Those who don’t know history are destined to repeat it. So said Edmund Burke (1729-1797), a British Statesman and Philosopher who is generally viewed as the philosophical founder of modern political conservatism. What does that have to do with Cloud Computing or even IT in general? Unfortunately, a lot.
Geva Perry presented the keynote address at the 2012 Cloud Connect Conference. Mr. Perry is a board member and advisor at several tech companies and for the past six years has been blogging about the Cloud in Thinking Out Cloud. His main point of his keynote talk: your company is already moving to the Cloud, and it is being driven from the bottom up. He cites some examples:
- An InfoQ Survey that shows almost half of the Cloud Computing adoption decisions have been made by developers or at the department level, not by C-level executives or even IT leaders.
- Individual sales people are using their own credit card to buy SalesForce.com, a leading sales support Software as a Service offering. They found SalesForce.com saved them time and provided more and better capabilities than the “company-approved” solution.
- Often it is the IT developers using Amazon Web Services who initiate the first Cloud adoption exercise in a company. The on-demand self-scaling resources do significantly reduce the time to set up development and test environments, often accomplishing in a couple of minutes what the official IT process does in a couple of days.
This should not be surprising. More and more people use smart phones and tablets outside of their business environment, and want the same convenience and capabilities at work. They are using Cloud-based email, Twitter, Facebook, LinkedIn, Flickr, Picasa, reading and writing blogs, using Google Docs, Microsoft Office 365, the iCloud, and probably dozens more Cloud-enabled apps and offerings. They can do anything from anywhere and anytime, and want to work in the same way. It drives the BYOD (bring your own device) phenomenon, which is driving many IT managers crazy, primarily because they lose control. They lose control of where their data is located and what is happening to it. They lose control of who is accessing it. They face an almost impossible task of supporting dozens of different devices and connection mechanisms from users who know what they want, but really do not understand what is happening behind the scenes.
But this is not the first such bottom-up revolution in IT.
About 20 years ago many IT executives discovered that they were losing control. Individual managers were setting up their own departmental servers to provide specific applications to their employees, and sometimes even customers. The main enabler was the plummeting cost of a server. Instead of the six- and seven-digit prices for mainframes that had launched the general use of computers in business in the 1960s, powerful servers were now available for less than US$10,000. In many large companies, they could therefore be expensed or fell within the spending limits of department managers. A manager could pick up the phone and call HP, Dell, IBM, or a host of other vendors and have a server delivered in a couple of days. Simply install some off-the-shelf software and, voilà, a new application was available. The server would plug into the wall and sit in a normal office environment, often next to the coffee pot in the break room, completely outside of normal IT control. And it all just ran fine by itself. Usually. IT managers had no idea how many servers were actually on their network, where they were, what they were doing, or what data they managed.
About 10 years ago, the next IT revolution was in full motion: open source. Anyone could download free or very inexpensive software to do almost everything: Linux operating systems, Microsoft Office-like programs, browsers, software development tools, utilities, financial analysis programs, database software, an almost endless list. IT managers had no clue what software is being used to run the company’s business.
The reason for these bottom-up revolutions is the same: Corporate IT was not providing what people thought they needed in the appropriate time frame. When technology provided a self-service solution that they could afford, they just took it. No more spending months getting IT to understand your needs, create a detailed design document, and then put it in the queue, usually at least a year out. Having been on both sides of these discussions, the conversation always ended the same: “You don’t understand that we need it NOW!” versus “We don’t have the resources to do that.” IT was viewed as the bottleneck to progress – ponderous, slow, and always wanting answers to every possible scenario. “Just do it” was not in their vocabulary.
Of course, when something failed, IT was supposed to jump in and save the day. Often they could, but the thanks were short-lived. When IT couldn’t fix it, it was still IT’s fault. On more than one occasion I asked for their latest backup so I could recover from a catastrophic hardware failure. The answer was often, “What’s a backup?”
Does a company need a centralized IT organization? Is the CIO irrelevant? Maybe in some cases you can just wing it. You don’t need IT to be involved in a March Madness pool, or even in tracking responses to the latest sales campaign. However, it is important that you have central control over any data that is critical to your business or when inappropriate handling of that data can lead to compliance or regulatory problems. Some examples:
- Systems that manage data protected by privacy laws, financial or health-care compliance requirements, or other external requirements in contracts with customers or partners. If some of your customers are governments, some of those requirements are not only in the contracts but also in laws and executive orders.
- Applications that are critical to the operation of the business. These are the systems that take orders, manage production lines and distribution, and enable communication with customers and partners. Based on their specific requirements, you will need to have appropriate backup and disaster recovery processes in place. This almost always includes your email system.
- Systems that manage data that is controlled by your Corporate Live Cycle Management policy. This is the policy that determines when you must delete old emails and documents, and enables the company to response to court discovery orders.
In my view, this requires a significant philosophical change in the CIO and senior IT management. They should see their role as enablers, not enforcers. It is probably impossible to stay ahead of your employees, but the first response should be “That should work” instead of “Don’t you do that until we have spent 6 months testing it.”
By moving to the Cloud, IT can free up its scarce resources for these new and usually more interesting duties. Plus, having a variety of different devices and mechanisms for your employees to do their job may be a blessing. Remember your HR diversity training? If Ireland had not standardized on a single species of potato, the potato blight of the mid 1800s would have been an annoyance, not a disaster. If a serious problem comes up with one device, it probably will only immediately impact a small percentage of your employees or customers. The work around may be as simple as, “Get on your laptop and enter the order there.”
Another important consideration is your policy manuals, especially Security and Life Cycle Management. Often they were written around some very specific mechanisms. At a minimum they need to be reviewed, but more likely they need to be written from an entirely different perspective. For example, instead of “enter your usercode and password on the signin screen” the manual should define application access requirements at a functional level, and specify several approved mechanisms for gaining access. Many companies are now providing annual ethics training to preserve the company culture and provide a comfortable and sustainable workplace. That annual training should also include training on the company’s security and life cycle management policies.
The last word:
Why don’t we teach history in Computer Science curricula? Why are public school history courses mostly about who did what to whom when, but rarely the “why”? Why did I have to learn who brought chickens into Delaware and when? Yes, we needed to know her name for the final. But there was no discussion of “why” and what opportunities occurred because of it. It was just another isolated incident in a very big pile of isolated incidents.
Admittedly, it is much harder to teach history if you are trying to keep track of lots of different threads that impacted or caused these incidents. It would be like trying to understand a war without understanding the economic issues that impacted its start, influenced its execution, and largely determined what happened after. Oh, wait, that describes every history course I ever took.
Keep your sense of humor.