A few people asked me to post my presentation, but I have found that my current job as the COO at Powertek Corporation has caused me to miss many of my self-imposed deadlines for doing many things, including updating my blog.

However, has now been overcome, at least for a few moments, and here it is.

UMUC Slides 

My talk was divided into four parts:

• Context where I discussed what I call First Principals, what I feel are the underlying causes of much of the technological disruptions happening these days
• Some thoughts on security trends, after all this was a Cybersecurity Symposium
• Comments about the demand for security professionals, after all this also was a Job Fair
• Ending with some thoughts on the goals for security and some general advice

I think the slides are pretty self-explanatory though I keep hoping to turn some of them into individual blog entries.

I had two key pieces of advice.

First, I related an old joke by Steve Martin that talked about how to make a million dollars and not pay taxes. The first step was to ‘find a million dollars’. I find that many proposed solutions to security, well, actually to almost anything hard is the functional equivalent of that first step.

Second, I told them to remember that the primary mission of almost every organization they will work for is NOT security. Because of that fact, one of the primary jobs of a senior security professional is to learn how to articulate the reasons for security investments in the context of the actual mission goal. Otherwise, organizational senior management will not make the right decisions.

In the Pentagon that joke morphed. Whenever someone wanted to get additional budget, the reason was to ‘Deal With China’. Well, in fact, maybe that is still true.

In technology today, the current budget justification phrase is ‘Cloud Computing’. Except in this case, exactly what Cloud Computing is or what it can do is even less clear than normal. On the other hand, that lack of clarity means there are lots and lots of meetings, seminars, and conferences that deal with trying to define Cloud Computing and provide advice on what to do about it.

In that context, I was on a panel Monday, May 3, that discussed Cloud Computing and the kinds of new skills that would be needed to support Cloud initiatives, http://events.1105govinfo.com/Events/Cloud-Computing-Summit-2010/Sessions/Monday/CC4.aspx.

I had three major themes.

My first theme was that people tended to mean one of a number of radically different concepts under the general topic of Cloud Computing.

Many actually were talking about consolidating multiple applications on a fewer number of servers – virtualization. It was this step that accomplished much of the savings, if there were to be any, from Cloud Computing. In fact, it was certainly possible to do server consolidation and application virtualization without actually implementing anything that actually was ‘in the Cloud’.

Others used the term Cloud Computing to putting applications on the Internet; in the web. This approach is also often described as Service Oriented Architecture, SOA. I am probably not capturing all of the nuances of SOA but to me this basically means taking a program which traditionally was self-contained and isolated and treating it like a service which others could access or integrate into a larger set of combined services. Doing so efficiently requires writing programs a bit differently, adding the ability for a service to be discovered, that is found by others, and adding the capability to expose aspects of the service to others.

SOA in the end requires not just technology change but also cultural change. To be most effective it requires an organization to be much more collegial and standards based in how it designs and develops software.

Finally, some people meant having applications, or aspects of an application such as the platform it runs on, provided externally; that is, through a cloud. The big challenge here is that when using only internal resources it is possible, though in my opinion unwise, to get by without taking the time or applying the necessary rigor to develop service level agreements (SLA’s) for all of the aspects of your system.

You can tell if people are working hard by peering over their shoulders. You can measure performance by users calling and yelling at you, and dynamically reallocate resources by yelling at someone down the hall.

However, when you move a resource out of your internal operation it becomes absolutely critical to develop robust SLA’s to manage your provider’s performance and define your expectations. It turns out that this is very hard to do especially in areas that historically have not been defined in very precise terms such as security or privacy. This is, again in my opinion, one of the major underlying reasons why there is such resistance to moving applications to the cloud.

My second theme is derived from that last point. It was always useful to create business architecture’s to drive technology development. While it might be inefficient, it was historically possible when everything was accomplish internally to ignore that benefit and instead do what was in effect the opposite approach, develop technology solutions that ended up impacting the business.

However if an organization wants to move to the not-well-defined cloud, it becomes necessary to define the business architecture’s and business goals associated with the applications. Without that definition, the likelihood of achieving the promised benefits associated with Cloud Computing are highly unlikely to be achieved.

My third theme was that the major human capital impacts were:

• Technical and operational IT assets were likely over time to move to external service providers and away from user organizations
• The demands on procurement and legal professionals were going to change as their responsibilities became more and more ‘horizontal’ between organizations and their providers of service and less ‘vertical’ supporting internal hierarchical organizations
• The importance of technical staff who also were comfortable with business issues would dramatically increase.

Federal Computer Week, http://fcw.com/Articles/2010/05/04/cloud-computing-implications.aspx, covered the panel.

