Automated Governance: The Lynchpin for Success or Failure of Cloud Computing

Transcript of a sponsored podcast on cloud computing and the necessity for automated and pervasive governance across a services lifecycle.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Get a copy of Glitch: The Hidden Impact of Faulty Software. Learn more about governance risks. Sponsor: WebLayers.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Thanks for joining this sponsored podcast discussion on why governance is so important in the budding era of cloud computing. As cloud-delivered services become the coin of the productivity realm, how those services are managed as they are developed, deployed, and used -- across a services lifecycle -- increasingly determines their true value.

Management and governance are the arbiters of success or failure when we look across a services ecosystem and the full lifecycle of those applications. And yet, governance is still too often fractured, poorly extended across the development-and-deployment continuum, and often not able to satisfy the new complexity inherent in cloud models.

One key testbed for defining the role and requirements for cloud governance is in applications development, which due to the popularity of platform as a service (PaaS) is already largely a services ecosystem.

Often times, development teams are scattered globally, contractors can come and go, testing is provided as a service -- all while the chasm between development and deployment shrinks and iterations of deployments are hastening.

Here we’ll discuss the needs and potential for solutions around governance in the cloud era using the development and deployment environment as a bellwether for future service environments.

Here to help us explain why visibility across services creation and deployment is essential -- and how governance can be effectively baked into complex ecosystems -- we're joined by Jeff Papows, President and CEO of WebLayers and the author of Glitch: The Hidden Impact of Faulty Software. Welcome back to BriefingsDirect, Jeff.

Jeff Papows: Dana, thanks for having me on again.

Gardner: And, we're also here with John McDonald, CEO of CloudOne Corp. Welcome to the show, John.

John McDonald: Dana, hi. Thanks.

Gardner: Let’s start off, as it often the case with these cloud discussions, by defining "cloud" for our purposes, what we're going to focus on today, and I think that has lots to do with PaaS. So, let’s start with you John McDonald. Tell us what you think of when people mention cloud, particularly in development and deployment strategies in this notion of PaaS?

The role of confusion

McDonald: There is a ton of confusion about this right now and to be honest with you, for a lot of companies this confusion serves them in what they are trying to do.

To try to clarify it for everybody, cloud computing is really quite simple to understand. It’s all about getting access to hardware on-demand. This is hardware that I might use for any number of purposes -- for storing data, providing tools, and hosting an application.

There are a lot of companies out there that have done hosting in the past, application hosting or whatever, who are now morphing into cloud-computing companies. Some of them are actually even using cloud-computing technologies to do it, even though they just named themselves that.

Cloud, from a technology perspective, is more about some very sophisticated tools that are used to virtualize the workloads and the data and move them live from one bank of servers to another and from one whole data center to another, without the user really being aware of it. But, fundamentally, cloud computing is about getting access to a data center that’s my data center on-demand.

It’s frequently confused with another concept called software as a service (SaaS). SaaS is about getting access to software on-demand. So as cloud is to hardware, SaaS is to software. Frequently, these concepts are used together, so that when you do that you have an environment that scales up and down dynamically as your needs change up and down.

Sometimes that’s labeled Platform as a Service. In other words, I'm providing an entire platform or a work bench of tools on-demand. There are two concepts together, sometimes it’s called infrastructure as a service (IaaS), when what it is that I am providing is more of an infrastructural set of tools.

Fundamentally, the easiest way to remember it is that cloud is to hardware as SaaS is to software. Basically, for CloudOne, we're providing IBM Rational Development tools both through cloud computing and SaaS. Right now, we're the only people doing that. So, it’s unique and frankly pretty fun.

Gardner: Jeff Papows, why do you think application development has become such a great demonstration of what cloud computing can do? Why is there such a good fit between cloud, as far as John just defined it, and application development?

Papows: John’s explanation was both accurate and important, because there's a habitual capacity in our industry, as both of you have recognized, for people to get confused or hung up on vocabulary and on the most recent flavor of acronym headaches.

If you think about a lot of what John said, and a lot of about what’s going on in cloud computing it’s not a particularly new thing. What we used to think of was hosting or outsourcing. Then, you saw vertical instantiations of it around particular competencies like payroll. Companies like ADP were basically clouds with distinctive vertical expertise and processing payroll and doing tax reporting.

Mobile world

What’s happening now is the world is becoming more mobile, as 20 percent of our IT capacity is focused on new application development every year as opposed to maintaining what we have.

We have to get more creative and more distributed about the talent that contributes to those critical application development and projects. That’s why you begin to see, as John started to describe it, a razors and razor blade taxonomy, where it’s one thing to virtualize the hardware environment and some of the baseline topology and infrastructure, but then you begin to add layers of functionality.

Rational Team Concert (RTC) is one good case in point, as John pointed out too, but design time governance is the next logical thing in that continuum, so that all of the inherent risk mitigation associated with governance and then IT contacts can be applied to application development in a hybrid model that’s both geographically and organizationally distributed.

Gardner: John McDonald, you mentioned the fact that cloud fits in where workloads are unpredictable. With application development that’s certainly the case. It’s not just the constant hum of production, but really more fits and starts. Tell me, from your perspective, why cloud works so well to support application development across its continuum right up and into deployment?

McDonald: Yeah, that is the case. There's a myth that development is something that we ought to be tooling up for, like providing power to a building or water service. In reality, that’s not how it works at all.

The money that you save by doing that is the reason you can open any trade magazine and the first seven pages are all going to be about cloud.

There are people who come and go with different roles throughout the development process. The front-end business analysts play a big role in gathering requirements. Then, quite often, architects take over and design the application software or whatever we are building from those requirements. Then, the people doing the coding, developers, take over. That rolls into testing and that rolls into deployment. And, as this lifecycle moves through, these roles wax and wane.

