Thursday, April 17, 2008

Mashups in the financial sector aren't just for the back office

I spent last week in NYC talking about mashups to a number of customers in the financial sector. I love going to NY, and last week the weather was beautiful and all the designer dogs were out in force in Central Park. The outlook from our financial institution clients wasn’t quite so perfect, however.

Here’s the message I heard over and over again: Mashups in the financial industry were only good for the back-office, not the front-line. So while we can help make their order-to-cash process mean and lean, we can’t help them bring innovative products to their customers.

I understand the reasons. Financial institutions have to be conservative. When bankers and investment institutions stray from the straight and narrow, somebody will likely be in front of Congress right before they go to jail. S&L bailout anyone? Would you like to invest in some junk bonds? Let's depend on Enron for our retirement portfolio. Oh yes, let’s not forget subprime mortgages.

So while I understand their reluctance to adopt mashups on the front-end of their business, I think it is a mistake. I wouldn’t expose the banking systems until we get better mashup security. But financial institutions have a lot of other offerings that aren’t tied directly to their transactional back-end systems.

Why should they bother?

Financial institutions have to walk a fine line. They are in a constant struggle to balance the need for governance, the heavy load of compliance, and a cutthroat competitive landscape. And the financial sector depends heavily on technology to be competitive. And not necessarily technology within a traditional IT organization.

According to a Booz Allen Hamilton study, for every dollar spent on ‘real’ IT, most industries also spend 78 cents on ‘shadow IT.’ That is, IT funded directly by, and implemented within the business. In the financial sector I’d be willing to bet the ratio is much higher. One bank employee I talked to said that embedding IT within the business is a necessary practice just to stay competitive. When one bank innovates, the others have to be right behind. That means tight coupling between the technologists and the business so new and innovative offerings can be out the door fast.

This sounds like a perfect job for mashups.

I’m not an expert on the institutional side, but I do have a number of personal and small business accounts with a couple of handfuls of banks and investment firms. As a consumer of financial services, I’ve got a number of ideas for how they could use mashups without compromising their core banking systems.

How about a money management mashup? Most banks have money management information, but wouldn’t it be a good idea to mash information from multiple sites, mashing book sales from Amazon? Then not only could the company provide good value to their customers, they might also be able to turn their website into a profit center.

Ditto for investment information. I have accounts with several investment firms, yet when I want to do any investment research, I have to search Yahoo! finance to get the financials and Google for any relevant news. I’d use a mashup that pulled that information together into a single page.

How about a mashup that pulls together many investment strategies? Again mashing up books from Amazon and information from some of the leading personal finance strategists. How about a mashup that lets me compare and contrast a company’s performance against some of its nearest competitors? Then mash in some Google Docs to let me save my analysis so I can retrieve it later.

And on the other side of the equation, banks and investment firms should turn some of their free web content into widgets. For example, Fidelity has a DJIA chart on their home page. If this was a widget, and they modified it to show provenance, Fidelity would get free advertising whenever someone added the widget to a mashup.

I’m not buying that mashups aren’t a good fit for the financial services industry. Most of the innovation, at least on the consumer side, isn’t in the back-end transactional systems. It’s out front, providing services, information and advice to customers.

Again, a perfect job for mashups.

Friday, April 4, 2008

Smoking pot and stealing music. Some things never change.

OK, I admit I wrote that title to see if I could trick some people into reading this post. But really, I will actually compare the two. My motivation is a recent article by Linda Tucci, a writer for It made me smile because it was about how millennials don't respect organizational, hierarchical or other boundaries. These millennials are going to cause security headaches because they don't respect IT policies and procedures either.

This is a hot news flash?

In her defense, Tucci was simply reporting on the results of a Symantec survey, first blogged by Symantec employee Samir Kapuria. But those of us who have either been interacting with these younger workers, or have children of that age who are about to enter the workforce, already know we've got an IT compliance disaster waiting to happen. I know that my own daughters have absolutely no respect for IP rights. In their minds, anything on the public web is and ought to be theirs for the taking. Lectures about the morality of downloading music and video fall on deaf ears. As do discussions about network security and malware.

