“We know UK businesses are ready to do more than just talk about this issue because it’s on the agenda of every CIO we speak to,” explains James Rigby, MD of SCC. “The consumerisation of IT is already happening in the workplace and it’s happening in every company right now. There are many fundamental questions that organisations have to consider. For example, do they know how many staff-owned smart phones, iPads and laptops are already on their networks and do they know what they’re doing on them? These are big questions and there are compelling reasons as to why it is necessary to know the answers.”

The consumerisation of IT, which is the process that brings personal productivity and social networking elements – both hardware and software – into the workplace environment, is a hot topic. The most recent available Gartner research says it is an issue that needs to be understood so business IT can cope with the demands placed on its networks today and in the future. As consumer technologies increasingly penetrate the workplace, organisations must have a strategy that copes with consumer email and communication services like instant messaging (IM) and voice over IP (VoIP); blogs, social networks and other web 2.0 services; unmanaged mobile devices; network management and remote connectivity.

The generation currently entering the workforce now regard such technologies as part of everyday life and as a result SCC is working with major brands to create an opportunity from this challenge. The company reports that forward thinking companies are exploring ways to meet the issue head on by subsidising employee laptops – wrapping business and productivity benefits together with a desirable staff benefits package.

Meanwhile, the company points out that the major issues driving the IT industry today are part of a bigger consumerisation picture. Whether considering virtualisation, Desktop as a Service, cloud computing, VDI, Windows 7 or collaboration – each represents aspects of the consumerisation of IT and all need to be wrapped into an organisation’s vision for its business strategy.

Over the past year, cloud computing has dominated IT discussions around the country, and rightly so. It offers significant advantages to businesses, especially as resources become more constrained and IT departments struggle to add business value while maintaining all their existing infrastructures. However, care must be taken as not all cloud-based services are created equal. Service delivery models vary greatly from hosted providers that replicate fragmented on-site technologies to sophisticated architectures; and benefits vary greatly too.

So if the devil is in the detail, as always seems to be the case, some practical tips for selecting the right partner may prove useful.

Is the basic design right?

Tight integration of services at the provider level is critical. In the case of email this means security, archiving, continuity and policy management. The ability to provide a unified service eliminates the need for multiple interfaces, reporting and policy management.

They reduce management workload and are ‘aware’ of each other in a way that allows users visibility and access to their email as well as evidential quality to be maintained.

Can they lower IT costs long term?

Partnering with a cloud provider must, at all times, be a low commitment relationship. Able to control licence fees by paying for access to applications on a per-user basis with a transparent pricing model, IT should at all times maintain complete control of user accounts. They should be able to centrally enforce company-wide policies with real-time implementation without having to rely on the service provider’s help desk.

With cloud services IT staff are abstracted from administering patches and general infrastructure maintenance and can have more time to work on strategic parts of the business. In fact, Butterfield Bank, with offices around the globe, has saved £750,000 per year by opting for unified email management – a reduction of 75 percent compared with in-house email management.

Can they offer business continuity?

A cloud provider must be architected to offer constant availability and have rigid service level agreements that back up their assertions. They must be set in stone, well-documented and protect against all possible risks to downtime. Demand references of existing customers to compare your situation and ask questions if none are made immediately available. On-demand email must also be completely transparent and fully interoperable with existing in-house email systems and processes.

For users, the experience with an application, such as Microsoft Outlook, shouldn’t just be seamless but more sophisticated and intuitive than fragmented in-house systems. It should provide more rapid access to archived emails, flawless security, and keep employees working even during outages.

Can they reduce the cost of email compliance?

Business leaders need to be realistic about the regulatory risks of poor email management. Currently, organisations are struggling to manage the mountain of email, let alone comply with evolving regulations. Deutsche Bank, Goldman Sachs and Solomon Smith Barney were each fined $1.65 million for failing to produce emails requested in the course of an investigation. Furthermore, a 2008 survey found that 69 percent of UK companies were unable to produce a comprehensive email audit trail of email records, as required by law.

Partnering with the right cloud provider can substantially reduce the headache of managing and ensuring compliance, by providing an audit trail of all email activity across all user accounts. It must be made available at all times and involve minimal input from company resources.

Finding Mr Right Partner

In summary, there’s no one size fits all cloud model and organisations need to evaluate a vendor for its understanding of the issues faced by staff and management alike. Selecting the right partner can deliver on the promises offered by cloud computing: low cost access to expert guidance and highly-tailored, powerful business applications.

www.mimecast.com

As with all fundamental changes in approach, the move to the cloud will depend on how individuals and organisations adapt their thinking to the new opportunities and ways of working. ITIL provides best practices and models for managing services in the era of the cloud that will help people and organisations to adapt accordingly. It also covers shared services, utility computing, web services and mobile commerce.

Cloud service models – pros and cons

Cloud service providers offer promises of cost savings, better productivity, easier implementations, less administration overhead and more time to focus on projects that add value to the business. However, there are challenges with cloud computing services such as issues around security, data privacy and an inability to change easily in the future. Would you be comfortable putting business critical services in the cloud? Mistakes could result in major incidents and downtime and less reliable services.

There are different cloud service models such as public, private and hybrid models. Public cloud services can offer greater cost savings but may only provide a limited set of service level agreements. There may be difficulties verifying the security and compliance requirements. Private clouds offer greater control but may not deliver the costs savings and ability to scale up or down.

History tells us that there is more likely to be a mixed environment. It is managing such diversity that will be a challenge for many organisations. This may be exacerbated if pay-as-you-go services from the cloud become fashionable in an organisation, there could be a wider range of applications across the user base that become difficult to manage.

Crosshead: What does ITIL offer in the era of the cloud?

An organisation needs to understand the business impact of moving to a cloud service model for a specific service or application. It is also important to understand the key drivers as these are also likely to affect other decisions in running your business and IT.

