A student wrote:

“Who has time to share information? Codifying one’s knowledge can be a very time intensive task. While many people share their knowledge via blogs, wiki’s and other such tools, getting individuals who are already overburdened to do this can be a challenge.  I’ve seen organizations try to force its employees to do this kind of thing resulting in very shallow products.”

From this conversation, I started to consider how this relates to some of the work my company, Powertek Corporation, www.powertekcorporation.com, has been doing with knowledge management. It seemed to me that in the end in the simplest sense knowledge management like information sharing solutions are all built upon the foundation of tagging information in a fashion that allows retrieval.

In the interactions I have had with Jeff Jonas, http://jeffjonas.typepad.com/, one of the smartest people I have met who studies all of this, he has impressed on me the importance of tagging information when it is ingested. Doing so afterwards is something liking trying to add the Dewey Decimal coding to a book after you put it on the shelf in the library. It would take so long to find the untagged books you typically wouldn’t get around to it.

If I can digress for a moment, and since this is my blog I guess I can write anything I want anyway I want to, while I was at the Department of Transportation and while watching what Vivek Kundra is trying to do with dashboards, I have pondered a similar issue – what tends to make some performance measurement systems and dashboards successful and some not.

I have come to believe that those dashboards whose metrics are automatically generated by the performance of the action being measured have a greater chance of surviving over time. The reason is that whenever an intermediate step is needed to generate the dashboard entries, organizations have many reasons to reassign or eliminate altogether the resources used to perform the intermediate step. Thus useful and even pretty successful measurement systems often last only as long as their sponsor stays and stays engaged.

So the common thread would be that the ‘sharing’ and ingesting into the knowledge management system, that is the tagging, should be accomplished when the information is created.

Looking specifically at knowledge management implementations that I am familiar with, most do the knowledge management part after, and often long after, the knowledge creation. The question then becomes whether it is necessary, or practical, to move tagging and ingesting to the actual knowledge creation.

I am sure experts in the field already know the answer to these questions, but if so, they often don’t seem to have sufficient impact on the large number of unsuccessful knowledge management implementations.

I have been part of a number of panels over the last few months which focused on the subject of Cloud Computing, the current state of the’art’, and as usual what barriers exist that need to be dealt with to make it easier to utilize. There certainly has been much written about it both pro and con and it remains a high-priority focus for the current Administrator and, in particular, Vivek Kundra, the Federal CIO.

For one of the graduate classes I am teaching this semester at the University of Maryland University College, the subject is touched upon as part of a broad look at technology changes and implications. The topic generated much comment by my students.

It seems to me that the subject starts from the wrong side of the discussion, the technology side. When the discussion turns to the impact, it starts at an important but not the most important concern, that of return-on-investment (ROI).

Today and in a number of future blog entries, I will talk about what I think are the current important issues associated with cloud computing. Today I start with what I perceive as a foundational issue, cost, but later in the week will move to what I believe are more important considerations and goals.

Note: I do not plan to rehash what cloud computing is, or is not, there are too many other write-ups that do this. Look at the National Institutes of Standards work on such definitions, I think it is pretty good.

SAVING MONEY. To me the least important, though I hasten to say not unimportant, goal of cloud computing is to reduce costs.

In the simplest sense, the provisioning of IT services costs money because of an overhead cost associated with buying computers and putting them somewhere as well as the operating costs of running them. When you spread that cost over more users then the cost per application usage goes down.

With cloud computing you have the potential, emphasis on the word potential, to achieve these savings by running multiple applications on the same computing equipment. This can be achieved when you use techniques to allow more than one application to run at the same time on the same computer increasing its utilization or when the peak levels of demand are different for each application, or both.

This much can be achieved by using what is called a private cloud, that is one that you run yourself. For organizations that have not centralized the provisioning of IT services, this one change can have a significant cost savings. The barriers to doing this are to some extent technical, it is necessary to gain experience in how to do this; but in large part cultural and organizational, it requires different groups within an organization to plan and work together.

Historically, computer usage in data centers is amazingly low, on average between 5 and 15 percent of capacity. By running multiple applications at once, using techniques such as virtualization, this capacity usage can usually be brought up to over 50% and often higher. This reduces the need for additional computing resources and cuts down on environmental costs such as cooling and power.

Moving to a more public cloud, which is one provided outside the organization, has the potential to achieve greater cost savings (maybe). Again looking at this in the simplest fashion, it spreads the overhead cost across still more users, with a public cloud perhaps in the thousands or more.

The other added advantage is that those organizations who have recognized that running data centers is not actually their core competency can out-source, currently a politically complex word, data center operations. On the other hand, organizations that do so need to develop a core competency of working with outside providers, which many organizations do not do.

It is interesting also to realize how many organizations want to move to externally provided IT resources because they feel they are too disorganized internally. This hope generally is not realized. There is an old saying that IT cannot organize a disorganized situation. I can promise you that outsourcing IT will not bring management controls to a situation where none currently exist. You first have to organize internally and only then look for outside provisioning. Electric power providers do not untangle the wiring in your house.