But the traditional model of getting development tools doesn’t really work that way at all. You usually buy all of the tools that you will ever need up front, usually with a large purchase, put them on servers, and let them sit there, until the people who are going to use them and log in and use them. But, while they are sitting there, taking up space and your capital expense budget, and not being used, that’s waste.

This cloud model allows you to spin up and spin down the appropriate amount of software and hardware to support the realities of the software development lifecycle. The money that you save by doing that is the reason you can open any trade magazine and the first seven pages are all going to be about cloud.

It's allowing customers of CloudOne and IBM Rational to use that money in new, creative, interesting ways to provide tools they couldn't afford before, to start pilots of different, more sophisticated technologies that they wouldn't have been able to gather the resources to do before. So, it's not only a cost-savings statement, it's also ease of use, ease of start-up, and an ability to get more for your dollar from the development process. That's a pretty cool thing all the way around.

Gardner: So the good news is about that agility, that flexibility and adaptability toward a workflow of some sort across a development process. The bad news is that these things can spin out of control and that there is not a common thread or a fabric around them -- especially if you're doing source in your cloud’s hybrid models or multiple cloud or multiple sources of the platform or tools or testing.

Back to you, Jeff Papows. What do we do in terms of defining the problem set? What's the problem that governance is going to help solve?

Economic perturbation

Papows: John describes some of the economic realities, as well as the pragmatic realities of agile development, which I agree is not linear. It's a set of perturbations that, as John said, wax and wane depending on where you are in a particular development cycle, in which organizations your skills are being, are being amassed. That's as it should be, and it's nature’s law. In any event, you're not going to change it.

When you try to add some linear structure and predictability to those hybrid models, as you both have been discussing, the constant that can provide some order and some efficiency is not purely technology-based. It's not just the virtualization, the added machine capacity, or even the middleware to include companies like WebLayers or tools like Rational. It's the process that goes along with it. One of the really important things about design-time governance is the review process.

In a highly distributed, hybrid, agile application-development model -- where you may have business analysts in Akron, Ohio, architects in Connecticut, coders in Singapore, and outsourced QA in India -- the one constant taxonomy is the ability to submit and review and deal with some logical order and structure to the workflow that makes that collaborative continuum more predictable and more logical, irrespective of all of the moving parts, both digital and human, and the fabric that we're talking about here.

Governance is a big part of the technology toolset that institutionalizes that review process and adds that order to what otherwise can quickly become a bit chaotic, depending on where you are in the perturbations that John describes.

McDonald: This is a really good point that you're making, Jeff. The challenge of tools in the old days was that they were largely created during a time where all the people and the development project were sitting on the same floor with each other in a bunch of cubes in offices.

The cloud allows us to create a dedicated new data center that sits on the Internet and is accessible to all, wherever they are, and in whatever time zone they are working, and whatever relationship they have to my company.

As the challenges of development have caused companies to look at outsourcing and off-shoring, but even more simplistically the merger of my bank and your bank, then we have groups of developers in two different cities, or we bought a packaged application, and the best skill to help us integrate it is actually from a third-party partner which is in a completely different city or country. Those tools have shown their weaknesses, even in just getting your hands on them.

How do I punch a hole through the firewall to give you a way to check in your code problems? The cloud allows us to create a dedicated new data center that sits on the Internet and is accessible to all, wherever they are, and in whatever time zone they are working, and whatever relationship they have to my company.

That frees things up to be collaborative across company boundaries. But with that freedom comes a great challenge in unifying a process across all of those different people, and getting a collaborative engine to work across all those people.

Papows: That’s a great point John. I was with the CIO of a major New York bank about two weeks ago. Like so many CIOs in this financial services sector post-2008 they are in the midst of clamming together two very large complex inherently different back-office systems. Then, on a magical date, somehow they're supposed to intersect without the digital version of Pearl Harbor. That’s not a reasonable request, but these are not reasonable times.

Complexity curve

Without the ability to create these ad hoc environments, not just organizationally or geographically, but perhaps separate production from testing and development -- and without the ability to automate a good part of the tooling associated with reviewing these massive, mountains of legacy code bases before you magically intersect these things and put them together -- there's not a prayer that carbon-based, biped life forms are going to pull that off without a far more automated approach to that kind of a problem. It’s reached a point in the complexity curve, where you just can’t throw enough bodies at it.

McDonald: That’s right. It’s almost a requirement to keep the wheels on the bus and to have some degree of ability to manage the process in the compliance with regulations and the information about how decisions were made in such distributed ways that they are traceable and reviewable. It’s really not possible to achieve such a distributed development environment without that governance guidance.

Gardner: One of the interesting things that I have noticed in talking about cloud for the past several years is the realization fairly early on that the owner of the application or service -- and not the provider -- are the ones who are inherently and ultimately responsible for the governance. They are also responsible to the end user in in terms of their performance expectations. So, given that reality, who is responsible for governance and where should it begin and end? Where does it intersect with ownership within these ecosystems?

Papows: When I say "governance," I'm not talking about the Sarbanes-Oxley corporate governance context. I am talking about it specifically as it relates to IT. That is a function of the C-level executives, meaning it’s a partnership between the CIO and the CEO. This is not something that happens at the level of architect, the program, or this digital professional that’s in the trenches. There is an aspect of this, Dana, that we have to wake up and get environmentally much more honest with one another about.

We're dealing with some challenges for the first time that require out-of-the-box thinking. I talk about this in "Glitch." We have reached a point where there a trillion connected devices on the Internet as the February of this year. There are a billion embedded transistors for every human being on the planet.

We have reached a point where there a trillion connected devices on the Internet as the February of this year. There are a billion embedded transistors for every human being on the planet.

