There’s an interesting post over at Bruce Schnier’s blog where he discusses where security did, and didn’t, work with the Christmas underwear bomber incident. As is his usual inclination, he points out that the threat wasn’t new, security (on the whole) worked, and, of interest to us, the fact the more information would not have helped prevent the threat.
After the fact, it’s easy to point to the bits of evidence and claim that someone should have “connected the dots.” But before the fact, when there millions of dots – some important but the vast majority unimportant – uncovering plots is a lot harder.
This is a lot like the challenge we’ve been talking about under the banner of The value of information. How do we make sense of weak, conflicting and volumous signals we see in the environment outside our business, fuse this with strong signals from data inside the business, and create real insight? Granted, sometimes we’re aware of the signals (or at least the shape of their outline) we need to go looking for, much like Tesco’s decision to integrate weather forecasts and historical till information to predict customer demand. In other circumstances, we’re not so sure what we’re looking for. The business equivalent of predicting (and responding to) the underwear bomber might be managing exceptions in a complex, global supply chain, countering a competitor’s new product launch, or supporting a social case worker dealing with a unexpected crisis in a client’s domestic situation.
It’s tempting to create counter measures – prescriptive workflows designed to resolve a problem – to each of these scenarios on a case-by-base basis. Or even just throw up our hands and continue with the tribal processes of old. But, as Bruce points out, this doesn’t work. The challenge with taking action against specific threats is that the terrorist will simply use a new tactic next time, or you’ll be confronted with yet-another situation. Soon you’ll have overloaded your knowledge workers with exception scenarios which only address yesterday’s problems. You’ve started an arms race which you cannot win.
Bruce’s solution, in the context of security, is to integrate information into an operational decision making framework which wards against generic attacks.
What we need is security that’s effective even if we can’t guess the next plot: intelligence, investigation and emergency response.
This prompts me to think of two things:
First, we might need to add third dimension to that figure from Inside vs. Outside: Precision, to compliment Inside/Outside and Information Age. (Here, the engineer in me is going to split hairs over the definitions of focus, precise and accurate.) This new dimension captures how precise our need is. The Tesco example from above prefers precise signals, signal which communicates a single message. The exception manager might require imprecise signal, a derivative communicating a generic message aggregated generated by correlating a number of (in)precise signals. (A note of caution though, is to remember the recent impact of derivatives on the global financial markets.)
Second, we might want to rethink about how we conceptualise and use information information in our business. We currently have a very linear view, with information generation and consumption tightly connected to the stages of our value chain. It would be interesting to see how some of the ideas and frameworks behind the value of information could be fused with a decisioning framework like OODA. This would provide a tool to simplify the (potentially too complex) value of information framework, and realize it in operational work practices.
I’m not sure about the first point, but I expect the second will be fertile ground for further investigation.
We’re struggling to keep up. The pace of business seems to be constantly accelerating. Requirements don’t just slip anymore: they can change completely during the delivery of a solution. And the application we spent the last year nudging over the line into production became instant legacy before we’d even finished. We know intuitively that only a fraction of the benefits written into the business case will be realized. What do we need to do to get back on top of this situation?
We used to operate in a world where applications were delivered on time and on budget. One where the final solution provided a demonstrable competitive advantage to the business. Like SABER, and airline reservation system developed for American Airlines by IBM which was so successful that the rest of the industry was forced to deploy similar solutions (which IBM kindly offered to develop) in response. Or Walmart, who used a data warehouse to drive category leading supply chain excellence, which they leveraged to become the largest retailer in the world. Both of these solutions were billion dollar investments in todays money.
The applications we’ve delivered have revolutionized information distribution both within and between organizations. The wave of data warehouse deployments triggered by Walmart’s success formed the backbone for category management. By providing suppliers with a direct feed from the data warehouse—a view of supply chain state all the way from the factory through to the tills—retailers were able to hand responsibility for transport, shelf-stacking, pricing and even store layout for a product category to their suppliers, resulting in a double digit rises in sales figures.
