The Effective IT Summit is an annual event, bringing together 300 leaders from business IT. On 24-25 January 2006, the Vale Hotel Golf and Spa Resort in Cardiff hosted a programme of keynote presentations, roundtable discussions and a dinner with guest speaker Doug Richard, technology entrepreneur and star of BBC2’s ‘Dragon’s Den’.

The conference’s breakout sessions were divided into five tracks:

• Live IT – The opportunities created by a world in which IT is pervasive, at home and in the office.
• Buy IT – The most effective ways of procuring and paying for IT products and services.
• Manage IT – The management models and policies needed to ensure that IT and business strategies are effectively aligned.
• Trust IT – The security and compliance issues that surround today’s
e-business world.
• Invent IT – How best to propagate business innovation through the deployment of new technologies.

Each discussion was under the ‘Chatham House rule’ to ensure speaker anonymity and encourage a free and open debate.

Live IT

The relationship between people and digital technology has changed radically during the past half decade. While they used to see IT as something used at work or to withdraw money from their bank, most individuals now interact almost constantly with digital devices. From mobile phones and MP3 players to broadband-enabled PCs, home Wi-Fi and digital TVs, they find – for the first time – that much of their own equipment and services is actually more sophisticated than the technology they encounter at work.

Not only has that created higher expectations for faster networks, better user interfaces and slicker applications at work, it has also given users the confidence to adopt outside technologies and services into the workplace.

One area where that is particularly evident is with wikis. These websites, where the content is loaded and maintained by users, are proving to be effective collaboration environments – and, in some cases, are taking the place of the content groupware that organisations have traditionally provided for their staff.

The director of information management from one global bank at the Effective IT Summit certainly has no doubts as to their value. He openly wondered “whether we could run our department without the internal wiki”.

Organising online conferences in order to pull together input on a particular issue can be a real headache, he said, given busy schedules and the spread of employees across multiple time-zones. If something fails during the meeting, little can be done to retrieve the situation. Wikis, however, can be contributed to any hour of the day, and do not rely on the technology having to perform at a given time. Moreover, with project work shared and visible, the director said, “it doesn’t matter if someone is on holiday because their work can be picked up by someone else.“

Another enthusiast of wikis expanded on what he believes are their benefits. “Because people have the chance to make a contribution they are much more likely to. You tend to get more thoughts and feelings than in a conference.”

As with other Internet-inspired technologies such as instant messaging, the virtue of wikis often lies in their simplicity, he stressed. Traditional methods, such as email exchanges within project groups can exclude potentially valuable contributions. At the same time, trawling through a long list of replies can be confusing and time-consuming.

On the other hand, wikis can involve people who are not necessarily ‘in the loop’ and their content is much easier to review. Indeed, the consensus at the Effective IT breakout sessions was that, in the words of an information security director at a large petrochemical company, “we often make things too clever at our own peril. Products are over-engineered by IT geeks, but 95% of people don’t appreciate that. They don’t want to have to get the manual out; they just want it to work.”

Certainly many employees now have better technology at home than in their office. One technology director from a government agency said that although more powerful home computers could make employees more productive, fears about security – “who might be looking over their shoulder” – meant, in most circumstances, his department did not sanction home working.

For other, more commercial organisations, however, employees were actively encouraged to work at home, even though delegates agreed that that often had an impact on group morale and the sharing of knowledge.

One head of IP strategy at a FTSE100 company explained that at his previous employer, a telecoms company, “you were almost expected to stay home unless you had a good reason to come in. That meant people were loath to leave their homes.” And in his opinion, that made the company less, not more, productive.

Buy IT 

Choosing an appropriate model for the purchase of IT products and services is not getting any easier, delegates at the Effective IT Summit’s ‘Buy IT’ breakout sessions made abundantly clear. The promises of software-as-a-service, utility computing, pay-as-you-go, open source and various other models have only extended the options.

And making the right choice is not helped by the often unclear demands of business units. “The business barely knows what it wants,” explained the business systems manager of a major UK broadcaster. But ambiguity on the part of the business is never any excuse for projects that fail, he added. “It’s up to IT to manage the risk involved when acquiring new technology.”

Interdepartmental disagreements were identified by one attendee as a recurring hindrance to evaluating the appropriateness of various products. “We often have to bring in external consultants just to overcome internal politics,” he explained, “which is a waste of money.”

This was echoed by several IT managers in the sessions, who reported that the priorities of the procurement department, which often presides over IT purchasing, were at odds with the IT department itself. “If you hand it over to procurement, you can rest assured that all they will think about is saving money on the deal,” said one.

The relationship between vendors and their customers was also identified by one attendee as a stumbling block in the procurement process. “There has to be more trust between the vendors and the buyers, so that they can actually help the business to achieve its goals.”

And that has become more critical as organisations have become more dependent on their suppliers. The IT director at a leading investment bank said that while his organisation has historically developed much of its software in-house, that is now becoming less prevalent. “We never outsource competitive edge,” he said, “but a great chunk of the IT system today is just plumbing.”

