
Category: Risk

November 1st, 2009

Amplifying 'weak signals' for IT success

Posted by Michael Krigsman @ 3:29 pm

Categories: CIO issues, Collective intelligence, Cultural issues, Enterprise 2.0, Governance, IT issues, Project strategy, Risk, Tools

Tags: Technique, Information Technology, Organization, Asuret, Productivity, Michael Krigsman

Every seasoned executive knows that gaining detailed and accurate information about his or her organization’s activities is a challenging and ongoing struggle. Disconnects between operational data and management decision-making lead to inefficiency, waste, and ultimately to extreme failures of the type described in this blog.

Usually, some members of an organization do possess accurate early warning information regarding potential problems. However, as we have seen in situations ranging from Enron to financial industry practices that kicked off the current recession, surfacing that information can be difficult.

I asked top auditing services analyst and former BearingPoint managing director, Francine McKenna, to place this issue in context. Francine told me:

It’s a classic problem rooted in human nature. Information in large, complex, and geographically dispersed organizations tends to become diluted and distorted as it flows up the chain. Even worse, some individuals redesign information flowing through their hands based on personal goals and objectives.

The best organizations recognize this state of affairs and create standardized policies, procedures, and governance monitoring activities to overcome it. Despite these efforts, however, the problem remains a very real challenge.

Detecting and amplifying “weak signals.” Techniques that reveal hidden vulnerabilities are a valuable weapon in the fight against project failure.

My recent post, Learning from the weak signals of failure, discussed the importance of methods that detect and amplify these weak signals:

Read the rest of this entry »

September 21st, 2009

Six types of IT project failure

Posted by Michael Krigsman @ 5:39 am

Categories: IT issues, Project portfolio management, Project strategy, Risk

Tags: Information Technology, Project Failure, Failure, Blogging, Strategy, Internet, Management, Michael Krigsman

Projects fail for many different reasons, so I took notice when reading a blog post that describes six specific categories of failure. I thought the list worth sharing because it’s a clever way to view the problem.

This list comes hot off the press from the Preventing Project Failure blog (gotta love the title) written by Michiko Diby, Principal at project resolution firm Sealight:

  • Intent Failure – Occurs when the project doesn’t bring enough added value or capability to beat down the obstacles inherent throughout the process. This suggests the original intent of the project was flawed from the beginning.
  • Sponsor Failure – Occurs when the person heading up the project is not actively engaged and/or does not have the authority to make decisions critical to project success.
  • Design and Definition/Scope Failure – Occurs when the scope is not clearly defined, so the project team is unclear on deliverables.
  • Communications Failure – Occurs when communications are infrequent or honest discussion of project problems and issues is avoided.

Read the rest of this entry »

September 10th, 2009

News video: Twitter and social networking identity theft

Posted by Michael Krigsman @ 6:20 am

Categories: Enterprise 2.0, Risk, Tools

Tags: Twitter Inc., Video, Identity Theft, Social Networking, Security, Online Communications, Marketing, Advertising & Promotion, Michael Krigsman

Popular culture seems obsessed with Twitter, Facebook, and other social networking sites. As popularity of these sites increases, so do the risks of identity theft.

Boston’s FOX television news asked me to participate in a segment explaining how end-users can lower risks associated with social networking. Here’s the video:

Do you think social networking identity theft is a serious issue, or is the media over-blowing the whole thing?

March 30th, 2009

Ed Yourdon on IT governance and failure [podcast]

Posted by Michael Krigsman @ 9:29 am

Categories: Cultural issues, Governance, IT issues, Interview, Podcast, Project strategy, Risk

Tags: IT Governance, Governance, Information Technology, Ed Yourdon, Strategy, Podcasts, Management, Internet, Michael Krigsman

Ed Yourdon is a seminal figure in understanding and interpreting software failures. Among Ed’s many accomplishments is writing 27 books and almost 600 articles on this subject. I interviewed Ed to learn his views on the relationship between governance and IT project failure.

