User Innovation and Security

User Innovation by end users of IT systems is inevitable. For years this innovation has primarily happened on the end user device. There have been a number of reasons for this: flexibility, isolation, responsiveness, connectedness, tools, capacity, control, etc. Each of these has created a compelling User Innovation platform.

Most organisations don’t actually like their users innovating in this way because they think users should be “doing their job”. One of the levers that organisations pull when they are trying to get people to focus on “doing their job” is security: “you can’t do that because it’s against the security policy”. The “security policy” is the lever to get them to step back into line, but this doesn’t work because the need to innovate is strong.

Let me try and explain the reasons why I don’t think that management via a rules based security policy works.

Security is normally the responsibility of a central function, which expresses this responsibility through a security policy. Users are responsible for following the security policy, not for good security. The policy that is defined needs to be applicable to everyone, which makes it generic in nature, and it tends to be rules based: “thou shalt not send executable files across email”.

The combination of centralized responsibility and generic rules based policies puts the end user in a situation where they don’t understand the real security issues and hence innovate around the policy in inappropriate ways.

Rules based policies then get embedded into the service that is manufactured for the end user. Because the User Innovator assumes that the rules have been embedded into the service, they also assume that if they are allowed to do something, it’s not a security problem.

But the truth is, it’s not possible to embed the rules in all situations within the service. Let’s take Internet based services as an example. How do you set boundaries on the whole Internet with a set of rules, and how on earth do you embed those rules into the service that you deliver?

At the same time you limit what they can do within the organisation so that Innovators are more likely to innovate outside it.

The publishing of potentially sensitive corporate data on Google Calendar which has been uncovered this week is probably a good example of these issues. I’m sure there are a number of reasons for the problems, but one of the main ones has to be people’s lack of understanding of the security issues involved, their reliance upon the security boundaries set for them and the level of control placed upon them within the organisation.

User Innovators need to be embraced as people who are adding value; they then need to be given some responsibility to consider the risks of the innovations that they are undertaking. Sometimes this means physically protecting them. Sometimes this should mean educating them on the risks that they are about to face and providing them with mechanisms for mitigating those risks. User Innovators need to be taught how to undertake a risk assessment of their innovation. They are going to innovate, so we should help them to do it knowing the risks.

The User Innovators are not the enemy though; they are trying to innovate so that they can gain something and that something is normally a benefit. Their skills should, therefore, be harnessed to help answer the security problems that are changing every day. There are a number of ways of getting their significant expertise focused on a particular problem, but I think that’s a topic for another day.


User Innovation and End User IT

I’ve been giving some thought, and just a little reading, to the concept of User Innovation and its impact on IT. Because we are talking about User Innovation my primary area of interest is with the End User devices and the services that they are provided with.

To start with it’s worth putting some form of definition around the phrase User Innovation. I’m primarily talking here about the phenomenon researched by Eric von Hippel and documented in The Sources of Innovation and Democratizing Innovation.

Perhaps the best way of defining it is to describe a personal experience. I use Flickr as a photo sharing site. When I first started using the site I noticed that there wasn’t a group for photographs of Lancashire, where I live. So I created one. Having created one I invited others I know to join it. Not long after I’d created the group Stu noticed that the group had a strange URL and thought that it would be great if it had a simple URL. What’s more, Stu did a bit of research, worked out how to do it and gave me the instructions. So now Flickr has a Lancashire group with a nice simple URL (http://www.flickr.com/groups/lancashire/) where people share pictures almost every day.

There are two innovations in this example, the creation of the group and the change of its URL. Both of these innovations were undertaken by a User of the service, not by the Manufacturer of the service. I wasn’t 100% happy with the service as it was delivered to me by the Manufacturer, so I modified it. Fortunately Flickr has been built to encourage that kind of innovation, but more than that, the modification I made was immediately available to the whole community.

The alternative to User Innovation is Manufacturer Innovation. In Manufacturer Innovation it’s the person who is creating something to sell that undertakes the innovation. Manufacturer Innovation normally follows the design, build, test, deploy process, with the requirements for the design phase coming from within the Manufacturer.

I have a lot of experience as a Manufacturer of End User Services (what used to be called Desktop Services). I (We) design a service and sell it to the people who are going to Use the service; changes to the design are driven by the internal development process.

For years there has been one primary driver for the development of these services – cost. This has included the cost of support as well as the cost of acquisition.