But if that relationship to the plumbers is going to be successful, many IT staff will need to hone their skills. Specifically, the lack of appropriate soft-skills within the IT department was seen as a cause for concern: “IT people don’t really know how to manage a relationship,” said one IT manager.

The consensus was that negotiating service level agreements, and ensuring they are met, is an art that must be mastered. Many of the session attendees agreed that developing a master service agreement – defined against the business model and negotiated between IT and the business – can help reduce the complexity of dealing with both service providers and technology vendors.

“A master service agreement establishes the rules of engagement, and puts the buying organisation in a much stronger position,” explained one advocate of the technique.

Trust IT 

The cyber-crime spotlight mostly falls on attacks from outside the organisations, but the biggest danger actually comes from the so-called ‘insider threat’. And managing the security risks brought by employees dominated the Effective IT breakout on ‘Trust IT’.

Implementing sound identity management technology is an obvious first step, but not a simple one. While the number of identity tokens and passwords – for physical entry, remote access, Windows login, multiple applications – has contributed to staff confusion and support overheads, single sign-on is not necessarily seen as an ideal solution. “Auditors hate it because it holds everything in one place,” said one security chief. “So we’re looking for a balance between standardisation and control.”

During the off-the-record sessions, delegates shared anecdotes of the cost of failing to strike that balance. Horror stories included a ‘temp’ secretary who revealed all of a manufacturer’s suppliers to each other through an email with a five-page long ‘To’ list. The email also mistakenly inflicted a denial of service (DDoS) attack on some of the company’s smaller providers, some of which took five days to recover.

In a more deliberate use of that DDoS technique, delegates heard of how extortionists who had earlier threatened to bring down gambling web sites had now moved on to attack easier targets: charity sites. “It is hard to find someone with the expertise and hunger of a Russian student,” quipped one online security chief.

But the threat from inside is often just as severe. One attendee described how his own security team attempted to steal company data with the intention of starting up a rival organisation. A combination of careful computer forensics and strong-arming unravelled the group of five conspirators – all of whom had adopted pseudonyms based on the film Reservoir Dogs. “So I put the film’s poster on my door and asked each employee into the office,” he said. “The ones who went white were the next to have their laptops investigated.”

The problem of ‘who guards the guards’ can be partially solved by designing systems that have security engineered into them, offered another delegate. But instilling a security ‘culture’ is the only agreed way to deal with every internal threat. “Signing a corporate security policy doesn’t work – you have to use technology to prevent employees going on gambling and pornography sites,” advised one security head at a global manufacturer.

Bringing together the points raised during these sessions, discussion leaders drew up a new “risk register” of the root causes of data security breaches: greed, arrogance, other loyalties, complexity, mutuality of trust, complacency and politeness. Among the solutions: collaboration, monitoring, observation and, ultimately, experience.

Invent IT 

Technological innovation is often assumed to be a random consequence of inspired thinking by creative individuals. But in fact, innovation breeds only in very specific circumstances.

“Innovation happens in frugality, in encounters and in openness,” says Mårten Mickos, CEO of open source database vendor, MySQL. Few would take issue with that perhaps with the exception of the frugality.

At Information Age’s recent Effective IT Summit, CXOs from around the world debated why it is just as important for IT organisations themselves to be innovators as it is for IT vendors.

“The landscape is so fast-moving nowadays that a competitor can overtake you in a nanosecond,” highlighted the senior technical manager of future products at a major telecoms company. “Especially in an industry like ours, it’s a case of natural selection – survival of the fittest. We simply need to innovate to stay alive.”

Indeed, in industries such as financial services and telecoms, there is a very fine line between IT and innovation. “Our IT department is our innovation department,” he stressed.

But who within the organisation should take ownership for innovation? Conference attendees gave varying responses to this question, including ‘the chief knowledge officer’, ‘the marketing department’, and one delegate even answered ‘finance’. But most agreed that the main place where innovation is fostered is in research and development.

The head of systems architecture at a global pharmaceutical giant, for example, cited how his company reinvests one-fifth of its annual profits on R&D. “Our share price is directly influenced by how the market sees our pipeline of future products. Innovation is both a business process and a necessity for us,” he said. So why should the same approach not be applied to innovation in IT?

But when it comes to innovation, size appears to matter. One delegate from a small UK ecommerce company argued that large companies can afford not to be innovative in their ideas, as long as they are good at managing innovation.

They can treat innovation as a commodity and innovate through acquisition, he said. In contrast, for small to medium-sized enterprises innovation can be much more challenging. “Innovation is maximum risk with potentially no reward,” he said. “We cannot foot the development costs on our own. The best we can hope for is to sell our innovation to a venture capitalist or bigger player in order to see the innovation come to fruition.”

A senior technology officer from a petrochemical multinational suggested that while R&D and technology push innovation, the marketing department also has a critical role to play in the innovation process. “Marketing people can often see what the key enabler is and they can talk to end users in a language they understand,” he said.

Innovation emerges where there is an opportunity for serendipity, said the head of business planning at a major waste management company – often described as “the watercooler effect”.

“Using email, blogs and other social software does not foster innovation. Innovation is the result of synergy and direct communication within the organisation. That communication has to be embedded within the organisational culture,” he said.