Embrace Shadow Tech or Die

‘Shadow Tech‘ – we IT folk do enjoy our cool-sounding names don’t we?

The term Shadow Tech refers to the use of consumer technology by the workforce, usually in a way that is not sanctioned by ‘Corporate IT’.

Generally speaking the IT department does not like the  business to use any technology that they (IT) haven’t selected, procured and learned how to support. The instinct of your average IT team is to declare shadow tech verboten, often citing ‘security’ as the reason.

Today’s shadow tech manifests itself in the form of iOS and Android devices. Our employees have them at home, love them and can see how they will help at work – but the IT team says “No, it’s not safe“.

‘ICT as Denier’ is a dangerous role to adopt. I’ve already written about the battle with pernicious ‘security’ but when it comes to shadow tech the real threat is to the IT department – the threat of irrelevance.

We can illustrate the risk by casting our minds back to Shadow Tech 1.0. Less than 30 years ago the IT Dept. was about number crunching and centralised computing – the mainframe was still king. Then in the late 80s and early 90s the Personal Computer (PC) started appearing in people’s living rooms. “Wow!” the people thought “These PCs are great, I can see how this would really help me with my work.”   

The IT Department said “No – that’s not how we do it – if you want some computing doing come to us and we’ll sort it out for you”. So the business promptly ignored IT and went out and bought PCs.

PCs proliferated on desktops throughout the organisation and a person in each area would often adopt the mantle of ‘the guy who knows about computers’. Within a few years we had mini-IT Departments all over the place, less control at the centre and an uncoordinated ad hoc approach to technology exploitation.

Wind forwards 20 years and many organisations have now managed to wrest control of ICT back to the centre. The PC (laptop) is ubiquitous but that’s OK because it is now approved and controlled by the IT team. Meanwhile, in the data centre, the mainframes have gone and Windows servers hum away contentedly – all is well with the world.

But hark! Here comes Shadow Tech 2.0 the iPhone and iPad started appearing in people’s living rooms. “Wow!” the people thought “These mobile gadgets are great, I can see how this would really help me with my work.”   

The IT Department said “No – that’s not how we do it – they are not safe. If you want some computing doing come to us and we’ll give you a proper computer”. So the business promptly ignored IT and went out and bought iPads.

We know what happens next because we’ve been here before.

(There’s something here that needs exploring around the importance of ‘Institutional Memory‘ in helping us avoid repeating the mistakes of the past – but that’s a post for another day)

Again Corporate ICT loses control – but this time the stakes are far higher. Both the volumes of data and the sensitivity of the data in use are hugely increased compared with 25 years ago. If the end users succeed in bypassing the IT Department then there’s a real risk of a security breach (and near certain compliance problems) – and the users will find a way to use these devices at work because people are clever.

The CIO’s role in this is to act as a trusted advisor to the business. IT should be a door-opener not a gate-keeper. The IT team need to get ahead of the curve and work out how to use these amazing new devices safely. Buy lots of different models and trial different management software then go back to your business users and say “Hey, look – we’ve worked out a way that you can use these things at work.”

But it doesn’t stop there – Shadow Tech 3.0 is already upon us and its name is Software as a Service (SaaS). I am a huge advocate of cloud computing and SaaS and I’ve written about this before. SaaS is so good (easy to use, cheap and easy to deploy) that your users will already by eyeing it/using it. Most SaaS tools require little more than a browser – your users are able to purchase their subscription and be up and running on the new application without IT ever knowing about it. This represents a serious threat to the organisation’s data as it is unlikely that the user will have checked that (e.g.) the data is being stored in the EEC.

The CIO’s job here is not to issue a diktat “Staff must not sign up to cloud based software tools.” rather we need to educate staff as to the risk and request that they run all such proposals past the ICT Governance Team so that they can do the due diligence/legwork around security. Sometimes there will be a genuine reason why a SaaS application should be blocked in the corporate world (e.g. DropBox *shudders*) – but usually this stuff is safe to use.

This is ICT adding value to the organisation and it’s a pointer towards ICT’s new role (the inexorable movement from the management of tin and wires to the management of data and risk).