For the first time, we're seeing a drought in available computer scientists graduating from colleges and universities. The other side of the dot-com implosion was that the vocation became somewhat less attractive to people.

Moreover, 70 percent of the transaction-processing systems that we're dependent upon in the world economy today run on the things like mainframes and they are written in languages like COBOL. Although there are some very valiant efforts being made by IBM in about 600 universities, we're going to see more of that human capital retire, reach the end of their time with us, and die off in terms of the workforce. Yet, all of that inherent complexity is, at the same time, being exacerbated by all of these mergers and acquisitions.

Put all of those things together and, if it weren’t for companies like CloudOne that are creating these ecosystems and distributed environments that allow people to deal with the 20 percent of that new application development in unique and new ways vis-à-vis the cloud, for the first time in the history of our industry, as computer scientists, we're on the verge of tremendous challenges. That’s why I say it’s a partnership between C-level executives, because these are not traditional times.

Gardner: John McDonald, where do you see the notion of baking-in governance taking place. Clearly, the incentive, the direction, and the vision needs to come from on-high. But how do you embed governance into a development workflow, for example?

Everything has to disappear

McDonald: My view is that it absolutely has to be so incipiently based that everything that you are doing has to disappear. Here’s what I mean by that. Developers view themselves quite often as artists. They may not articulate it that way, but they often see themselves as artists and their palette is code.

As such, they immediately rankle at any notion that, as artists, they should be governed. Yet, as we’ve already established, that guidance for them around the processes, methods, regulations, and so on is absolutely critical for success, really in any size organization, but beyond the pale in a distributed development environment. So, how do you deal with that issue?

Well, you embed it into their entire environment from the very first stage. In most companies, this is trying to decide what projects we should undertake, which in lot of companies is a mainly over-glorified email argument.

It goes right on through to the requirements gathering around those projects that we have decided to undertake to the project plans that are put around those projects, to the architecture, the design, the coding, the testing, the build, and the deployment.

It all has to be embedded at every step of that way, gently nudging, and sometimes shuttling all these players back into the right line, when it comes to ensuring that the result of their effort is compliant with whatever it is that I needed to be compliant to.

In short, Dana, you’ve got to make it be a part of and embedded into every stage of the development process, so that it largely disappears, and becomes something that becomes such a natural extension of the tool so that you don’t have anyone along the way realizing that they are being governed.

Unless you automate it, unless you provide the right stack of tools and codify the best practices and libraries that can be reusable, it simply won’t happen.

Papows: John is exactly right, Dana. It’s got to be automated. You’re not going to do something as ubiquitously as John is describing in a manually intensive non-electronic process. It will fundamentally break down.

Everybody intellectually buys into governance, but nobody individually wants to be governed. Unless you automate it, unless you provide the right stack of tools and codify the best practices and libraries that can be reusable, it simply won’t happen. People are people, and without the automation to make it natural, unnatural things get applied some percentage of the time, and governance can’t work that way.

Gardner: Let’s look at an example vis-à-vis CloudOne. John, tell me a little bit about how you do this. Now that we’ve made a determination to this is the right approach, I’m assuming you use WebLayers to do this. Tell me a little bit about CloudOne as an example of how this can work.

McDonald: When we first began this company, all those many months ago, we knew that this is going to be incredibly important.

WebLayers was the very first partner that we reached out to say, "Can you go down this journey with us together, as we begin developing these workbenches, these integrated toolsets, and delivering them through the cloud on-demand?" We already know and see that embedding governance in every layer is something we have to be able to do out of the gate.

The team at WebLayers was phenomenal in responding to that request and we were able to take several based instances of various Rational tools, embed into them WebLayers technology, and based on how the cloud works, archive those, put them up in our library to be able to be pulled down off-the-shelf, cloned, and made an instance of for the various customers that we have coming to our pipeline who want to experience this technology in what we are doing.

So, right from the start, Dana, we put that into what we are doing, so that when customers experience CloudOne’s technology either in pilot or in production they never know that it’s not theirs. CloudOne Team Concert is a better Rational Team Concert, because it has WebLayers embedded into it, than simply buying Team Concert and doing it on your own.

Embedded automation

At this point, we have approaching a hundred customers who have, in one shape or form, used or touched some WebLayers technology in the course of a pilot. We frankly see a very healthy group of customers, as we go into the fall of this year, who we believe are going to become customers of that technology simply because they have been able to experience that embedded automation, almost disappearing into the background kinds of guidance for governance is what Jeff has been talking about. So, it’s been really a great journey so far, and I can only see it getting better.

Gardner: I know it’s hard to quantify results when you are preventing something bad from happening, but are there any metrics of success? Can you point to the embedded governance and say that got us to "blank" or paid off in some manner or another?

Papows: Unfortunately, the best examples of those tend to come from the places where governance is not. You’ve read about or heard about or experienced first hand the disasters that can happen in production environments, where you have some market-facing application, where service is lost, where there is even brand damage or economic consequences.

We’ve seen ad hoc development. As an example, a year ago at a major European investment banking firm where a CEO did what CEOs frequently do, and demanded that everyone complete an online workflow for everyone’s annual review process.

This particular CEO went further and said that if it wasn't done by year-end, any manager who hasn’t completed this for all of his or her constituents wouldn’t be eligible for the year-end bonus. Somebody very quickly cobbled together some HR workflow, unbeknownst to anyone.

It’s seven times more expensive to fix an application service after it’s deployed than it is in design.

There was a sense of urgency. It relied on a single database thread that was part of a production system that was not reinforced. When everybody collided at once to coalesce to the demands that this particular executive was articulating, it brought down the trading floor.

In the four hours that that system was lost, as Murphy’s law would frequently have it, there was about an 11 percent market accretion. The cost of that particular institution for the difference in the trading value for the hours that they were out of business was about $24 million.

