The other morning I read a terrific piece by one-man security think-tank Bruce Schneier written for CNN. It serves as a terrific introduction to what is known as security theater. From its Wikipedia entry:

Security theater has been defined as ostensible security measures which have little real influence on security whilst being publicly visible and designed to demonstrate to the lesser-informed that countermeasures have been considered. Security theater has been related to and has some similarities with superstition.

Now, let’s transpose this to Information Technology.

Recently I had the opportunity to consult for a start-up company in a very nascent and competitive sector in the virtualization marketplace. Their product is a virtual desktop solution based off of a completely proprietary protocol stack and driver suite. It’s very cool stuff, and very complex. This provided their senior management team with a number of challenges wherein we can draw parallels to security theater.

Since no metrics yet exist to quantify the entirely subjective nature of a user experience or satisfaction index (the first company to reliably demonstrate a workable metric will dominate more than just the virtual desktop market), senior management drew some downright bizarre conclusions about root causes of unhappy users experiencing application crashes, iTunes running sluggishly, Excel scrolling too slowly, etc. Their analysis resulted in a firm commitment to a belief that the software being developed by the engineering team was infallible, Apple and Microsoft products are bug-free, and that the undeniable cause of all issues was that IT personnel did not participate in this illusion.

The problem this created was an entire department, IT, left trying to consider how to inform overly-experienced management (there is such a thing) that managing expectations is entirely different from managing perceptions. Feigning concern for non-existent problems in order to assuage worries about product performance does a disservice not only to employees, but ultimately to the shareholders. However, it does fall right in line with the meme that perception is reality. Once you buy into the meme, it’s not such a leap to start to believe that creating perceptions creates reality; a concept which is very popular, but not even consciously realized, in larger companies.

Perception: The IT department is terrible.
Reality: Brand new, highly complex software still under active development has the potential to crash and create problems.

Perception: Taking my shoes off at airport security makes me safe.
Reality: Terrorists also wear underpants.

The unfortunate nature of this resulted in directives more fitting for mature, large companies than those just scratching the surface of their growth stage. It’s incredibly cynical to say, but it’s also incredibly accurate: Forgo actually solving problems, but make sure you create the impression that you are. If everyone does this, then everybody is covered, and everybody’s jobs are safe. Create the perception, create the reality. This is management theater.

The longer this behavior is allowed to linger (especially in senior management), the more and more institutionalized it becomes. It can be very challenging to dig a company out of its effect.

As a business leader (and let’s never forget that you are part of the team, not the team itself) if you suspect you have a problem, you need to step back and interface with people outside of management. Get a feel for what issues can be addressed proactively before they become severe. Do you have a member of the management team who is blaming rather than addressing? Cut them loose before it’s too late for yourself and your shareholders.

Working with a recruiter is both an art and a skill. Recruiters frequently employ tactics that, to the untrained (or unskilled) eye can be appealing. For example, recruiters often claim that they will work with you to help you determine your exact needs. They will attempt to dazzle you with stories about how they employ armies of third parties to pre-screen candidates before their resumes reach your desk. If you are a leader in the position to hire individuals to fulfill a specific need inside your organization (and you are not already a mature, 1,000 employee, large business), then you should really take recruiters’ claims with a grain of salt — or perhaps not utilize their services at all.

For example, I recently met with a recruiter who boasted about their company’s use of on-line talent screeners. When I asked about their methods, they basically scour social networking and placement sites (such as Facebook, MySpace, CraigsList, et cetera) for the resumes of job seekers. They will use basic task workers to look for keywords in resumes and then send them over as viable candidates. When I pried for details, it came out that their talent screeners are located in another country. Not that there is anything wrong with that, but I know that all of us are aware of how difficult it can be to bridge a language barrier presented by many call centers. Now try and imagine how difficult it would be to communicate a skill context to these so-called head-hunters.

I told this particular recruiter that I don’t plan on doing business with them because of these tactics. It’s not fair to me, as an employer, and it’s not fair to the job seeker, who is simply going to have their resume sprayed into several hundred inboxes, hoping that one hiring manager bites.

