Technical debt, depreciation and risk

Technical debt, depreciation and risk

I wrote and posted a piece on Technical Debt on my linkedin blog. Its post comment, based on the concluding paragraph says, “I look at “Technical Debt” in the context of IT budget planning and suggest that it is not such a useful concept. Using standard risk management analysis is a more effective means of planning a maintenance budget which should consist of funding for both error & risk remediation. Depreciation is a better financial model for the problem.”

There must be much written about the nature of depreciation from physical wear and tear, to the need and cost to replace due to increasing failure; perhaps I should look for some reading on how this applies to information systems. I question if software is an asset in terms of accounting theory, I suppose so because it has value in more than one accounting period, but can it be realised? I also question the value of placing a cash value on software in use, identifying its cost to acquire is potentially simple, its residual value is much harder and synchronising this change to a single corporate depreciation rule can be difficult.

Some things I considered writing about include the number of times while trying to clean up or rationalise corporate IT estates to be told that, “you’re not touching that!”. We used to joke that they’d lost the system which pays the board’s bonuses, but these systems were almost always obsolete and acted as a technology sink keep product in the portfolio that should have been abandoned. Recently I came across the phrase, fictional capital, these systems had an unknown value and the decision to leave them alone seemed based on a pessimistic and fictional view of their value. I sometimes suggested turning them off to see who squealed but this advice was never accepted.

Also it needs to be considered that the maintenance budget is a function of the size of the information systems portfolio and much of it is a fixed cost. If you don’t spend the money the systems stop and they do not vary with output.  …

Excel and Track & Trace

Excel and Track & Trace

The UK’s world class “Track & Trace” application “lost” 16,000 cases for over a week, as reported in the Register. Plenty of people have decided to comment and so I thought I’d join in and posted my thoughts in a linkedin blog, although I start this post with a quote from the Register, including the fabulous phrase, "Ridicule and despair, those shagged-out nags of our Johnsonian apocalypse, once again trudged exhaustedly across the plaguelands of England". For more see below/overleaf ...

There’s no divorce in Bitcoin

There’s no divorce in Bitcoin

I attended a presentation hosted by the BCS, and given by Ron Ballard, based on his article in IT Now, “Blockchain: the facts and the fiction”. What he said inspired some thoughts and reminded me of others, some of which I have previously published on my blog. I wrote an article, called Learnings of Bitcoin, which was meant to be a spoof on the Borat film title and posted it on my linkedin blog, The article looks at the tight coupling of Bitcoin, and its consensus mechanism, the proof of work, together with its costs and vulnerabilities. It examines the goal of eliminating trust authorities and its questionable ability to meet the necessary roles of money as a means of exchange and a store of wealth. In the comment pushing it, I say, "This might be a bit basic for some, but you can't have a coinless immutable blockchain, at least not one based on 'proof of work'.", at which point you need to consider if there are better data storage platforms for your use case. I use more words to explore these issues below/overleaf ....

On Record Management

On Record Management

As part of my series on devising systems to create logs to protect an organisation and its staff against charges of criminality, I posted an article on my linkedin blog called “Doing Record Management well”. It doesn’t surprise me that there is an ISO Standard (ISO 15489) on the subject, but it does surprise me that I hadn’t heard of it until I started to research some of the articles in this series.

I have a research note on my wiki, which links to the Bank of England policy and also quotes Deutsche Bank’s policy, which is available because they post it on internet. I quote it here,

Deutsche Bank’s code of conduct, see page 25, says, among other things,

“Maintaining accurate books and records is fundamental to meeting our legal, regulatory and business requirements. You are responsible for maintaining accurate and complete records and for complying with all the controls and policies our bank has in place. You should never falsify any book, record or account that relates to the business of our bank, its customers, employees (including your own activities within our bank) or suppliers. You must never dispose of records or information that may be relevant to pending or threatened litigation or a regulatory proceeding unless you are authorised to do so by the Legal Department. You must also comply with applicable record retention policies.”

DB Code of Conduct
 …

Knowledge Graphs

Knowledge Graphs

I attended a Capco/Semantic Web Company webinar, on Knowledge Graphs which provoked these thoughts, on how far we’ve come, new solutions to old problems and the social inhibitors to new technology adoption. The complexity of the data administration problem is why specialist tools have been developed and matured to the point that Gartner produce a Magic Quadrant on Meta Data Management tools, in which the Semantic Web company’s Pool Party appears as a visionary. The MQ report is currently being distributed, as is normal, by one of the “Leaders”, Informatica.

Andreas Blumaur, who was one of the speakers, repeated his suggestion, start small with committed users and that possibly the best 1st solution is a semantic search. (I thinl I’ll have another look at implementing something on my wiki.)

I have felt for a while that semantic web technology could be used to match work to resource in the cloud, with cloud entities advertising their capability using XML, it shouldnn’t be a stretch and with Azure, these systems are being defined in XML. The other application that interests me is if the XML/RDF models can be used to create a model of the person in the enterprise, maybe implemented in SQL; my current researches have not been fruitful. …

Can’t make it up

Can’t make it up

A note on LinkedIn on why managements need IT usage policies to prove their compliance and to act legally and fairly towards their employees. I suggest that ISO27001 is useful as a technical standard and COBIT as an organisational one.