The ITIL Service Strategy publication provides guidance on generating a service strategy for such a major shift in service delivery. It encourages us to think about:

1. Value creation and delivering business outcomes;

2. Understanding the business impact of using different service models (such as a cloud delivery model);

3. The need to understand internal and external costs and risks;

4. The needs to understand our overall portfolios of services;

5. The importance of understanding service dependencies;

6. Implementing a culture of continual improvement that is supported by an appropriate service management system.

ITIL provides guidance on service portfolio management that helps an organisation to maximise value from its services, while managing risks and costs. This guidance is particularly useful when moving to a different type of sourcing model where there could be significant changes to the value, cost and risk profile. ITIL helps managers to understand and model the quality requirements and related delivery costs of different models.

ITIL defines a ‘service’ as a means of delivering value to customers by facilitating outcomes customers want to achieve without the ownership of specific costs and risks.

Delivering value from cloud services

Value is derived from delivering better service delivery and customer experiences, such as those anticipated by moving to the cloud. ITIL describes the value of a service to a customer in terms of:

Utility or fitness for purpose: Utility delivers improvement through the performance of the tasks used to achieve a business outcome, for example, users can perform their business activities faster through new functionality in an application service. This is often the attraction for business users of a cloud application, especially if they have an immediate need.

Warranty or fitness for use: Warranty requires the service to have sufficient capacity, to be available, continuous and secure to support the required performance.

A service has to have both utility and warranty to create value for the customer. Warranties in general are part of the value proposition that influences customers to buy. If customers experience poor service quality such as down time or security breaches they start to worry. Good and bad experiences influence a customer’s future buying decisions. Like other services, the experiences of cloud-based services will be influenced by news from the industry, within an organisation or personal experience. If the cloud computer service industry delivers ‘bad experiences’ such as security breaches, the trend towards the cloud may falter.

The ITIL service strategy publication emphasises the importance of designing and building both utility and warranty into a service. It provides examples of investment approaches and advice on modelling the Total Cost of Ownership and Total Cost of Utilisation.

Selecting a cloud solution and service provider

Deciding whether to implement a business application in-house, out-source or use a cloud service provider depends on the type, level, and cost of the IT skills within your organisation; the budget for capital versus operational expenses; your IT infrastructure and architecture; the level of customisation and integration that your workflows and processes require into other elements of your IT solutions. Experience will also influence a customer’s decision on whether to outsource, retain an in-house service or bring services back in-house.

ITIL helps us to think about why customers switch from one service provider to another. Understanding the characteristics of service providers helps us to understand why we may consider switching to a cloud service provider. In ITIL, the three building blocks of high performance service providers are:

Market focus and position: the service provider understands the dynamics of their market space, and the customers within, better than their competing alternatives. They manage their services through appropriate strategies that enable them to build and manage valuable service portfolios, achieve optimal scale and grow their customer base. This is happening now with the major IT suppliers trying to ‘grab’ market share of the cloud computing services and there are significant cost savings on offer.

Distinctive capabilities: the service provider offers distinctive, hard-to-replicate capabilities that deliver a promised customer needs and experience. The service provider delivers value to the customer and can communicate the underlying capabilities that enhance customer outcomes. Commercial vendors are emphasising their ability to deliver better services more cheaply while emphasising their specialist capabilities to manage security, environmental management of large data centres.

Performance anatomy: this is the creation of cultural and organisational characteristics that enables the organisation to compete with alternatives. For example, how does an external cloud service provider compete with an internal service provider and vice versa.

Moving to cloud-based services

ITIL provides examples of modelling the economic value of a service. What matters is the net difference between the positive gains from the service and the losses from using the service. For example if we can increase the performance of our business activities to deliver a five percent increase in sales by moving to external cloud services, we should consider the additional costs of moving to the cloud and any estimated cost of service non-availability or downtime.

ITIL distinguishes between different types of service provider: internal IT, shared service unit, external service provider. The sourcing model is a key factor in service strategy as each type has a different business model that affects the market space, competition, customers, contract and competition. With a move to cloud computing services a significant consideration will be any changes to the sourcing strategy.

If there is a major change to the ways of working as a result of moving to the cloud, the way that the service management processes are integrated across the enterprise will also need to change. ITIL provides guidance on how to do this and also how to implement new or changed services through the service lifecycle.

As people change jobs, a common challenge is training people in the organisation’s service management practices. Adopting an industry accepted framework based on ITIL means that organisations can adopt a consistent approach to training their personnel round the world and take advantage of the ITIL qualification scheme.

Conclusion

In conclusion, organisations need to take action to make sure that cloud computing services and suppliers will deliver value at the right cost and risk. ITIL provides the foundation and building blocks to establish a service management capability that enables you to support a diverse range of services including cloud services.

www.connectsphere.com

ITIL provides guidance on how to:

•             define value chains and value networks;

•             define and manage the service portfolio – balancing value, cost and risk;

•             select the right sourcing strategy and suppliers for cloud computing services;

•             develop and maintain a service management system and service models;

•             design, build, test, release and deploy cloud computing services;

•             establish the right agreements, contracts and service level agreement;

•             manage service performance and service levels;

•             managing changes;

•             managing incidents.

ITIL key practices

Many organisations are adopting the ITIL service lifecycle to enable them to manage business and technology changes more effectively and efficiently. You can use the ITIL service lifecycle to help you to manage business and technology change for cloud services. The service lifecycle contains five stages: Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement.

Key processes for managing cloud services through the service lifecycle are:

•             Managing the service strategy;

•             Service portfolio management;

•             Demand and capacity management;

•             Information security management;

•             IT service continuity management (working with the business and suppler);

•             Service level management;

•             Supplier management;

•             Change management;

•             Release and deployment management;

•             Service validation and testing;

•             Incident management;

•             Problem management;

•             Continual service improvement.

Most businesses implement a green IT plan primarily in order to save cost, with legislation also driving the requirement for change. Like any other business investment, the bottom line is that if it does not save money, the company will struggle to justify it.

In the last couple of months, green IT has once again come under the spotlight because of the Carbon Reduction Commitment (CRC) legislation that came into force on 1 April. This will start to have a real effect on businesses next year because at the moment, it is still in the measurement phase.

The first impact of the legislation, which will affect companies on a yearly-basis, will be the release of league tables. These will be published in April 2011 and will show how energy efficient businesses actually are. In total, an estimated 5,000 large, non-energy intensive businesses will be affected including most corporations and sizeable companies. It is expected that a company’s position in the league table with respect to their competitors will become an important measure of how green a company is and could have a big impact on their reputation and brand value.

