Australian Certs

I met with Greg Dark from the Australian Tax Office today. Australia and the UK have followed broadly similar e-government agendas over the last couple of years with each country moving a little ahead of the other alternately. Today, I think the ATO are a bit ahead again. They have a new tax portal that looks pretty good – it offers a lot of interactive services (which you won’t be able to see unless you are living in Australia and have a reference number for your business – an ABN). But, most interestingly today, they are moving ahead with certs … but not government issued certs which is where they’ve been to date. The big 4 banks are going to issue token-based (i.e. smart card) certificates, along with the readers needed. I am sure that there are going to be hardware problems and operating system configuration issues with this, but it’s great to see someone else taking a punt on this. And, because it’s coming from the banks, there will be commercial support and useful things to do with the certificate that are not just government based. More than a year ago, maybe as long as 2 years ago, the banks here were talking about something similar, using the same vehicle (Identrus) but with software certificates. That just doesn’t seem to have got anywhere. Will it ever?

Open e-government Sauce?

John Gotze’s been getting excited about open source opportunities in recent posts, driven by the usual suspects promoting laws to prevent it being given preference over proprietary solutions and a couple of conferences here and there (the latter ‘there’ being a Danish ‘there’). I’ve been reading all the stuff for a while now, partly driven by pointed comments from John Lettice, partly by our own open source policy and partly by excitement such as John’s. I guess I’m struggling a little over some points and, in trying to get clarity over these points, all I get is the usual positional arguments. This (the e-government agenda) is not a religion for me – but it is a passion.

So, a few points, questions or issues:

Let’s say I get some software that’s open source – maybe JBOSS (an app server that competes with weblogic amongst other things). Being government there are bound to be some things we’ll want it to do that it doesn’t do today – perhaps give it better clustering support, enhanced performance, stronger security features or more advanced administration tools (all problems with the present version from what I can see). It may not be in my best interests, as government, to put the code that I’ve modified back into the public domain, especially not in the security features. If I do, then people know (far, far better than they know today) what we’re doing and can look for ways to exploit it. If I don’t, then next time there’s an upgrade (based on work of all the people who do put their work back, I’ve got to do lots of integration testing, regression testing and so on. So … do I put the enhancements in the public domain or not?

Let’s then say that using the software I create a product – like a DIS box that connects departments (and local authorities etc.) to the Gateway. The software that I develop will need to be installed around dozens or even hundreds of departments. Now, I don’t do that … commercial organisations do that and they handle the integration and whatnot too. But how do they do that if I’ve built the open source version of a DIS? Do I just give it to them, can I sell it to them to recoup the costs that I have incurred in putting the thing together in the first place? What about if it’s not me that puts the DIS together, but a commercial organisation … how do they recover their costs? They can’t just sell the hardware … and if they sell a support agreement, then isn’t it going to cost about the same as the software licence in the first place (on the basis that it must recover costs)?

Something else that is puzzling me is all of the talk about open source and not much sight of it actually happening. I hear a lot about people not wanting to go public because they worry that it will send a signal to someone or other and that it might be misinterpreted. This strikes me as crap, but there are not major stories every day on new adoptions of open source. Or are there and I’m just missing them? I mean the German government announced not long ago that they were going to pretty much mandate it; IBM is putting at least a billion dollars into open source developments …. but what’s being done? And I mean on a scale, commercial, fully performant basis here. I know that this site runs on linux – and that’s a part of open source but I don’t think it’s the big part. For me it’s the packages and integration of systems that are going to be important – how do you take JBOSS and some open source content system and an open source caching software and piece them all together to deliver a fully functional portal with no commercial software in it? When it’s built, how do you keep it current, add functions and capability, block security holes, deliver scheduled releases with fully tested feature sets and so on. Is it just too early in the programme to expect this?

I don’t want to be flamed here – I want to know how to get round (or over) what appear to be the early obstacles in the roll-out and scale deployment of open source software.

Cascading along

At the beginning of the year I read a piece on Acts of Volition about Cascading Style Sheets, XHTML and other stuff. At the time, I wasn’t sure that I fully understood it all, but shortly after we kicked off work on a further refresh to ukonline. Right up front, it was clear that this was the way to do it. We’ll be relaunching before the end of the first calendar quarter next year and, although there won’t be dramatically visible change to the citizen, the work that’s gone on under the hood is significant. Load times will be faster, support for screen readers will be improved, a greater range of browsers should be supported more easily (let’s not talk about digital certificates here). So, I was gratified to read having made this move that Wired was doing the same. We’re doing extra work with uko so that other departments will be able to drop their content into our existing platform and then manage their site directly, without needing to to endless design work, without needing to implement a content management system and without needing to buy hosting environments. Lessons learned and all that.

