Monthly Archives: October 2015

Looking to the future: sustainable IT and HE web presence

simon

Simon Geller
Senior Project Manager
University of Sheffield
Member of UCISA-PCMG

Day Two at Educause

I started the day at 8am – the Yanks get up early! – with a session on Google Apps. Sheffield was an early adopter of Google so I had an in on this but the session got a bit bogged down in questions about account creation and deletion rather than the potential for collaboration.

Sustainable IT
Then I moved on to a discussion session about sustainable IT. This doesn’t get talked about so much these days – I think one of the reasons for this is that the movement into cloud services means that institutions aren’t quite so conscious of their energy footprint. Also, IT shouldn’t beat itself up too much about how green it is – we enable so much green activity in other areas, from maps and journey planners on smartphones that make people feel more comfortable about walking and using public transport rather than driving, pool bike schemes that you register for online, to smart energy management systems and systems that make industrial processes much more efficient. The future is Green IT that you don’t even notice.

A presentation from the University of Edinburgh on helping non-project managers to deliver success
In the afternoon, I thought I’d better support our Edinburgh colleagues and went to their presentation  on how they provide support for non-vocational project managers. Although the AV wasn’t being helpful the level of resource they had brought to the issue was impressive.

Then I continued on my quest to discover where the web would take us in the next 10 years. The key message from What Will Your .Edu Site Look Like in 10 Years?  is that your web presence will be going out and looking for your customers rather than waiting for them to come to you.

Later I found myself in a compliance session I hadn’t really intended to go, but thought I’d take risk and stick with it. The message I took away from that is that there are two types of institutions – those that have been hacked, and those that had been hacked and don’t know about it. Scary!

The final session I attended that day was a trend analysis run by journalists from the Chronicle of Higher Education , and the takeaway from that was that we used to talk about the for-profit sector, now, in the US at least, the whole area is for-profit. Plus two questions to ask suppliers: “What research is (that assertion) based on? and “What’s the upgrade cycle?” – cutting edge tech doesn’t stay there for long.

 

A practical approach to risk management – two perspectives

Tim Banks
Faculty IT Manager
University of Leeds

 

This is a write-up of a session  I attended on Wednesday at Educause 2015  which was delivered by Bill Arnold, Information Security Analyst at the University of Tampa, and Dr Lawrence Dobranski, ICT Security Access & Compliance, University of Saskatchewan (Canada).

Introduction

The University of Tampa, Florida, is a liberal arts institution and has a student population of around 8,000 students, 65% of whom live on campus. There are 1,200 staff and the annual turnover is c. $235m with an estimated annual economic impact of around $850 million. They formally launched their Information Security Program 3 years ago with the appointment of a Chief Information Security Officer, who reports directly to the President (Vice-Chancellor). Their stated aim is to build a culture of risk management, security awareness and data protection, and as part of this, they have created a cyber-security lab. They achieved ISO/IEC 27001:2013 accreditation in July 2015.

The (often misspelt) University of Saskatchewan is one of the top 15 research universities in Canada with 22,500 students from over 100 countries. They have a 16:1 student:staff ratio and an annual budget in excess of $1bn which includes $9.2m of scholarships and bursaries. They have 120 Graduate Degree Programs (taught postgraduate) and over 200 undergraduate degree programs. It snows regularly and can get very cold! They formally launched their information security program in June 2012, which is centred around the following three areas:

  • IT Security
  • IT Compliance
  • IT Access

It is a risk based program, meaning that priorities for investment and action are based around a risk score. Bill observed that in 2014, cybersecurity criminals were making more money than drug cartels.