Consequently, companies that end up lower in the league table will pay more and without significant action, the process is likely to add cost to many businesses’ products and services. Coupled with the rising cost of energy prices this will inevitably drive businesses to become more efficient and find ways to cut back on their energy usage to make essential cost savings.

Green IT

Many of the IT directors that we have encountered are finding themselves in a quandary because they are being asked to contribute to green plans but are struggling to see how IT can make an impact, not realising that the effect that green IT can have can be quite considerable, particularly in terms of cutting costs by reducing energy waste and improving IT processes.

Often, businesses worry about the up-front cost of green IT, in particular the manpower cost. This is a valid concern as a green IT plan is essentially a development programme of actions that staff must take. As we start to come out of recession and re-engage in more projects, employees who may already have been thinned in terms of numbers are already stretched.

Yet properly planned and implemented, green IT can have the combined effect of driving significant reductions in IT-related energy usage, while at the same time achieving multi-million pound cost savings on IT budgets and enhancing business reputation and brand value.

We recently carried out a green IT assessment for Carnival UK, a leader in the UK cruise industry, at its corporate headquarters in Southampton. The final report revealed that the three biggest cost savers were virtualisation, the move from desktop printers to more energy-efficient multi-functional devices (MFDs) and the re-use and extension of the desktops from a year to a five year cycle.

Storage, cooling and airflow in the data centre were also identified as areas in which great savings could be made. Yet the change that saved the least cost – providing facilities to enable staff to work at home – actually saved the most energy, as while it obviously cut travel costs for the employees, providing the technology for home working actually cost money for the business.

Virtualisation

Virtualisation is one of the biggest reducers of power because it lowers the number of machines used. New servers are significantly more environmentally-friendly than older ones both in terms of manufacture and power-use because they are smaller, less power-hungry, more efficient and have software and hardware components that throttle back the power and shut down areas that are not in use.

Conversely, the opposite is true for desktops which are not used so intensively. There is a lot of energy imbedded in the making of the desktop – around the energy equivalent of two years worth of usage. So when you throw away the desktop you are effectively also throwing away two years worth of energy. Extending the usage and refreshment cycle of desktops from around three years to five years through refurbishment or gradual replacement can save money on new equipment while from an environmental perspective, it also cuts back the amount of energy imbedded into the lifecycle of the machine.

Staying cool

Cooling within the data centre is also a big issue as most IT directors are not aware of the cost involved. There is an historical mindset that old computers needed careful husbandry and a cool environment. Yet most new equipment now requires much less cooling and there are techniques that mean that you can direct the cooling far more efficiently, which can equate to as much as a 20 percent reduction in power for the business as a whole.

Many IT workers also think that cooling is difficult because of the way most data centres have evolved – new equipment comes in when old equipment goes out so cooling is not considered at the outset. Yet rather than redesign the entire data centre to optimise cooling, many of the organisations that we have worked with have found that simply moving equipment around to focus the cooling can result in a dramatic reduction in energy usage. If you have a combination of new and old equipment you can simply segregate it into zones and put a divider down the middle.

A holistic process

Green IT should be a holistic process and therefore one that requires commitment from all areas of the business. In our experience, convincing management about the potential benefits of green IT is therefore even more crucial than changing the mindset of IT staff.

The main reason any change management programme fails is because of a lack of vision at CEO or director level. If the project is too ambitious with no ‘quick wins’ or successes in the early part, this can also leave people very disillusioned. A successful project will therefore typically have a combination of vision, quick wins and direction.

The simplest measures, or ‘quick wins,’ tend to be the ones that are easy to implement and invisible to the other areas of the business. For example, if you change the way that the data centre is cooled, or move from real servers to virtualised servers, users will not know or care as these are all things that happen behind the scenes. Some of the more significant changes, however, do require the rest of the company to buy-in.

For example, Multi Functional Devices (MFDs) make printing far more efficient and unlike handy desktop printers, they are shared by many people and typically positioned a short walk away. This means that users must leave their desks to collect material, making it a bit more inconvenient for them to print and therefore more likely to consider what they are printing. One of our customers has seen a reduction of over 40 percent in the volume of material printed as a result.

The fact that MFDs save the business money is unlikely to convince users that the new devices are a good idea. Explaining that they are much more environmentally friendly however, will usually – and validly – persuade users that these cost-saving machines are worthwhile.

Software bloat

At the top end of the green plan are measures to increase the efficiency of applications and reduce ‘software bloat’. Historically, most of these systems have been designed to be in use all the time because energy has always been cheap. Now that energy has become more expensive and there is greater scrutiny of energy usage, more complicated changes such as the move to smaller, more energy efficient systems are well worthwhile and will give demonstrable returns both in terms of money and carbon reductions.

Savings that have been made in this area can be re-invested into schemes that don’t actually save money but do reduce carbon such as home working, with the net result that the business has a cost-neutral green IT policy. Other companies simply want to use the exercise to drive cost savings.

Once a green IT plan has been implemented, there is no reason why a business should not see a return on investment within a year, particularly on those changes that don’t involve huge capital expenditure. Some initiatives will have an early payback whereas others, such as virtualisation programmes, might take between nine months and two years to implement.

It is therefore important to look at the business cases individually and design a change programme that includes a variety of elements that give an ROI within a year and balance the portfolio of other changes. During the initial five year change plan, the business should be in a position to incorporate and evolve green IT as part of existing departmental plans, taking into account new technologies and changes to the business as they happen.

www.externus.co.uk

e-Skills UK – the Sector Skills Council for IT – reports that “Despite the recession and a reduction in advertised vacancies, a lack of applicants for technology posts with the required skills, qualifications or experience is still a problem for many employers.” They go on to say that “110,500 new people will need to be brought in to the technology professional workforce every year until 2013.”   In that sort of climate it’s important to grow your own talent!

Insight, innovation and professionalism should characterise the application of IT; architectures for enterprise, infrastructure and applications should provide a forward-looking platform to support business strategies. These are some of the things that crucially depend on a high level of competency. If an organisation is not in this happy state, it is unlikely to get there by stealth or by the actions of individual enthusiasts. Nothing short of top-level commitment and enforcement will cause the change. However, given that commitment, the organisation can build a consistent way of doing things, supported by a common language of skills, that encourages a sense of community and best practice, and that is a tool for the management of individuals and for the top-level management of skilled resources.