This was written in the light of a couple of cases I had to deal with as an accompanying rep. or as an advisor.

You can’t claim that users are not performing if you can’t prove the IT systems work as documented. You can’t pursue a conduct disciplinary against people operating a policy. You can’t fulfil FOI or SAR requests if the data retention policy is suspect. You can’t be sure that corruption has not occurred if there is inadequate segregation of duties.

Having policy will help the organisation answer the following questions. Is our software supported?  Why and how was that data deleted? What should be logged? Who has permission to read, amend and run these programs and/or this data? Are our vendors signed up to our IT security goals? Why do you not know this?

This is all defined in these standards, and the GDPR makes certification to good practice evidence of good will. ISO27001 and COBIT are the big boys in town to prove technical and organisational protection.

You can’t make it up anymore. …

Some IT technology & economics history

Some IT technology & economics history

I have finally installed a version of CA-Superproject under W98/Virtualbox and the experience reminded me of a couple of things, about the software, about its final custodian, Computer Associates (CA) and also some critical software project management issues. I have written a more formal note on Linkedin and this is my mirror/pointer to that; the rest of this article précises that article. For more, see overleaf/below. …  …

Technology lessons

Technology lessons

It seems there is insufficient evidence to prosecute Boris Johnson for misconduct in a public office; the police had been investigating him as a result of his alleged relationship with Jennifer Arcuri  in the light of decisions taken by the Mayor’s Officer to support her business. It should be noted that he did not declare his relationship as a potential conflict of interest. His day-time visits to her home, so presumably during working hours, were, it seems, for ‘technology lessons’; it reminds me of the private eye euphemism of “Ugandan discussions”. One disturbing part of the affair is that the emails seem to be unavailable., possible in contravention of the GLA’s & Mayor’s statutory record keeping rules and duties. The rest of this blog looks at alternative legal approaches to investigating if wrong doing has occurred; it highlights the role of ISO 27001 in specifying good IT Management and Security practices and that compliance/certification may be seen as part of a legal defence against liability for a security breach. Without good IT Security controls, essential audit questions cannot be answered.

In order to help consider how that might have happened, I have just written a short note on how ISO 27001 deals with deletion. It is clear that the rules and means of making data deletions need to be specified and controlled. ISO guidance on “Asset Management” specifies good practice for data management and the section on “Logging & Monitoring” details how business actions need to be, well …, logged and monitored. Without these tools, we cannot know who took any actions, and who instructed that these actions occur. I talk about the well known exception to the storage principle, that data needed for disputes or compliance must not be deleted until these needs aee no longer in place. If these tools, are not available, perhaps we should be asking, why not? Who said that these controls were too expensive? The GDPR establishes that using a certified code is an important indicator that the organisation has “adequate technical and organisational protection”.

While Johnson’s relationship with Arcuri is not what led me to look at the Bribery Act, I wrote a short note on that and discovered that a bribe is

[any] act designed to obtain or having the effect of obtaining advantage through the ‘improper performance’ of another person.

Now it’s over to the GLA’s Oversight Committee. …

Fighting Corruption

Fighting Corruption

Sadly I have been looking to see what’s being said about Corruption and Anti-Corruption. I made a wiki post which includes some links on management strategy, which includes an article from McKinsey’s Journal which offers a brief taxonomy of corrupt practices, this is augmented by Transparency International’s tool kit, to which I link. TI also note that, “The UK Bribery Act, which was passed in 2010, introduces an offence of corporate failure to prevent bribery.”. There are also some specific action plans inc. current advice from the MoJ. Interestingly, to me, the action plans share many ideas from risk management practices and IT Security controls that I have been working with for many years, and that having a robust programme of controls is the only defence against the aforementioned corporate crime.

Construct a taxonomy, develop controls, measure the effectiveness of the controls and fix those that are broken.

This costs money and time, and companies may lose business because of it. No-one says it’s easy.

I have now made a post on my linkedin blog, which while repeating some of that I say here, looks at the MOJ Guidance and their six principles and offers some important definitions of pertaining to bribery.  I highlight the concept of ‘improper behaviour’ from within the legislation. …

Theory matters!

Theory matters!

I have just posted a blog on linkedin about business and IT strategy.  I say a bit more here! This was provoked because I was doing some research for a job application which involves IT strategy. I was considering the alignment of business strategy with that of the IT department and what I might say. I outlined three models, although they were all developed a while ago, I think they all have relevance today. The three models address business strategy, software portfolio management and architectural pattern selection. Business strategy should drive portfolio and project management choices. While business strategy will outline how to do what must be done, it also defines what will not be done.  Portfolio management determines the allocation of development funding, priority, maintenance funding, project risk appetite, people skills, project governance and software sourcing policy and as result of choices made, one can select the appropriate platform super architectures, of which you may need more than one. I conclude that theory matters. See more below/overleaf … …