12 Jun 2016
“Political leadership is a subtle art in times of plenty. When there are no great crises, there is no public demand for heroic acts. Politics becomes a parlor game, ignored by all but the most devoted citizens, a game practiced most assiduously by those interests–the business associations, trade unions, and single-issue groups–who have a direct stake in the outcome. The game turns on tactics and gestures, on the ability to placate factions, rather than to inspire the masses.”
- Joe Klein, The Natural
02 Jun 2016
Jennifer Pahlka from Code for America has published a pair of essays on IT leadership that anyone thinking about “organizational transformation” should read. They are very high level and a bit lengthy, but are full of good ideas.
In talking about innovation in the second essay, Pahlka has this wonderful section, about the difference between adopting modern development practices and actually innovating.
The problem is that if you want “government technology as good as what we have at home,” you’re going to have to do things like move to the cloud and test prototypes with actual users.
That’s not innovation. That’s just how tech works today.
The practices and tools that result in good digital services vary from organization to organization, to be sure, but there is a lot in common that the private sector, and increasingly the public sector, pretty much agree on as standard.
When we frame these practices as somehow cutting-edge, risky, or non-standard, we do the mission a great disservice.
Sing it! Adopting open source, agile development and cloud technology are not “innovative” any more, they’re just table stakes, the minimum possible ante upon which to build a responsive technology organization.
The other big take-home for me is in the first essay, decomposing the functional roles that are traditionally mushed into a single “CIO” position and pointing out how unlikely they are to match the capabilities of any one person:
- Digital services: the services residents use to engage and do business with the City. This can also include APIs and open data programs, though this is often the domain of the other CIO (the innovation officer.)
- Back office software: Day-to-day core services like email, human resources management, budgeting, fiscal and accounting that all departments rely on.
- Mission IT: The business applications that run the internal processes of departments and agencies. These are often custom, but can now make use of underlying commodity technology.
- Infrastructure: Network and connectivity, hosting and device management.
I tend to break the IT roles into just two pieces, but I think Pahlka makes a strong case for all four. My two pieces are:
- Infrastructural. Email, network, desktop, phones, backup, payroll, finance. All skills that are replicated across every organization in existence, where little domain knowledge is required. With appropriate contracting safeguards, you can outsource all of this stuff.
- Strategic. Business systems unique to your organization and all the facets thereof. Back-end, front-end, user experience, API, etc. The IT tools are common, but the domain knowledge of the data and business processes is unique to your organization. You should own both the technology and the people creating it, for maximum flexibility.
Either way, the idea that the folks who are best at handling one category are also good at handling the other is dangerous.
You no more want your ultra-cautious infra manager (“let’s map out a 4 month plan for that…”) running development than you want a cowboy lead developer making decisions (“deploy!”) that might affect network uptime.
Anyways, go read! Time well spent.
31 May 2016
“Far out in the uncharted backwaters of the unfashionable end of the western spiral arm of the Galaxy lies a small unregarded yellow sun. Orbiting this at a distance of roughly ninety-two million miles is an utterly insignificant little blue green planet whose ape-descended life forms are so amazingly primitive that they still think digital watches are a pretty neat idea.”
- Douglas Adams, HHGTTG
25 May 2016
I like the internet, I use a lot of sites, I don’t fear online shopping or discussion or communication or banking. As a result, I have a pretty healthy footprint of accounts, and I have been finding recently that my brain can no longer keep up.
So I’ve started using a password manager, LastPass, which works just fine.
Once I fully committed to it, the number of passwords managed started a slow and seemingly relentless climb, as over time I returned to all the many sites at which I had been forced to register accounts in the past. As a result, I’ve learned useful things:
- The number of sites I have accounts on is far larger than I thought. I have 40 entries in LastPass already, and I imagine I’m only about 2/3 of the way through adding all the sites I use more than once a year. Of those, easily a dozen are what you might call “important”: banks, brokerages, email, OAuth sources (Twitter, Facebook, Google), etc. Far more sites than I kept separate passwords for!