Governance is an important topic and a key driver toward aligning IT activities with an organization’s broader strategic goals and interests. Given Ed’s stature in the field, this is an important podcast. To listen, just click the start button on the audio player at the top of this post.

I’ve summarized and edited some of Ed’s comments, but listen to the podcast for the best experience.

What is IT governance?

Governance is usually the province of organizations managing large projects. It comprises five areas:

Read the rest of this entry »

February 16th, 2009

Yes, Twitter is still dangerous

Posted by Michael Krigsman @ 8:49 am

Categories: CIO issues, Enterprise 2.0, IT issues, Politics, Risk, Security and privacy, Tools

Tags: Twitter, Security, Michael Krigsman

Twitter’s power to broadcast confidential information unobtrusively remains a genuine security risk to government and private sector organizations. For example, CBS News reports that a Congressman disclosed confidential information on Twitter during a secret trip to Iraq:

Congressman Pete Hoekstra (R-Michigan), a ranking member of the House Intelligence Committee, caused what some have argued was a major lapse in security last week when he used the micro-blogging site Twitter to post real-time updates about a secret congressional envoy into Iraq.

Congressional Quarterly reports the Pentagon is reviewing policy following the Pete Hoekstra situation:

Read the rest of this entry »

December 11th, 2008

Study: 68 percent of IT projects fail

Posted by Michael Krigsman @ 9:27 am

Categories: CIO issues, IT issues, Interview, Project portfolio management, Research and statistics, Risk

Tags: Project, Information Technology, Analysis, Skills Gap, Michael Krigsman

According to new research, success in 68% of technology projects is “improbable.” Poor requirements analysis causes many of these failures, meaning projects are doomed right from the start.

These are staggering numbers, hitting the high end of the Standish Chaos Report and presenting a far worse picture than Sauer, Gemino, and Reich.

Key findings from the report, The Impact of Business Requirements on the Success of Technology Projects from IAG Consulting, include (emphasis added):

  1. Companies with poor business analysis capability will have three times as many project failures as successes.
  2. 68% of companies are more likely to have a marginal project or outright failure than a success due to the way they approach business analysis. In fact, 50% of this group’s projects were “runaways” which had any 2 of: taking over 180% of target time to deliver; consuming in excess of 160% of estimated budget; or delivering under 70% of the target required functionality.
  3. Companies pay a premium of as much as 60% on time and budget when they use poor requirements practices on their projects.
  4. Over 41% of the IT development budget for software, staff and external professional services will be consumed by poor requirements at the average company using average analysts versus the optimal organization.
  5. The vast majority of projects surveyed did not utilize sufficient business analysis skill to consistently bring projects in on time and budget. The level of competency required is higher than that employed within projects for 70% of the companies surveyed.

This chart illustrates the requirements skills gap most companies face:

Read the rest of this entry »

October 6th, 2008

Improve your failed IT culture

Posted by Michael Krigsman @ 7:42 am

Categories: CIO issues, Cultural issues, IT issues, Research and statistics, Risk

Tags: Team, Culture, Information Technology, Risk Management, Enterprise Risk Management, Strategy, Business Security, Business Operations, Management, Michael Krigsman

The underpinnings of IT failure lie in culture, the unspoken rules governing an organization’s style and general priorities. Since most organizations pay little attention to project culture, it’s not surprising failure rates remain high.

New research by SAS sheds light on this issue. In a survey of 316 senior financial industry executives sponsored by SAS, the Economist Intelligence Unit explored the role of culture in enterprise risk management (ERM):

Creating a culture for risk management is a challenging proposition for most firms. One of the keys to successful risk management is embedding risk management within the company culture, but for surveyed executives this was the most widely encountered challenge, cited by almost one-half of respondents.

