, so that we simply flip a switch and watch the functionality pour out? Or are we simply reorganizing the IT resources we already own? For the purposes of this article, "on-demand computing" refers to the practice of pooling your existing IT equipment, while "utility computing" refers to buying it from an outside provider.

Refining On-demand

On-demand computing brings a major shift in the way enterprises think about IT challenges. For the past decade or more, the idea was to integrate -- to make disparate software applications work together.With on-demand, IT becomes a set of functions a vailable on the network. "This is an architectural change," says Jason Bloomberg, a senior analyst at Waltham, Mass., research firm ZapThink. "And software architectures have always been very difficult to understand, let alone change."

To devise an on-demand computing architecture, the IT organization must create what's known as an abstraction layer. This is not for the faint of heart; it's a complex, time-consuming process that must begin with an exhaustive inventory of existing IT resources, which, in and of itself, is enough to frighten off many organizations.

Make no mistake, integration doesn't vanish in an on-demand world -- it remains a part of the picture, but it is no longer the final goal. Bloomberg offers one helpful way to think of this transformation. Under the traditional integration view of IT, all that matters about your company's mishmash of computer systems is connecting them. To shift to on-demand, you must change the mishmash into a set of Lego building blocks. Accomplishing this won't solve all your problems -- far from it -- but it's a necessary first step.

The major point to remember is that we are a long way from the day when you  twist the tap and useful computing flows out.

Many executives wonder what on-demand will do to their investment in Web services, which are essentially a way for different software programs to communicate. Most experts say Web services will play a key role in the adoption of on-demand. The reason: The initial technical challenge is to virtualize resources -- to make them behave as if they are something they are physically not -- and it's not a stretch to say that Web services do the same for software applications. Put another way,Web services are a valuable tool in transforming the mishmash into Legos.

A Brief History

Like neckties, technology strategies come back into fashion if you hang on to them long enough. Veterans from the days before CIOs, when IT was the Data Processing department, may recall time-sharing. Developed at MIT during the 1950s, time-sharing became a popular way to access mainframes back when computers were as big as your shag-carpeted rec room and CPU cycles were expensive.

The endless boom of Moore's Law drove down the price of computing horsepower inexorably, and timesharing all but vanished. Then, in the late 1990s, the general idea made a comeback when businesses called application service providers (ASPs) appeared and attempted to rent out software applications (as opposed to actual computer processing). ASPs' pitch was that they could relieve businesses of expensive hardware purchases and IT employee salaries. This promise appealed to many smaller organizations eager to avoid up-front costs. For the most part, large enterprises weren't swayed; they already had a massive IT investment, and they were being urged to view technology as a major competitive differentiator.

Because ASPs tended to be startups, most failed during the Great Nasdaq Meltdown of 2000-2001. That failure sticks in the minds of some e xecutives. Michael McClaskey, CIO at Perot Systems Corp. in Plano, Texas, is bearish when it comes to on-demand computing. "I fear that just as in the ASP bust of a few years ago, users will expect commodity pricing along with significant customization of service," McClaskey says, "and the two cannot coincide in a commercially viable model." While he does not entirely dismiss the concept, McClaskey says Perot Systems won't embrace on-demand anytime soon.

Outsourcing, too, is hardly a new concept, and many of its goals and potential gains mirror those of on-demand: lower fixed costs, improved agility, closer alignment with strategic goals.

In fact, many elements of on-demand computing are already commonplace in enterprise IT. The practice is "to a large extent a financing option," points out Bruce Caldwell, an analyst at Stamford, Conn., research firm Gartner, Inc., and there's certainly nothing new about leasing or renting a server, or paying for only six processors on a 12-processor server with the option to add capacity if needed. Storage is sold by the gigabyte, mainframe power by the MIPS. Even services, such as the help desk, are contracted out and paid for by the trouble-ticket.

What is new, then, about on-demand? Unlike leasing and outsourcing, which are IT-organization-centric, it begins with business users' needs and works backward toward a solution.

Naturally (and rightfully), this is a persuasive argument for business  executives.

What's in it for CIOs?

For CIOs, on-demand's major draw is its ability to allow them to say, "Yes, we can do that," rather than, "Now, hold on a sec." The past decade has seen senior technologists shift from their old gatekeeper role, in which they frequently found themselves explaining why various initiatives couldn't be undertaken, to a new and welcome role as enabler. "Today, the CIO is fundamentally thinking about making IT meet the needs of the business," says ZapThink's Bloomberg. "In the past, most IT groups weren't very good at that.Well, the CIO doesn't want to be the bad guy anymore. In those C-level meetings, he wants to say, 'We have a flexible IT organization that can meet the needs of the business and do it with low risk.'"

According to Gartner's Caldwell, this is the factor that has CIOs from every industry intrigued by on-demand: by cutting up-front investment dramatically and offering variable operating costs, flexibility and scalability, it allows enterprises to "deploy a new system almost overnight, so you see much faster ROI," he says -- and return on investment is one of the maj or goals of enterprise IT today.

The Challenges

Amid all the hype regarding on-demand computing and its offshoots, it pays to take a close look at what the technology cannot do -- by itself, at any rate. For example, while on-demand may help businesses reduce their investment in IT resources, it does little to address the age-old challenge of aligning technology spending with strategic business goals. Because on demand is at its root a way to shift resources from one spot to another, its Achilles' heel is exposed when the following questions are asked:

On-demand computing can be very attractive. But know that, if you do it poorly, you will sometimes be under-provisioned and sometimes over-provisioned. In other words, you'll be no better off than if you had simply stuck with your old-school, overbuilt IT infrastructure. In fact, you'll be worse off, because with the old infrastructure, you were almost never under-provisioned.

The Marketplace

One major reason for the prominence of on-demand is that most of the world's largest technology vendors have embraced it. Hewlett-Packard, IBM, Microsoft and Sun Microsystems have all made significant investments in the initiative.

System integrators, too, are elbowing in. Some analysts say that if on-demand gains favor, the actual practice of system integration loses its starring role in enterprise IT -- which could place system integrators in the uncomfortable position of advising clients to undo much of the work that SIs have been advising them to do for a decade.

But businesses implementing on-demand will face many new challenges, and many will turn to integrators for expertise -- and indeed, much of the knowledge SIs have built around XML-based Web services and other technologies will prove valuable. Thus, according to a recent Summit Strategies report, on-demand is "a double-edged sword" for global SIs -- those firms "will certainly not be shut off from all this emerging technology," the report says, but they are "unlikely to reap huge revenue gains" from on-demand.

IT veterans have watched plenty of Next Big Things fizzle. In a recent IT World survey, 25 percent of all respondents called on-demand a smoke-and-mirrors technology. Uline CIO Horwitz says, "On-demand will never be as cost-effective as buying the correct size hardware and planning for peak loads. It is a great concept and could solve many issues. But most of the time as a CIO, you need to be in control of the hardware environment, and this does not lend itself to that."

Colin Rankine, an analyst at Cambridge, Mass.-based Forrester Research, is another skeptic -- from a value standpoint. "The pay-per-use model is intuitively appealing, but the reality is that technical and licensing issues don't allow effective resource-sharing," Rankine says. "For enterprise data centers, it's a zero-sum game; the risk and metering overhead cancel out any savings."

For most, merely evaluating on-demand is a challenge today, what with the rapid change and unsettled terminology that prevail in the field. However, it's a challenge

worth addressing, as on-demand may be the most significant shift in IT thinking to arise in the past 20 years.