The Capability Management Cycle

The management of individual capability can be seen as a cycle:

-              Human resources are acquired, either by recruitment, merger or re-organisation;

-              People are deployed on projects or longer term assignments;

-              Their performance is assessed;

-              Development plans are produced and carried out;

-              At some point in time decisions are made about reward;

-              The overall resource management process plans for the future, and sets and enforces policies.

Integrating these processes into an effective scheme for skills management depends on the existence of a common set of definitions that represent the organisation’s common language of capability. Having a unit of capability – a competence – means having the appropriate behavioural characteristics supported by professional skills and knowledge. Experience is also needed, both to consolidate the fundamentals and as evidence that the competence is real; it can be validated by qualifications such as the CompTIA qualifications, university degrees, Chartered status, and so on.

The knowledge could be of technologies, products, techniques, methods, internal systems, corporate processes, and so on. Most organisations have their established way of looking at behavioural competencies – assertiveness, business awareness, communication, etc. For a resource providing the professional skills we need look no further than the Skills Framework for the Information Age – SFIA – that has become a worldwide phenomenon.

So we can prepare definitions of the competencies required (or acquired) by our people. But how will we use those definitions? Most of the stages in the cycle require detailed information about a person’s capabilities – either those currently possessed or those that must be developed.

The traditional approach would be to put those definitions into job descriptions. Typically, organisations have a large number of different job descriptions. They can be used as sources of information when recruiting, selecting people for projects, assessing them and making their development plans. But for someone trying to plan the organisation’s overall resourcing profile over the next year or two there is just far too much detail. Fundamentally, job descriptions exist to describe the liability – the work that has to be carried out. Resource planning is about managing the asset – the skilled people who will carry out that work. What is needed is an asset register of the skilled resources. To achieve that it helps to go a step beyond job descriptions – towards professional profiles.

Professional profiles

Professional profiles define a relatively small number of categories of IT Professional. It is a simple idea: we all recognise some simple terms, such as software engineer, service manager, architect, service technician, etc. Of course, the organisation probably has job descriptions with names of that sort, but we are not talking about jobs now; we are talking about people and their capabilities. We are talking about pegs, not holes.

The professional profile for, say, a service manager does not describe a specific service management job. It is a simple summary of the essential capabilities of any service manager, the key words being summary and simple. This is not meant to be a list of all the things a service manager should be able to do. It is something brief that captures the essence of service management. It probably describes more than one level of service manager, either by name (service manager, senior service manager, service director etc) or number (SM/1, SM/2, SM/3 etc). The profile contains a simple statement of the raison d’être of service managers and lists the core SFIA skills, knowledge areas and behavioural competencies required at different levels. This is then a standard, commonly understood throughout the organisation.  We can now have an asset register, telling us how many people we have at each level of each profile. It is in those terms that we express future needs, and plan future resources.

Communities

The professional profiles effectively define communities. These could simply be informal arrangements through which people of the same professional profile share experiences and ideas about best practice and skills development.

Alternatively, those groupings can be building blocks of an organisation formed of communities of practice. In such a case, one practice is likely to contain people in more than one profile. For example, the Service practice might contain service managers, service technicians and service administrators. That group becomes the repository of the organisation’s collective wisdom on how to manage services, how to develop service people and how, for example, the roles in ITIL map on to the professional profiles.

Individual Capability

When recruiting people the professional profile forms the basis of the requirement, qualified by some specific needs, such as “with experience of retail finance” or “with in-depth knowledge of distributed databases”. If the recruitment agency has copies of the profiles, they can do a more accurate job of selecting candidates for interview.

Internal deployment in an assignment-based system is rather like recruitment. The need is expressed in terms of a professional profile with certain specific characteristics. What is not always exploited is the fact that deployment decisions are probably also the most important developmental decisions. An organisation based on communities of practice can provide the management focus that ensures the individual’s and the organisation’s need for capability development are to some extent taken into account: it’s not just a question of finding the right person for the assignment: whether it is the right job for the person is also relevant.

When assessing individuals we need to have the full details: they can be compared with the professional profile. At first it is likely that the individual does not quite match all of the core requirements – developmental actions will be needed. Over time, the individual’s profile becomes a superset of the professional profile, updated after projects or assignments, and reviewed in appraisals.

The appraisal reviews performance against objectives. The individual’s skills, knowledge and behavioural characteristics can then be used diagnostically to shed light on why some things were done well while others were done less well; this puts objectivity into the preparation of personal development plans.

When it comes to reward, the organisation can express its pay scales for IT staff in terms of the various levels of professional profile. This can help integrate IT pay scales into a corporate pay scheme.

The Asset

A set of professional profiles, broadly-based and probably numbering less than twenty, can be the currency in which the skilled asset is counted. It is also the basis of the common language that enables effective skills management. Managing the IT workforce as an asset transforms it from mere resource into a powerhouse of wisdom and professionalism based on best practice. The tools are available. It just needs a decision.

*Ron McLaren is a consultant in skills and capability management, specialising in improving the management of IT skills and capabilities in large organisations. He is a contributor to the development of the Skills Framework for the Information Age (SFIA) in his work as operations manager of the SFIA Foundation.

SFIA

Developed and regularly updated in a collaborative effort by organisations both providing and using IT, SFIA is the world’s preferred way of looking at IT skills, used in over 100 countries.

SFIA defines 86 professional IT skills across a framework of seven levels of attainment from 1 (“follow”) to 7 (“Set strategy, inspire, mobilise”). Each level has a full, generic definition. Each skill has an overall description and a differential description at each of the levels at which the skill can be recognised.

SFIA is owned and is the copyright of The SFIA Foundation, a not-for-profit organisation whose members are BCS, e Skills UK, The IET, IMIS and itSMF.

www.sfia.org.uk

SFIA and CompTIA

Recently The SFIA Foundation has published a mapping showing the levels of skill that might be expected in people obtaining the internationally-recognised CompTIA accreditations.

www.comptia.org

Certification has recently become a dirty word in the world of software application development; fuelled in part, by the rising popularity of the Scrum Master certification (which appears to be escalating at a varied and alarming rate). While I am not disputing that the associated education undoubtedly adds value, the declaration that an individual (no matter how intelligent), could be a ‘certified’ master of anything after spending a couple of days listening to someone in a classroom, is completely absurd.