A number of barriers to progress were noted which included:

  • Lack of executive support
  • Inadequate investment
  • Ineffective information security leadership
  • Information security ‘unaware’ community
  • Information security gaps especially with respect to 3rd party service providers

Practical steps

  • Ask the right questions to the right people
  • Don’t adopt every aspect of a rigorous standard (like ISO27001), use common sense
  • Focus on information lifecycle
  • Insights will come quickly once you start working with your stakeholders. These will inform your future strategy.
  • Advance planning and effective communication are absolutely essential
  • Don’t use mass surveys (if you actually want people to provide useful information)
  • Decide how you will engage – either in person or through focused surveys
  • Keep the process simple
  • Focus on business processes and impacts on information (e.g. loss / unauthorised access) rather than using technical jargon

The University of Tampa developed a very simple spreadsheet that included each major business unit on campus, each major process within the units and the process owner. The process owner was asked to rank each of their processes on a scale of 1-5 in three areas:

  • Degree of sensitivity of the data
  • Impact of loss of integrity
  • Impact of loss of availability

The average was taken of each of the three scores for each process to arrive at a risk score for the process. A discussion was held with the process owner about the information handling lifecycle involved with each process which covered:

  • Accessing the data
  • Processing the data
  • Transmitting the data
  • Sharing the data
  • Storing the data (in both paper and electronic forms)

They also looked into whether there were any compliance requirements associated with the type of information that was being stored, and determined whether the University IT department or a third party provided the service.

Summary (University of Tampa)
Bill provided the following summary of the University of Tampa’s risk based approach to managing information security.

  • Data Discovery – find out where your confidential data resides
  • Opening the Doors to positive change in University departments. You should be seen not as people who stop departments from doing things, but the people who help them to do it securely.
  • Re-engineering information handling, which will require a change in mindset from both IT and the business
  • Getting everyone to participate
  • Security Awareness (education is key)
  • Once they trust you, they will come (bringing information about risks right to your door)
  • Rinse, wash repeat (continual process)
  • Collaborate to reduce risks

Blog_4__slide1Always remember there are a lot of things we don’t know that we don’t know, as demonstrated by this slide.

 

 

 

 

Summary (University of Saskatchewan)
Lawrence focussed mainly on the best way to present information security risks to University senior management. This is done most effectively when the senior officers of the University understand and accept the cyber-risk. In addition:

  • The information presented must be in a familiar format, as we cannot afford for the busy people we are trying to communicate with wasting time trying to understanding the presentation format.
  • We need to focus on risk information and focus on the high risk areas when talking to the University executive group.
  • Don’t make the visuals too complicated or people will stop listening to you and start focussing all their attention on trying to understand the graphics.
  • Read the IEEE publication (Slide Rules)

During their audit, they discovered an internet accessible incubator control unit with a built in web server. On further investigation, if this had been hacked and the incubators shut down, then thousands of cute little chicks would have died (and research would be put back two to three years). They also found a robot roaming the hall talking to patients which the department was trying to control remotely by adding it to the wireless network. This robot was big enough to cause serious injury to somebody if an authorised person managed to take control of it.

Blog 4_slide2The key stakeholders that Laurence identified were cyber security professionals (never be afraid to ask for help) and the staff and students at the University. It is vital that those closest to the business processes are closely involved in the threat and risk/privacy impact assessment process. The world of cyber security is a fast changing one, so dedicated cyber security professionals, either internal or external are vital in order to keep abreast of emerging threats and techniques to combat them. As an institution, we need to own risk and manage it.

Some particular suggestions for ways in which to present the information security risks included using a Gartner-style quadrant with likelihood on one axis and impact on the other. Then encourage your senior team to only focus on the top-right quadrant, whilst being able to see at a glance the entire risk landscape.

slide3

An alternative is to use a radar plot to display how well the University is doing with multiple aspects of a particular IT security concern.

Overall this was a very informative session with some practical takeaways on how to both manage information security risks and communicate this to senior managers.

 

 

 

 

Project management tools and project management offices

michelle

 

 

Michelle Griffiths
ITS Project Manager
IT Services
University of Oxford
Member of UCISA-PCMG

 

 

This Educause session presented by Randall Alberts, Assistant Director, Ringling College of Art and Design, was led as a discussion session, which was started off by all attendees logging onto a direct poll website and answering questions about their organization and what topics they would like to discuss during this morning’s session.

