Sunday, September 20, 2020

Proving a Negative

Proving a negative is a tautological impossibility right?

That’s the security business. Prove that you haven’t been hacked. Of course, many vendors realize this is impossible. Fact is, it would require the customer to understand everything they do in total detail so they could call out what was bad behavior. Once again, impossible.

What else could be described this way? Quality Assurance. Prove that the software doesn’t have any unacceptable bugs. Maybe you dedicate people to this function and therefore spend the fixed costs of a sub-department with its own bureaucracy, or maybe you ask developers to spend time on it and therefore move at half speed. Maybe you strike a balance somewhere down the middle. Or you could outsource testing, either to a paid third party or your paying second party. No matter what, you’re more hopeful than certain. Sounds a lot like security.

Security vendors and thought leaders can just flip the argument: you can’t prove you’ll catch the incident of hacking, so we’ll focus on finding bad activity after the incident. Assuming the malicious actors will stay in the system as long as they like and take what they can, there should eventually be a misstep that the security team can see. Still proving a negative, but it’s tipping the scale in defense’s favor a little bit.

What’s the QA equivalent? Fuzzing comes to mind, though there are certainly humans who bring an artful chaos to their manual testing. Long term monitoring of systems can also uncover funny bugs.

In both cases, there is an argument to be made that the cheapest way out of an impossible situation is to buy insurance. The argument goes: “We can’t prove we are free of risk, so we’ll just do the minimum of due diligence for compliance and buy risk coverage.” Or from a vendor perspective, “we’ll offer a cyber warranty that we did due diligence, and caveat emptor past that.”

I am pleased that the majority of organizations I’ve worked with as a long term software monger have been motivated to act beyond the bare minimum. Whether working at a customer or vendor or partner, people want to have some pride in their work. Corners are going to be cut sometimes, but tech debt gets paid down too.

Sunday, September 13, 2020

Conference Giveaways

Remember going to conferences?

When I was a young sales engineer and going to my first conferences, it was clear that an attempt to attract visitors with a freebie or a lottery for a big thing was a strategy. Maybe not a great strategy, but there it is. Notable factors: the thing should be something that the audience would like, and a thing that’s portable for the flight home, right? Computer parts, personal electronics, lightweight clothing. Some link to your product is nice, but slapping a logo on a small toy is fine too. I fondly remember the rubber duckies in space shuttles that the customers threw into the conference center‘s fountain until it was jammed full of them and the organizers came to yell at us. Or the poor guy trying to give away Zunes who had to keep explaining that it was a thing like an iPod. If you’re really desperate, you could just give away software licenses, I suppose.

But the funniest, most bizarre conference give away I’ve ever seen was at one of the first conferences I supported. There are many overlaps between tech conferences and hurricane warning season, something about cheap conference center space I suppose. Imagine if you will, a business casual event in Miami in August with a tropical storm deciding what it wants to do a few miles away. It was hot and miserable, and the conference center was surrounded by construction that helped to keep people away. The sales critter felt that a really interesting draw would be needed. And so, a little unclear on the parameters and yet technically correct, they tried to raffle off a stack of Omaha steaks at a tech conference. 

Traffic was low. We were pitching a service that the already small audience wasn’t very interested in. And so we had plenty of time to stare at this decision and think about it, chatting with the occasional puzzled conference goer who would stop by to ask why we had a pile of vacuum packed meat in the booth. “Shouldn’t that be in a refrigerator or something?” Good question. Seems the sales critter thought that vacuum sealing was sufficient to stop spoilage. (It is not.) Some of those people would stop and chat about grills and cookouts, conversations that never went anywhere close to business.

Sometimes I think of that when people pitch their conference ideas — a couple of dozen chunks of plastic wrapped meat in cardboard boxes piled on a tiny podium in a half-empty conference center, zero connection to the intended purpose. Could be far worse though, one of these days I’ll write about my experiences with team building in the late 90s.

Monday, September 7, 2020

Consulting’s Bad Rap


Naming no names... but there’s a type of management consulting shop with an unsavory reputation among middle managers and individual contributors. Let’s look at how the reputation is earned: by training to a model that produces failure as often as not, but always successfully deflects blame.

It’s easy to find problems, and easy to sell impractical solutions to those problems. A lot harder to execute, but if you can deflect blame for unsatisfying outcomes, there’s good money to be made for a very long time.

The model is: interview, sell, train, disengage. In another post, I’d like to go into the outsourcing services variation of this model, but today’s focus is on management consulting.

Interview playbook goes like this:

  1. find the bright and moderately disgruntled. No organization is perfect, and there are respected voices with wasted cycles in every team, observing imperfections and thinking about alternatives. If they’ve discussed these ideas, they may also feel resentful or unheard. The consultant’s job is to find them and amplify their feelings.
  2. unify a group of them behind an idea. There will be a common thread or cluster of complaints, just keep digging until it appears. Remember, the most consulting friendly problems are actually problems with people communicating, so look for breakdowns between teams: process gaps, slow transactions, rework from mistakes.
  3. document and present. The artful step is now to make the problem you’ve discovered seem generally soluble, something that other organizations have faced and conquered. We need a deck chock full of industry statistics, colorful graphs, and quotes from your own organization’s respected voices. The kill slides will present estimated losses from the discovered problems.