A simple commodity

I believe, as many others do, that this ‘badge’ has to all intents and purposes, become a bit of a scam. Surely no one in their right mind would truly believe that such a certification is somehow equal to an official ‘qualification’? Sure, it is a nice tag and one that is cost-effective and relatively easy to obtain, but the idea that many HR professionals are citing it as a ‘must-have’ requirement in job applications/criteria has left me quite bewildered. It is not a qualification and it doesn’t prove anything; it is a commodity and labelling the title as a ‘must-have’ has simply fuelled an industry that is focused on supplying, promoting and primarily making money from its existence.

That said, I’m not suggesting that certification doesn’t have its place generally, but I believe it’s deceptive to those who are led to believe it is far more significant than it actually is. A certification scheme that insists on demonstrable experience and includes the skills for successful project delivery would be a good step forward.

But the potential issue also includes the credibility of the assessors themselves, who are they? How are they assessing and on what benchmark? That combined with more confusion caused by yet another certification scheme doesn’t really fill me with much confidence or enthusiasm.

While I don’t claim to know all of the assessors for certifications of proven capability personally, I would imagine that they are highly credible, upstanding members of the community; however, not all certification schemes have the same level of maturity, and as such it will be incredibly tough for this certification type to stand apart from mediocrity.

Keeping it in perspective

In an era where many in the IT industry feel compelled to attach a ‘certified’ badge to their name at every opportunity, we have to ask ourselves why people feel they have a need for certification. Is it purely about differentiation in a difficult market? Is it to meet a certain criteria set out by their HR department or boss? Or, do they truly believe they won’t be considered for the job without it? Either way, people with any kind of certification would do well to keep such titles in perspective – I recently saw a job applicant with a PhD in computer science who listed his ‘Certified Scrum Master’ tag above his PhD credentials!

Consider certification claims with caution

Some of this nonsensical behaviour unfortunately comes from how the recruitment process is conducted and how training budgets are spent (or wasted). All too often, and sadly for most, job applications are ranked by a certification as opposed to making the relevant checks to uncover the real experience and success demonstrated by a potential candidate. What also concerns me is that so many learning and development departments are setting targets for attendance at commodity training sessions where certification is immediately achieved – but is this really achieving anything worthwhile? I don’t believe so, but how you measure people, will ultimately determine how they behave.

While I do agree with evidence-based certification where sensibly governed, I also believe that these worthier schemes will soon get lost in the haze of other less-credible ‘certification options’ if the rising popularity in commoditised training sessions is anything to go by. Until such a time as a new evidence-based certification has gained momentum and has proven with some gravitas, to be worth its weight, I believe we must continue to consider any certification ‘claims’ with extreme caution.

www.upmentors.com

With the release of Windows 7, Microsoft has made a new operating system available for both individuals and businesses to consider. Many IT managers are already thinking about when to make the move to Windows 7 and how to make the process as painless as possible. With sales of more than 90 million licenses so far, Windows 7 has been Microsoft’s fastest selling operating system release ever.

According to Dimensional Research, around 58 percent of IT professionals are looking to deploy Windows 7 during 2010. This is not a small project, as a Windows 7 migration involves much more than just the deployment of a new OS. There are three phases that a company will go through during their migration: preparation, migration and maintenance.

Doing the ground work

The preparation phase for a migration first involves getting an overview of what the organisation has in place, and involves building an inventory of the PC hardware that is installed and what assets are in place. Based on this data, you can see which systems can be moved over to Windows 7 easily, and those that might require hardware upgrades or replacement.

Building this inventory can also help show where software licenses are not being used, or where additional IT hardware has been implemented. It also helps to reduce the cost of migration: Gartner estimated that the cost to upgrade from XP to Windows 7 amounted to between £620 and £1160 in migration costs per user. This makes it essential to optimise the migration process as much as possible in order to trim costs. If application licenses can be rationalised or re-assigned, then this can provide some additional cost savings as part of the project.

The second part of preparation is testing the new operating system with existing applications, and then establishing a process for managing user data and settings. Dimensional Research’s findings showed that this is one of the biggest issues that IT managers foresee around deploying Windows 7, with around 86 percent of respondents listing application compatibility as a concern. Some applications may not support the new OS, leading to upgrade costs or new systems being required in the future. This can therefore be a substantial additional cost to be considered.

One way around these problems is to use application virtualisation: instead of a traditional install, the application can be moved into a virtual package that is separate to the OS. This has an additional benefit in that different versions of the same application can be run side-by-side, which can be useful for testing purposes. Application virtualisation can also make the job of providing applications to users easier, as the work on preparing applications can be done centrally and then users simply click on a link in order to get their service.

The third activity to undertake before any migration occurs is a full backup of all the files and settings that end-users have in place. One of the biggest issues to overcome is that Microsoft does not support direct upgrades of Windows XP to Windows 7. A clean installation of Windows 7 is required in order for the migration to take place, but getting the old system settings over requires more preparation. It’s therefore essential to make sure that users retain critical files and settings during the migration process in order to minimise end-user downtime.

Separating these user-specific files and settings and saving them centrally means that they can be deployed alongside the new operating system. Taking this approach can help users to get up and running again quickly, as they can build up familiarity with the new OS faster. It can also reduce the risk of losing critical information during the migration process.

Making the move

Once you have carried out all this preparation, the next phase is the migration itself. Deploying the OS to individual machines can take a lot of time, so automating this where possible can reduce the amount of manual work required. Windows 7 does have some free tools to help here, but when you are looking at more than a handful of machines, the value of the time saved through automated deployment can justify the cost of an automation solution. Systems management tools can help in this rollout, as well as ensuring that each installation is carried out in the same way.

Once the base Windows 7 implementation is in place, the next step is to distribute the application set and user settings to machines on the network. This is also the right time to think about patches and updates in the future. Since Windows 7 has entered the market, there have been several updates that are relevant for the new OS included in Microsoft’s Patch Tuesday. Even with the newest of operating systems, getting the right patch strategy in place will help to reduce the amount of time and effort that is spent on keeping systems up to date.