Then, my weekend was made further when John Leyden at The Register published a great piece showing how e-commerce sites (banks in this case) struggle to cope with the various browsers that are available today. Browser variety is no fun – a webpage is a webpage to me and having to cope with the foibles that each company’s software displays is frustrating. Now there’s a good problem to crack.

Hacked?

Blogger was hacked sometime last night … “Blogger has suffered a security intrusion by a ‘haX0r’. We have all the data that was changed backed up within a couple hours of the attack”. Change your passwords if you use this service.

No wonder I’m no techie

Been having some fun and games today. My limited knowledge of all things technical meant that I killed the template that I use for this Blog. I couldn’t find a way to get it back, so I thought I’d use the loss as an excuse to do a new one – Blogger (it turns out) has quite a big choice. I’m not much of a fan of this green and as soon as I can figure out the hex code of something more palatable, I’ll change that. But I’ve got the titles working, added some links to people I read a lot (in no special order) and got the archives on the front page too – I’d prefer one of those little calendars that you just click the date on but can’t find out how to do that. Some other time. As a complete non-techie the process was a bit of a challenge – make a change, publish, check it’s ok, (it’s not), do it again … repeat until true. No wonder content management systems exist.

20 years on … plus ca change

I’m sitting here, on a Friday night, watching old episodes of “Yes Minister”. Tonight’s episode, first broadcast in February 1980, is on a “big brother” project to build a single database that would store all citizen’s details: health records, tax records and so on. The conversation goes back and forth about why you can and can’t do a project like this. The exact project doesn’t make a lot of difference, says “Jim Hacker” – the issues usually boil down to the same: legal, technical and administrative. The follow-up episode talks about open government and reductions in civil service headcount. Great fun, hugely prescient and wonderfully warming that so much that has gone before is coming again! There’s a little note at the front of each episode that says something about taking the stories after reviewing contents of the Parliamentary Library; wonder how close that is to the truth?

Public sector IT project failures have been in the news recently … Simon Moores commented on the recent NHS e-mail system procurement, Michael Cross published a piece in Computing, Steve Ranger in Computing and this week’s Economist carries a piece on NHS IT, prodded by Richard Granger starting work as head of IT there (you won’t be able to get this last piece unless you are a subscriber).

I’ve heard comparisons between public and private sector before, along with appropriate cautionary tales about them not being directly comparable. Maybe that’s to … but not completely. Private sector projects fail, fail dramatically and fail often – you need only look at the 98% of dotcom companies that have gone under or the telcomms companies that have failed for examples. Public sector projects are significantly more heavily scrutinised than private sector ones – if a project is late, over-budget and under original specification it is audited at least three times in the public sector (local audit, the National Audit Office and the Parliamentary Advisory Committee), each of which is likely to make their results public – and often within the same year that the issue occured. When was the last time you saw a CEO stand up and apologise to his shareholders for spending, say, 50% more than expected on a project? The answer to that is, of course, only in a bear market – by which time the old CEO is gone and the new CEO finds it in his best interest to surface all the issues that he/she can so that there is a clean slate to start with. All issues are blamed on previous incumbents. The list of these is legion: Enron, Worldcom, Tyco etc. If you want to include CEOs that have been given a hard time because their strategy was not working, then the list grows longer (C&W, Vivendi and so on). Steve Case at AOL does not tell us exactly how much AOL v8 has cost to develop; nor does Bill Gates tell us how much the latest release of Windows has cost (versus how much it was expected to cost). There is a big shortage of obvious data for private sector failures.

Turning (at last I hear you say) to the public sector: the fundamental issue is a lack of skills in the civil service. Project management is not a highly valued skill, project delivery is even less valued. Large numbers of what today we’d call “intelligent customers” have been outsourced to suppliers over the last few years as the public sector has, rightly, tried to focus on what it does (policy and government) versus what it doesn’t (IT). In the absence of these smart people, requirements are not buttoned down at the beginning, stakeholders are not consulted fully and often enough, technical issues are not explored and opened up early in the process and suppliers are used for market intelligence and decision processes rather than in-house resource … so projects kick off, get into difficulty and have few choices but to carry on in the hope that they can sort themselves out. Sometimes they do, mostly they don’t.