There are instances like that, which become almost water-cooler legend, where you can quantify fantastic ROI in reverse. There is a new concept -- and John is probably starting to get exposed to this -- called "technical debt" -- I think one of your blogs touched on this earlier.

We're beginning to quantify the opportunity cost and the human cost in terms of mandates of IT time for things that are not governed or not adhered, so that as you catalogue the number of programs, files, WSDLs, objects, and stuff that don’t meet the acid test, you get a sense for the number of days, and as a consequence the dollars, of technical debt that you are amassing.

There was a great article -- I can’t remember who published it -- that said that it’s seven times more expensive to fix an application service after it’s deployed than it is in design. God knows whether that’s got any decimal-point accuracy, but it’s certainly directionally correct. We are going to provide some dashboard reporting in some objects in our management dashboard series.

As we look toward the end of the year, that will give you some widgets and dials, and we’ll begin to quantify the cost of the things that we find that don’t adhere to the libraries that people like John are building into their infrastructure. While a lot of things in information technology in the last couple of decades have been largely subjective, we're going to get to the point where we are going to start quantify these things fairly precisely.

Gardner: What about you, John McDonald? Do you have any sense of the paybacks, the metrics of success when governance is done properly in your neck of the woods?

Signboards of success

McDonald: I have to agree with Jeff. The biggest signboards of success here are when things go badly. The avoidance of things going badly is unfortunately very difficult to measure. That is something that everyone who attempts to do a cloud-delivered development environment and does the right thing by embedding in it the right governance guidance should know coming out of the gate. The best thing that’s going to happen is you are not going to have a catastrophe.

That said, one of the neat things about having a common workbench, and having the kinds of reporting in metrics that it can measure, meaning the IBM Jazz, along with the WebLayers technology, is that I can get a very detailed view of what’s going on in my software factory at every turn of the crank and where things are coming off the rails a little bit.

I equate this in some ways to a car production factory, where there are many moving parts, lots of robot arms, and people lifting plate glass into place and screwing in bolts and that sort of thing. Everything may look great in my factory, but at the end of the factory, I consistently see the door handle is off by three inches. I can’t release those cars to my dealership network with bad door handles, so I know that I've got a problem, but I can very quickly see where the problem is. That’s how most companies right now deal with governance issues. They wait until the very end of it, as it’s about ready to be shipped to the dealer, and then they notice the door handle is off.

It may be great to go back and know where to fix the door handle, but wouldn’t it be nice to know, before that car went to the rest of the line, that we had a problem with the machine in the door handle’s section. That’s what the kinds of metrics and measurement and responsiveness that this offers allows you to do -- fix the door handle, before it gets any farther down the line, so you never get to that catastrophe where the engine falls out of the bottom.

You don’t even get to the small issues where the door handle is off. You nip them in the bud. Doing that live every day with the visibility into the reports and the metrics around governance is really the magic here, so that you never have that issue of a catastrophe, where you have to hold up and say, "Well, we’ll do better next time."

There's an age-old expression that you're so close to the forest you can't see the trees. Well, I think in the IT business we’re sometime so deeply embedded in the bark we can't see anything.

Gardner: Let's take a look to the future. Clearly, you'll find few people to argue with the fact that software is becoming more important to more companies. And, the cloud is becoming a new way -- at least new in terms of how people conceive of it -- of acquiring software and delivering services.

So this is all going to get worse. We're going to have more companies that see a strategic imperative around software and development and more opportunity for ecosystems and services. Then, of course, we’ve got explosion of data and mobile devices. Let me go first to you, Jeff.

I suppose I already know the answer, but is this important to do now? It's just going to get worse, but doesn't this also cut across and beyond where we go with development and into so many other areas of business? It seems, as I said in the setup, that you guys are the bellwether of how this can become more prevalent across more aspects of business in general.

Papows: You're right. Here is the reality, and it’s interesting sometimes. There's an age-old expression that you're so close to the forest you can't see the trees. Well, I think in the IT business we’re sometime so deeply embedded in the bark we can't see anything.

We've been developing, expanding, deploying, and reinventing on a massive scale so rapidly for the last 30 years that we've reached a breaking point where, as I said earlier, between the complexity curves, between the lack of elasticity and human capital, between the explosion and the amount of mobile computing devices and their propensity for accessing all of this backend infrastructure and applications, where something fundamentally has to change. It's a problem on a scale that can't be overwhelmed by simply throwing more bodies at it.

Creative solutions

Secondly, in the current economy, very few CIOs have elastic budgets. We have to do as an industry what we've done from the very beginning, which is to automate, innovate, and find creative solutions to combat the convergence of all of those digital elements to what would otherwise be a perfect storm.

That, in fact, is where companies like CloudOne are able to expand and leap productivity equations for companies in certain segments of the market. That's where automation, whether it's Rational, WebLayers, or another piece of technology, has got to be part of the recipe of getting off this limb before we saw it off behind us.

The IT business has become such a critical part of our economy. Put the word "glitch" in your Google Alerts bar and see how many times a day you find out about customers that are locked out of ATM networks, manufacturing flaws, technology disasters in the Gulf, nuclear power plants in Houston, or people being killed by over-radiation because of software bugs in medical equipment. It's reaching epidemic proportions, and the proof-point is that you see it in the daily broadcast news cycles now.

There there is simply no barrier for anyone to give this a try.

So SaaS, cloud computing, automated governance, forms of artificial intelligence, Rational tooling, consistent workbench methodologies, all of these things are the instruments of getting ourselves out of the corner that we have otherwise painted ourselves in.

I don't want to seem like an alarmist or try to paint too big a storm cloud on the horizon, but this is simply not something that's going to happen or be resolved in a business-as-usual usual fashion.