So, be a door-opener not a gate-keeper because, guess what, Shadow Tech 4.0 will be along any day now…

Door-opener not gate-keeper

 

An Open Letter to Software Suppliers – 13 Ways to Help the Public Sector to the Cloud

Dear Software Supplier,

The public sector is hemorrhaging money.

We all use the same systems, but instead of joining up and sharing we are each deploying identical solutions in isolation.

This is costing us a fortune at a time when (by the way) money’s too tight to mention.

(more on this profligacy here)

A first step to joining things up is to get all this software out of our data centres and in to the cloud.

We’re trying to get to the cloud – we really are – but you’re not making it easy for us. Here are 13 steps you can take to facilitate our journey to the cloud whilst simultaneously making yourselves some money.

1. Be Cloud Ready

This may seem odd coming from a Head of ICT – but we don’t want to have our own IT departments.

We don’t want any tin on-premise. The public sector should not be in the IT business. An analogy – we consume electricity but we don’t run our own power station. We consume data – but we don’t want to run our own data centre – we want Software as a Service (SaaS).

At my local authority we’ve had a ‘cloud first’ policy since 2007. Every time we buy an application or renew a contract we try to get the vendor to host it for us. This is harder to do than you might think.

More often than not the question “Will you host it for us?” is greeted by the exchange of bemused/panicky looks between the vendor’s sales folk.

“Um, we could install some servers in your data centre and then look after it remotely?” Noooooooooo!

Vendors need to understand that, within a year or two, if you can’t deliver your application as SaaS then we are not buying it.

Vendors should be cloud ready – we shouldn’t have to start from scratch every time. I want you to spin up my instance of your application at the touch of a button. So you’ll need to…

2. Invest Upfront in the Platform

You need to have your infrastructure built and ready to go before you enter pre-sales.

Regardless of whether the servers are in your own data centre or Rackspace’s – they should be humming away before we sign the contract.

The tin is not the customer’s problem.

3. Avoid Short-termism (understand our business case)

There are many reasons why cloud/SaaS is attractive to the public sector – perhaps the foremost being that SaaS should be cheaper than on-premise. I say ‘should’ because it usually isn’t.

We tried to move 2 of our largest, mission critical, systems to the cloud last year. These systems are sold by 2 of the largest software houses in the world. In each case the total cost of ownership over 5 years was TWICE as high under a cloud/SaaS model when compared with traditional on-premise hosting. So we bought the tin, put it in our data centre and it’ll now be at least 5 years before we have an opportunity to look again at the cloud for these systems. Frustrating.

The reason that these two vendors were unable to make their SaaS offering compete with on-premise is that they did not take the long view.

As with most services, the bulk of the cost of any IT department is in salaries. In theory IT departments should be able to reduce headcount as a direct result of moving systems in to the cloud. This, of course, is why many IT teams have nephophobia (fear of clouds). IT departments think clouds are evil. 

The problem is, though, we can’t reduce headcount as a result of just a couple of systems going SaaS. If we put some of our databases in the cloud we’re still going to need DBAs because we still have lots of databases. This is a major challenge to the SaaS business case.

What the vendors need to do is reduce profit margins for these early SaaS forays. By taking a hit now they will be paving the way for organisations to put more of their systems in the vendor’s cloud. You need to be at least matching, if not beating, the on-premise cost – otherwise, why would we do it?

Short-term pain for long-term gain.

4. Be Secure

It seems that there are a surprising number of software companies who don’t know much about IT security, PSN controls or the Data Protection Act (DPA).

You need to be PSN experts. You must understand this stuff inside out.

The UK DPA states that our data must be stored within Europe. IF YOUR SERVERS ARE IN CALIFORNIA THEN WE CAN’T DO BUSINESS. 

We spend an inordinate amount of time verifying that the vendor’s cloud is secure – endless surveys and toing and froing – sometimes we even have to visit the vendor’s data centre. On one occasion we found that a very large supplier intended to host our sensitive, precious, data in a crumbling Victorian warehouse by a river. No thanks.

You need to get together with other vendors and with Cabinet Office and come up with an accreditation scheme. Some kind of SaaS ‘kite mark’. All we want to have to do, as the customer, is ask to see a copy of your certificate and be comforted that you know what you’re doing.

