Sten Vesterli

Making IT Live up to its Promise

Author : Sten Vesterli

The Intern Did It!

The intern did it! Solarwinds’ new CEO just added another top contender to the pantheon of bad excuses. This one is right up there with “the dog ate my homework” and is destined to become an instant classic.

Testifying before a U.S. Congressional Committee, Solarwinds came out looking like bungling amateurs. First, they had a system that allowed a password like solarwinds123. Second, they had an externally accessible system where that password worked. Third, they didn’t do anything about it when security researchers pointed it out. Fourth, they try to pin the blame on an intern that created that password.

As a CIO, you can either isolate your public-facing systems completely from the internal ones, and allow username/password access. Or you can use two-factor authentication or other additional security. The time when you could secure a non-trivial, externally-facing system with just a username and password are long gone.

User Experience Disasters

, ,

This week’s episode of my podcast Beneficial Intelligence is about User Experience disasters. Danes consistently rank among the happiest people in the world, but I can tell you for sure that it is not the public sector IT we use that makes us happy. We have a very expensive welfare state financed with very high taxes, but all that money does not buy us a good user experience.

Good User Experience (UX) is not expensive, but it does require that you can put yourself in the user’s place and that you talk to users. That is a separate IT specialty, and many teams try to do without it. It doesn’t end well. Systems with bad UX do not deliver the expected business value, and sometimes are not used at all. A system that is functionally OK but that the users can’t or won’t use is known as a user experience disaster.

We have a web application for booking coronavirus testing here in Denmark. First you choose a site, then you chose a data, and then you are told there are no times available at that site on that date. If a UX professional had been involved, the site would simply show the first available time at all the testing centers near you. We now also have a coronavirus vaccination booking site. It is just as bad.

As CIO or CTO, some of the systems you are responsible for offer the users a bad experience. To find these, look at usage statistics. If you are not gathering usage, you need to start doing so. If systems are under-utilized, the cause is most often a UX issue. Sometimes it is easy to fix. Sometimes it is hard to fix. But IT systems that are not used provide zero business value.

Listen here or find “Beneficial Intelligence” wherever you get your podcasts.

Beware of Data Collectors

,

The days of untrammelled data collection “for the common good” might be ending. At least the watchdogs are yapping a little louder, as a new court case in London shows. The British National Health Service apparently has a contract with secretive American data analyst company Palantir, and they are being sued by a private privacy watchdog.

I would probably not choose to name my company after the device with which the dark lord Sauron subverted the wizard Saruman. However, the Lord of the Rings reference is obviously lost on investors, who value Palanatir at around $50 billion even though they have yet to make money.

As a CIO, you need to know where your data goes. If you have third parties analyzing them, you need to have someone make an independent assessment of whether you can expect your data to be safe with them. You need to balance the reward against the reputational risk if you are found cooperating with shady operators.

Do You Know Where the Problems Are?

In Arizona, there are prisoners still behind bars who should have been released. The reason: The software that calculates their release date hasn’t implemented a 2019 law change. With this being just one of the 14,000 bugs (!) reported on the system, these people can potentially stay locked up for a long time yet. Officials claim there is no problem and their manual process flawlessly implements a complicated rule estimated to take 2,000 hours to program.

It is a leadership decision to decide what gets implemented first. And this one should be at the top of the list – right after the bug that means gang affiliation is not properly recorded, and members of warring gangs might end up in the same cell…

A desparate whistleblower finally went to a local radio station with this story after having been ignored internally for a year. As the CIO, do you have a method in place that ensures concerned programmers and users have a way to point out critical issues?

Who is Listening?

Clubhouse is apparently fairly leaky. It bills itself as an exclusive new form of social media and is iPhone-only and invitation-only. However, that doesn’t mean that everybody can’t listen in. A hacker just proved as much by accessing several supposedly private audio streams. Additionally, all of their back end infrastructure is located in China, letting Chinese authorities listen in as well.

There are very few services that are actually secure. We used to assume that our conversations are private, but that assumption rarely holds. A US school board were bad-mouthing parents on a Zoom they thought were private, but the recording was public. They have now all resigned.

If you have confidential information that will be valuable to an adversary, talk about it in a meeting room in the office. And leave your phones outside.

Missing AI Results

It turns out AI was not about to cure cancer. There was no shortage of hyperbole when IBM’s Watson AI beat the best humans at Jeopardy, but IBM has been unable to create a viable business from their AI prowess. Now their AI-powered health department is for sale if anybody wants a slightly used AI with one careful owner.