This ability to rapidly see and act on information has accelerated the pulse of business. What used to take years now takes months. New tools such as Web 2.0 and pervasive mobile communications are starting to convert these months into week.
Take the movie industry for example. Back before the rise of the Internet even bad films could expect a fair run at the box-office, given a star billing and strong PR campaign too attract the punters. However, post Internet, SMS and Twitter, the bad reviews have started flying into punters hands moments after the first screening of a film has started, transmitted directly from the first audience. Where the studios could rely a month or of strong returns, now that run might only last hours.
To compensate, the studios are changing how they take films to market; running more intensive PR campaigns for their lesser offerings, clamping down on leaks, and hoping to make enough money to turn a small profit before word of mouth kicks in. Films are launched, distributed and released to DVD (or even iTunes) in weeks rather than months or years, and studios’ funding, operations and the distribution models are being reconfigured to support the accelerated pace of business.
While the pulse of business has accelerated, enterprise technology’s pulse rate seems to have barely moved. The significant gains we’ve made in technology and methodologies has been traded for the ability to build increasingly complex solutions, the latest being ERP (enterprise resource planning) whose installation in a business is often compared to open heart surgery.
This disconnect between the pulse rates of business and enterprise technology is the source of our struggle. John Boyd found his way to the crux of the problem with his work on fighter tactics.
John Boyd—also know as “40 second Boyd”—was a rather interesting bloke. He had a standing bet for 40 dollars that he beat any opponent within 40 seconds in a dog fight. Boyd never lost his bet.
We often find ourselves on the back foot, reacting to seemingly chaotic business environment. To overcome this we need to increase the pulse of IT so that we’re operating at a higher pace than the business we support. Tools like LEAN software development have provided us with a partial solution, accelerating the pulse of writing software, but if we want to overcome this challenge then we need to find a new approach to managing IT.
Business, however, doesn’t have a single pulse. Pulse rate varies by industry. It also varies within a business. Back office compliance runs at a slow rate, changing over years as reporting and regulation requirements slowly evolve. Process improvement and operational excellence programs evolve business processes over months or quarters to drive cost out of the business. While customer or knowledge worker facing functionality changes rapidly, possibly even weekly, in response to consumer, marketing or workforce demands.
We can manage each of these pulses separately. Rather than using a single approach to managing technology and treating all business drivers as equals, we can segment the business and select management strategies to match the pulse rate and amplitude of each.
Sales, for example, is often victim of an over zealous CRM (customer relationship management) deployment. In an effort to improve sales performance we’ll decide to role out the latest-greatest CRM solution. The one with the Web 2.0 features and funky cross-sell, up-sell module.
Only of a fraction of the functionality in the new CRM solution is actually new though—the remainder being no different to the existing solution. The need to support 100% of the investment on the benefits provided by a small fraction of the solution’s features dilutes the business case. Soon we find ourselves on the same old roller-coaster ride, with delivery running late, scope creeping up, the promised benefits becoming more intangible every minute, and we’re struggling to keep up.
There might be an easier way. Take the drugs industry for example. Sales are based on relationships and made via personal calls on doctors. Sales performance is driven by the number of sales calls a representative can manage in a week, and the ability to answer all of a doctor’s questions during a visit (and avoid the need for a follow-up visit to close the sale). It’s not uncommon for tasks unrelated to CRM—simple tasks such as returning to the office to process expenses or find an answer to a question—to consume a disproportionate amount of time. Time that would be better spent closing sales.
One company came up with an interesting approach. To support the sales reps in the field they provided them with the ability to query the team back in the office, answering a clients question without the need to return to head office and then try to get back in their calendar. The solution was to deploy a corporate version of Twitter, connecting the sales rep into the with the call center and all staff using the company portal via a simple text message.
By separating concerns in this way—by managing each appropriately—we can ensure that we are working at a faster pace than the business driver we supporting. By allocating our resources wisely we can set the amplitude of each pulse. Careful management of the cycles will enable us to bring business and technology into alignment.