There’s an old saying in car racing that goes something like “you can’t win the race in the first corner, but you can lose it.” There is a similar truth when talking about software. The right software will not fix your problems, but the wrong software will surely exacerbate them. This, then, is a little story about choosing the wrong software.
Just prior to Christmas 2015 I took on a small project in Vermont. It was a bit of a weird situation in that the project was a mashup of two projects I’d done the previous year; the client was in the same business as another client, and the project was the same as a different client. No matter.
The client wanted to find out why their staff wasn’t in love with the Enterprise Content Management (ECM) solution they’d deployed a few years earlier and why things were failing. With a few exceptions this could have been a copy of an assessment I did for a university (detailed in this post & case study). The key differences were the technology chosen and the business the two organizations are in. In the case of the university, at least they chose the right type of technology for their needs. The folks in Vermont kinda, sorta, almost made the right choice, but not quite.
Back in 2008/09 their legal folks decided that they needed something to manage all their documents, so they went out and sourced a document management product targeted to professional services organizations. At the time no one was thinking holistically about what the organization needed. Whatever, it’ll all work out. Uhm, no.
As they were researching what to buy, they determined that their compliance and procurement departments had similar document management needs, so decided to deploy whatever they bought to those groups as well. There’s nothing wrong with trying to get more bang for your buck, assuming that the fit is right. Right?
My client went out and selected a product and got it implemented. Now, the implementation did not go smoothly, but that was nothing to do with the product and everything to do with selecting a less than stellar implementation partner. However, that’s not what this story is about, though you really need to be careful about selecting an implementation partner.
Once they got the implementation under way, they decided that the product they chose would be their ECM standard. There was a tiny problem; the product they selected was not an ECM product. As stated on their website [name withheld] “is the global leader in professional work product management”. The vendor’s target market is primarily law firms. Over the course of the project I spoke to the vendor and a couple of peers that work for organizations that use the vendor’s tools. They all agree that the product is not suitable as an ECM platform. The two peers I spoke to said that the product is very good if you use it for what it’s designed to do, but you’d be mad to try and use it as an ECM platform. To get back to my race car analogy; it’d be like trying to compete in the Dakar with a Formula One car.
But really, how bad could it be? Well, prior to implementing the product, everyone in the company knew where to find stuff, even though it was a pain. While they weren’t thrilled about using file shares, FTP, and email to store and share content, they knew how to work with the tools they had, regardless of how prehistoric they were. Now that they have the new platform, most people in the company are more than a little fed up:
- They file stuff and can’t find it again;
- They’re supposed to send links to colleagues, but have to rely on email because security is borked;
- Where previously there were standards, now many have their own way of doing things;
- Irritation with previous tools has been replaced, in many cases, with hostility;
- This list is not complete.
It’s gotten so bad that my client is seriously considering ripping out the solution they implemented and going back to using file shares. I wish I were kidding.
As my university client found out, choosing the right technology is no guarantee of success. However, as my Vermont client found out, choosing the wrong technology is a guarantee of failure. Choose wisely and do all those other things that come before selecting and implementing technology. After all, a solution / system is a combination of people, processes, and technology.
Earlier this year I completed an assessment of Alfresco for a university client. The university licensed Alfresco several years ago and did not have much success. They hired me to find out why, and what to do about it. The options they wanted to look at were to continue on with Alfresco or switch to SharePoint. An option they weren’t willing to consider was a cloud based option. I gave them one anyways, based on Box. Unfortunately I was asked to remove that option from the final report. Oh well.
While the platform in question was Alfresco, I can’t stress enough that the failure had nothing to do with the platform. Under the circumstance nothing would have succeeded. You can read a bit about it in an earlier post here.
I’m trying something a little different; because of my altruistic nature I am making the final report available as a downloadable PDF. I figure there’s stuff in it that many could use, and perhaps critique that would be helpful.
I want to thank Laurence Hart for his contribution to the report and the overall project. Thanks, Laurence. You can follow Laurence on twitter at https://twitter.com/piewords and check out his blog at http://wordofpie.com/.
Anyways, just follow the link and you ought to get to the report (no fees, no signup, no tracking). Feel free to provide feedback.
University ECM Assessment – I’m using Box to share this content. Please let me know if you have any issues.