5. Build in Disaster Recover as Standard

One of the big attractions of the cloud is that it is immune to localised emergencies. Yet it is surprisingly common to find SaaS offerings that don’t include back-up to a second location as standard.

We shouldn’t have to ask whether you back-up our data to a geographically distant location – and we certainly don’t want it included as an optional (chargeable) extra. It should go without saying that you’ve thought about disaster recovery and this would be a condition of getting your SaaS ‘kite mark’.

 

6. Make Updates/Patches/Releases Opaque to the Customer

When Google adds a new feature to Gmail, or whatever, they do it without any fuss. We generally don’t know that an upgrade has happened until after the fact.

The same should be true of SaaS releases. This work needs to happen behind the scenes without the need for any downtime.

Similarly, improvements and innovations that you’ve developed for one customer should be quickly shared with all your customers (at no extra cost).

7. Get on a Framework

Make your product easy to procure by getting yourselves on a framework such as G-Cloud. Public Sector procurement rules are hugely restrictive and prescriptive – so a product that is easy to procure is very attractive to us.

8. Think About Our Capex vs Opex Problem

Many public sector ICT projects are funded using capital monies – often from prudential borrowing.

We can only spend capital money if we can demonstrate that the investment leads directly to the creation of an asset (tangible or intangible). This is fine for a traditional on-premise delivery model because it’s easy to demonstrate that a tangible asset has been created.

But we can’t use capital money to fund the creation of a SaaS solution because there is no asset being created. At the end of the contract there is nothing that the public sector organisation ‘owns’. Sometimes this isn’t a problem as some organisations will find it easier to lay their hands on revenue (opex) monies, but sometimes it can be a deal breaker.

You can help us here by thinking of ways in which the Saas deal can lead to the creation of an asset that the customer owns. Could you, perhaps, nominate a piece of your cloud infrastructure as belonging to us, the customer, and write this in to the contract? In reality, should the relationship come to an end, we probably wouldn’t want to go to the trouble of availing ourselves of this clause – we don’t want the tin – but the clause’s existence may be enough to convince our accountants that this SaaS project is a genuine candidate for capital investment.

9. Make Short Contracts More Attractive

The days of 5 and 7 year contacts are over. New disruptive technologies mean that we need to be able to react faster than ever before. Look at the way the iPhone has changed the

landscape – we have contracts that are still running that were signed before anyone had ever heard of an ‘app’.

Predicting technology futures is harder than ever – we don’t know what we’ll need in 3 years time so we don’t want to sign 3 year contracts.

I appreciate that this is a commercial challenge – you’re losing a guaranteed revenue stream – but you need to find a way to make short contracts attractive to us.

10. Encourage Multi-Organisation Contracts

This is our responsibility as much as yours – but it’s important to construct contracts in such a way that other public sector organisations can get on board at a later date without going around the procurement rigmarole again.

When selling your wares you should encourage your customers to contact their partners/neighbours to see if they would like to be cited in the contract as part of a procurement consortium – they’ll thank you for it.

11. Be Device Independent

Hopefully this goes without saying these days, but mobile is king, and whatever your SaaS product is for, it should work just as well on an iPad as it does on a laptop.

12. Be Open

Let us at our data! We’ve got big plans for big data so you need to build your cloud offering with openness in mind. We want APIs included as standard that allow us to easily extract data to work on elsewhere.

13. Allow for Online Ratings from Customers

I’ve never come across a SLA that, when push comes to shove, was fit for purpose. Most SLAs are carefully worded such that it’s very hard for them to be breached and that the criteria for triggering penalties is rarely met.

The purpose of contracts and SLAs is to drive a certain kind of behaviour – ie to increase quality, responsiveness and uptime. But a SLA is a crude tool for this. Much better is a system of open online reviews and ratings by your customers.

This is scary, I know – but your product will definitely get better when everyone is able to talk about it openly.

I appreciate that there’s a lot of pain involved in getting yourselves cloud-ready – but if you don’t do it soon some disruptive new SaaS player will come along and take your business. By the way, if you are that disruptive new player – please get in touch – we’ve got some money for you.

Yours sincerely,

The Public Sector