- The centrality and potential vulnerability of the email account is hard to overstate. For 90% of the accounts I have added, the first step was “reset the password”, since I had forgotten it. (In fact, that was my old access mechanism, since I accessed many sites so rarely.) And “reset” uses access to email as a source of proxy authentication. So, 0wn my email address, 0wn me, entirely. If you haven’t enabled two-factor authentication on your email account yet, you need to, because of this.
Usually, improving security involves things getting more inconvenient but in the case of using a password manager, it has actually been a net improvement. No more time spent trying to remember which of the passwords in my limited brain key-chain I had used for a site. No more reset-password-and-wait for the many sites at which I had no idea what the password was.
LastPass has been very good, and I have only one note/caveat. The password manager works by installing a plug-in into your browser, so if you use multiple browsers (I use both Chrome and Safari regularly) you’ll end up with multiple plugins. The preferences on those plugins are managed separately. Same thing if you use multiple computers (I do, desktop and laptop). Each plugin on each computer has separate preferences.
This is important because the LastPass preferences are, in my opinion, a little loose. Once you provide the master password, by default, the password vault remains unlocked and available until you actually shut down your browser. I can go days without shutting down my browser. So, I changed that preference to a time-out of 15 minutes instead. But I had to change it on every browser and on every computer I owned, which was not intuitive, since the plugin is good about sharing other information to other installs transparently (add a password on one browser, it’s available on all).
So far I’ve been using the free version of LastPass, but as I move into the mobile world I will probably have to buck up for the paid version for support on mobile devices. Given how much it has simplified my life, I won’t begrudge them the dollars.
Bonus paragraph: Isn’t saving all my passwords on a cloud service really dumb? Not so much. The passwords are only ever decrypted locally by the password manager plugin. The cloud just stores a big encrypted lump of passwords, and I have a lot of faith in AES256. However, my security now has one big central point of failure: the master password. But since I only have to remember one master password, I have been able to make it nice and long, so any remote technical attack on my security is unlikely. That just leaves all the other kinds of attack (social engineering, keylogging, device theft, human factors, etc, etc).
24 May 2016
Building enterprise IT projects as “capital investments” is something I consider potentially dangerous, because it lumps IT “assets” along with much more durable and valuable physical assets.
A key question to ask of an “IT asset” is just how valuable and permanent the asset is. In the venture capital world, nothing makes investors happier than hearing that a company is spending their investment dollars creating “intellectual property”. This is an intellectual product that is defensible and ownable: it’s not locked up between some employee’s ears, it’s owned by the company.
In contrast, building “intellectual capital” is a much more risky proposition. Intellectual capital is my stock in trade, it’s what distinguishes me from a random C/C++ programmer: I know some very detailed things about some specific open source projects that would take quite a long time to learn from scratch. It’s valuable capital, but it lives between my ears. It’s mine and mine alone.
Why is this important for enterprise IT projects? Because so much of the value created in IT projects is “intellectual capital”. Staff are assembled by a consultancy and take months and years to learn a business domain and the particular tools for the problem, and the particular code base that is the system itself.
And then when the project is done… they are sent off to the consultancy’s next project. Flush…
Treating enterprise IT projects as capital projects encourages miscategorization all over the place:
- The “system” is perceived as the target of the investment. But the value of the pile of code and hardware rapidly diminishes to zero once the knowledgeable staff are removed. Changes and enhancements that would take the original developers minutes now require days and weeks of staff learning time before they can be attempted.
- The nature of the funding assumes that at some point the system will be “complete”. It will be in “maintenance” mode. Except the budget assigned to maintenance is too low to make any substantial changes in response to unexpected future needs. So when serious new requirements arise, the response is always to start again from scratch. With a new team.
It’s weird that IT projects get this special treatment, because other areas of government are perfectly aware that when staff leave, they carry away the accumulated intellectual capital of years of learning.
The very nature of the outsourced IT relationship has obscured the fact that government is routinely building up very expensive stores of intellectual capital and then sending them on their way only a handful of months or years after they’ve built them.
Maybe it’s time to get back to building systems in house?