If you want to reduce the cost of acquisition then you need to make the delivery of a service highly automated, and to automate something you need repeatability. If you want repeatability then you need uniformity. Delivering 1000 PCs all the same is cheaper than delivering 1000 PCs that are all different.

Capping the ongoing costs requires the perpetuation of that uniformity, but more than that, it requires simplicity. If you are going to maintain simplicity you need control.

Uniformity and control might cap costs, but they also stifle User Innovation. The need to innovate is strong, though, and Users of the service innovate anyway. They innovate outside the boundaries of the control, whether that’s through Internet delivered services, or by utilising equipment outside the control of the standardised service (like the PC at home) or by finding loopholes in the control.

So the costs still exist, they have just been moved, and probably increased by people working around the system.

On the flip-side of this debate is the need to protect User Innovators from themselves, but more about that another time.

 

Feeling a little older – ZX Spectrum makes 25

Today marks the 25th anniversary of the ZX Spectrum.

When I was at school I did most of my ‘O’ levels on a trusty ZX Spectrum, printing it out on a thermal printer and then sticking the bits of metallic paper to some real paper so the teachers could read it.

Knowing it is 25 years old makes me feel that little bit older.

Knowing that I have 2GB in my USB memory stick doesn’t make me too nostalgic for the days of fussy micro-tapes, but knowing how much we managed to do in 48KB does make me wonder whether we have used all of these extra circuits to their full potential.

 


Blackberry on my Windows Mobile

It seems that RIM are wanting to extend their footprint to Windows Mobile 6.

The interesting thing about this is that RIM aren’t porting the capability to a Windows Mobile type application. The software will run as a Virtual Blackberry on the device; this Virtual Blackberry will use the Blackberry interface, not the Windows Mobile interface.

I’ve used a Blackberry interface a little and a Windows Mobile 5 interface a lot. They are very different and I’m a little uncertain how people will feel switching between them.

 

Happy Hour is 9 to 5

I used last week’s holiday as an opportunity to read Happy Hour is 9 to 5; I was one of the fortunate ones who got a free copy in the Christmas giveaway. I was going to read it over the Christmas break, but circumstances overtook.

For anyone not familiar with this book it’s written by Alexander Kjerulf who goes by the job title of: Chief Happiness Officer.

The basic premise of this book is that happiness at work is a good thing for everyone, and that the opposite is also true. The book is a great holiday read without too much detailed analysis of research, but with loads of practical examples and comments.

The book contains a number of exercises to use to assess your own happiness at work and to direct you towards finding greater happiness. It also provides exercises for managers. My current position doesn’t include managing people, but I’m often in situations where I indirectly manage people, and certainly provide their motivation.

I’ve finished reading the book, but I haven’t got the exercise done yet. I need to do the exercise because there will have been little point in reading the book if I don’t.

Even before doing the exercises, though, I am aware that my own attitude needs some work especially if I am going to regain an attitude to work that isn’t “Meh” but is “Yay” (see this section). That means making some changes, which requires some planning and some action. It’s also closely linked to the research on My Brain from last year.

Not sure that The Order of the Elephant idea translates to UK culture though, will have to think about that one:

“Kjaer Group, a Danish company that sells cars in developing nations, introduced The Order of the Elephant a few years back. It’s a huge plush toy that any employee can award to any other, along with an explanation of why that employee deserves The Order. The praisee gets the elephant for a couple of days, and at two-feet tall it’s hard to overlook if it’s standing on that person’s desk.

Other employees stopping by immediately notice the elephant and go, “Hey, you got the elephant. What’d you do?”, which of course means that the good stories and best practices get told and re-told many times. This is an excellent, simple and cheap way of enhancing learning and happiness at work.”

from the What makes us happy at work? section of the book.

I’ve certainly witnessed the observation on meetings though:

Psychological experiments can be very devious, and this one was certainly no exception. The focus was meetings and the format was simple: Groups of people were asked to reach agreement on a contentious topic.

Here’s the devious bit: Unbeknownst to the other participants, one member of the group was an actor hired by the researchers. The actor was told to speak first in the discussions. In half the experiments he would say something positive, while in the other half he would start by saying something critical. After that he simply participated in the discussion like the other group members.

The experiment showed that when the first thing said in the meeting was positive, the discussion turned out more constructive, and people listened more and were more likely to reach a consensus. When the first statement was critical, the mood became more hostile, people were more argumentative and consensus became less likely.

The researchers concluded that the way a meeting starts has a large impact upon the tone of the discussion and on whether or not the group will eventually reach a consensus.

from the What makes us happy at work? section of the book.