Now you are here, what’s next?

Following this migration, you should also look at how to keep the benefits that the move over to a new OS can provide for as long as possible. For example, many organisations still do not have an official asset management policy in place. A large project such as Windows 7 migration can provide the impetus to reconsider how you manage assets: if you are engaging in a full-scale move to a new OS, then a list of everything that is installed across the organisation’s PCs is vital. Once the migration is completed, keeping this going should be easy, and the ability to report on licenses and software use can provide a long-term benefit in the future.

Another consideration for the future is performance, which initially can be great. However, as updates are added and the number of files builds up, the operating system and applications can start slowing down. Taking the right approach to how you manage those systems, as well as the level of control you want to exercise around the applications that users can install, are therefore important considerations for the longer term.

When going through a migration, there are several potential pitfalls that should be considered. For example, training users on the new operating system interface can be a significant overhead, particularly if you don’t update the user settings based on their previous workstation environments. Factoring in this training cost is one choice, while using systems management tools to replicate the look and feel of the previous desktop environment is another option.

Downtime is another cost that can potentially affect organisations in the midst of a migration. The need for additional hardware to support the new operating system can also be a potential cost, especially if you have not audited your estate prior to the move. However, having the right process and tools in place can negate or minimise the risk.

This is the end

While Windows XP continues to be popular with IT professionals, it is reaching its end of life. It is therefore essential that IT managers begin planning for an effective Windows 7 migration today. This means understanding what preparation is required, and what steps can be taken to keep any new implementation delivering value.

Cutting down on the manual intervention required during a migration and automating the deployment, patching and software packaging can really help to ensure that the organisation gets the most benefit from its move, as well as longer-term productivity gains for IT staff and end-users.

www.kace.com

Information and IT security has long suffered from being a ‘necessary evil’ for many businesses and an area that appears sometimes to have an unquenchable thirst for funding; as one threat is addressed, another layer of risk is uncovered or another threat grabs the headlines and demands attention.

Security and availability/resilience are the top two concerns for data centre users. We found this both when asking end-users what they looked for in new data centre space and when asking service providers what were the most important decision criteria for their customers. The report also describes how a structured approach to managing security is essential.

What lies behind this high ranking of security at a time when cost containment, green issues and cloud computing are also garnering attention? One answer appears to be increasingly complex and demanding compliance requirements essential for doing business. Certainly we found that more data centres are going to market proudly displaying their certification “badges” (e.g. ISO 27001 and SAS 70 Type II).

End-users also confirmed that compliance is a big factor in moving security projects from discussion to action. Compliance needs such as PCI for credit card processors are now not open to debate when ranked alongside other business demands. At the same time, we found evidence that increased awareness of security in the boardroom and among customers is putting the spotlight on security. Stories of lost customer data and prominent cases of credit card data theft have made it difficult to argue that the threats are hypothetical.

Bastions of security

Data centres need to be bastions of security helping businesses to meet these challenges. It is perhaps no surprise then that security and availability rank highly for end-users seeking data centre space.

What about organisations who choose to or must keep data centres in-house? How can they ensure that they achieve value for money from security? The flipside of boardroom attention to security can be security spending lacking in focus. In the UK, laptop encryption for example became a ‘must have’ for some companies in the wake of stories of laptop and data losses in the media. But what priority did addressing this risk have alongside other risks including those which affect the data centre (where much larger sources of valuable data reside)?

Data centre security is a vast topic and the range of potential measures which can be applied when one considers physical, network, application and data security appear limitless. Any approach to implementing or improving security which does not include a way to prioritise spending in a structured and justifiable manner might be considered negligent.

ISO 27001 is an international standard for information security management systems which requires a structured approach based on assessing actual risk levels. Although ISO 27001 is undoubtedly gaining traction with data centre providers and some end-users (about 50 percent of our end user respondents are certified or currently progressing certification), many end-users still choose to assess data centre security themselves rather than seeking evidence of independent certification backed up by regular audits.

ISO 27001 appears to suffer from an image problem. Some service providers and end-users told us that they wished to avoid the administrative overhead that certification would create. It is difficult to assess how many of those who claimed to be following ISO 27001-like approaches without certifying were doing this effectively, but there has to be a suspicion that it is not just the overhead of certification that they are avoiding, but some of the security management costs as well.

There is also another side to the argument. What is the cost of not having effective security management when investing in the data centre? Unwarranted cost can arise firstly because spending may be addressing an area which is not a significant risk for the business at that point or by addressing it too well. To take a micro-level example, British Loss Prevention Certification Board, standards classify physical security according to attack resistance at 1, 3, 5, 10 and 20 minutes. There can be a big cost difference between levels. Which does your data centre need for each door, grill and lock? This is just one micro-area of data centre security, but the point is that without assessing risk, many poor choices can be made and security may cost more than needed or worse leave important areas starved of funds.

Secondly, consider an example where new detection technology is deployed on a data centre network, but then a flood of alerts overwhelms the security team. A management system calls for measurement to be put in place to ensure that security controls are effective – or put another way, delivering value for money.

Best practice

Putting ISO 27001 to one side, what are the security measures which organisations are putting in place in the data centre? In our approach we looked for best practices from industry experts (at data centre providers, end-users, consultancies and product vendors) ensuring that we considered all of the categories set out within ISO/IEC 27001 and 2. This produced a long list of measures which can appear daunting until one remembers that they are areas to consider for specific risks at an organisation rather than a shopping list.

Unsurprisingly, physical security remains critical at the data centre, but while a few sectors (eg Government) may be looking at increasing protection levels for threats such as ram-raiding and bomb attack, most service providers and end-users are focused on ensuring that their operations are working as they should. Often this costs little because it is about improving procedures and enforcing them rather than buying a new security gadget.

Application security (and especially web applications) is an area which has matured over several years and appeared to gain wider acceptance in 2009 with easier to acquire solutions incorporated within mainstream security vendor products. A related emerging area is data security which seeks to directly protect data where it is held and accessed rather than by protecting the network or applications. A lot of industry hype in 2009 was about data loss prevention (DLP) which (simplistically) focuses on end-point/client applications to prevent certain identifiable data such as credit card numbers being transferred (eg to an email).