Keep in mind: these low-quality recruiters don’t care about your business and they don’t care about the candidates. They want to get paid. The bigger the area they carpet bomb with resumes, the better chance that a candidate will stick.

One thing that can aid your search for the right candidate is, and I will step into HR territory here, making sure that you, the leader, truly understand what your business’ needs are.

Are you looking for resource and are you looking for someone who has a degree? Many times, fresh graduates from even top universities can woo prospective employers with mention of their academic accolades and awards. It’s important for us to remember that “book smart candidates” are often useful as functional resources. These are people who have demonstrated the ability to absorb information and retain data as a function of process or procedural outcome. They can be tremendous assets to your organization. But are they truly talent?

Many times, I’ve seen HR departments overlook highly qualified candidates because of the simple lack of a educational credentials or industry certifications. While these individuals were out accomplishing goals and doing, their peers were busily memorizing answers to the next pop-quiz.

It’s a harsh thing to say because nobody likes to feel that their investment in their education was a waste. Of course, there are many extremely talented individuals who have years of education and have been highly successful. But on the other hand, what about those who are naturally gifted?

Many of the most successful individuals in technology came into their own without the benefit of a completed education:

• Bill Gates – dropped out of college
• Steve Jobs – dropped out of college
• Larry Ellison – dropped out of college
• Michael Dell – dropped out of college
• Steve Wozniak – dropped out of college

What if these individuals had been overlooked by overzealous HR departments or hiring managers? Would we even have personal computers?

This was recently even discussed in an article posted at SmartMoney.com:

A more inclusive four-year degree isn’t the answer, because the degree itself often obstructs learning. Consider the laid-off sales clerk who wishes to pursue a college education in hopes of finding a better job. If he wants to go to a name-brand school he must study for and take an admissions test, and apply. He must file a financial aid application as long and complex as a tax return. If accepted by a school, he must wait for the right part of the academic calendar to come around, and hope that the classes he wants aren’t full. Suppose all goes well. He’ll be sitting in front of a teacher 18 months after first deciding to learn.

What folly. As I write this, Google is putting every book ever written online. Apple is offering video college lectures for free download through its iTunes software. Skype allows free videoconferencing anywhere in the world. M.I.T. and many other schools have made course materials available for free on their web sites. Tutors cost as little as $15 an hour. Today’s student who decides to learn at one o’clock should be doing it by one thirty. A process that makes him wait 18 months is not an education system. It’s a barrier to education.

Ultimately, the decision on who to hire is yours and yours alone. But before you go discarding resumes, take a moment to look for the diamonds in the rough. If you understand the context of what you are hiring and what the persons you’re looking at bring to the table in terms of talent and not just slips of paper, you’ll be doing your business a favor.

C-level executives have trouble understanding that they aren’t experts, that projects must scale and that a robust technical empire wasn’t built in a day. Bradman Group CEO Robert Bradman says a CIO must help them see this bigger picture. The good news is that once they do, these executives generally do what’s in the best strategic and tactical interests of the organization.

This not only serves as a good primer on what Bradman Group strives to deliver to its clients, but also as a good set of basic rules for successful IT management. We talk about the importance of viewing technology as an investment and how one measures its returns and of building your strategy as early as possible to maximize those returns.

The paper is written in an alarmist tone with an alarmist headline. Anytime a respected cryptographic expert starts talking about breaking an established form of encryption, it should be both met with skepticism and curiosity. However, in this case, the paper pales from this academic standard. I am not sure why Bruce felt the need to publish this as it is so far below even his own standards.

The entire paper can be summarized by a single sentence from the paper itself:

While staged in the context of TrueCrypt, our research highlights several fundamental challenges to the creation and use of any DFS: even when the file system may be deniable in the pure, mathematical sense, we find that the environment surrounding that file system can undermine its deniability, as well as its contents.

What does this mean? If you are saving your company’s business plan in Word onto an encrypted file system which uses hidden encryption containers, Windows may very well compromise your ability to deny that you were using encryption because of the “Auto Save” feature which saves temporary copies of your documents on a non-encrypted filesystem (e.g. your C: drive).