Gardner: Okay, so the stakes are high, they are getting higher. Back to you for the final word, John McDonald. What do you recommend for people who need to get started or are thinking of getting more involved with governance part-and-parcel with their activities?

McDonald: That's one of the coolest things of all about this whole model, in my mind. There there is simply no barrier for anyone to give this a try. In the old model, if you wanted to give the technology a try, you had better start with your calculator. And you had better get the names and addresses of your board of directors, because you're going there eventually to get the capital approval and so on to even get a pilot project started in many cases with some of these very sophisticated tools.

This is just not the case anymore. With the CloudOne environment you can sign on this afternoon with a web-based form to get a instance of let's say, Team Concert set up for you with WebLayers technology embedded in it, in about 20 minutes from when you push "submit," and it's absolutely free for the first model. From there, you grow only as you need them, user-by-user. It's really quite simple to give this concept a try and it's really very easy.

If you have any inclination at all to see what it is that Jeff and I are telling you, give it a whirl, because it's very simple.

Gardner: Okay, we'll have to leave it there. We've been discussing the needs and potential for solutions of governance in the cloud era, and using managed development and deployment environments as a bellwether for future cloud and service and IT use.

I want to thank our guests, we have been talking with Jeff Papows, President and CEO of WebLayers as well as the author of Glitch: The Hidden Impact of Faulty Software. Thanks so much, Jeff.

Papows: Thank you, Dana, and thank you, John.

Gardner: Yes, we've been joined here also by John McDonald, the CEO of CloudOne Corp.

Gardner: I'm Dana Gardner, Principal Analyst at Interarbor Solutions. You've been listening to a sponsored BriefingsDirect podcast. Thanks for listening, and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Get a copy of Glitch: The Hidden Impact of Faulty Software. Learn more about governance risks. Sponsor: WebLayers.

Transcript of a sponsored podcast on cloud computing and the necessity for automated and pervasive governance across a services lifecycle. Copyright Interarbor Solutions, LLC, 2005-2010. All rights reserved.

You may also be interested in:

• Enterprise Architects Increasingly Join in Common Defense Against Cyper Security Threats
  

• Business Trends in Global IT Markets Provide New Traction and Value for Enterprise Architecture
  
  
• Confluence of global trends ups ante for improved IT governance to prevent costly business 'glitches'
  

Confluence of Global Trends Ups Ante for Improved IT Governance to Prevent Costly Business 'Glitches'

Transcript of a sponsored BriefingDirect podcast on the growing danger from faulty software and how to overcome it.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: WebLayers.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on the nature of, and some possible solutions for, a growing parade of enterprise-scale glitches. The headlines these days are full of big, embarrassing corporate and government "gotchas."

These complex snafus cost a ton of money, severely damage a company’s reputation, and most importantly, can hurt or even kill people.

From global auto recalls to bank failures, and the cyber crime that can uproot the private information from millions of users, the scale and damage that technology-accelerated glitches can inflict on businesses and individuals has probably never been higher. So what is at the root?

Is it a technology run amok problem, or a complexity spinning out of control issue -- and why is it seemingly worse now?

A new book is coming out this summer that explores the relationship between glitches and technology, specifically the role of software use and development in the era of cloud computing.

It turns out the role and impact of governance over people, process, and technology comes up again and again in the new book.

We have with us here today the author of the book as well as a software expert from IBM to delve into the causes and effects of glitches and how governance relates to the problem and fixes.

Please join me in welcoming our guests, Jeff Papows, President and CEO of WebLayers, and the author of Glitch: The Hidden Impact of Faulty Software. Welcome to the show, Jeff.

Jeff Papows: Thanks, Dana. Thanks for having us on.

Gardner: We're also here with Kerrie Holley, IBM fellow and Chief Technology Officer for IBM’s SOA Center of Excellence. Welcome to the show, Kerrie.

Kerrie Holley: Thank you, very much.

Gardner: Jeff, let me start with you. Now, the general trends around these complex issues are affecting business and probably affecting just about everyone’s lives. How do these seem to be something that’s different? Is there an inflection point? Is there something different now that 20 years ago in terms of the intersection of business with technology?

Papows: There is. I’ve done a lot of research in the past 10 months and what we're actually seeing is the confluence of three primary factors that are creating an information technology perfect storm of sorts. Some of these are obvious, but it’s the convergence of the three that’s creating problems on the scale that you are describing here.

The first is a loss of intellectual capital. For the first time in our careers -- the three of us have all been at this for a long time now -- we saw, between 2000 and 2007, the first drop in computer science graduates. That's the other side of the dot-com implosion.

Mainframe adoption patterns

While it’s not always popular or glamorous to talk about, 70 percent of the world’s critical infrastructure still runs on IBM mainframes. Yet, the focus of most of our new computer science graduates and early life professionals is on Java, XML, and the open and more modern development languages.

For the first time in our lifetimes and careers, the preponderance of that COBOL-based analytical community is retiring and/or -- God forbid -- aging and dying. That’s created a significant problem, concurrent with a time where the merger and consolidation activity -- the other side of the recession of 2008 -- have created this massive complexity in these giant mash-ups and critical back-office systems. For example, the mergers between Bank of America and Countrywide, and on and on.

The third factor is just the sheer ubiquity of the technological complexity curve. It’s the magnitude of technology that’s now part of our social fabric, whether it’s literally one million transistors that now exist for every human being on the planet or the six billion network devices that exist in the world today, all of which are accessing the same critical, in many cases, back-office structures.

It's reached the point, Dana, from a consumer standpoint, where 60 percent of the value of our automobiles now consists of networked electronic components -- not the drive trains, engines, and the other things. Look at the recent glitches you have seen at places like Toyota.