Enterprise sales is a two-step operation: produce desire, then conclude the transaction. 

Sales playbook goes: 

  1. As my first sales weasel explained it, “find their pain”.  The interview process and presentation have produced the desire, but a good salesperson will double check that this hook is set. In consulting sales, they’re also hunting for the internal stakeholders who will champion this project, sign the purchase order, and consummate the sale.
  2. magnify the problem. Steve again: “jam your thumb into that pain and twist it around”. The salesperson is working to produce a compelling call to action, a feeling that opportunity is going to pass the organization by. The clock is ticking. How much longer can you afford to let this problem persist? “What’s it going to take to put you in a Cadillac today?”
  3. offer tools and procedure. “Sell ‘em a bandaid.” And now we are back to the consulting side of the house: what is the deliverable that the customer organization will actually get?

Suddenly our analysis deck has returned as a set of recommendations for proposed changes! Process, tools, re-organization, and suddenly your creaky old org could be shiny and new. What if you simply did better?

Some notably missing bits in this deck: 

  • why will people start behaving differently than they have in the past? 
  • How will the organization adopt this tool, process, or organizational structure without stopping the revenue stream?  
  • how will we get clean data to drive the KPIs or OKRs we’re expecting to improve?
  • do we have room from customers and competition to make this change?

Perhaps these questions are asked. Perhaps there are answers. Maybe your organization pulls back from the proposal. But if it does go forward, the next link in the chain comes into play.

Training playbook is wheels within wheels... it goes:

  1. let’s get started! The consulting leaders and consulting  juniors meet with the organization to plan. How will the proposal be made real? Typically by reduction of scope, hand off of the hard parts, and distracting preliminary projects.
  2. let’s do some stuff! Once a regular cadence of activities is established, the leaders vanish and some even more junior juniors are brought in to fill the gaps. Software is purchased, presentations are given, teams spend weeks in training and reforming to their new organization. Critically, this is where responsibility is handed from the consulting firm to the organization, if that wasn’t already clear.
  3. book-cooking. Now it’s time for another deck, showing that progress was made. Numbers, charts, at least flat with hints of improvement if not rocketing skyward. This one will be delivered by the internal stakeholder who bought the consulting engagement, finishing the process of tying their reputation to the consultant’s work. Project better work out, because bills are getting paid and other work has been impacted already.

And now, disengagement... can’t guarantee that the internal organization will be successful at this change they’ve taken on, so it’s only in the consulting team’s best interests to make some distance, and give that little fledgling project room to leap from the nest! Maybe it will succeed - after all, there’s a motivated internal champion now, possibly with a job on the line. Maybe it won’t... but the magic lies in this statement: the consulting organization is no longer connected to the project’s outcome. It’s all on the organization to sink or swim. Meanwhile, there’s another problem to investigate...

How does this model continue to find customers? Shouldn’t the marks dry up? Well, it’s a deeply interconnected web in the enterprise...

  • Appearances matter: like the mark in three card monte, the customer stakeholders left holding the bag are easily convinced to hide their mistake, or even shill with a good reference. Mixed with the base of customers who actually have a good outcome, these voices overwhelm the bitter complainers.
  • Pressure from above: the consulting organization may have pull in unexpected places, making their selection for projects a foregone conclusion
  • Potential opportunity: relationships matter, and the consulting organization could be a vein to recruit from, or a place to jump to in the event of hard times.

And so, there’s good money to be made selling clothes to the miners.

Wednesday, July 1, 2020

Sunday, March 22, 2020

Remote culture

Fully remote is a culture, not a technique — a company that is not already equipped for it can handle individual contributors working from home temporarily but will struggle to let anyone go completely remote. Tellingly, these organizations almost never support home office work for managers or executives, because their decision making processes rely on face to face.

Those managers and executives certainly do whip out their laptops and iPads at home and on planes, and it’s rare not to find some weekend hours clocked by this group of people. But the work that they do at home is typically solo work: asynchronous communication (long form writing or email exchange) is the majority, and synchronous communications (calls and instant message) are used to handle emergencies or set up a meeting at an office. Organizations have to have processes to communicate information up and down, and to make decisions based on that information. If those processes are built around office meetings, they stop working properly when important team members aren’t present, because remote meetings suck.

I think there’s lot of remote-oriented folks posting about their tools out of a genuine sense of helpfulness, and just as many blank stares on the receiving end. Instead, it would be more helpful to repost Chelsea Troy’s blog. Tools don’t fix people and process problems: the first corporations made do with quill and parchment and sailing ships, while modern corporations fail in the midst of plenty every day (never mind hard times). Extolling different collaboration tools misses the point because it doesn’t address the cultural differences between remote-rare and colocation-rare teams.

