In Praise of (Useful) Managers

You do need some managers. Elon Musk is trying to prove that Twitter can be run with only himself and the people who write code, and it’s not going well. It turns out that it takes a little more to run an organization than just coding and tweeting.

For example, Elon had announced that only enterprise customers who would pay $$$ would have access to the API. But he had fired everyone who was able to process an application for an enterprise license. So when the last overworked API engineer committed the change that implemented the limit, there were no paying customers because there was nobody to take the money of the few tool vendors willing to pay up.

Your overhead grows inexorably. Unless you pay very close attention, the fraction of total headcount actually writing code goes lower and lower. To avoid ending up having to take a chainsaw to your organization as Elon has done, calculate your coder percentage today and keep track of it.

Cloud Means Someone Else is in Control

Cloud services mean you are at the mercy of someone else. It is bad enough that hackers broke into Western Digital’s My Cloud service and encrypted their customers’ data. But many private customers are now learning what it means to use WD’s cloud-based login service. It means that even though your data is stored on your own NAS device in your own basement, you still cannot get at it when WD is down.

If you are using any cloud-based login service in your organization, ask your CISO how people would log in and access resources if that service is down.

Hybrid Work is a Leadership Decision

Get back to work, or else… That is the message from companies across the board. The latest is Amazon, who just dismissed a petition from more than 30,000 workers objecting to their three-days-a-week-in-the-office policy.

The Wall Street Journal reports that hybrid work is back to the pre-pandemic level at around 16 percent on average, with higher values in technology and information work.

Software is a collaborative effort, and no amount of Zoom meetings and Slack channels will change that. For example, I once led a team dispersed in four different rooms. Even though we were all on the same floor, we were constantly behind schedule and delivering poor quality. When I finally managed to get us all in the same room, productivity and quality shot up.

As an IT leader, it is your job to create as much value as you can with the resources at your disposal. You are not doing your job if you shrink from your leadership responsibility and let your programmers work wherever they want.

Where is the Profit?

“But we’re a startup!”

“That’s not enough anymore. How will you become profitable?”

This is the essence of discussions between startups and their VC funders today and increasingly between big companies and their shareholders. Unfortunately, Ford’s CFO didn’t get the memo because he is still trying to pass off their $3 billion loss on electric vehicles with the “consider-us-a-startup” excuse.

Increased shareholder attention is also forcing all the big tech companies to kill off many of their loss-making projects that do not have any path to profitability, with an accompanying bloodbath of firings.

An audit showed that 47 of the 98 Danish municipalities were running AI projects. Two of these had provided value.

Do you have realistic business cases behind your projects? Or is the business case a collection of rosy assumptions retrofitted onto a project someone just wanted to do? It is better to find and kill vanity projects than to be called to the CEO’s office to explain why you are frittering away the company’s money. Contact me if you want an independent outside opinion on your project portfolio.

Who Thinks About Risk?

A “Silicon Valley Bank Risk Management Department” T-shirt is the latest in ironic workwear. Not that SVB seems to have much risk management – their Chief Risk Officer stepped down in April last year, and the position was vacant for eight months.

Does anybody have the Risk Manager position in your IT organization? Every project creates a risk matrix and mitigates the worst risks, but once the project is complete, risk management evaporates in many organizations. The CISO does some risk management, but many IT risks are outside her remit. And risk management falls squarely in the “important, not urgent” category that always gets pushed to the back of the task list…

Criminally Bad Project Management

Sometimes, failed IT projects cost real money. Like it just did for British bank TSB, who was fined about $60 million for their shambolic IT migration. The disaster locked people out of their accounts for weeks, and the total cost to the bank is now approaching $500 million with payments to customers, project post-mortems and IT cleanup.

“The firm failed to plan for the IT migration properly, the governance of the project was insufficiently robust and the firm failed to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems,” the report from the banking authority concluded.

Those words don’t apply to any of your IT projects, do they?

Once you Grow up, you Need to Stop Moving Fast and Breaking Things

Moving fast and breaking things can be fine for a startup. They might need to iterate several times and maybe even pivot once or twice before they achieve product/market fit. It is not OK for an established business. Facebook has long since given up on this strategy, but Twitter, under Elon Musk, has rediscovered it. By thrashing around and changing direction daily, they are alienating both the users and the advertisers who were supposed to pay. If you want to move fast, roll out changes to a small percentage of your users. A mature continuous delivery organization practices blue/green deployment, but even if you are not doing CI/CD, you can still test changes with a small subset of your users. Don’t uncritically inflict the latest great idea on your entire user population.

Beware of Asymmetric Risk/Reward Profiles

Would you continue to sell a lock based on technology that has been known for 14 years to be trivially easy to hack? Of course not! But Scantron in Denmark has merrily been foisting insecure locks on unsuspecting Danish apartment administrators. Even after a worried renter told them about the problem in several emails and even physical letters (!), they ignored the problem. It took a media shitstorm to make them realize the error of their ways.

Digital locks have an asymmetric risk/reward profile. The reward is small – you save a little by not having to administer physical keys and re-key locks. The risk is huge – someone might copy a key, turn it into a master key, and rob hundreds of apartments.

When you are evaluating digitalization projects, be very careful about those with such an asymmetric profile. Almost every organization has digitalization projects with a better risk/reward balance than digital locks…

Be Prepared for Every Eventuality

My latest favorite German word: Bargeldnotversorgung. It means “emergency supplying of cash.” The careful Germans are preparing for the worst-case scenario of widespread blackouts. Part of their plan is to make sure that everybody has an adequate supply of little colored pieces of paper, also known as “cash.”

Meanwhile, in Denmark, authorities and shops are merrily careening towards a cashless society that will collapse as soon as the power goes out.

There are many things that can go wrong, and a well-run organization is prepared for all of them. In cases of risk management, be like Germany, not like Denmark.

IT Leadership has to Harness the Power of AI

AI has finally gotten really useful inside the IT organization. Most of the examples on the internet are frivolous and amusing, like how to remove a peanut butter sandwich from a VCR, written in the style of the King James Bible. But ChatGPT is helpful for mundane tasks in IT as well.

I’ve been fixing open issues in a small open-source project recently. One of the issues was that part of the code would concatenate strings to build SQL statements. That’s a classic SQL Injection vulnerability. ChatGPT can fix these bugs faster than I can. So I tell the AI, “please rewrite the following to use bind variables,” and give it the code.

Another example is working with legacy shell scripts. My sed/awk skills are rusty, but I can give a convoluted shell statement to ChatGPT, and it will patiently explain all the options and exactly how it works.

Many of your programmers are already playing with ChatGPT, GitHub Copilot, and other AI tools. You might as well embrace it. Set up a knowledge-sharing community for those curious about how AI can help IT. Have them present to you and the rest of the IT department. You’ll be amazed if you haven’t played with ChatGPT and its ilk.