You take those three meta-level factors and put them together and we're making the morning broadcast news cycles now on a daily basis with, as you said, more and more of these embarrassing things coming to light. They're not just inconvenient, but there are monumental economic consequences -- and we're killing people.

Gardner: Kerrie Holley, we've looked at some of these issues -- society issues, organizational issues, and the technology behind them -- but technology has also been part of the solution or the ability to scale and manage and automate. I think service oriented architecture (SOA) has a major impact on that.

So, are we at a point where the ability of technology to keep up with the rate of growth is out of whack? What do you sense is behind some of this and why hasn't the technology been there to fix it along the way?

Holley: Jeff brought up some excellent points, which are spot-on. The other thing that we see is that we've had this growth of distributed computing. The easy stuff we've actually accomplished already.

If we look at a lot of what businesses are trying to accomplish today, whether it’s a new business model, differentiation, or whatever they're trying to do compete, what we are finding is that the complexity of that solution is pretty significant.

It's something that we obviously can do. If we look at a lot of technologies that are out in the market place, unfortunately, in many cases they are siloed. They repair or they help with a part of the problem, but perhaps they're not holistic in dealing with the whole life-cycle that is necessary to create some of this value.

Secondly -- this is a point-in-time statement -- we're seeing rapid improvements in the technology to solve this. With Jeff's company and other organizations, we are seeing that today. It hasn’t caught up, but I think it will. In summary, Jeff brought up several points in terms of the fact that we have ubiquitous devices and a tremendous amount of computing power. We have programming available to the masses. We have eight-year-olds, grandmothers, and everyone in between, writing software.

Connecting devices

We have a tremendous need to connect mobile devices and front-ends. We have 3D Internet. We just have an explosion of technologies that we have to integrate. Along with that comes some of the challenges in terms of how we make this agile, and how we make it such that it doesn't break. How do we make sure that we actually get the value propositions that we see? Clearly, SOA is a part of the solution, but it's certainly not the end-all in terms of how we repair and how we get better.

Gardner: One of the things that intrigues me about SOA is the emphasis on governance. To get the best out of a distributed services-orientation, you need to think at the very beginning and throughout the process about how to manage, automate, and reuse, as well as the feedback loops into the process -- all on an ongoing basis.

It strikes me that if that works for SOA, it probably also works for management and organizations, and it works for the relationship between workers and customers. Let me take this back to you, Jeff. Is governance also in catch-up mode? Do we have a sense of how to govern the technology, but not necessarily the process? Is that what's behind some of it?

Papows: You're right, Dana. There's a cultural maturation process here. Let's look at a couple of the broad economic planks that have affected how we got here, because I've been in the software industry for 30 years now. Remember that the average computer scientist, at least in North America, on average, makes 32 percent more than the mean average in the U.S. economy. And, software, computer services and infrastructure has accounted for about 37 percent of the growth in the gross domestic product in the United States and Asia in the last decade.

So the economic impact and success of our industry almost can’t be overstated. Because of that, we've grown up for decades now where we just threw more and more bodies at the problem, as
the technological curve grew.

All that means is automating those best practices and turning them inward, so that we’re governing ourselves as an industry the way that we would automate or govern many things.

There was always this never-ending economic rosy horizon, where you would just add more IT professionals and you would acquire and you’d merge systems, but rarely would you render
portions of those workforces redundant.

In 2008, the economic malaise that we’re managing our way through changed all of that. Now, the only way out of this complexity curve that we’ve created, to use Kerrie's terms, is turning the innovation that has been the hallmark of our industry back on ourselves.

That means automating and codifying all of the best practices and human capital that’s been in-place and learning for decades in the form of active policy management and inference engines in what we typically think of as SOA and design-time governance.

Really, all that means is automating those best practices and turning them inward, so that we’re governing ourselves as an industry in the same way that we would automate or govern many things. But now it’s no longer a "nice to have." I would argue that it’s critical, because the complexity curve and the economics have crossed and there is no way to put this genie back in the bottle. There is no way to go backward.

Gardner: Kerrie, any thoughts about what’s perhaps now a critical role for governance, perhaps governance up and down the technology spectrum, design time, runtime, but also governance in terms of how the people and processes come together?

Holley: Absolutely. One of the nice things that the attention to SOA has brought to our marketplace is the recognition that we do need to focus on governance. I don’t know of a single client who’s got an SOA implementation who has not, as a minimum, thought about governance. They may not be doing everything they want to do or should be doing, but governance is clearly on the attention span of everyone in terms of recognizing that it needs to be done.

So, when we look at governance and when we look at it around SOA, IT governance is something that we’ve had for a long time. SOA governance is a subset, you could say. It complements, but at the same time, it focuses our attention on, what some of the deltas have brought to the marketplace that require improved governance.

Services lifecycles

That governance is not only around the technology. It’s not only around the life-cycle of services. It’s not only around the use of addressing processes and addressing application development. Governance also focuses on the convergence that’s required between business and IT.

The synergistic relationship that we seek will be promoted through the use of governance. Change management specifically brings about a pretty significant focus, meaning that there will be a focus on the part of the business and the IT organizations and teams to bring about the results that are sought.

Examples of problems

Gardner: Jeff, in your book you identify some examples. Are there any that really stand out I that we can trace back to some root cause in the software lifecycle?

Papows: There are, and it’s unfortunate. The ones that make the greatest memory points and often the national headlines, characteristically are the ones that affect the consumer broadly as opposed to the corporate ones.

Obviously, Toyota is in the headlines everyday now. Actually, there was another news cycle recently about Toyota’s Lexus vehicles. The new models apparently have a glitch in the software that controls the balance system.

The ones that make the greatest memory points and often the national headlines, characteristically are the ones that affect the consumer broadly as opposed to the corporate ones.