Randall told the group about the committee that he chaired, the Educause Project Management Constituent Group (PMCG) . The group brings together like minded people who have the same interests and areas of focus, sometimes referred to as “birds of a feather”. You can post questions to the group and get answers from your peers. This seems a very similar setup to the UCISA Project and Change Management Group. He also went onto say that they have monthly call-ins with guest presenters on various topics. The website contains past archive information so that you can tune in and watch past presenters.

The direct poll stated that the top topic that the group wanted to cover was project management tools.

Project management tools
Randall suggested that you must first start with pen and paper to define your user processes before you touch on tools. He stated that at his institution they use spreadsheets and share point. Each of their projects will have a share point site that they use as a document repository and to host project plans and schedule information.

The discussion was then opened up to the floor, and the following points were made:

  • Different departments tend to use different tools; it is difficult to get an institutional strategy rolled out so that they could all use common tools. People don’t tend to use the tool if it’s not in their culture.
  • Dynamics and Trello seem to be a commonly used combination of tool sets, along with Microsoft Project online and Office 365.
  • The culture of the Project Management is very important, along with resource allocation tools, which would prove to be very useful.
  • Plan view is another tool that was mentioned (resource & portfolio management tool, capacity planning, scorecards and dashboards)
  • Google Gantt was also mentioned.
  • If you want to roll out a project management office (PMO), you need full support from the CIO.
  • Timesheets are submitted on-line.
  • Service Now  was also mentioned, but with a caveat to say that there are better tools out there, such as Team Dynamix.
  • Tools are not just tools.

What defines a project?
Randall asked: “What defines a project?” The answer from the floor was that whatever is on the CIO goals list will be run. This is defined by a set of categories, which form the basis for project prioritisation. The group discussed categories of projects and what defines a small, medium and large/strategic project. A substantial project was seen as being more than 80 hours and consisting of cross-departmental working.  Returning to theme of what defines a project, Randall suggested that it could be defined as a “Temporary or new endeavour to deliver a service”.

Project management offices
The topic of discussion moved onto project management offices (PMOs), which resulted in the following points:

  • It is important to get buy in from the top when establishing and funding a PMO, difficult to justify the cost of setting it up and on-going.
  • Some institutions don’t call it a PMO as it is seen as a fashionable buzz word
  • Vendors can charge up to $175 per hour for a contract project manager who that essentially manages your internal project management. If the vendor thinks it’s important, then so should we!
  • Academic affairs don’t trust IT Services to manage their projects for them!
  • A lot of the time, IT Services is expected to fund business systems projects. Randall Alberts gave an example of one department that he loaned a server to, which they wanted to keep and use to host a critical worldwide deployed web site.
  • Project managers need to get involved on day one to gather requirements and start off on the right track.

Perpetual Honeymoon: How to build the (almost) perfect business collaboration

Tim Banks
Faculty IT Manager
University of Leeds

I have just attended a really interesting session delivered by Bill Hogue, Director of IT (CIO) at South Carolina University. He started by telling us that in 2014, he received a phone call from the Vice Chancellor (President) of the University with news of a new initiative, partnering with IBM for delivery of some of the core University IT services. His exact words were “It’s a great opportunity and I know you’ll be excited by it”

Bill has been seeking new model for IT delivery at University of South Carolina since 2004 and was convinced that the future of IT was going to be about partnerships, not least because the world of IT was changing so fast and the staff and students at the University now had access to world-class IT services at commodity items in their everyday lives. On January 1st 2015, the University of South Carolina entered into a 10-year partnership valued at an estimated $100m dollars. The actual contract value is less than this figure, but Bill is sure that more opportunities to work with IBM will present themselves over the contract period. He summarised the whole 15 month contract negotiation period and the first 10 months of the partnership into two basic principles:

  1. Know yourself
  2. Know your collaborator

He also sounded a note of caution which was an idea commonly attributed to Peter Drucker, namely “Culture eats strategic planning for lunch”. In other words, no matter how much strategic planning you do, if you don’t have a grip on your organisational culture and haven’t prepared your organisation for change, then your strategy will fail.

http://www.strategy-business.com/blog/Strategy-or-Culture-Which-Is-More-Important

Assumptions

Bill then went on to list five assumptions about IT in Higher Education, as follows:

1: ‘Keeping the lights on’ is necessary but not sufficient on its own to deliver world class IT service. The important thing is how we serve the University and how we serve the Faculties. He told of the Director of Facilities at a University where he had previously worked who had a sign on the back of his door which he saw every time he left his office which read: “What have you done for the students today?” We should always remember why do we do what we do at the University.

