What if Security reported to Operations?

Jul 31

What if? What if instead of business people being told to justify their plans to security, security had to advise the business regarding the operational impact of their new patches, firewall rules, badging policies, etc?

What if instead of a security audit for operations, there were an operations audit for security?

What if the business people had the last word?  Security would make their case for new restrictions on information flow, advising on the risk rather than deciding to avoid it.  Business then, advised of the risk, can decide upon avoidance, mitigation, or acceptance based on the effect on operations. 

What if the relationship between Operations and Security were reversed? 

I’d like to see what would happen…


I’ve been asked to mentor someone in KM

Jul 05

This proves a timely request, as I face termination from my day job due to an inability to convince the Decider that the CKO position is still required and worth the investment. Surrounded by C2 management and fiscal leadership, and subordinated to a CIO who is truly a systems manager rather than an information officer – I am walking away from a company that has been essentially acquired through new leadership.

Meanwhile, I find myself associated with a fascinating public sector project where I am trying to introduce the principles of complexity and systems science to former SES and uniformed types.

So taking on two challenges where I am trying to succeed as change agent, I am living the quote from the Prince, to the effect that change is resisted by most and half-heartedly embraced by those who are not yet convinced it will succeed.

A return to first principles, then. I’ll here capture what I am learning about each topic, and re-purpose that for mentoring, refreshment, reference, and general archival. Too much is trapped and being lost from my head – I will see if I can use the blog as personal notepad.

3rd time’s a charm.


Conquering Complexity

Oct 09

Ok, so I am a few pages into the Michael George book: “Lean Six Sigma for Services.” But I’m putting it down now for good. In the chapter entitled: “The Value in Conquering Complexity,” I am struck with the misuse of the term ‘complexity’ when what is meant is ‘complicated.’ The case study shows that a certain service offering was customized for several hundred clients, each with their own ‘pathway’ towards receiving that service. Mr. George then labels this ‘complexity.’ On the next page, he makes it clear with a parenthetical that defines complexity as “the variety of products and services.”

The failure to understand, or to be less blunt, address, core concepts in organizational theory is striking. Complexity refers to systems (such as Earth, human beings, businesses) whose properties emerge as the system interacts with its environment. A complicated situation as described by multiple customized pathways brings to mind pipes in a boiler room, or network cables under a server room floor. These images can be confusing to the eye, and hard to track, but the relationships are knowable. A complex metaphor moves beyond knowable pathways.

Complex systems defy causality chains. Graph a brainstorming session. What is the exact process by which a team of four professionals gather on a Thai beach and create lasting value? What is the effect of the remote locale, the different food on the cognitive processes within each? What is the role of the increased trust network after six weeks swatting bugs and fighting off a rogue monkey? (Read the story, trust me about the monkey.)

This book, and presumably the application of Lean or Six Sigma to services forms, presumes that the findings in organizational theory regarding work being done in the “organizational chart white spaces” represents inefficiencies in human endeavor – not reality. This school of thought apparently holds that the only reason the gossip network is the most reliable form of communication, or the organizational chart rarely represents true power relationships or work networks – is because we have not yet driven humans back to the formal organizational processes.

Believing this is an act of faith that is beyond my abilities. Businesses are actually complex adaptive systems. Wikipedia credits John Holland with this definition:

“A Complex Adaptive System (CAS) is a dynamic network of many agents (which may represent cells, species, individuals, firms, nations) acting in parallel, constantly acting and reacting to what the other agents are doing. The control of a CAS tends to be highly dispersed and decentralized. If there is to be any coherent behavior in the system, it has to arise from competition and cooperation among the agents themselves. The overall behavior of the system is the result of a huge number of decisions made every moment by many individual agents”

Mr. George’s book either ignores the finding that businesses are complex adaptive systems, or he believes that the agents can be made more efficient by mapping how each “gets to Y (results).” I lack the ability to wrap my mind around this, as it violates everything that is known and published regarding CAS. The quality movement is here to stay, and I need to find a way to accommodate those who believe in the LSS silver bullet – while keeping in mind how humans actually work and interact to create value.


OCS 2007: What is Next?

Oct 05

Representative from Motley Fool moderates the discussion regarding What, So What, and Now What?

Good questions, these. I’ve been experimenting here with ‘live blogging,’ and have instead merely reported without much context or comment on what I heard. Serves my purpose as I’m using WordPress to hold my notes, but the result is likely not a compelling read for anyone – including my mother.