Projects need full weekly reviews, sometimes daily reviews – with all participants. In government, project boards meet monthly, have papers a week in advance and do not usually consist of “intelligent customers” either so are unable to get into the detail of an issue (how could they? Project boards are made up of people several steps away from the specifics of the project). Project boards are there to give direction – to decide what the scope should be, to make choices between several courses of action; to cover issues that are not absolutely time critical. But if a decision needs to be made TODAY about whether something should be in or out, a project board meeting is just too far away; the issues are too complex and the attendees unlikely to have grasp of the day to day detail. In the private sector, the team is likely to be able to take the decision and tell the board what has happened so that they know.

Public sector techniques are improving here – Peter Gershon’s OGC Gateway reviews are a big part of the improvement. But there is a need for more … questions need to be asked in a couple of ways “is this the right thing?” and “are we doing it right?”; bad projects can be killed off early with the right controls. Resource can be focused on the “right things”.

The second issue relates to “intelligent suppliers”. There are few suppliers that are able to manage their client, especially when the client is as complex and difficult as government. Despite the transfer of resource, the middle tier of managers at the supplier end are not good enough at spotting the issues above either; not good at managing risks and putting in place the right mitigation or dealing with more than one issue at a time. So, both sides bumble on with issues buried at the coder level, deep in the technical architecture or just in plain bad requirements – and they are not realised until it’s too late. Typically, we have relied on a “prime” supplier to manage the dependencies between companies. What this has resulted in is prime suppliers that struggle to integrate a range of different providers, add layers of cost on the initial quotes and reduce the transparency available to the project management team.

The third issue is one of scale. Few private sector projects touch quite the same number of people as the average public sector project. Many private sector companies have reached equivalent scale – eventually. But not so many have to launch on day one catering for benefit payments for 10 million, 20 million or more. Scale delivery requires a different mind set when it comes to building systems and, especially, testing them. There is limited specialist testing capability in government – people that can really think through the end to end issues, simulate the scenarious, figure out what the right result should be – all with a vast set of circumstances to consider.

So … what to do?

– The public sector needs to make “delivery” a firm competency that is rewarded – both financially and organisationally. Projects should not be the poor relation to policy. The solution is not to dump more Prince2 documentation on people or provide more training. It is to establish a career structure for technically competent project staff where they are rewarded and even incentivised directly for successful delivery.

– “Intelligent customers” need to be recruited from around government and deployed on the most significant projects. These are going to be specialist people who will move around from department to department. They will manage big programmes for two to three years at the very most and then move on. They will also be deployed into failing projects (because some will always still be on the critical list) for short periods to put them back on track. A solid career structure will be needed if these folks are to be civil servants, else the departments will forever have to rely on capable contract staff recruited at high rates for short term roles with minimal skills transfer involved.

– Suppliers should be encouraged to move away from the traditional “prime contractor” process where issues are hidden several layers down. Instead they work in a “top table” fashion – all represented on the project team and equally able to identify, raise and resolve issues. Suppliers will need to work in new ways with the new types of project managers that government needs – the old way of hiding issues, negotiating from a position of strength (after all, who else is government going to choose?), blaming scope changes on the department and not on inflexible methodologies and poor discipline … all of those have to go.

– OGC Gate reviews are already well entrenched. Their scope should be expanded to include not only “is the project doing things right” to “is this the right project to do”; i.e. does it really make sense to do this project, or can we use something that has been done elsewhere, perhaps with minimal customisation, to deliver faster. Departments should not replicate what has been done elsewhere.

– Departments should be focused on deploying technology as it is, not with making endless tweaks and changes to a system so that it fits their process. Changing large systems is more expensive – probably by an order of magnitude – than changing business process to match a system.

– Finally and, I think most importantly, the lesson from “Yes Minister” is that there is not a single lesson to be learned that government has not already learned. Since the time when Cromwell signed himself above the Monarchy, projects have started and stopped, succeeded and failed … and government has, somewhere in its files, the details of them all. Those lessons need to be easier to find, widely reviewed, embedded in training, kept up to date and checked up on over and over. If you, as a project manager, can stare at the history of all those who have gone before you and can see what they did wrong, you are unlikely (unless you are very stupid) to make the same mistakes. Suppliers, of course, will get to see the same lessons, whichever supplier was responsible. Without true open-ness here, we will never emerge from the swamp we are in (for we are already neck deep in aligators). We can but hope.

Not my day

It’s not my day today. I’m trying to get “titles” to work properly on blogger – some blogs have a title ahead of every post. I thought this might encourage me to think up some catchy headings for my posts, but I just can’t make it work. And the blogger help pages are all “unavailable” today. Ho hummm. This e stuff has a long way to go, huh?