2: Most of us are not receiving A+ grades from the staff and students at our institutions for our delivery of production services. It might be OK, but we are not doing a terrific job.

3: Our grades will get worse unless we do something different. Our expectations in IT are driven by consumer IT services; the challenge is only going to get harder. Currently there are 13 billion devices on the internet and this number is growing daily.

4: Running world class IT services is not a core competency of the University. The focus is teaching, learning, research and partnerships and we tend to be just ‘OK’ at delivering IT.

5: Most of us are in the early stages of transformation programs that promises to be disruptive. The IBM Institute for Business Value said in a recent report: “Demands on and in University IT Services continue to rise […] Both academic and industry leaders believe the current HE system is broken. We need a more practical and applied curriculum to exploit disruptive technologies and develop more partnerships.”

The Deal

Seventy three positions were transitioned from the University being the employer to IBM (without the individuals changing location / office etc.) Bill spoke about the need to handle this process very carefully and to ensure that all the University senior managers, including HR are on board with the process. The contract is mainly centred on delivery of Enterprise Resource Planning (ERP) systems, as this is where it was felt that IBM could deliver the best value.

A brand new Centre for Applied Analytics and Innovation is being built. This will house IBM experts in this field alongside University researchers. There were many similarities with the recently launched Leeds Institute for Data Analytics (LIDA) http://www.lida.leeds.ac.uk  at my own University of Leeds.

There are also plans to launch several apprenticeships with both staff and students working closely with IBM to develop new skills at the leading (or possibly bleeding) edge of IT development. A key factor in the partnership is the University’s access to IBM’s Watson technology, which IBM describe as ‘Cognitive Computing Systems that understand natural language’. http://www.ibm.com/smarterplanet/us/en/ibmwatson/

One of Watson’s main benefits is undertaking large scale real-time data analytics to identify ways to improve operational efficiency in finance, purchasing, facilities management etc. If the University of South Carolina is able to save just 1% on its annual $1.5bn budget, then that is a lot of money that can be reinvested in core business. This also opens up new areas of research opportunity for both staff and students to work with the Watson technology.

Bill then went on to expand on his two core principles, as follows:

Know yourself

  • Why are we doing this?
  • We can’t assume that we have a unified agendas. He could think of at least a dozen potentially competing agenda for wanting to develop a partnership such as the one with IBM that include:

o    Economic development
o    The Leader’s Legacy
o    Getting free stuff from the partner
o    Wanting to improve services
o    The need to save money
o    Minimising or spreading risk associated with IT delivery

  • IT will continue to develop over time
  • It takes a firm commitment from the senior management at the University

o   Partnerships such as this can and most probably will be very disruptive
o   Needs total support from senior leadership team (Finance, HR, Student Education, VC, ProVCs etc.)

  • You need a comms strategy to manage the message that stakeholders are receiving
  • You need to be understanding towards affected employees. You can’t turn you back on staff who have worked at the University for many years and think of them as ‘IBM’s problem’

Things that can go wrong

  • Deals don’t always work out – you need an exit strategy
  • You need to get good at negotiating terms with the private sector with people who do this all day long for IBM
  • You need to recruit new ‘talent’ including people who love to read contracts
  • You are dealing with an organisation that is in this to make a profit and they will do this at your expense if they can get away with it.
  • That’s not a bad thing so long as you manage to negotiate fair terms and the University gets what it wants out of the deal too
  • There will always be ‘cave people’ who are always against everything. Be prepared for scrutiny and criticism.
  • Be prepared for inconvenient truths. You may find some things out about your organisation, staff and even yourself when your partner takes a long hard look at your with their world-class perspective. You may find out that some of your operations are not as world-class as you would like to believe.
  • Some of your customers will resist the new business model

o    Your customer base has to change as well. That can be a hard sell
o    They may not be interested in engaging in new processes “The old ones were just fine thank-you very much.”