One of the most heartbreaking things in the research for the book was on software that controls the radiation devices in our hospitals for cancer treatment. I ran across a bunch of research where, because of some software glitches and policy problems in terms of the way those updates were distributed, people with fairly nominal cancers received massive overdoses in radiation.

The medical professionals running these machines -- like much of our culture, because something is computerized -- just assume that it’s infallible. Because of the problems in governance or lack of governance policy, people were being over-radiated. Instead of targeting small tumors in a very targeted way, people’s entire upper torsos, and unfortunately, in one case, head and neck were targeted.

There are lots of examples like that in the book that may not be as ubiquitous as Toyota, but there are many cases of widespread health, power, energy, and security risks as a consequence of the lack of policy management or governance that Kerrie was speaking to just a few minutes ago.

Gardner: Well, these examples certainly are very poignant and clearly something to avoid. I wonder if these are also perhaps just the tip of the iceberg. In addition to things that are problematic at a critical level, is there also a productivity hit? Are large aspects of work in process not nearly as optimal as they could be or are plagued by mistakes that drag down the process?

I want to take this over to Kerrie. IBM has its Smarter Planet approach. I think they're talking about the issue that we're just not nearly as efficient as we could be. What makes the headlines are these terrible issues, but what we're really talking about is a tremendous amount of waste. Aren’t we?

Things we could do better

Holley: We are. That’s exactly what inefficiency is. It speaks to a lot of waste and a lot of things we could do better. A lot of what we’ve been talking about from a Smarter Planet standpoint is actually the exact issues that Jeff has talked about, which is that the world is getting more instrumented. There are more sensors. There is a convergence of a lot of different technology, SOA, business process management, mobile computing, and cloud computing.

Clearly, on one end of the spectrum, it’s increasing the complexity. On the other end of the spectrum, it’s adding tremendous value to businesses, but it mandates this attention to governance.

Gardner: Jeff, in your book do you offer up some advice or solutions about what companies ought to be doing in this governance arena to deal with these glitches?

Papows: We do. We talk about what I call the IT Governance Manifesto, for lack of another catchy phrase. I make the argument that it’s almost reached the point now where we need to lobby for legislation that requires more stringent reporting of software glitches in cases where there is human health and life at stake. Or, alternately, that we impose fines upon individuals or organizations responsible for cover-ups that put people at risk. Or, we simply require a level of IT governance at organizations that produce products that directly affect productivity and quality of life issues.

Kerrie said this really well, Dana. Remember that about 70 percent of our computer scientists in a given year are basically contending with maintaining the existing application inventories that run all of our financial transactions in core sub-systems and topologies. So, 70 percent of our human capital is there to basically keep the stuff that’s in place running.

So, 70 percent of our human capital is there to basically keep the stuff that’s in place running.

Concurrently, we have this smarter planet, where we’ve got billions of RFID tags in motion and 64-bit microprocessors have reached a price point where they are making the way into our dishwashers. We’ve got this plethora of hand-held devices and applications that’s exploding.

All of that is against the backdrop of this more difficult economy, where we can’t just hire more people without automation. We haven't a prayer keeping our noses about water here.

So, God forbid that we ask the federal government, which moves at a dinosaur’s pace relative to Internet speed, to intercede and insist on some of the stuff. But, if we don’t police our own industry, if we don’t get more serious about this governance, whether it’s IBM or WebLayers or some other technological help, we run the risk of seeing the headlines we’re seeing today become completely ubiquitous.

Gardner: Kerrie, I understand that you’re also penning a book, and it’s focused on SOA. First, could you tell us about it, but then are there any aspects of it that address this issue of governance, maybe from a self-help perspective and of not waiting for some legislation or external direction on it.

Holley: The book that’s going to be out later this year is 100 SOA Questions: Asked and Answered. What my co-author [Ali Arsanjani] and I are trying to accomplish in the book, which distinguishes us from other SOA books in the marketplace, is based on thousands of questions that we’ve experienced over the decade in hundreds of projects where we’ve had first-hand roles in as consultants, architects, and developers. We provide the audience with a hands-on, prescriptive understanding of some of the more difficult questions, and not just have platitudes as answers, but really give the reader an answer they can act on.

We’ve organized the content in a way that you can go by domain. If you’re a business stakeholder, you can go to particular areas. That gets back to your question, because business clearly has a big role to play here. The convergence or the relationship between business and IT has a big role to play.

You can go directly into those sections. We do talk about governance. The book is not about governance, but a good percentage of the questions are on governance. What we try to do is help organizations, clients, practitioners, and executives understand what works what doesn’t work.

Always a choice

One of the examples, a small example, is that we always have a choice when we do a project. We can do it in multitude of ways, but we have a lot of evidence that when governance is not applied, when it’s not automated, when it’s not thought about upfront, the expense on the back-end side is enormous. That expense could be the cost of not having the agility that you foresaw.

The expense could be not having the cost reduction that you foresaw. The expense could be the defects that Jeff has spoken about -- the glitches. There is a tremendous downside to not focusing on governance on the front-side, not looking at it in the beginning. The book really tries to ask and answer the toughest SOA questions that we’ve seen in the marketplace over the last decade.

Gardner: We’ll certainly look forward to that. Back to you Jeff. When we think about governance, it has a bit of a siloed history itself. There's the old form of management, the red-light, green-light approach to IT management. We’ve seen design-time governance, but it seems to be somewhat divorced from, even on a different plane than, runtime or operational governance.

What needs to happen in order to make governance more holistic, more end-to-end?

Papows: It’s a good question, Dana. It’s like everything else in our industry. We’re sometimes our own worst enemy and we get hung up on language, and God forbid, we create yet another acronym headache.