‘Database Activity Monitoring’ vendors now offer solutions which both seek to discover data on a company network and then to identify any access to that data regardless of source. Amongst the claimed advantages are that these solutions detect and protect data which companies did not know about and avoiding the need to fit security measures to all applications. It remains to be seen whether this approach gains favour.

This is a good example where organisations should apply risk-assessment thinking to determine how best to reduce their risk level; choosing measures for the specific risk within their own organisations rather than hyped solutions (regardless of how good they sound in isolation).

Revenge of the botnets

Protection against Denial of Service (DoS) attacks is an area which has proven difficult to address. Distributed (DDoS) attacks (from so called botnets) are particularly challenging for end-users to mitigate because their networks can be overloaded before attack traffic reaches a protection measure. Some service providers are now offering anti-DDoS services which combine their much greater network capacity with detection to remove attack traffic before it reaches an end-user’s infrastructure. With botnets increasing in number and size (making attacks larger), we believe end-users will increasingly turn to such service providers and that the prevalence of such attacks (which often involve extortion attempts) is probably currently underreported.

Indeed, while we believe that organisations should decide on in-house versus outsourced on a case-by-case basis, there will be a growing willingness to outsource responsibility for some aspects of data centre security. Many aspects of security can in theory be handled better on a larger scale because items like physical security, security teams and even the above-mentioned DDoS mitigation are much more cost-effective at scale.

Organisations should take care that whatever choices they make they do not outsource overall security management and accountability. Effective security management is critical to ensuring that good in/outsourcing choices are made and so that service providers may be effectively managed and audited. End-users should review security offers critically and look for evidence of independent certification and even contract liability cover as the best ways to cut through competing marketing claims.

www.broad-group.com

As we enter a new decade, IT departments are faced with a proverbial ‘perfect storm’ when it comes to securing data. Departments are dealing with reduced operating budgets resulting in them having to do more with less. There is a growing movement from various levels of government to regulate the security of data, such as the recent announcement by the UK Ministry of Justice that the Information Commissioner’s Office (ICO) would have the power to fine organisations up to £500,000 for serious breaches of data protection principles.

The European Council has approved a data breach notification rule for Europe’s telecommunications firms. This amendment to an EU Directive will force telcos to inform customers if they lose their data. The growing enactment of regulatory legislation related to the securing of data will force the hand of corporations to establish necessary processes to ensure the integrity of data. To not do so could result in them being subject to significant negative financial and reputational repercussions if a data breach were to occur. According to the Ponemon Institute, the average cost of a data breach to an organisation in the UK is £1.7 million, while in Germany it is €2.41 million.

Along with reduced operating budgets and growing government legislation, the general public has become acutely aware (and concerned) about the security of their personal data as the instances of lapses in data security continue to increase. In fact, according to the ICO, the number of recorded data breaches in the UK increased by nearly 65 percent last year over the previous year.

Then there is growing mobility of the workforce – from people travelling with their data to people telecommuting from their homes. According to the Ponemon Institute, over 3,500 laptops go missing every week in European airports. That’s one laptop every three minutes. While mobility creates business opportunities, it has accelerated the use of corporate owned devices outside of the traditional workplace. Especially as more and more employees work from “home offices”. The result is the creation of an information perimeter outside of the traditional enterprise perimeter.

Encryption

This perfect storm therefore begs the perfect question for any IT department: How do you secure data that you cannot track?

Encryption has, for some time, been the de facto standard in securing data and is one of the most important security tools in the defence of data. While it is an important part of any approach to data security, encryption alone is not enough. It does not enable IT to track the data and it does not provide any details as to what type of information was stored on the missing or stolen laptop. In fact when an encrypted laptop goes missing, all IT really knows is they have a laptop with potentially damaging information in the public domain with no means of retrieving the data. And, according to the latest research from the Ponemon Institute, there is no guarantee that encryption was set up properly on the device in question. Surveying non-IT business managers in the UK, it was found that 66 percent of them either wrote down their password on a private document, such as a post-it note or shared it with other individuals in case the password was forgotten.

IT departments, in this mobile environment, require more than encryption to securely track manage and protect their data. What they need is a layered approach to security that enables them to track data on and off the local area network and provide them with various options to access the data in the case a laptop does go missing, instead of being left wondering if the encryption was disabled. In order to be effective, encryption requires organisations and users to take appropriate steps to make sure sensitive and confidential information is protected as much as possible

The human factor

As shown in research conducted by the Ponemon Institute on The Human Factor in Laptop Encryption, a cultural divide exists between non-IT business managers and IT practitioners when it comes to security.

Too often IT is being bypassed, losing control, yet they remain accountable to data security and ensuring performance, integrity, availability and compliance of that data. It was found that a high percentage of employees surveyed in business functions (referred to as business managers) were not taking such precautionary steps as using complex passwords, not sharing passwords, keeping their laptop physically safe when travelling or locking their laptops to their desks to protect sensitive and confidential data. Further, many respondents believe that encrypted solutions make it unnecessary to take other security measures.

In contrast, their colleagues in IT and IT security functions (referred to as IT security practitioners) are diligent in taking all or most precautionary steps to safeguard the sensitive and confidential information on their laptops. They believe encryption is an important security tool, but believe it is critical to follow certain procedures to ensure that data is protected if a laptop is lost or stolen.

Key security findings

The following are some of the most salient IT security findings from the Ponemon research:

-              86 percent of IT security practitioners report that someone in their organisation has had a laptop lost or stolen and 61 percent report that it resulted in a data breach. Only 45 percent report that the organisation was able to prove the contents were encrypted.

-              59 percent of business managers surveyed strongly agree and agree that encryption stops cyber criminals from stealing data on laptops versus 46 percent of IT security practitioners who strongly agree or agree.

-              53 percent of business managers have disengaged their laptop’s encryption solution and 43 percent admit this is in violation of their company’s security policy.

www.absolute.com

As some companies adopt the theories of the Information Technology Infrastructure Library (ITIL), they will be committing staff from affected IT departments to so-called ‘ITIL Foundation’ courses. Routinely, this is the only non-technical training some IT staff may get. And, having trained hundreds of IT support staff and managers, I would suggest that the ITIL ‘Foundation Course’ as it is currently designed and taught is too often the absolute opposite of what good IT staff training should be.