AI has proven its worth in many places, also in healthcare. But they have been narrow, well-defined areas like examining X-rays or flagging possibly fraudulent insurance claims. Just throwing a bunch of data scientists and an AI at a problem does not work.

If you have AI projects like Watson that has not delivered the results they promised, you can re-scope them try to harvest some value from solving a smaller and more well-defined problem. Or you can shut them down. The age of unquestioned spending on AI is over.

Contingency Plans

,

Last week’s episode of my podcast Beneficial Intelligence was about contingency plans. Texas was not prepared for the cold, and millions lost power. The disaster could have been avoided, had the suggestions from previous outages been implemented. But because rarely gets very cold in Texas, everybody decided to save money by not preparing their gear for winter. At the same time, Texans have decided to go it alone and not connect their grid to any neighbors.

In all systems, including your IT systems, you can handle risks in two ways: You can reduce the probability of the event occurring, or you can reduce the impact when it occurs. For IT systems, we reduce the probability with redundancy, but we run into Texas-style problems when we believe the claims of vendors and fail to prepare for the scenario when our redundant systems do fail. 

Texas did not reduce the probability, and was not prepared for the impact. Don’t be like Texas.

Contingency Plans

,

This week’s episode of my podcast Beneficial Intelligence is about contingency plans. Texas was not prepared for the cold, and millions lost power. Amid furious finger-pointing, it turns out that none of the recommendations from the report after the last power outage have been implemented, and suggestions from the report after the outage in 1989 were not implemented either.

As millions of Texas turned up the heat in their uninsulated homes, demand surged. At the same time, wind turbines froze. Then the natural gas wells and pipelines froze. Then the rivers where the nuclear power plants take cooling water from froze. And finally the generators on the coal-powered plants froze. They could burn coal, but not generate electricity. You can built wind turbines that will run in the cold, and you can winterize other equipment with insulation and special winter-capable lubricants. But that is more expensive, and Texas decided to save that money.

The problem could have been solved if Texas could get energy from its neighbors, but it can’t. The US power grid is divided into three parts: Eastern, Western, and Texas. They decided to go it alone but apparently decided to ignore the risk.

In all systems, including your IT systems, you can handle risks in two ways: You can reduce the probability of the event occurring, or you can reduce the impact when it occurs. For IT systems, we reduce the probability with redundancy. We have multiple power supplies, multiple internet connections, multiple servers, replicated databases, and mirrored disk drives. But we run into Texas-style problems when we believe the claims of vendors that their ingenious solutions have completely eliminated the risk. That leads to complacency where we do not create contingency plans for what to do if the event does happen.

Texas did not reduce the probability, and was not prepared for the impact. Don’t be like Texas.

Listen here or find “Beneficial Intelligence” wherever you get your podcasts.

Use Real Intelligence Instead of the Artificial Kind

, ,

If you can leverage real user intelligence in your systems instead of the artificial kind, you get a better result with less effort. But it takes some intelligent thinking by your developers to get to that point.

The new Microsoft Edge (version 88) that rolls out soon has crowdsourced the difficult decision of which browser notifications to allow. Users are tired of constant “Allow this website to send you notifications?” prompts, but it didn’t work to just make all of them more unobtrusive. Microsoft tried that first with “quiet” notification requests, but that meant many users were missing out on the notifications they did want. Instead, the upcoming version will use the decisions by all Edge users to decide which notification requests to show. If everybody else has refused notifications from a specific website, the Edge infrastructure learns that and defaults to not show notification requests from that site.

Do you have ways to harvest the decisions your users are already making and use that data to improve your systems? Put your data scientists to work on the challenge of using human intelligence instead of continuing to try to train AIs.

Are you Releasing Sub-Standard Systems?

, ,

Out of a sample of 5,000 apps, 80% did not live up to a reasonable standard. Are you releasing sub-standard apps or systems?

A company the reviews healthcare apps for the UK National Health Service found many bad examples, including apps that provided complex medical advice without any expert backup, or apps without security updates for several years. They’ve been though 5,000 apps, but there are 370,000 health-themed apps out there.

As a CIO, look in your systems list for information about applicable regulation. For every system, you should see a list of what regulations (GDPR, CCPA, HIPAA etc.) apply to that system, and the name of the person who has certified that this list is complete. For every regulation, you should also see the name of the person who certify that the system complies. If you don’t have that information in your systems list, you are probably releasing sub-standard systems.