  • The timing of introducing a change like this will never be right. You have to accept that it will be inconvenient and disruptive.
  • You must remember to have some fun, be creative and sustain a spirit of adventure.

o    Remember to keep talking about the 10-year strategy, not the 10 day problems.

Know your collaborator

  • They are not a 501C3 (US speak for non-profit organisation)
  • Understand their culture. The University is not going to go corporate and your partner is not going to become an academic institution. You must find your common ground.
  • Your collaborator will bring their very best people “the A-team” to the negotiating table. You have to be aware that the actual delivery may be by the B-team or the C-team. IBM has 435,000 employees worldwide. Not all of them are in the A-team. Make sure you retain the right quality of delivery once the contract has been signed.
  • Who are the champions? What are their strategies? You must understand their agenda.
  • Be prepared to receive help from a lot of different sources (not all of which will be helpful).
  • You need to be prepared to stay the course.

It was a fascinating account of a very ambitious project. I couldn’t help but think that we need to increasingly take a lead from organisations such as the University of South Carolina. There are of course challenges, technical, human and cultural but we shouldn’t let these alone prevent us from taking brave decisions to do the right thing for the future of IT in our institutions of learning and research.

Motivation and the Nobel Prize

michelleMichelle Griffiths
ITS Project Manager
IT Services
University of Oxford
Member of UCISA-PCMG

A keynote presentation at Educause

In The Cascade Effect – How small wins can transform your organization, Daniel Pink began by discussing motivation from a perspective of science. He said that everyone in the room was an expert in motivation but they might just not realize it! He explained that we also have an explicit knowledge in physics, even though we may not have studied it as our major.

He invited the audience to consider: “When do you reward good and bad behaviour?” and asked us “Does this change behaviour?”  He added that if a larger reward is provided it leads to a poorer performance, according to research, quipping that “this could not happen in the USA but maybe in France!”

Key points

  • Controlling the contingent record: – If, Then, Else
  • Rewards ensure performance, they also get our attention
  • Even for rudimentary cognitive skill, larger reward led to poorer performance
  • Pay people fairly and pay people well

Daniel then cited the following Gallop statistics: three in ten Americans are engaged in their jobs; five in ten are not engaged in their jobs and two in ten are actively disengaged in their jobs.

Key points

  • Engage by being self-driven not by being managed or controlled
  • Traits of a good manager 1. High Standards, 2. Autonomy, 2. Expertise

Outside the day job
Daniel went on to discuss a case study focusing on Graphene which is a material developed by the University of Manchester that is lighter but stronger than steel (it recently won the Nobel prize in Physics). The product was developed not in people’s day jobs but as part of Friday evening experiment time. Staff were advised that do anything they wanted to as long as it wasn’t boring!

He suggested that management teams need to look at putting some time aside. Even if it’s just an hour per week that the staff are away from the ‘phones, they can develop new strategies/improvements in working.

He added: “An email a day keeps the micromanagement away” and advised us to log the progress we make each day as it important to keep our motivation up.

He advised that we schedule weekly 1-2-1 sessions with our staff and vary what we cover, with topics such as:

  • What are you working on?
  • What do you need?
  • What barriers are you facing?
  • What is your long term career goal?

Insights from US and Canadian institutions on risk management and information security

michelle

 

 

Michelle Griffiths
ITS Project Manager
IT Services
University of Oxford
Member of UCISA-PCMG

 

 

Here are some highlights from a session I attended today about the application of practical risk management strategies, presented by the University of Tampa and the University of Saskatchewan.