In order to be licensed to use the ITIL brand, training courses must be accredited by an appointed industry body. Accreditation insists that the course focus on teaching about ITIL’s complete content, even if, as is overwhelmingly likely, your company implements only a tiny fraction of it. There is virtually no doubt that all of your attendees on an ITIL Foundation will be compelled to sit through hours of content that is irrelevant to your business, to your ITIL implementation and to the practicality of their jobs, meaning that much of your ITIL training may waste your money and your staff’s time and even breed resentment. What is more, the content is often likely to have been written by somebody other than the trainer and so delivered from a script rather than out of genuine field expertise.

Whether or not you have taken or plan to take the ‘ITIL route’, every minute of training you give your staff should enable them to do their job better, enjoy it more and give more of their talents to their customers and the company. A training seminar is a unique opportunity for your people to consider not just the method but also the underlying meaning of their work. It should never be wasted. It must always be good, not just perfunctory. It must be about you, not somebody else’s theories.

Five key areas that for me make the difference between effective and mediocre training are ‘purpose’, ‘relevance’, ‘argument’, ‘knowledge’ and ‘emotion’.

1. Purpose of change

You’re not investing time and money in the hope that things will stay the same, but because they must change. You have goals of how IT services should deliver improved customer satisfaction, faster and more reliable responses to user enquiries, fewer repeat problems, flawless implementation of new IT and so on. Your staff training should help you achieve that. When they come out of their training it should be with skills they did not have before, increased confidence in their ability and a readiness and motivation to apply all this – noticeably different to how they were when they went in.

So the training too must have a purpose of change, not just of re-education. If all your people have to show for three days’ attendance is a certificate saying they can recognise sixty-five percent of the terminology of a theoretical framework, then they have not changed themselves, but merely survived an attempt at indoctrination.

There is a simple reason why people fail to change – because they are comfortable in the niche they have carved for themselves and they will not risk being dislodged from it. The training must show them how and why to change and why there is no risk to them in rising from that niche.

2. Relevant and specific

Training must be relevant. It must strike at ‘now’, not merely pertain to some theoretical ‘whenever’. It must raise issues the attendees readily recognise from their everyday and provide resolutions that can be put in place the day the training ends.

This is where generic training often fails, for it is relevant to nothing in particular. Generic training cynically aspires to little more than the maximisation of its own profitability by attempting to appeal to the widest possible audience. And of course, the wider the spectrum of appeal, the less the impact anywhere on that spectrum.

ITIL’s oft repeated, foot-shooting declaration that it is ‘non-prescriptive’ is its claim that it cannot tell a company how to run its business, so it refuses to try. Instead it offers generalisations that could theoretically apply anywhere, while expecting that these will be adapted to deal with the specifics of a given business. That’s all very well for strategists and process designers – but IT support managers and staff are line operatives, frontline workers who face cold, hard, hourly realities. They don’t need generality – they need method, practice, technique, prescription. Anything less is mere background.

ITIL accreditation verifies only that the course covers ITIL. It is financially impractical and technically impossible to get accreditation for a course dealing specifically with your business. Therefore your ITIL staff training cannot be both accredited and specific. Either-or, not both – a stark and serious choice.

3. Structured argument

Most IT support people are diagnosticians who, as a matter of instinct, training or experience, use logic to understand a situation or solve a problem. Having seen the challenge of A, and decided upon C as a desirable outcome, they will find a route via B. They seek mechanism and take satisfaction in identifying it. To engage them, any training must respect their developed intellect.

This means that soft skills cannot be taught in isolation of a good reason why and how to use them. Take the simplistic cliché “Always smile while you’re on the telephone”. The response that often gets is “Why bother? The other party can’t see you. Besides, this caller doesn’t need somebody nice, he needs a professional problem solver.”

But that doesn’t understand the other dimensions at play, the negotiation techniques that make the solution easier to accept and understand; the rapport that can give the caller confidence and provide more information to aid the diagnosis. Smiling on the phone is much more than a mere, bland courtesy, although it is sadly often taught as just that – it is part of a logical perspective that can be deployed as a tool to make the exchange more successful. But its logic must be explained and understood. So it is for everything on the course – not just what, but why.

4. Knowledgeable trainer

Training should be delivered with credibility and confidence by somebody who has been where his attendees came from, who knows not just what happens but what causes it and how it feels. The trainer should know the real way to solve the snags and gotchas that crop up in candidates’ real lives.

Without that, sooner or later, he’ll be found out. There will be a question from the floor that isn’t in the script. He must deal with it competently and knowledgeably, giving an answer of recognisable reality. If he waffles, the wolves will pounce and have his and the course’s credibility for dinner and your money for dessert.

5. Emotionally engaging

Ever attended a training course where the course leader had no personal involvement in nor enthusiasm for what he was teaching? For the duration of the training intervention, he is an appointed leader – it is his professional duty to invest himself in what he is teaching, for that very investment is part of the lesson. It is a demonstration that the same is required of the training attendee who genuinely wishes to learn from what is being imparted.

All the good things about work success – enjoyment, enthusiasm, satisfaction, pride, motivation, drive, thoroughness, loyalty, even professionalism itself – are emotional factors. Any trainer who fails to appeal to these, risks his training being seen as mere dry instruction. The emotional involvement of the training’s recipient is crucial. The relevance of the course and structure of the argument will deal with the mind – but to turn that into real change requires heart.

Crazy choice

Because of official insistence, it seems we’re stuck with this crazy choice – relevance or accreditation but not both. Fortunately, there is nothing stopping real IT support experts from creating purpose-built, to-the-point staff training that fits with your IT support improvement strategy, whether or not you use ITIL. Go bespoke – and choose your trainer as carefully as you choose your managers.

*Noel Bruton is a long established, UK-based consultant and trainer specialising in IT support management and delivery. He is the bestselling author of ‘How to Manage the IT Helpdesk’ and ‘Managing the IT Services Process’.

www.noelbruton.com