I just read Ivan Ristić’s slides for his talk on “How to Render SSL Useless”, found via Luke O’Conner’s blog. Thanks, Luke!
(spoiler: Here’s the shorter answer: if you use SSL/TLS, you’re probably not using it for the right reasons and you’re probably not getting the level of security you think you’re getting, because you’re probably doing it wrong.)
Ivan’s points boil down to this: SSL/TLS, by itself, is secure. It’s all these implementation details that render it insecure in practice. Ivan then offers eleven areas where SSL is “broken” in practice.
Here’s my issue with the slides: some of them don’t detail problems with SSL at all, and the other half are built into the design of SSL itself.
Let’s go through the slides by point.
Ivan’s first contention is that self-signed certificates are bad. Ivan argues that they’re insecure, they teach users to ignore warnings, and that it’s cheaper to get a “real” certificate than to use a self-signed one anyway.
Well, a self-signed certificate is certainly differently secure than one signed by a root CA, but whether it is less secure or insecure is a completely different question (trusted authorities and exploitation scenarios deserve their own post, so I’ll leave it at this for now — edited to add — thank you, Ed Felten, now I don’t need to write this up). The second contention is just silly: users don’t need to be trained to ignore warnings, they do it already. The last is at best incomplete. It requires a certain level of skill to deploy a service that relies upon a self-signed certificate, so arguing that “you have to maintain it” should be counted as part of the cost is mostly pointless. You have to maintain any certificate, whether you sign it yourself or pay Verisign to sign it for you. If I have to pay Bob the Apache Wizard to maintain my site and Bob knows how to generate a self-signed cert, it’s going to be cheaper for me to have Bob sign the cert than to pay Verisign to do it, because Bob is going to get his salary (or his packaged SLA payment) either way.
Ivan’s second contention is that private certificate authorities are bad. The logic follows mostly along the lines of the previous point… it’s better for you to pay someone else to do this for you than it is for you to do it yourself. Now, he has something of a point here. Building a CA isn’t the same as self-signing a certificate, it takes a higher degree of knowledge to build the thing properly. I would imagine that there are a number of CAs out there that are unnecessary and they could be easily covered under one of the existing root CAs. However, there are any number of completely legitimate reasons for running your own CA, and in any event I don’t think one-off CAs represent a big threat to the overall infosec domain.
Oh, and against both previous points: for-profit root CAs have issued insecure certs before; why should we trust them?
Points 3, 4, 8, 9, and 10 are all basically the same point: if your site needs to be encrypted some of the time in transmission, it really needs to be encrypted all of the time, period. This is a good point (really should be a single point with examples, though), and I’m more or less with Ivan on this one, although I understand why it isn’t always the case.
Point 7 is that SSL sometimes isn’t used at all when it should be. Not sure why this belongs on the list, that’s not a problem with SSL implementation, per se. And I personally haven’t seen an unencrypted site that handles sensitive data in a long while, so I don’t know how germane it is anymore.
Point 11, and to a lesser extent 5, aren’t so much problems with SSL as they are problems with the couplings between SSL & DNS, pushed through the lens of user expectations. DNS has had its own problems.
Finally, point #6 (using an EV certificate, as opposed to a normal SSL certificate) illustrates the problem I have with computer security engineering professionals.
Now, I haven’t seen the talk and I haven’t read any of Ivan’s blogging (I should, and I’m adding it to my blogroll now), so I can’t say that this is fair, but just reading the slides, here’s how I interpret the underlying context of this talk:
“SSL is totally secure, if you are using it in the totally most secure way and no other way, because we designed it to be totally secure if you use it in the totally most secure way. Oh, but we also made it so that you could use it in all of these other ways, but DON’T DO THAT because you ruin our perfect design by using it in the non-perfect way!”
There’s a reason why I switched my research focus from infosec to disaster/crisis management, and this is it. Information systems security designers have a tendency to draw a box in their head, and design a system that is secure inside that box. If you use the tools they provide within the boundaries of that box, you’re golden, and if you don’t, you’re probably screwed. But that’s not on them because they can only design out to the edges of the box.
The problems with this approach are that most systems don’t fit inside that box, the box itself often sits on top of a completely insecure table, and often the box itself has lots of little holes in it that are punched into it for various reasons.
Ignore those reasons! Don’t use that functionality! It’s bad! But it’s necessary, that’s why we put it in there! But you’re probably not doing it right, and it’s not necessary for you, so just pay someone else to do it!
If setting up your own CA is bad, then why is it good to have multiple root CAs? Shouldn’t there be just one? (no)
If EV certificates are the best, why do CAs offer regular certs? (because)
If using incomplete certs is a problem, then why is it possible to generate an incomplete cert in the first place? (because not all certs are certifying the same thing)
Heck, if self-signed certs are bad, then why do you have the ability to generate them in the first place? (because in most practical cases, you’re looking for session security, not authoritative identification).
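The trust decisions behind Ivan’s first two points, as an added example in Go (not code from the slides or from this post): the same self-signed certificate fails against the system CA bundle but verifies when it is itself the trust anchor, a second self-signed cert for the same name does not match the pinned one, and a leaf issued by a private CA verifies only against that CA and only for its own name. Every key, certificate and hostname below is constructed at run time; shop.example and intranet.example are placeholder names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on the errors that cannot happen with well-formed templates.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newKey makes a fresh P-256 key; all material here is constructed in memory, nothing is read from disk.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// sign encodes tmpl, signs it with parentKey under parent, and parses it; parent == tmpl means self-signed.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// serverTemplate is the shape of an end-entity certificate naming host.
func serverTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// SelfSigned is the cert Bob the Apache Wizard would generate: its only signer is its own key.
func SelfSigned(host string) *x509.Certificate {
	key := newKey()
	tmpl := serverTemplate(host)
	return sign(tmpl, tmpl, &key.PublicKey, key)
}

// PrivateCA builds a self-signed CA certificate (point 2) and returns it with its signing key.
func PrivateCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// IssueFromCA has the private CA sign a server certificate for host.
func IssueFromCA(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	key := newKey()
	return sign(serverTemplate(host), ca, &key.PublicKey, caKey)
}

// PoolOf turns explicit trust anchors into a pool; an empty pool trusts nothing.
func PoolOf(anchors ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, a := range anchors {
		pool.AddCert(a)
	}
	return pool
}

// VerifyWith asks what a TLS client asks: does cert chain to roots and name host? nil roots = system CA bundle.
func VerifyWith(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	self := SelfSigned("shop.example")
	fmt.Println("self-signed, system roots:   ", VerifyWith(self, nil, "shop.example"))
	fmt.Println("self-signed, pinned to self: ", VerifyWith(self, PoolOf(self), "shop.example"))
	fmt.Println("impostor self-signed, pinned:", VerifyWith(SelfSigned("shop.example"), PoolOf(self), "shop.example"))
	ca, caKey := PrivateCA("Example Internal CA")
	leaf := IssueFromCA(ca, caKey, "intranet.example")
	fmt.Println("private-CA leaf, CA trusted: ", VerifyWith(leaf, PoolOf(ca), "intranet.example"))
	fmt.Println("private-CA leaf, wrong host: ", VerifyWith(leaf, PoolOf(ca), "other.example"))
}
```

A nil error on the pinned line is the "session security" the post talks about: the client trusts that one key, not a third party’s statement about who holds it.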
This post was supposed to be a follow-up to “How To Hire a Sysadmin”, but I’ve been a little busy studying for a midterm and delving into the capabilities of Alfresco, so I haven’t had a chance to write that post up yet.
In the meantime, this came across my radar from the ISWORLD mailing list and I needed to plunk it somewhere where I wouldn’t forget about it (del.icio.us all too often turning into a pit): Open Knowledge Creation: Improving the Peer Review and Adoption Process. FTA:
The practice of peer review and acceptance has been in place for many years, predating the Internet, and has recognized shortcomings. The Internet has proven to be a disruptive technology and a means for innovation in many areas of science and society. In this paper we offer an organizing framework aimed at redesigning the peer review and adoption process, referred to as open knowledge creation. The framework proposed utilizes the Internet, Google’s Knol and Groups technology. The open knowledge creation framework consists of four stages: creation, review/revision, evaluation/adoption and publication and is intended to offer journals an alternative for the communication of research that more fully exploits the Internet.
Deserves a thorough read-through and analysis. Drive-by science bloggers from other fields: what’s your take?
Germane to my last post, check this out (from Wired, via Bruce’s blog):
Researchers at the University of Utah have found a way to see through walls to detect movement inside a building.
The surveillance technique is called variance-based radio tomographic imaging and works by visualizing variations in radio waves as they travel to nodes in a wireless network. A person moving inside a building will cause the waves to vary in that location, the researchers found, allowing an observer to map their position.
Add a nice little HUD and you could have your own personal radar, tracking all movement inside your evil genius lair.
I’ve started a new blog over here. This one will still be running, of course.
Lisa Kleinman, a doctoral student in IS at University of Texas-Austin, recently asked the AISWORLD Information Systems World Network mailing list for advice on getting research projects running in real-world organizations.
Lisa compiled all of the responses and created an information page. If you do IS research, or any sort of real world research where you want to get your nose into an existing corporation or organization, there’s some good advice here.
With permission, I’m replicating the page here, in case Lisa’s personal web page disappears from the Internet some day:
|Obtaining (Academic) Research Access from Organizations
|This web page is intended to help doctoral students with the process of obtaining access to conduct data collection with a real world organization. I am a doctoral student who is currently trying to access four Fortune 500 companies to conduct a survey with their employees and make observations while job shadowing.
The information summarized here is mainly drawn from the wisdom of readers on the ISWorld mailing list who were generous enough to share their insight into this process with me. If you would like to be given credit for your response, please let me know and I will add a citation. Also, feel free to contact me if you have additional resources or advice to add to this page.
|1. Published Resources on Research Access
|Rymer, J. & Rogers, P. (1993). How researchers gain access to organizations. Business Communication Quarterly, 56, 42-48.
- This paper has four vignettes where researchers describe in detail their experience with gaining research access. In one case the individual already works for the organization but wants to collect data for his dissertation simultaneously, in another case a doctoral student finds his own research site by cold-calling, the third case discusses access using family connections and the fourth describes how she focused on discussing her research with new people whenever possible in order to generate leads.
Brewerton, P. & Millward, L. (2001). Organizational Research Methods (Chapter 4: Obtaining and Using Access to an Organization), 44-51.
- This chapter briefly summarizes the process of research access by talking about finding leads, putting together a proposal, getting a buy-in and managing the overall process.
Witman, P. (2005). The art and science of non-disclosure agreements. Communications of the Association for Information Systems, 16, 260-269. Available online here.
- Helps researchers negotiate the process of NDAs when trying to conduct research in organizations.
Interview with Prof Kevin C Desouza on AOM-OCIS Student Site
- Professor Desouza discusses how he achieves buy-in from organizations to carry out research.
|2. Finding Leads
- Ask your adviser and/or committee members for introductions to people they know in industry
- Attend conferences where executives and managers are likely to be in attendance and introduce yourself
- Utilize the connections of alumni groups from colleges you have attended
- Utilize the connections of graduated Masters students from your college who may be in industry now (or former students you may have taught)
- Check your Facebook, LinkedIn, etc. connections for any leads
- Contact local community service groups/clubs (e.g. Rotary, Toastmasters) and offer to give a presentation
- Connect with a professional organization/institution who may be able to grant you access to their member list
- Try and get to the highest person possible in the organizational hierarchy (but not so high up that they don’t have time to consider your project and/or are concerned about the reputation of the company)
|3. The One Page Proposal
- Emphasize the direct benefits to the company in terms that they will value and understand
- Explain that they are getting a consultant’s evaluation in exchange for their time
- Eliminate any scientific lingo in the proposal
- Emphasize confidentiality of the organization/employee participants
- Discuss the “lessons learned” that your research will provide
- Explain how risks will be mitigated (time involved, potential political problems)
- Don’t bring up any questions that will put the company in an awkward or defensive position
- Be sure what you can offer (e.g. a written report) will be given to them soon after data collection, not when the dissertation is complete
|4. General Advice
- Rejection by one person from the company does not necessarily mean someone else in the company can’t be of more help
- Don’t send an attachment in your initial e-mail to a lead, people are unlikely to want to open an attachment from a stranger
- Use every opportunity to demonstrate that you are an excellent person to work with
|5. The Verbatim Responses (Uncredited)
|Pardon my bluntness, Lisa, but in my experience no manager is going to read an 8 page proposal from a doctoral student whom they barely know, if at all. I suggest you write a one page proposal and include in the proposal the direct benefits to the company in terms of something that they will value. When I send my MBA students out to do case studies, I tell them to sell themselves to the company as if the company was getting a consultant’s evaluation for the price of their time. That same strategy got me entry and a grant with NASA, also. Create some ROI to the company and they will respond; well at least you will increase your chances.
In general it is just a tough proposition and takes time and likely multiple rejections. Given the school that you attend, it might be possible to get some introductions from Professors who already have consulting or prior research relationships.
But generically, these folks are all busy and have too much to do and too little time to do it. So your approach needs to be fairly concise. If you are working with executive levels of management, you probably need to outline your proposal in one page rather than eight.
Additionally, I always try to ensure that there is a value proposition for the company. That is, they can expect to receive some appreciable benefit for the investment in time that they do make.
But even with those suggestions, I have found it difficult although not impossible to gain access.
|First thing that strikes me is your eight-page description of research. I’d bet the managers didn’t even read it, since they are chronically short in time and attention. Can you put your description in one page?
This improvement would also help you to compress your research intent into a digestible and communicable format.
Cut out all the details and focus on the essentials (e.g., drop the literature, methodology, hypotheses/expectations…). Speak in more general terms, eliminating scientific lingo. Be clear on how your research would benefit a client organization; thus, focus on practical contributions and drop the research implications and considerations in general.
In a word, frame yourself as a consultant rather than researcher (you still are a student-researcher, formally speaking, but you act at a more mature and self-confident level that managers can more easily relate to). Your pitch: you will be providing a free piece of potentially valuable advice.
Make sure you don’t save words in guaranteeing confidentiality of info you’ll collect (disguising persons, organization’s name; promising to sign a non-disclosure agreement; citing that you are bound by the ethical norms of academic research).
|My guess is that the 8-page proposal probably scared them, or maybe had them running for legal advice. Naturally, we don’t want to deceive our participants, but it may not be necessary to disclose a lot of information that may not be relevant (I can’t say for sure not having seen your proposal).
I was able to gain access to two different types of organizations, two electric power companies, and a submarine research and development lab. I have to confess. I had major connections with the submarine research lab and wouldn’t have gotten within a hundred miles of the place without them.
With the power companies, it only took a casual acquaintance to get me in the door and high up in the chain of command. My situation was a bit different than yours. I was looking to conduct interviews, so I only needed about 10 people from each environment.
In any case, I think the best way in is to have/develop a relationship with someone on the inside. Schmoozing the right people can be the biggest help. I hope this helps. Best of luck with the research.
|1) Go to a conference or meeting where likely prospects might be, and introduce yourself. Industry conferences, discipline-specific conferences, SIM chapters, Executive Women International, UT Alumni groups, academic departmental advisor boards, etc. Be able to explain who you are and what you are trying to do in about 30 seconds. Ask them first if you can set up 15 minutes with them to explain your project, and get on their calendar. If they won’t, ask them if there’s someone else at their organization who can help. Take along your advisor or a committee member if s/he is available. Don’t give them the 8 pages unless they ask for it. But DO explain what insights they can get from your work.
2) Send your email to someone you know at a prospective company to forward along. (UT Alumni groups might be able to help here as well. Also, ask your committee members who they know. And what about their former undergrad and master’s students, where are they working now? What about your former students? What about your Facebook lists?) Internal emails will receive more attention than external emails. Include a one-paragraph summary in the email. Make sure the attachment is small in size, or just don’t include it in the initial email. Few people will be interested in opening a document from someone that they don’t know.
Also, keep in mind that a Fortune 500 company will have many different people who could potentially help you. So a rejection by a specific individual does not mean a rejection by the company. And not hearing from a given person is more likely to reflect that they never read your email than they read it and rejected your proposal.
Finally, ask for funds if you need it, or make it optional. The higher up the corporate ladder you go, the more the issue is not their money, but how much of their time you will need.
|I have worked with many companies in the past 5 years and my experience is that the shorter the description of the project the better. I personally never write a proposal longer than 1 page or that is longer than what can be shown on one screen. A proposal should explain to the business what is the question you are investigating, what data will you need from them, and what they can learn from it. Your model(s) will probably be very different than the model (data analysis) that you will provide to the company. I wouldn’t try to explain to them exactly what models I’m running. The focus for the company is on the lessons learned. Hope this helps. Let me know if you have further questions.
|8 pages is a problem Lisa – try one page with emphasis on the value proposition to them. You’re a risk with no clear reward. Show them how you will mitigate the risk (e.g., employee time is a cost, you could cause political problems for them, … ) and maximize the reward (i.e., tell them what’s in it for them). There’s other considerations but I’d need to know more about what you’re trying to do to be helpful.
|My experience shows that the following are key to getting the cooperation of senior management, who are the only gate to get access to their organization:
- Use personal contacts to get to the highest hierarchy. It only works top down, no chance for bottom-up. Personal assistants are excellent contacts.
- Send VERY short research descriptions, 1-1.5 pages. They don’t have time to read 8 pages.
- In the executive summary you send focus on the following:
- how they will benefit from cooperation
- why it is not risky for their organization to cooperate
- what they are required to invest in the process.
When (a) is high and (b) and (c) are low, plus the assistance of a trusted or close person, you might succeed. The most difficult thing, however, is to get the attention of a (very) senior manager.
|See OCIS PhD students website http://ocis.wordpress.com/, there is a very interesting interview with Dr Kevin Desouza http://ocis.wordpress.com/2008/08/25/interview-with-prof-kevin-c-desouza/ – he has some great advice to share about gaining access to those companies. And — do join the discussion if you find it interesting…
|Hi: This is one of the greatest challenges we have as researchers. Here are some suggestions/questions for you to consider:
- Why does this have to be Fortune 500? Sometimes local orgs with ties to your institution are more amenable and just as suitable. Why do you need four sites? Can you change your research approach to perhaps mine one or two in deeper ways?
- What’s in it for them? Managers of firms need to justify why they would have staff spend time on YOUR project. What possible benefit – in immediate terms – will accrue to them? In other words, what relevance (in real not fake academic terms) does your proposed research have for them?
- How much time do you think they have? An 8 page proposal scares them off! Managers are NOT readers the way academics are. An initial one pager covering key issues from their perspective should suffice to gauge interest.
I sincerely hope this is helpful. Good luck with your research.
|The most important thing to remember is that managers don’t have the time or desire to read 8 page research proposals. At the most they will read a 1 page summary and it should be written in business language (avoid all academic jargon). Personal connections are quite important to gaining access to organizations. Some other ideas that might be helpful to consider:
Ask your PhD supervisor/committee members to help you gain access – they are likely to have better contacts than you.
- Offer something back to the company. Be sure that what you offer doesn’t impact the independence of your research. You might offer to write up a short report at the end of the field work that would provide them with insights about all the companies where you conducted field
- Be willing to open up your research design and reconsider the factors that are limiting you. For example must you study F500 companies? Do you have contacts in other companies/sectors that would make just as interesting a study? Of course you want to make your decision about fieldwork on more than just convenience and willingness of the company to participate, but we can often find the rationale for our choices once we have a viable company to work with.
- Use the prestige of the School to gain access and talk about the value to the company of partnering with the university (they can put this sort of information on their PR material). Some folks buy into the idea of helping to shape knowledge but others want to know how your study will
- Find the right level of contact person – someone too high up will likely ignore it and worry about how the findings might affect the company’s reputation whereas someone too low (line level manager) will not have the authority to authorize the study and will be very busy…so your proposal will stay at the bottom of the pile.
Hope these ideas are helpful. Best of luck.
- Make your connection with someone relatively senior in the organization. You want to be in touch with someone who can approve your project and commit the resources to it. If your contact is too low, then s/he can only say “no”, never “yes.”
- Use your alumni relations office to identify graduates of your school. They may be more receptive to your proposals due to institutional affinity.
- When you make contact, do an excellent job. E.g., prepare thoroughly for meetings, follow up promptly, prepare excellent deliverables (be they memos, proposals, etc.) In other words, use every means you can to illustrate that you are going to be a good person for the organization to work with.
|I’m a PhD candidate in a very similar situation. What is working for me is to offer organizations I want to work with something that’s of interest to them in the short term (i.e., not the results of the thesis in x years). It can take the form of a report or recommendations from what I have learned in their organization. I’m presenting this as a way for the organizations to better understand their own practices and thus to be able to improve them. This approach is also useful as a form of validation of the initial data analysis.
|One thing that struck me in your message was the 8-page proposal. The companies that I’ve worked with have wanted significantly shorter requests – 3 pages at most (with lots of white space) but oftentimes, only 1 page. Once I’ve received the OK, the person designated as my contact has sometimes wanted more detail, but usually, nothing more than the original proposal. I suggest creating a 1-page executive summary of the proposed project that outlines what you want to do, what type of involvement is required by the company, and how the company will benefit. For example, you might organize the page into the following sections:
Introduction – 1 paragraph that describes the problem you want to address and the goal/objectives of the research.
Organizational benefits of participation – 1 paragraph about how the company will benefit. A sentence or two followed by 3-4 bullet points followed by a concluding sentence or two is all that’s needed.
Study participation requirements – here, you have 2 subsections, job shadowing and employee survey. Include shadowing requirements (How many people, how long will you follow people? Will you observe or ask questions?) and for the survey, how many people, how long to complete (I suggest aiming for 20 minutes since that usually doesn’t scare people off). You may find it helpful to include a third element – a timeline (e.g., 1 quarter for the shadowing, 1 quarter for the survey, 1 quarter for data analysis and feedback, and 1 quarter, assess benefits of ongoing research).
Conclusion – statement about absolute confidentiality for individuals and organization, along with contact info. I suggest including your advisor’s info along with yours.
Gaining access can be challenging, but field research is the most rewarding for me. Best of luck.
|One of the things that I learned from doing my own dissertation research was that these managers need more than just a liking (or real interest in) your research topic. I did interviews across all employment levels of a multi-national company to study the implementation of an ERP system. What (I am pretty sure) gained me access was to point out to the General Manager (who became my ‘sponsor’ of sorts) the value to him of what I was doing. In the end, we agreed that I could do my research freely but I was to provide the GM with a short paper/report answering some of his concerns: what did the employees feel was done ‘right’, what was done ‘badly’, what should be done again/not done again in a similar initiative. Try ‘selling’ your project on its merits to the company: it may just give you that edge.
|First, did you include an executive summary in your proposal? I know, from my own research experiences, that executives are too busy to read an 8-page proposal. Secondly, be persistent, but considerate. We must remember that accommodating academic researchers is not a high priority in their exceedingly busy lives. And third, do you have any contacts who might intercede on your behalf? Are there senior researchers (an advisor?) who could pave the way, so to speak? Could you make use of the school’s (or university’s) advisory council/board? Those individuals are already involved with academia, and it is more likely that they would have a personal interest in seeing you succeed.
Other creative avenues would be building rapport through local organizations: Toastmaster’s, Rotary Clubs, Country Clubs, etc. For example, you could volunteer to give a program for a Rotary meeting. Then at the end of your presentation, make a verbal request for participation. Have business cards and a 1-page outline ready to distribute. You are very fortunate — there are 14 Rotary Clubs in the Austin area. You can make contact with the clubs, explain what you need, and see if they’d be interested. This link shows meeting locations, date/times, and contact numbers for your area.
My biggest problem was the high turnover of executives in the companies in which I had already gained access. Essentially, I had to start from scratch twice, re-building relationships with those organizations after my dissertation.
In a nutshell, be concise in your explanation of the project, be specific in requesting what you need from them, and communicate what they can hope to gain from helping you. It doesn’t hurt to offer to make presentations on your results, perhaps finding a solution to an issue relevant to the executive.
Hope that helps a little. Gaining access to corporations is often difficult. Best of luck,
I saw your message on IS World and sympathize with the difficulties you’re having. I’ve been doing this for 20 years and have visited hundreds of companies, but it’s always a challenge. It mostly takes a lot of persistence and using any network that you can access. One good place to meet managers is at conferences where they are attending or giving talks. You can just walk up and introduce yourself, instead of going through all the e-mailing and phone calls just to meet them (you still have to do that to set up an appointment).
One suggestion. You said that “Using my personal network and some creative emailing, I’ve managed to get some initial nods of interest from two managers at different companies. However, I am having trouble “closing the deal.” After I’ve sent them both 8-page proposals outlining my research plans and questions, I’m not receiving any replies back.” I would send people a one page outline of your research, with another page at most of questions. A long proposal or very extensive questionnaire can scare people off. Also, leave out any questions that are likely to put them on the defensive. Save those for the end of the interview after you’ve gotten the rest of the information you need. Finally, let them know you won’t use their name or company name without their permission, and that you’ll show them what you write before publishing it in case there’s any sensitive or proprietary information they don’t want published.
The good news is that this can be the most fun part of research, talking to real people and learning from their experience. Good luck.
|I don’t know if this is any help in your situation but the best thing I found was to work initially with a professional organisation (in my case the Insolvency Practitioners Institute ) and sell them on my ideas, then I was able to contact their members with their permission and support. The other important thing is to make sure the organisations you contact can see a benefit for them. In my case I targeted early career practitioners and was doing research into DSS design for a particular task, so I was able to frame it and sell it as free training. I ran my data collection sessions strictly in accordance with my research needs, then did a subsequent de-brief and interactive discussion which was all about the learning for the participants, and nothing to do with the research. I probably would suggest you cut back the proposal material also – a short zippy single page overview with an offer of more detail later if required is more likely to be read than a longer detailed story.
|I’ve just been through that process (finished my dissertation one year ago), and routinely work through that issue with various clients, and various research methods (quant, case study, etc.). Several thoughts:
– In my most successful instance (my dissertation research) I was working through people I’d known in industry for some time. Even though all I was seeking was access to documents (which I would return, and which would be anonymized before publication of research) and access to people (for interviews, with no human subjects risk), there was still considerable friction, esp. due to the large company (a large bank).
– To overcome that friction, it was critical to give them a “what’s in it for them”. Even though these were people I’d known for a while, if there’s any up-chain reviews, they need to be able to explain it. So while an 8-pager is good, a 1-pager may actually serve you better, as execs won’t read 8 pages.
– What do you need from them?
– What are the risks?
– What are you doing to protect them? (confidentiality, encryption, anonymization in writing, …)
– What benefit do they get? (These could be meaningful to them as a company, as well as the altruistic “benefit to the educational system, to others, …”)
– One resource you might look at is The Art and Science of Non-Disclosure Agreements. It was intended to look at the legal aspects of these relationships, but there’s a lot of good material there about relationships as well.
I’ve been working in the IT industry in one way or another since I graduated college in 1993. That’s 15 years now… wow, seems like it hasn’t been that long.
I’ve been involved with many different IT projects in many different organizations, and I’ve seen or heard or been exposed to a thousand more. I’ve seen successes and I’ve seen failures. Overall, more failures than successes. This shouldn’t be a surprise to anybody, the industry storybook is rife with tales of colossal failures… maybe 5 failures for every success.
Here’s why IT projects fail. I’m going to tell you all, so that you’ll know (if you’re a sysadmin or a programmer or whatever) how to avoid them, or you’ll know (as a non-IT person), how to recognize when your IT department is starting something that is very very likely to cost a bucket of money and return very little, except to give you fodder to rake them over the coals when you’re at the water cooler with someone else from Accounting.
There is no such thing as a technological solution. There is no problem that you can solve with technology. Stop thinking that you can, because when your thinking starts at that point, you’ve already started building a foundation without checking to see whether or not the ground can support any weight.
When you’re an IT worker, people bring you problems all the time. Sometimes, they’re not really “problems” at all: there’s a bug in some software, or something is mis-configured, or some other thing that may take you minutes or hours to fix. This is really the equivalent of putting a band-aid on a wound. The real goal is to prevent infection until the wound heals. Eventually, the software will be replaced with a new version, or the main router will come back online, or whatever… and the work that you’re doing now will be essentially wasted time. Important time, granted… customer-service enabling time: you’re saving them time at the expense of your own.
With these sorts of problems, you’re a mechanic. You’re a plumber. You’re finding out what doesn’t work in a technological system and patching it or working around it. This is the grunt work, the scut work, the stuff that keeps us employed on a daily basis. You’re not providing a solution to a problem. You’re hacking. This isn’t a bad thing, it needs to be done. But this is firefighting. Optimally, you want to do as little of this as possible, because you’re at heart very lazy, and you know your customers want everything to “just work”.
Real problems start deeper. “I need a way to let people see my time schedule” is a problem which requires a solution. “My administrative assistant can’t sync my Treo to the corporate Exchange server” isn’t a problem that requires a solution: it’s a bug that needs a hack. When people bring you bugs, hack. When people bring you problems, you need to build a solution.
This always, always, always needs to start with information gathering. Period. Always. If you’ve worked in four organizations before, and you’ve run Exchange, and someone comes to you with “I need a way to let people see my time schedule”, odds are very very good you’re going to blurt out, “Well, I could set up an Exchange server…”
Don’t. Cease. Back up. You’re doing it wrong. Period.
You’ve made the first mistake, you started building a house… and you don’t even know that what the customer wants is a house.
Sometimes, someone comes to you with, “I want you to set up an Exchange server…” and you’re going to blurt out, “Okay, I’ve done that before, it’s pretty easy…”
Don’t. Cease. Back up. You’re doing it wrong. Period.
You’ve made the second mistake, you started building a Victorian because someone told you they think they need a house. The customer doesn’t know what they need. They know what they *want*. It’s your job to figure out if what they *want* is actually what they *need*. Moreover, it’s your job to know if what they need is possible. Sometimes, it’s not.
If you tell them that it *is* possible because your boss is scary and shouts and says, “Don’t tell me what’s impossible,” when you argue with him, I’m begging you… get into another line of work. Eventually you’re going to get fired, or you’re going to get fed up and quit, and the next poor bastard who comes in is going to spend months of aggravation trying to fix the piece of junk you built because you didn’t have the gumption to tell someone that they ought not to build a skyscraper on top of a bog.
The only thing you can do with technology is operationalize a solution. Information Technology work is *enabling* work. We take solutions and we build stuff to make them happen… but the solution has to already be known to some degree. You have to design a process before you start building an object. If you don’t, you’re going to build a really pretty object that nobody uses. You need to know what it is, not necessarily in minute detail… but you’d damn well better have a good idea that it’s supposed to be a house, if it’s supposed to be a house. Whether or not it’s a Victorian or a ranch or a McMansion is important, but it’s not as important as starting off in a residential zoning area.
You need to keep your eye, always, on the solution… and NOT on the technology. If the technology doesn’t fit the solution perfectly… well, that’s not always bad, and that’s not entirely unexpected. You can’t redefine success by changing the game to “I successfully deployed this technology” because deploying the technology isn’t what the customer wants, they want the problem solved. Define what subset of the problem the technology is fixing, and make sure your customer is satisfied with that subset before you build the thing.
And if they want you to build a Victorian and you’re in a commercial zone, suck it up and tell them “No.”