Although a bit hard to read, the following chart clearly shows most respondents’ organizations don’t have a high-priority culture around enterprise risk management. That’s a problem, given the importance of this topic:

[Chart: Enterprise risk management and culture]

Read the rest of this entry »

September 2nd, 2008

FAA outage due to 'fix-on-fail' policy

Posted by Michael Krigsman @ 7:00 am

Categories: CIO issues, Government projects, Politics, Project failures, Risk

Tags: FAA, Outage, Redundancy, Aerospace & Defense, Advertising & Promotion, Manufacturing, Marketing, Michael Krigsman

Last week’s technology failure at a major FAA facility caused air traffic delays throughout the country and highlighted the agency’s poor computing practices. Unlike major corporations and utilities, the FAA operates its air traffic control system with minimal redundancy using a “fix-on-fail” policy.

Redundancy is the foundation concept behind business continuity planning (BCP), which involves creating logistical and operating plans designed to take effect after a major disaster or critical infrastructure disruption. According to the Associated Press, the FAA maintains less redundancy than water or power utilities:

Redundancy is so critical for power and water utilities that they can be fined hundreds of thousands of dollars a day if they’re found insufficiently prepared — and $1 million per day if they’re found to be willfully negligent.

“If this (FAA outage) happened at a power plant,” [according to security researcher, Jason Larsen,] “I’d be telling them to open up their checkbook and expect to be fined.”

The Associated Press article points out pitfalls of the fix-on-fail policy:

“[I]t’s the whole ‘don’t fix it if it ain’t broke’ thing,” said Branden Williams, director of a unit of VeriSign Inc. that assesses the security of retailers’ payment systems. “It’s unfortunate because it’s very reactive, and it typically winds up costing you more. If you do fix-on-fail, it usually costs you more.”

The AltuisIT blog discusses this same issue:

To reduce their total cost of ownership, industry-leading organizations know that IT systems need to be properly managed and maintained. The “Fix on Fail” approach to systems management results in employee frustration, missed deadlines, increased costs, and lower levels of customer service.

THE PROJECT FAILURES ANALYSIS

The FAA must manage its resources and infrastructure within strict budget limitations. By implementing a fix-on-fail policy, which the agency must have decided on years ago, the FAA made three bets:

  1. Passenger safety would not be jeopardized
  2. The system would not fail on a regular basis
  3. Taxpayers would not accept the costs associated with greater redundancy

In other words, sometime in the past, the agency decided the hassles and risks of the current system were acceptable, given the high cost of alternative policies.

The current situation has focused attention on the FAA and its technology policies. The Wall Street Journal reports the agency is currently engaged in a massive system upgrade; however, the article doesn’t provide much detail:

The Federal Aviation Administration said it is overhauling an error-prone computer system that caused hundreds of delayed flights Tuesday.

The system is part of the aging infrastructure that guides air traffic, which the FAA has been trying to update to reduce chronic delays.

Although the agency must manage to a limited budget relative to its large mandate, one wonders whether sufficiently good judgment, and good practice, is being applied to FAA technology decisions.

It’s important to note the FAA consistently states that passenger safety is not compromised by its computing practices.

As an aside, here’s an interesting FAA-related story.

Some years ago, I happened to drive by the Boston air traffic control center for the northeast, which is located in Nashua, NH. Being an inquisitive and rather geeky fellow, I pulled up to the main gate and asked the guard for a tour. To my absolute amazement, he phoned someone from the air traffic control floor who promptly arrived and took me inside. I spent the next hour observing air traffic controllers at work and listening to their conversations with planes.

The place looked like a movie set and was darn cool. Unfortunately, in a post-9/11 world such impromptu visits will never, ever happen again.

[Via AMR analyst Jonathan Yarmis on Twitter. Image via http://www.subbrit.org.uk.]

August 11th, 2008

Heart pacemakers vulnerable to attack

Posted by Michael Krigsman @ 6:32 am

Categories: End-user impact, Research and statistics, Risk

Tags: patient, attack, medical device security center, michael krigsman

[Image: broken heart]

Technology failures, design flaws, and software bugs can be found in the most unexpected places. Now, researchers have developed a method for remotely compromising heart pacemakers surgically implanted in a patient’s chest.