“Welcome to the first Upstate CIO Conference, where CIOs from Upstate New York will connect, discuss industry trends and emerging technologies, and inform course content for information executives.

The Upstate CIO Conference is a one-day conference, held on Friday, April 16, 2010, at the School of Information Studies (iSchool) on the Syracuse University campus. The conference brings together Upstate CIOs and information technology professors to explore how academic research and professional experience come together to create innovative solutions to industry challenges, create industry trends, and educate professionals who can meet the needs of the 21st century global workplace.”

I was invited to give the keynote for the conference and to serve on a panel focusing on IT Governance. My keynote will discuss my thoughts regarding governance and how it differs between the private and public sectors. I’ll also cover what I call First Principals which are some of the key trends that are underneath some of the current technology trends.

I have included a copy of the slides below. In the interests of full disclosure, I also serve as an adjunct professor at the iSchool teaching graduate distance learning classes related to CIO Management and Cyber-security Policy.

Upstate CIO Conference Slides

The link to the conference site is: http://ischool.syr.edu/newsroom/cio/conference.aspx.

I discussed two topics under the topic of Bringing Governance, Performance Management, and IT Together.

Here is the presentation:

My Potomac Forum Presentation

The presentation is divided into parts.

The first part discusses my thoughts about what should we are trying to do with the Open Government initiative. I am a very enthusiastic supporter of these initiatives.

My major point, however, was that much of what has gotten public attention such as Transparency or externally published data sets are not the goal, it is what they are intended to accomplish that is the goal. Specifically, we want to cause something to happen that would not have happened if they were not performed.

As one of the other speakers noted, if this only became a compliance exercise then we would not be accomplishing enough.

The second part of the presentation dealt  with how I attempted to use transparency and a status dashboard at the US Department of Transportation during my last year at the Department to improve oversight of cyber-security status. The approach turned out to be partially effective.

Our ability to see into the various networks, most of which were independently managed, improved a great deal. However, I was unsuccessful in setting up a process that carried over across the chasm of the change in Administration. I indicated some of the lessons learned and how I would have improved our approach.

My focus, as usual, will be on the strategic reasons behind the movement to SCADA. Oops, perhaps I should back up. SCADA is an abbreviation for Supervisory Control and Data Acquisition. It usually is used as a catch-all term dealing with computer controlled equipment or machinery (or plants or smart grids or, well you get the idea).

Many of these systems were controlled individually by locally provised systems and thus security, while relevant, wasn’t the most critical factor when designing such solutions. Now that many of these systems are managed over the Internet and an increasing percentage of what most would consider our/US economic critical infrastructure touches these systems, cyber issue have become a very hot topic.

So my presentation will focus on why this is happening and also touch a bit on some of the issues the Government is facing in this space. The second presenter from CSC is an industry expert in the utility, chemical and natural resource market and will provide some more detailed oversight and advice.

I adapted some of my past talks on this issue starting with my standard discussion about transaction cost economics and the internet and then push on to cloud computing.

I have started to try and generalize the concept of cloud computing and wanted to get some feedback from anyone who cared to give it regarding what I wrote up. This does NOT include the second part of the presentation which I mention above.

Dan’s SCADA Presentation

My thought is that in a sense every computer and in fact in a broader sense every aspect of an organization could be looked at as being part of a private, community, or public cloud. Your desktop could be considered a small, generally unoptimized private cloud for example.

For the purposes of this presentation, each ‘thing’ has a governance question relating to how decisions are made and a security question relating to how security is provisioned or at least who is responsible for the provisioning of it.

The purpose of this thought experiment ties back to my premise as to why cloud computing has taken off, transactional cost economics + some technological developments, and the difficulty in avoiding these implications.

The whole thing needs work but I think the direction I am heading is increasingly clear.  All feedback welcome either as comments to this post or as emails directly to me.

It was great interacting with the attendees and hearing the kinds of issues that local officials face, as well as spending a little bit of time in New Orleans, where the meeting was held. It was the first time I was in New Orleans.

The panel I served on discussed Government 3.0, what it might be, and some of the issues associated with it.

My major points were that the ‘classical’ description of 3.0 has been that the next step is to implement what is called the Semantic Web. The term is generally used to mean that the web will understand its own content and with that knowledge allow more robust searches and interactions. I call it the “Return what I want, not what I ask for” web. I expressed some skepticism about the likelihood of this happening.

I pointed out that there was much to do with the old-fashioned Government 2.0 approach, which still is very young. And I brought up my favorite topic, the integration of fast sensors into networks and its implications to local and state government.

My NATOA Government 3.0 Presentation