The conversation is touching on location-aware services. We will increasingly give up privacy in order to get targeted advertising that will be more relevant to our interests. This also can be useful to us as good citizens. What if we could receive SMS alerts that told us a child abduction had just taken place within the last 20 minutes, within a thousand yards of our current location? The price is privacy, the common good would be enormous.

This field of location aware services will grow, not only through consumerization, but also due to advances in government activities, law enforcement and military operations, etc. I make no opinion here, just observing.

Another conversation regarding the ROI of social media. What happens when the marketers arrive? We have an opportunity to help them use the tools correctly. It is very difficult to connect an online community to bottom-line results. But the question isn’t going away. What suffices right now is an adjacency model. “We did x and y and then realized z revenue.” This will persist until firms accept social media behaviors as core to the business, just as marketing is.

More conversation about how to quantify this anyway. Sigh.

I return to the first blog post in this tiny site: there may be no correlation between these behaviors using social media and financial results. Connecting to your users/constituents/voters/employees and prospects carries with it strategic ROI. In the excellent book by Patti Anklam, she steered me to understand the elements of a firm as being human capital, structural capital, and relationship capital. It is how we leverage these, well, levers for organizational value that contributes to the bottom line. I need to connect activities to how they help us execute corporate strategy by building relationship capital – and get away from trying to quantify the effect of specific initiatives on the bottom line. If I did answer that question, I would be pretending there was no role for strategy and other factors that allow success to emerge.


OCS 2007 Breakout Session: Community Management Issues Within a Corporation

Oct 05

This will be even more sparse than the previous session notes, as I was dual-hatted to update the conference wiki for our breakout…

Questions to be addressed in this session:

  • Where should community management team sit in an organization?
    • Very dependent upon context, look to where the resource streams are coming from. Whoever provides the investment will want some ownership of the process.
    • Wherever it starts, the emphasis and interest will cross organizational boundaries due to politics, shifting alliances and investment profiles internal to the organization. In some business cycles, the marketing organization has the lion’s share of investments that may shift over time.
    • One large firm has developer communities, which are managed within the developer organization. They matrix in marketing or writing talent to assist in community growth. This community leader model means the leader is working across the firm to ensure his community gets the resources and talent it needs.
    • One firm with internally-focused communities is managed from within the strategy group, which provides top-level leadership and visibility. They are early in the process, and user traffic is being driven by the new ERP rollout (see my paystub, etc.).
    • How do users know what other initiatives (blogs, portals, wikis) are related to or in conflict with the community initiative? Where do they place community content, and how do they identify this as opposed to file shares, ERP systems, etc.
    • Cross-functional governance appears to become more important as communities proliferate. From an employee point of view, I will belong to multiple communities. How else to get common look and feel, common experience, etc.
      • Questions of infrastructure abound, but some communities are successful even existing only as listservs or mailing lists.
    • Group is converging on the idea of an overarching steering (advisory) committee (or community!), perhaps not engaged in management of communities, but advising regarding common infrastructure needs, best practices, rules of the road, etc. Techpubs example.
    • One firm has steering committee and operating committee, whose combined efforts help provide the prioritization among the “necessities,” (SSO, search, community autonomy, etc.)