    Overview – University of Tampa

  • Tampa – 8000 students from 50 states and 140 countries
  • 65% of full time students live in campus housing
  • Information security programme was started three years ago
  • CISO (Chief Information Security Officer) reports to the UT President
  • Co-manages a cyber security lab
  • Only school in the States that has reached full ISO/IEC 27001:2013 accreditation
    Overview – University of Saskatchewan

  • Member of Canada’s U15, top 15 research universities
  • 22,500 students from 100 countries
  • 16:1 faculty to student ratio
  • Info security programme formed in June 2012
  • Three representatives – ICT Security, ICT Compliance and ICT Access
  • Risk based programme not enforced
  • SSO (Single Sign-On) – for all systems that is managed by five staff
  • Cyber security challenges – Profit, risk and loss
    Risk management should focus on:

  • Lack of executive support
  • Inadequate investment
  • Inefficient investment
  • Inefficient info security leadership
  • Info security gaps
    Risk management challenges:

  • Things you don’t know/realize
  • Things you realize you don’t know
  • Things you realize you know
    Practical approach to risk management:

  • Answers are at your fingertips
  • Don’t worry about adopting every aspect of a rigorous standard approach
  • Focus on Info security lifecycle
  • Get Exec level buy-in
  • Get the stakeholders’ perspective on risk – admin staff and faculty

Resource:
Educause security awareness resources

Conversations and opportunities – the American way

Tim Banks
Faculty IT Manager
University of Leeds

Reflections on Day 1 at Educause 2015

Observation 1: This conference is big…really big. Over 7,300 delegates are attending this year’s Educause conference, which is being held in the Indianapolis Convention Centre. The venue is mind-bogglingly big, covering an area of 120,000m2 (1.3m square feet), including 50,000m2 (566,000 square feet) of open exhibition space across six blocks. IMG_8891There are 71 separate meeting rooms, which have been used by over 30,000 Star Wars fans during the two Star Wars Conventions that have been held here in recent years.

The exhibition hall is vast, with stands from over 250 suppliers, from small start-ups to global IT giants. There are up to 30 parallel sessions at any one time, making selection of the right one based on a short text description quite daunting.

Observation 2: The conference is very well organised (and sponsored). Despite the huge numbers of people and enormous scale of the venue, everything runs very smoothly, with few or no queues. The venue and organisers seem to have struck the right balance between the number of people attending and quantity of essential facilities on offer (catering, toilets, drinks stations etc.). Sessions start and end on time (by and large), and there is enough time built into the programme for the 10 minute walk between rooms.

Observation 3: The quality of the parallel sessions is variable. Some parallel sessions are most definitely better than others, although I have not found one today which I would class as truly ‘excellent’. This situation is helped by the fact that if you are really not getting on with a particular session, then nobody bats an eyelid if you stand up in the middle of it and walk out; it seems to be quite normal practice, and something which I have put to good use today on more than one occasion.

Observation 4: The people are very friendly and approachable. Conference delegates are happy to just talk to you if you approach them. I spent lunchtime sat on a table with attendees with varying degrees of hearing impairment, and we had a very interesting (sign-language interpreted) conversation about delivery of IT services and optimisation of hearing aids for listening to music. I was fondly referred to as ‘UK Guy’ by another attendee in the one of the sessions, so am thinking of a requesting a new conference badge proudly displaying my new pseudonym.

Observation 5: We are not going to starve or go thirsty. Cans of Coke, Sprite and other hot and cold drinks appear at regular intervals throughout the day; at lunchtime, enough food to feed several armies appeared from nowhere; cakes, pastries and chocolates were provided during the mid-afternoon break, and then during the early evening canapes, mini burgers, pasta and nachos were being served…

IMG_8898Observation 6: The suppliers’ fair is very useful. Due to the size of the conference, anybody who is anybody in the world of IT delivery is represented here with their top sales and marketing teams. I have had many extremely useful conversations with major global IT suppliers that just wouldn’t be possible if I tried to make contact by phone or e-mail. The quality of the freebies seems to be significantly better than previous conferences I have attended.