The reason the paper is alarmist is that Bruce is seemingly waving his hands in the air that the encryption itself is broken. The entire issue that he and his team will be presenting at Usenix is based purely on process and has nothing to do with the efficacy the encryption algorithm itself. This same problem exists with any competing product’s implementation of encryption containers.

As far as this relates to the enterprise itself, it’s important to remember that encryption is important, but it is only as strong as the people who use it.

If your goal is to protect the privacy of your corporate data, then there is a tremendous amount of user education that goes into making sure that policies are understood and ultimately adhered to. This should be part of any IT Governance plan. It’s not just about securing your corporate data, but it’s about building a more responsible workforce that takes ownership. This is as much a leadership issue as it is a policy issue.

Bruce’s paper should no more deter anybody from implementing encryption as a part of their corporate security strategy than their System Administrator telling them that security doesn’t matter because the PCs all have Kingston locks.

I do feel that Robby’s 9 Signs of a Clueless CIO article redux contains many truths, but I feel that some should be viewed in the context of good indicators that a CIO will be successful rather than evidence of actual incompetence. For example:

1. Zero Cultural Context The tech world is small enough that everybody knows the big names. Not counting Bill Gates and Steve Jobs, the clueless CIO can’t enumerate a dozen IT luminaries. One can no more be ignorant of the major players in open source, security, databases, networking, and web development than the names and positions of key professional athletes. This is our culture; these are our people. Know them and their stories.

While knowing the culture and the major players is a good sign that an individual actually has passion about their career, does it actually represent a genuine lack of ability?

If a company is going to embark on a virtualization project, does the CIO really need to know that Diane Green was sacked from VMware? Will it necessarily doom the project to failure? Probably not.

Conversely, other items he writes about are quite accurate and hit with razor precision:

4. Short-Term Thinking – IT is infrastructure, built to last and run reliably for years. Any CIO who instantly snubs warranties or does not discuss maintenance and support belongs in another line of business. Technology is about the many tomorrows, not the single today. CIOs who fail to understand long-range tactics deserve to be as obsolete as the second-rate, unsupported systems they implement.

In all, it’s a well written, humorous look at what will make or break a CIO and it further validates Bradman Group’s management ethos.

For a bit more context and reference, take a look at our original article.

Bradman Group has been recommending its clients to deploy Full Disk Encryption to its desktops and laptop systems since its inception. FDE technology is a method of encrypting an entire hard drive independent of its operating system. The net result is that a stolen PC or laptop utilizing FDE will be unusable by its thief as no data on the hard drive will ever be recoverable without a password.

For the SMB, where advanced features such as key escrow and ActiveDirectory integration are not cost effective, the TrueCrypt suite provides a rock-solid, enterprise-ready, and completely open-source alternative that functions with all of the latest business operating systems (Windows XP, Server 2003, Vista, and Server 2008, including all 64-bit variations). Installation and simple, safe, and brutally effective.

Last Thursday, the TrueCrypt Foundation has released version 6.0 of its popular disk encryption technology. New features include

• Cryptographic engine is now completely multi-threaded and will take full advantage of multi-processor (multi-core) capabilities in servers and desktops. (From our own internal benchmarks, we’ve seen a dramatic increase in encryption speed, especially with cascading ciphers.)
• Hidden Operating Systems are now supported on encrypted drives. Those who have extreme security needs may now create a decoy installation of Windows along with a complete undetectable hidden installation.

Let’s take a look at three common management techniques, quoted from the above referenced article:

• Supervising is telling someone what to do and then making sure it is done the right way. Think: assembly line or “My way or the highway.”
• Mentoring is when someone who has firsthand knowledge imparts it to someone who is less experienced. Think: sagacious or “This is how we did it in my day.”
• Coaching is when employees are invited to explore a challenge or situation with the assumption that they are capable of unearthing new possibilities/solutions and that they need only to be given time on the path to uncover great ones. Think: Give me your best shot or “What’s your best thinking on this issue”?

The article states, and I completely agree, that the millennials are least effectively managed through supervisory or mentoring styles. I might even go one step further and say that nobody truly enjoys being viewed as a cog in a machine, in the way one does while being managed by a supervisory style. The assembly line description is duly apt, and unfortunately practiced by many middle managers of technology teams.