      • Separate conversation about SSO: Lacking central enterprise SSO, one firm leveraged the login information from their community forums to *be* the corporate SSO.
  • What do we do when international divisions want their own community, in their own language and addressed to their local community? When are they separate and parallel, when should they be centralized? How do you coordinate across these?
    • Multi-lingual challenges. The technology issues aren’t the big hurdle, but multi-lingual translates to different localized requirements, investment sources, etc.
    • Some success in finding international champions, who establish their own community sites in their own language for their needs. Content is not aligned in this model.
    • Projects have their own community pages, and these can be done in different languages – but we don’t try to establish search or discovery across sites of different languages. So locally owned is easier, still challenging to do on an enterprise level.
    • Ideally, some community members should be available to the same community interest across languages. How would we do this?
    • One firm is seeding new communities with a snapshot of like communities from the English site.
    • It may not be a desirable goal to have one overall community. We may be better served recognizing the different languages, cultures, approaches to similar problems; and not trying to homogenize these by making it one corporate site just translated into different languages.
      • This may be true for support communities, but if you’re talking about distributed coding, then separate repositories do not make sense. The code will not change.
    • SSO and shared profiles remain critical, there is no way to move identity across these sites.
    • Who monitors to make sure the questions on the international sites get answered? Local management ensures this.
    • Issues may be global, but solutions may be local. Integrating across these communities remains highly manual. The primary focus is not integration, but helping provide global solutions through local communities. One firm uses HITL to do “thread management” instead of “community management.” When they find a promising thread in one community, they make it available to others.
    • Adoption curves for various community tools appear to vary across nations. But there is still a flow, at least within a certain U.S. firm, with the main U.S. site – where the critical mass exists.
  • Placeless vs place. Embedding community functionality into the main website, “placeless” interactions. When should these be brought into the overall community framework? Marketing, management and technical issues.
  • Do we separate communities of practice apart from use of collaborative technologies?
    • One division is to break it into externally facing and internally facing
    • Another example is project focused vs practitioner support for internal groups. Governed differently, but using same technical infrastructure
  • Brings up overarching question of governance and support.
  • Communities should grow up organically, but corporations still to plan top-down taxonomy for communities.
    • Changing communities are easier than “killing” them. An existing community that has fallen quiet can be re-purposed, or subsumed into another community.
    • When change is needed, or refreshment, bring in new leadership.
    • How to kill? Do you first make it read-only, then archive, then finally delete?
    • Perhaps you can maintain a large community model, and recognize the lifecycle of
  • How to govern communities in an era where records management is becoming more of a risk to firms? Related to this: policies to protect health-related information.
  • There is a culture clash between the old model that emphasized secure exchange of information and the openness of the culture associated with social media. Irony is the rules that are casting a chill over these fora are designed to enable openness of process and content – to improve visibility.
  • Some experience with firms who have stifled community interaction, etc., in fears of being open to risk.
  • Firms who have a set governance structure, have done better. Those who have set up communities without thinking through the governance and strategy have faltered and experienced backlash.
  • Even within a large firm, or the same organization, the governance varies based on the targeted audience. And that is intentional, necessary.
    • One approach is to establish and maintain a cross-functional governing body or steering group. Allows for many governance models, but enforces overall corporate strategy
    • Enforces good practices as well
    • But this top-down decision model can also be seen as a problem. Better to set the environment so that a community can evolve.
  • One firm has evolved from this old model of a proprietary view of information to a more open-source approach allowing for emergent communities
  • Another firm sets up rules of the road, but allows for externally hosted solutions, and lets the community decide the platform – these are all customer facing communities. Problem here is that while the community has maximum flexibility in establishing its experience, it appears to be more expensive than a single solution that also would permit SSO, and identities across communities.
  • What do you do in a firm that is engaging in M&A? How do you “integrate” or “assimilate” the existing communities in these firms?
  • How to get to SSO, integrated search, etc.? Need to maintain this throughout the acquisition cycle?

OCS2007 Session 2: Crowdsourcing

Oct 04

Topic introduction by Peter Cohen from Amazon.com

Overview of Amazon’s Mechanical Turk, a reference to their “artificial artificial intelligence.” This is a software interface that simply allows humans to interact with each other. Amazon has established a market for workers who largely do pattern-matching for online information.

Data-oriented problems that uniquely benefit from human interactions of high volume. The software allows for many people to work on ‘human intelligence tasks.’ “What problems could I solve if I could get tens of thousands of people to contribute to the task?”

200,000 people have signed up and completed tasks under Mechanical Turk. Last week, they had participants from 146 countries. These are tasks that are inherently difficult or impossible for a machine to do. Use cases include:

  • Data augmentation for Amazon catalog, to get richer information for their products or de-duplicate
  • Improve search results, using humans to establish relevance. Search doesn’t give answers, it gives results. The humans on this task are helping to provide answers. This reminds me of a “best bets” search capability in enterprise portals – where a human points to the right document when an employee is searching for things like HR policy items.
  • There is a company who provides transcription services using Mechanical Turk.
  • A firm uses MT to look at and identify ‘tone’ in online articles or forum postings.
  • Verify quote attribution.
  • Write product reviews.

The most active users are working to supplement income, these are not just technical experts. One high-visibility task involves the searching for aviator Steve Fossett in September, where humans searched online imagery for signs of his missing aircraft.

Great question about how to avoid underage users on MT, you must be 18 years old to “work” here. Every online commerce with any aspect of anonymity will invite mischief, and there was a concern that someone would exploit children to work these often rote tasks.

One goal is to create a global democratic marketplace for labor.

Q: What of communities? Communities have emerged among MT users/workers, including one called “Turker Nation.” They built a lot of anonymity into the MT system, perhaps they will add a “real identity” option for people who are willing to reveal who they are.