Image: “Paris Tuileries Garden Facepalm statue” by Alex E. Proimos – http://www.flickr.com/photos/proimos/4199675334/. Licensed under CC BY 2.0 via Wikimedia Commons
You’re out of your mind if you think blocking access to file sharing services is filling a security gap. You’re out of your mind if you think making people jump through hoops like Citrix and VPNs to get at content is secure. You’re out of your mind if you think putting stuff in the cloud is dangerous.
When I mentioned to a client of mine that some of their users were using consumer file sharing services there were noddings of heads, murmurs of assent, and an “OMG how does he know?” Less than five hours after I mentioned it in a meeting, an exec from one of the stakeholder groups got a call from security stating that her team was violating policy by using Dropbox. This client had deployed an Enterprise Content Management platform. One of the key drivers for the platform is sharing of content among collaborators. One of the key inhibitors is Citrix. So, what do the users do? They email documents to each other. They store stuff on local drives. They get laptops with intellectual property and personal information stolen, and can’t wipe the laptops or recover the content. They use cloud services to store sensitive information. And security struts around proudly thinking they’ve done something. They have; they’ve created a security hole bigger than the one they tried to plug. Hell, even the frickin’ President was storing company confidential documents in his personal Dropbox account.
So I mention to the client that they may want to use an Enterprise File Syncing and Sharing (EFSS – I really don’t like this term) service like, I dunno, BOX! (Yeah, I like Box. So what?) Their Director of IT Infrastructure tells me that the execs are scared of any service that stores data in the U.S. because of the PATRIOT act. Really? Do they not know that Canada has an equally odious piece of legislation? Do they not realize that if the U.S. government wants to get at stuff in Canadian data centres they will? And dig this … Box is working on something that would let the customer (that’s you, btw) maintain control of, and access to, encryption keys. No more sneak attacks by those pesky gubbmint people. Hey, they can still come to you and ask, but at least you’ll know, no? Can you imagine!?!
Every time I have these types of conversations with people I usually end up wanting to lay a choke hold on someone. Whether it’s for spreading FUD (Fear, Uncertainty, Doubt) or for believing it … I’m not sure which irritates me more.
Blocking access to file sharing services doesn’t work. People will find other ways to connect (e.g.: phones make great wi-fi access points) or email documents around. Instead of blocking access to consumer services, IT and security ought to: 1) find out why staff is using the services in the first place; 2) identify and provision SECURE enterprise grade services; 3) develop appropriate policies for using EFSS services, including remedial action for violating the policies. If staff are using consumer services to share business content it’s a pretty safe bet something is wrong with the corporately provided tools. Fix them.
Part of the fix may actually be to provision EFSS to staff. Think about it before you have a freakin’ hissy fit. EFSS providers make money by providing a secure way for people to share content and collaborate. How do you make money? What’s your core strength? Hell, you can’t even stop your staff from sharing content unsecurely (is that even a word?).
I wanted to try something a little different for this post. I’m doing an assessment of what went wrong with Alfresco for a Canadian university. They purchased Alfresco back in 2008/09, initially to handle some of their web content needs. Things haven’t gone so well. Below is a quick wrap up email I sent to the project sponsor after the first few days of stakeholder (patient?) interviews …
I just wanted to give you a quick recap of the last few days:
- Of the people I spoke to, no one advocated for getting rid of Alfresco
- Unless something to the contrary comes up in the next few weeks, there is no reason to believe that Alfresco is the problem
- Alfresco was likely the wrong choice back in 2008/09, but the product and company have since matured to the point where it’s no longer the case
- There is a general feeling that Alfresco is/was underfunded, under-resourced, and lacking in executive buy-in / mandate
- It appears that there is no executive support or commitment to mandating Information Management practices using Alfresco as a standard tool set to implement
- There was/is an element of Alfresco (or any ECM platform) being a magic bullet, rather than a platform on which to build solutions
- It seems that all the Alfresco initiatives over the years have been done as individual projects, rather than under a program of managing information
- The consulting services engaged focused on the mechanical & “how to” aspects of Alfresco and related tools, without any of the advisory & “what should we do, why we should do it” services
At this point it’s my opinion that the problems are cultural and environmental. If the culture and environment change Alfresco will succeed, providing the right resources are engaged in the right way. If the culture and environment don’t change Alfresco will fail, as will any other platform brought in.