And yes, I’ve seen just how ineffective this management style can be with technology workers — on several occasions. A few years ago an inexperienced CEO decided, as their last action before leaving the company, to move the entire technology team directly under the influence of one of these supervisory-style managers. This individual knew how to manage one thing very well: the assembly line work which their team was responsible for. If there was anyone on Earth who was going to be in charge of widget assembly, then there is no one I would have trusted more. But when it came to thinking strategically or understanding the nuance of technology, this was far from an optimal choice.

Mentoring can be equally destructive. I’m sure we’ve all had the opportunity to work with someone who has spent decades of their career dedicated to one technology and thus every problem can be addressed by that knowledge. An excellent example would be a database administrator I had the pleasure of working with at one point several years ago. He would approach every problem as if he’d done it before, even though his arguments were laced with anachronisms (e.g. “I appreciate the fact that you want to use Java, but we tried using Java back in ’82 and it did not work then and it won’t work now!”).

When put into the context of our “three knows” (Know your needs, know the solutions, and know their value.) the picture gets clear: use the right tool for the job. I’ve written about the effects of using the wrong tools before when I discussed “bozo explosions” in your IT department and how to avoid them through effective technology (and technologist) management.

It is also important to remember that while a properly managed team, in its simplest form, yields higher output and higher quality of work, one aspect is often forgotten. A properly managed team is a properly function team, and down the road this always builds strength and value to the business. Consider when, for example, a company is exiting through a buyout. A robust, scalable, and highly effective infrastructure commanded by a talented team of efficient and enthusiastic technology workers will yield greater return for shareholders due to its impact on the company’s real dollar value. I have seen this time and time again through both personal and indirect experience. (In fact, a previous experience with such an exit translated directly into a seven-figure increase in purchase price as a direct result of the work that I did.)

Part of what Bradman Group does when engaged by a client is to look at exactly these types of issues and make decisions based on our expertise and experience with technology and business. We have the know-how to look at how an existing IT team or strategy is being managed and make corrections in order to better have technology strategy serve the business.

For more information, please see our Five Questions paper or contact us directly.

A lack of IT leadership is obviously an issue and while completely different from ineffective IT management, the same critical problems arise. Poor IT management views personnel as resources instead of talent (a big no-no) and infrastructure as a cost (another no-no). This is indicative of PMP/project management thinking: everything is a functional commodity whose output can be measured on a Gannt chart. (Incidentally, I’ve seen Gannt charts from long-time project managers that literally state “two hours to solve any integration problems.” From an technology worker’s perspective, claiming that solving “any integration problem” can be packaged and completed as a deliverable within two hours is laughable. Technology doesn’t work this way because technology is not an assembly line.)

As we’ve said before, it is of absolute import that IT leadership be both technologically astute and business aware.

What manifests itself out of these leadership problems is a slow death spiral of your IT department. Without a stable strategy, you’ll find your IT budget escalating and costs rising because every problem will be addressed with “quick fixes” and patch work. When it comes to IT, throwing money at a problem never solves anything; doing so can even make matters worse! Don’t believe the hype a consultant tells you. Don’t believe the hype from a VAR. No, you don’t need to buy some new software to address a problem.

Be proactive, keep IT focused as an investment, and build your strategy wisely. This is what Bradman Group does for its clients. We live by this approach. We examine existing infrastructure, talent pool, business processes, and business goals to posit a course of action that will address what should be key concerns for business leaders. Then we execute. The end result is that our clients have an IT strategy built with a long-term, holistic view that is scalable.

Once a business starts to look at IT as an investment instead of a cost, they’ll find that the capital that is spent on IT has a return (even in the short-term, one project I’ve personally worked on had a quarter-million dollar budget and realized its ROI in six months — because it supported the business goals and had measurable results).