There's an old expression, "Everybody wants governance, but nobody wants to be governed." We run the risk, and I think we’ve tripped over it several times, where we get to the point where developers don’t want to be slowed down. There is this Big Brother-connotation at times to governance. We’ve got to explore a different cultural approach to it.

Governance, whether it’s design time or run time, is really about automating and codifying best practices.

Governance, whether it’s design-time or run-time, is really about automating and codifying best practices, and it’s not done generically as was once taught. It can be, in my experience, very specific. The things we see Ford Motor Co. doing are very different. They're germane to their IT culture and organization, and very different than what we see the Bank of America do, as an example.

To Kerrie’s point about the cost of a lack of automated best practices, if we can use the new verb, it isn’t always quantitative. Look at the brand damage to a bank when they shut customers out of their ATM network, the other side of turning the switch when they merged back-office systems. Look at the number of people whose automated payment systems and whatnot were knocked out of kilter.

The brand damage affecting major corporations is a consequence of having these inane debates about whether SOA is alive or dead, whether you need design-time governance or run-time governance. What you need is a way to automate what you are doing, so that your best practices are enforced throughout the development lifecycle.

Kerrie answered your question well when he said it really is about waste. It’s not just about wasted human capital or wasted productivity or cycles. It’s about wasted go-to-market opportunity. Remember, we're now living in the era of market-facing systems. For almost every major business enterprise, our digital footprint is directly accessible in the marketplace, whether it’s an ATM network or a hand-held device. The line between our back-office infrastructure and our consumer experience is being obliterated.

I'd argue that rather than making distinctions between design and run-time governance, companies simply, one way or another, need to automate their best practices. The business mandates of the corporations need to be reflected in an automated way that makes it manageable across the information technology life-cycle -- or you exist at your own peril.

Gardner: Kerrie, any thoughts on this concept of governance and how we make it more ubiquitous and more enforced as the pain and the problems grow evident? The solution at a high level seems pretty clear. It seems to be the implementation where we stumble.

Governance mindset

Holley: You hit it on the head, and Jeff made the point as well. A lot of people think governance is onerous, that it’s a structure that forces people to do things a certain way. They look at it as rigid, inflexible, unforgiving. They think it just gets in the way.

That’s a mindset that people find themselves in, and it’s a reason not to do something. But when you think about the goals that you're seeking, most goals have something to do with efficiency, lower cost, customers, and making the company more agile. When you think about this, pretty much everybody in the marketplace knows that you don’t get those goals for free. There is some cultural change that’s often necessary to bring those goals about, some organizational change.

There's automation. You don’t start with automation. You actually start with the problem, the processes, and picking the right tool. But, automation has to be a part of that solution. One end of the spectrum, we’ve got to address this mindset that governance gets in the way, that it’s overhead, and that it’s unnecessary.

We know that organizations that are very successful, that are achieving many of their goals, when we peel the onion back, we see them focused on governance. One advice that we all know is that you shouldn’t boil the ocean, that you should do incremental change. We also need to do this in governance.

We need to have these incremental successes, where we are focused on automation holistically and looking at the life-cycle, not just looking at the part-of-the-problem space.

Looking for automation as a way out of the hole that has been created is a consequence of the industry’s own success.

Gardner: Jeff, it sounds like governance needs a makeover. Is there an opportunity? You are going to be discussing this book at the IBM Impact Conference 2010, their SOA conference? Is this a good opportunity? You have a lot of IT executive and software executives from the variety of enterprises on hand, but what would you tell them in terms of how to make governance a bit more attractive?

Papows: We all need to say, "I am a computer science professional. We have reached a point in the complexity curve where I no longer scale." You have to start with an admission of fact. And the reality is that the demands placed on today's IT organizations, the magnitude of the existing infrastructure that needs to continue to be cared for, the magnitude of application demands for new systems and access points from all of this new technology, simply is not going to correlate without a completely different highly automated approach.

Kerrie is right. You can't boil the ocean and you can’t do it at once, but you have to start with an honest self-assessment that, as an industry, we can't continue to go forward at the rate and pace that we have grown, given everything we know and that we see, without finally eating our own cooking.

Looking for automation as a way out of the hole that has been created is a consequence of the industry’s own success. We didn't get here because we failed to be fair to all of those developers in the audience. They're going to listen to this and say, "Why am I the bad guy?" They're not the bad guys.

The reality is, as I said, that we're responsible for the greatest percentage of growth in the gross domestic product. We're responsible for the greatest percentage workforce productivity. We've changed the way civilization lives and works. We've dealt with a quantum leap -- and the texture of human existence is a consequence of this technology.

It's time that we simply admit that we need to turn back on ourselves in order to continue to manage this or we, literally, I believe, are on the precipice of that digital equivalent of a Pearl Harbor, and the economic and productivity consequences of failing are extreme.

Gardner: Well, we'll have to leave it there. We're about out of time. We've been discussing how glitches in business have highlighted a possible breakdown in the continuity of technology and that governance is an important factor in making technology continue on its productivity curve, without falling at some degree under its own weight.

I want to thank our guests. We have been joined today by Jeff Papows, President and CEO of WebLayers, and the author of the new book, Glitch: The Hidden Impact of Faulty Software. Thank you so much, Jeff.

Papows: Thank you, Dana, and thank you, Kerrie.

Gardner: And, we have been joined also by Kerrie Holley, an IBM Fellow as well as the CTO for IBM’s SOA Center of Excellence. Thanks for your input, and we will look forward to your book as well.

Holley: Thank you, Dana, and thank you, Jeff.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You've been listening to a sponsored BriefingsDirect podcast. Thanks for listening and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: WebLayers.

Transcript of a sponsored BriefingDirect podcast on the growing danger from faulty software and how to overcome it. Copyright Interarbor Solutions, LLC, 2005-2010. All rights reserved.