Observation 7: The US Universities are quite some way behind the UK in several key areas of IT service delivery. It is clear from listening to both speakers and delegates from the USA that they are several years behind the UK in areas such as Information Security, IT Service Management, implementation of the ITIL framework, and splitting budgets into ‘business as usual’ delivery and project work. This came as quite a surprise to me, as I had assumed that US institutions were at the same level of maturity or better than the UK sector.

It has been an exhausting, but very productive day. My next blog post will give a detailed overview of today’s sessions.

Snake oil or common sense? Demystifying risk management

Tim Banks
Faculty IT Manager
University of Leeds

Let’s face it; risk management doesn’t have the best reputation. Many institutions see it as a necessary evil; something to keep the auditors happy, a document to pull out of the filing cabinet once a year. Something that has to be done, rather than something that people want to engage with. Proper, active IT risk management can be of enormous benefit to an institution and is the foundation upon which professional quality IT services should be built. However, this requires IT staff at every level to see risk management as a live, ongoing process, rather than just an annual activity. We all undertake risk assessments on a daily basis, not because we feel we ought to but because we see the value in doing so. Every time we cross a road, pick a child’s toy up from the floor, prepare a meal or get in a car we are (often unknowingly) assessing likelihood, impact and making judgements on how to proceed based on the overall risk level.

Let’s focus on that last example of driving a car.  The bad thing that could happen (impact) is serious injury or death resulting from a crash. The chance that it will happen (likelihood) depends on a series of triggers such as excessive speed, mechanical failure, poor weather etc.

In order to manage the risk of something bad happening, we implement a series of control measures, each of which requires checking (auditing) at different intervals.

Examples of control measures that reduce the likelihood of a crash are as follows:

  • For example, we make sure that our driving speed is appropriate to the road conditions and monitor this every few seconds whilst driving.
  • We make sure that our car is mechanically sound by putting it through an MOT test every year. However, if we hear strange noises before the next MOT is due, we don’t just ignore them – we make sure that the car is checked out by a mechanic.
  • Tyre condition is something that we would (or at least should) check weekly and when it’s wet, we use windscreen wipers to reduce the problem of poor visibility in wet weather.

Control measures to reduce the impact of a crash might include:

  • Wearing a seatbelt (which we check is securely fastened each trip; the actual belt is tested every year with the MOT).
  • Airbags (again checked every year).
  • Motorway crash barriers (installed and checked by the Highways agency).

When driving, we don’t think it’s acceptable to just check your speed once a year, but equally don’t try and test the airbags every trip. We have an audit schedule that is appropriate for each control measure. Each control measure is audited by somebody appropriate (e.g. qualified, experienced MOT tester, driver, highways agency engineers). Some are within the direct control of the driver, some need to be actioned and checked by the driver and others have to be entrusted to 3rd parties. We should take the same approach to managing risk in IT services.

I have signed up to attend several risk management sessions at EDUCAUSE 2015 and will report back on them in other blog posts.

Disruptive statistics, Linux containers, extreme web performance for mobile devices

Giuseppe Sollazzo

 

 

 

Giuseppe Sollazzo
Senior Systems Analyst
St George’s, University of London

 

 

 

 

Day one at the Velocity conference, Amsterdam

What a first day! O’Reilly Velocity, the conference I’m attending thanks to a UCISA bursary, is off to a great start with a first day oriented to practical activities and hands-on workshops. The general idea of these workshops is to build and maintain large-scale IT systems enhancing their performances. Let me provide you with a quick summary of the workshops I have attended.

Statistics for Engineers
A statistics workshop at 9.30am is something that most would find soul-destroying, but this was a great introduction on how to use statistics in an engineering context – in other words, how to apply statistics to reality in order to gather information with the goal of taking action.

Statistics is, indeed, very simple maths and its difficult yet powerful bits allow practitioners to understand situations and predict their outcomes.

This workshop illustrated how to apply statistical methods to datasets generated by user applications: support requests, server logs, website visits. Why is this important? Very simply because service levels need to be planned and agreed upon very carefully. The speaker showed some examples of this. In fact, the title of this workshop should have been “Statistics for engineers and managers”: usage statistics help allocate resources (do we need more? can we reuse some?) and, in turn, financial budgets.