A few excellent examples from the original CIO article:

3. The CIO gulps vendor Kool-Aid.
   Did you know that there are more than 34,750 registered lobbyists in Washington, D.C., for just 435 representatives and 100 senators? That’s 64 lobbyists for each congressperson. I wonder how many vendor account managers there are per CIO. You are smart enough to know that vendors are trying to sell you and you won’t be fooled wholesale. Yeah right. Their influence can eat away at you without you even realizing it. Be even more skeptical than you are now. Just say no.

I’ve seen CIOs and IT Directors fall into this trap on many occasions! While it’s acceptable (and part of the job) to be aware of what new technology is about to befall the sector, it’s not acceptable to let your budget become your license to spend.

One of Bradman Group’s core competencies is vendor relationship management. We have inside contacts throughout the technology industry and wield them with great success for our clients. We are skeptics and never, under any circumstance, swayed by vendors out to raid our clients’ coffers. This goes for value-added resellers (VARs) as well.

4. The CIO is a technical dinosaur.
   Unless you are running for president of the United States, experience does matter. Technology has changed since you were writing RPG on the mainframe umpteen years ago. And for you younger guys who made your bones writing VB or Java Web apps, make sure you know why there is so much buzz about Ruby on Rails and multicore programming. Your ability to talk tech will go a long way to earning the respect of application development professionals.

If I had a penny for every time I’ve seen this one in practice…

Just last month I met with a prospect who made the mistake of having me meet with their IT Director. The individual in question was leading a highly technical team of people, yet his IT background was from the 1970s. He is used to working with soldering irons and 1980s-era embedded systems.

The CIO needs to be on the ball, at all times, when it comes to current technology and be able to put that technology into a practical context that both the business and technology components can understand. As I’ve said before, knowing how to operate an iPod does not qualify you to be in executive management nor do your years plugging away on a TRS-80.

If a CIO can’t speak the language of technology, then they is doomed to be derided and disrespected by the technology team at their command. That is by definition a true leadership problem.

7. The CIO doesn’t know the difference between resources and talent.
   The fastest way to lose respect is to put clueless managers in charge. Clueless managers equal clueless CIOs. Can you ever imagine Doc Rivers, coach of the 2008 world champion Boston Celtics, talking about player resources like they were interchangeable? “I need two guard resources.” “I need a center resource.” No. Talent and teamwork make winning teams. Talent matters. Don’t pay lip-service to talent. Find a way to locate and use the talent in your organization. You will only be as good as the team you assemble.

This one stems from CIOs who fancy themselves as glorified project managers. The PMs that I’ve worked with in the past regard everything as a resource. From a functional perspective, this makes a tremendous amount of sense. But without leadership that can appreciate the subtleties and nuance of the project, a PM will do nothing but irritate everybody involved. Especially IT people, whose minds are constantly churning with subtlety and nuance.

Indeed, part of the CIO’s role is to provide that type of leadership. The CIO should instinctively be able to understand who has genuine talent and foster that talent, encourage it, and channel it. At the same time, they should be able to take definitive action when and if it is necessary with under-performers.

The role of a CIO is valuable to any business, but in order to be effective he or she needs to effectively build a bond with technologists and the business leaders. Bridging that communications gap will tremendously increase the efficacy of technology in its role of supporting the enterprise and building its overall value.

For more information, check out:
What is a CIO?
The Virtual CIO Advantage

Businesses are discovering that their success is increasingly tied to the quality of their information. Organizations rely on data to make significant decisions that can affect customer retention, supply chain efficiency and regulatory compliance. As companies collect more and more information about their customers, products, suppliers, inventory and finances, it becomes more difficult to accurately maintain that information in a usable, logical framework.

The data management challenges facing today’s businesses stem from the way that IT systems have evolved. Enterprise data is frequently held in disparate applications across multiple departments and geographies. The confusion caused by this disjointed network of applications leads to poor customer service, redundant marketing campaigns, inaccurate product shipments and, ultimately, a higher cost of doing business. Add to that a sense of unrest and poor communication between departments regarding data quality and you’re at a standstill.

Much of this is directly related to building stronger links between business and information technology. While data stewardship and management are functional aspects which our VCIO program encompasses, it’s but one part in a successful IT strategy.

Feel free to read our article on five questions every business leader should ask about IT for more details.