Because it is a cultural shift, going from a fully on-prem culture to a fully remote culture over the weekend is not going to just happen without some active and intent work. The good news is that there is now ample incentive to put that work in, because the alternative is to stop communicating or making decisions. Going all the way remote as Coronavirus-driven shelter-in-place orders are demanding is better than the hybrid that is tried in better times, even though it is under duress.

To be clear, I’ve worked equal amounts in remote-first and colocation-first companies, and I think that remote-first companies have a distinct advantage in the marketplace. The advantage is because there’s often more thoughtfulness and discipline devoted to communication practices. Communication processes are clearer, because chance encounters and overheard conversations aren’t a thing. A manager that is used to getting their 1:1s done by dropping by desks or taking a coffee walk will have to pay atttention and think about how to maintain communication with their team.

Decision-making processes are also clearer in remote-first, because osmosis towards a shared consensus is nearly impossible. Executives should take this time to consider how decisions are made; if the final word only happens in a room full of people, that’s going to need to change.

Unfortunately, remote-first is not a panacea, and a fully remote organization can still squander their opportunity. Anti-patterns such as closed-loop communication cells, HIPPO decisions, and analysis paralysis absolutely can and do happen.

Those are all flaws for any organization though; the worst way to fail that is remote specific is to forget about time zones. In order to work as a team, a group of people has to have some common hours for synchronized problem solving. If you don’t have that overlap, then you’ve got multiple teams. Multiple teams can depend on and serve each other just fine, but don’t mistake them for a unified whole.

Saturday, March 21, 2020

Engines and Fuel part two

Why don’t companies make content?

The best answer is that they have decided not to invest (or similarly, have not decided to invest yet). Companies are often aware of the gaps their customers complain about, and yet choose to prioritize other things.

A less good answer: they are not hiring the right people or incentivizing the right behavior, but still hoping or expecting that the content will magically appear. This company may still get lucky if their product is well aligned as a place for partners to work. A vendor with the perfect match of demand and platform can attract and support ecosystem with little effort, much as a flipped coin could land on its edge and balance there.

Next, the company that has hired and incentivized for content creation, but is still unsuccessful because the platform is lacking. Customers and field tech/service partners will use the tools to solve problems, more or less happily, but those solutions are on a black market for the company. Because there’s no official path to share, validate, or optionally monetize, the company is disconnected from its own content. At worst, it can find itself in the terrible position of trying to suppress content built by its own employees. Good news: these are simply product problems, fixable by a product team. Build a safe content development and execution chain and you’ve got an answer.

Finally, the company that has built tools, but cannot find people to use them: I don’t have a lot to say here, because it’s a basic product management problem. The product exists but does not fit the market, so it needs to be changed to do so.

Sunday, March 1, 2020

Finding the Price

Let’s dive once more into the licensing breach! Here’s the background:

What’s not covered? Well, when I wrote this post about evaluating a side business, it came close to the process for defining the price of a cost-plus service or product. That’s not a particularly hard task in theory:

  1. Find the cost
  2. Add a margin
  3. Adjust as needed per your favorite Economics 101 textbook

Of course, this simple approach will provoke sniffs of disdain in most software circles, where the dream is to write code once and deliver it forever. In software, the task is supposed to go like this:

  1. Find the value
  2. Subtract a discount
  3. Adjust as needed per textbook

If your software solves a million dollar a year problem and costs you $5,000 to write, you’ve got a lot of room to negotiate a price in.

Running a successful enterprise of course requires you to think about both approaches, because if you find yourself negotiating prices that are below your cost, that won’t end well.

Furthermore, the Platonic ideal of writing software once and never touching it again is pretty rare; most complex software needs to be continually maintained in order to fix bugs and keep up with changing fashions. This makes cost a little more challenging to determine, as it’s an ongoing function of R&D team size (not to mention support functions, cost of sales, &c).

Even worse, Software as a Service and other, simpler forms of term licensing require you to predict costs and values into the future and spread them out, probably in a way that front-loads your costs and back-loads your profits. In some ways this matches the realities of software development more accurately since it allows for ongoing cost and value increases, but it can also set off a treadmill of expectation increases. That is to say, a SaaS which does not continually improve will not compare well with one that gets gradually more feature-rich and nicer to use. As discussed before you could also use bands or freemium models to disproportionately allocate costs and profits across different classes of users. Or you could aggregate one class of customers into a service that you sell to another class of customers, if you’re feeling particularly Silicon Valley. All of these approaches are just abstractions over the core problem of pulling in more money than you pay out, don’t let them distract you.

So, just like license models, price is deceptively simple:

  1. More expensive than your costs
  2. Less expensive than non-consumption
  3. If you’re going to spread the cost out, make sure that you don’t drop average prices below average costs. 

Glad I could help.