This last step, moving from an internally provided centralized IT provisioning process, private cloud, to an externally provisioned process, public cloud, is made still more complicated for Government due to security and privacy issues as well as fear of embarrassment issues; who needs to read in the Washington Post that your personnel system was hacked while sitting on some public provider; I speak from personal experience that testifying on the Hill about security issues is not why most people go into public service.

Having said that the first step, centralized provisioning, achieves a large percentage of the gain, and is worth working toward.

The other challenge associated with saving money is that many organizations do not do such a great job of tracking the costs which they are trying to reduce. Government organizations in particular often have in place rudimentary, or non-existent, cost accounting systems which keep track of all of the overhead associated with doing such work in-house. Thus the cost comparisons relate lower than actual internal costs against actual external costs. It is not a surprise that different organizations produce different conclusions.

I used to joke when I was at the US Department of Transportation that if you wanted to achieve a certain ROI I could help do so with 10 minutes and Excel.

To be continued …

The theme of the conference was Lowering the Cost of Government with Technology though the panel’s comments ranged from cost issues to government 2.0 and social networking to cyber-security in general.

The panel was moderated by Chris Dorobek, the afternoon co-anchor for WFED. The other panelists included Vance Hitch, the Department of Justice CIO, Pat Howard, the Chief Information Security Officer, CISO, for the Nuclear Regulatory Commission, Dr. Ron Ross, a key figure in defining security requirements and policy at the National Institute of Standards and Technology, NIST, Gary Galloway, the Deputy Director for Information Assurance at the Department of State, and Rue Moody, the Director of Strategic Technology at Citrix.

I was called on first after the introductions to frame the conversation based on the pre-meeting discussions the panelists had held. I discussed four issues.

First, there is an inherent conflict between data sharing and data protection. In my opinion, you cannot do both perfectly. Even though almost everyone will take the position that you will have to pay attention to both, it is important to pay attention to which way you lean and why and the implications. I noted how impressed I was towards the end of the last administration, when Mike McConnell, then the Director of National Intelligence, DNI, talked about if he had to take some security risks in order to increase the ability to share information within the Intelligence Community, he would. I am sure that I am not capturing the nuances of his talk, but the messaging was very powerful. It is a position that those who know me recognize I agree with very strongly.

Second, security is difficult to measure and more importantly there is little agreement among security experts as to what metrics to use. This is a particular problem for those agencies and departments who do not have security as part of their day job.

What I mean by that last sentence is that those departments who have security as part of their primary mission have a great deal of day-to-day experience in making tradeoffs involving security spending. Even if the rationale for decisions is merely experiential as opposed to quantitative, over time senior management gets to be fairly experienced at making these kinds of decisions.

For most civilian departments and agencies this is not as true. Trying to decide if taking money from safety inspections, which might be an agencies primary mission, and spending it on cyber-security is a difficult decision to make. Without defined metrics the likelihood of making the correct decision isn’t very high.

I was heartened in reading recently about the establishment of a Security Metrics Task Force by Vivek Kundra and the Federal CIO Council, http://it.usaspending.gov/?q=content/blog, chaired by Vance Hitch, who discussed this during his remarks at the panel, and Rob Carey, the Department of the Navy CIO.

Third, it is hard for people in large organizations, especially governmental organizations to prioritize; that is, to implement the results of risk analysis. The fundamental reason is that prioritization requires someone to decide to work on one set of requirements and thus to NOT work on the rest of the requirements. Few, if anyone, wants to be the person who is associated with the latter decision, the not work on part. If anything bad happens that could be associated with a requirement that is in the lower set of priorities, that will get extra attention from the various oversight groups that look over the shoulders of IT providers in the Federal Government. As someone who had the pleasure of testifying on the hill I can promise you it is not a goal for most people.

The end result is that often organizations try to do everything and thus end up doing very little of anything.

Finally, I noted that the general overemphasis on protecting the end-points of networks is starting to be balanced against the need for creating systems that are resiliant and have high-availability. Obviously, it would not be a good plan to ignore investments in protection against bad guys getting into networks. But it is equally important to recognize that regardless of the level of protection built into an architecture, at least some bad guys will get through. Therefore, it is also important to think about how to make sure systems stay up and running with protected data even while a system has been otherwise penetrated.

As hard as it is to build in protections and to measure the results, it is harder still to do the same for regarding building resiliant systems. Thus the greater emphasis on protection first, which i believe still needs to be adjusted further.

One point which I didn’t make as well as I would have liked at the Conference is the fact that security has both positive and negative cost implications. It can be positive if there is greater standardization which tends to lower support costs and can do so dramatically if done well. It can be negative if there is no clearcut methodology to making investment decisions. Without associated risk management and security metrics, security spending becomes an endless investment with no well-defined result.

Many thanks to Goldy Kamali for inviting me to be part of the panel and for putting together a great conference. Everyone who missed it missed some great discussions and networking opportunities.