The workshop illustrated how to generate descriptive statistics and also how to use several mathematical tools for forecasting the evolution of service levels. We have had some experience with data collection and evaluation at St George’s University of London, and this workshop has definitely helped refine the tools and reasoning we will be applying.

Makefile VPS
This talk presented itself as a super-geeky session about Linux containers. Containers are a popular way to manage web services that does not require a full-fledged physical or virtual server. They can be easily built, deployed, and managed. However, they are rarely properly understood.

The engineer who presented this workshop showed how in his company, SoundCloud,  they build their own containers to power a “virtual lab” in order to simulate failures and train their engineers to react. His technique, based on scripts that build and launch containers at the press of the “Enter” button, is an effective solution both for quick prototyping and production deployment whenever docker or other commercial/free solutions are not a viable option (due to funding or complexity).

As much as this was quite a hard core session, it was good to see how services can be run in a way that makes their performances very easy to manage. This is definitely something that I will be sharing with my IT colleagues.

Extreme web performance for mobile devices
A lightweight (so to say!) finale to the day, discussing how mobile websites present a diverse range of performance issues and what techniques can be used to test and improve. However, the major contribution from this session was to share some truly extraordinary statistics about mobile traffic and browsers.

For example, the fact that on mobile 75% of traffic is from browser and 25% from web views (i.e. from apps) – 40% of which is from Facebook. Of course, these stats change from country to country and this makes it hard to launch a website with a single audience in mind. For universities, this becomes incredibly important in terms of international students recruitment.

Similarly shocking, we have learnt that the combination of Safari and Chrome, the major mobile browsers reach 93% on WiFi networks but only 88% on 3G networks; this suggests that connections speeds still matter to people, who might opt for different, more traffic-efficient browsers in connectivity-challenged environments (for example, OperaMini goes up from 1% to 4%)

One good practical piece of advice is to adopt the RAIL Approach, promoted by Google, which is a user-centric performance model that takes into consideration four aspects of performance: response, animation, idle time and loading. The combination of these aspects, each of which has its own ‘maximum allowed time’ before the user gets frustrated or abandons the activity, requires a delicate balance.

There was also some good level of discussion around the very popular “responsive web design”, a technique that has become a goal in itself. The speaker suggested that this should be just a tool, rather than a goal: users don’t care about “responsive”, they care about “fast”. Never forget the users is a good motto for everyone working in IT.

Summary
Velocity’s first day has been a very hands on day. The overall take-home lesson is simple: managing performance requires some sound science, but with adequate tools and resources it’s not impossible to do it on a shoestring budget and in an effective way. As I’m an advocate of internal resource control and management with respect to outsourcing, today’s talks have surely provided me with some great insight on how to achieve this smartly.

Aside from this summary, I’ve also been taking some technical notes, which are available here and will also contain notes from the future sessions.

Risk management and learning from failure

simon

 

 

 

Simon Geller
Senior Project Manager
University of Sheffield
Member of UCISA-PCMG

 

 

I made it to Indianapolis in time for Peter Tinson’s induction session. That was helpful, and it was good to meet up with UK colleagues or dinner.

The morning plenary started at 8am – not a problem for me as my body clock is still fixed halfway across the Atlantic – with the usual welcome from the CEO of Educause and thanks to the organisers.

Then we got into the star performer of the morning – Daniel Pink on motivation. He’s a good speaker and kept the audience engaged, as indeed a good motivator should!

Risk management and learning from failure
I then attended “A practical approach to risk management” (up my street, as I was lead author on the UCISA-PCMG Toolkit on risk).  However, this session really just focussed on well-known tools and techniques and how they had been implemented at particular institutions.

Of more interest was the following session on how organisations can learn from failure – this was run in a highly collaborative and participatory way, with an open Google doc used to capture thoughts from the participants.  As well as comments in the room and the session had its own Twitter tag, #edu15fail.