The Medical Device Security Center describes the vulnerability in a paper titled “Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses”:

Our investigation shows that an implantable cardioverter defibrillator (1) is potentially susceptible to malicious attacks that violate the privacy of patient information and medical telemetry, and (2) may experience malicious alteration to the integrity of information or state, including patient data and therapy settings for when and how shocks are administered. Moreover, standard approaches for security and access control

According to Wikipedia, implantable cardioverter-defibrillators (ICD) are:

‘[S]mall battery-powered electrical impulse generator which is implanted in patients who are at risk of sudden cardiac death due to ventricular fibrillation. The device is programmed to detect cardiac arrhythmia and correct it by delivering a jolt of electricity. In current variants, the ability to revert ventricular fibrillation has been extended to include both atrial and ventricular arrhythmias as well as the ability to perform biventricular pacing in patients with congestive heart failure or bradycardia.’

The paper adds:

ICDs have modes for pacing, wherein the device periodically sends a small electrical stimulus to the heart, and for defibrillation, wherein the device sends a larger shock to restore normal heart rhythm.

Here’s a picture of a pacemaker device (scale in centimeters). [The picture is for illustration purposes only; according to one commenter, Guidant pacemakers are encrypted and therefore not subject to the exploits described in this post. Since encryption can be broken, verifying this claim would require careful analysis.]

[Image: pacemaker device, scale in centimeters]

The research team consists of people from both medicine and computer technology:

Our investigation was motivated by an interdisciplinary study of medical device safety and security, and relied on a diverse team of area specialists. Team members from the security and privacy community have formal training in computer science, computer engineering, and electrical engineering.

The extensive list of specific vulnerabilities could lead to life-threatening scenarios:

  • Triggering ICD identification
  • Disclosing patient data
  • Disclosing cardiac data
  • Changing patient name
  • Setting the ICD’s clock
  • Changing therapies
  • Inducing fibrillation
  • Power denial of service attack

As technology proliferates through our daily lives, risks associated with poor planning, lack of testing, and failed implementations also increase. In many cases, however, we cannot reasonably expect product designers to foresee the future technology environments into which their products may be placed.

The researchers summarized the problem:

Our research into implantable cardioverter defibrillators has demonstrated failure modes that do not appear to be addressed by some present-day design strategies and certification processes.

Note to pacemaker patients: these exploits are based on laboratory experiments only. The authors emphasize that, to their knowledge, no IMD (implantable medical device) patient has ever been harmed by a malicious attack.

[Via Zoliblog. Broken heart image via IrishHealth.com. Pacemaker image via Wikipedia Commons.]

February 17th, 2008

Google's huge data centers: the IT failures question

Posted by Michael Krigsman @ 8:36 am

Categories: Availability and reliability, CIO issues, Enterprise 2.0, Failure 2.0, IT issues, Risk, SaaS, PaaS, and SOA

Tags: Google Inc., Data Center, Information Technology, Harper, Data Centers, Storage, Hardware, Data Management, Michael Krigsman

Harper’s has published a blueprint drawing for Google’s new Oregon data center. Dan Farber points out that, “the 68,680 square-foot facility…is expected to demand 103 megawatts of electricity, which would power about 80,000 homes.”

Meanwhile, AFP says, “Google was looking at Malaysia, India or Vietnam to establish the world’s biggest server farm.” Ordinarily, I wouldn’t put much credence behind such speculations, but AFP is a well-established news organization, having been around since 1835.

From a project failures perspective, I wonder about the risk such concentrated operations pose for application downtime and reliability. Despite the best-laid plans, data centers do suffer outages and real customers are affected in the aftermath. Think of the massive impact created by failure at such a huge facility.

As IT steadily migrates into the Software as a Service (SaaS) cloud, data center and web reliability issues will become increasingly important. Phil Wainewright correctly asserts:

[Cloud customers] will be looking for far better outage management and service level reporting in the future than they’ve tolerated to date.

Expect to hear more on this subject in the IT Project Failures blog. In the meantime, please comment with your opinion regarding the impact of large data centers on IT failure.

Michael Krigsman is CEO of Asuret, Inc., a software and consulting company dedicated to reducing software implementation failures.