These conversations reminded me of discussions I had with my parents about pot smoking when I was a teenager. My parents lectured me on the evils of marijuana, but in my peer culture at the time, nearly everyone smoked it. In fact, the University of Michigan and Michigan State University had parties every spring, called the Hash Bash , to protest pot laws. While I never had the guts to light up on the steps of the capital and get carted away in nonviolent protest, I wasn't above cutting class (I was in High School at the time) and joining in the party.

Bear with me. This isn't just a stroll down memory lane. It really is about mashups.

In my view at the time, and the view of many in my generation, pot was not only a civil right, it was symbol. Sure, flaunting the anti-pot laws was fun. But it was also morally defensible to break the laws in protest of unnecessarily restrictive rules and regulations. I believed my parent's views were not only behind the times, not just old fashioned. They were wrong, and nothing they said changed my mind.

That's the attitude I see in my children. Talking to them about network security, IP rights, privacy, and even footnoting, is like talking to a brick wall. For them, free access and use of all information is not only a civil right. Breaking IP and security rules is a form of political protest against unnecessary and restrictive rules and regulations. Here's the money quote from the article.

When asked whether they feel entitled to use whatever application or device or technology they would like, regardless of source or corporate IT policies, 69% of millennials said yes, compared with 31% of other workers. Indeed, 75% of millennials have downloaded software on their work computer for personal use, vs. 25% of other workers -- even though 85% of the organizations surveyed indicate their policies restrict that practice. Millennials also regularly store their corporate data on personal devices: 39% on personal computers, 38% on personal USB devices, 20% on personal hard drives and 16% on personal smartphones.

CIOs should be very afraid of these survey results. Especially since the same survey showed that IT and other corporate leaders believe they have good rules in place, and that everyone understands and mostly obeys them. Those who don't comply get fired.

Most of the Millennials I know aren't afraid of losing their job. They aren't going to get intimidated by getting yelled at by the boss. Organizations who try to restrict the use of personal devices, who prohibit social networking and other Web 2.0 applications, who try to legislate the use of web content, are either going to be mired in lawsuits, or are going to find that they can't hire innovative and out-of-the-box thinkers.

What's the alternative? I'd like to fall back on the agreement I've now forged with my children. I've worked for companies that blocked sites, monitored email, recorded web access and filtered out 'bad' words in IM. I didn't care for it, and I wasn't going to turn around and do the same thing in my own home. Nor could I simply ignore the problem. While I know pirating is illegal, I also believe it is wrong.

We finally came to a compromise that we worked out together. They don't completely like it, still believing I'm backwards-thinking. I don't completely like it, believing they will have ample opportunity to break the law. But because it is a negotiated agreement rather than a dictated policy, I have some hope of success.
  • They are now free to download anything that is really free, not pirated free. MySpace is full of 'really free' music and video, and a lot of it is quite good.
  • They can keep their MySpace accounts, but they must allow me access to their profiles. (Neither of them like Facebook. Probably because I use it.)
  • They have an iTunes budget. It isn't large, but it is enough to buy a few songs now and then.
  • They won't download software without my approval. I can only deny the download if the software is harboring malware, if it's content is objectionable or if it will cost too much.
  • They agree not to store any pirated content on their computer.
  • I've asked them not to 'borrow' pirated content from their friends. I've told them I'll throw away any media that I believe has pirated content.
So far it's either working or they are very good at making it appear to work. I won't take bets.

I think IT has to do something similar. In old paternalistic, hierarchical organizations it might be considered a sign of weakness to negotiate policy with subordinates. Our millennials are going to change that mindset. Corporate leaders will need to work with their employees rather than dictate to them, or they will face not being able to recruit or retain the quality of worker they need. So instead of a restrictive IT policy based on sanctions and Big Brother thinking, we'll probably end up with something similar to the agreement I have with my kids.

With respect to mashups, I think we'll also end up with something similar.
  • If you mash content from the web, note the source.
  • If you mash content from behind the firewall, make sure the content isn't sensitive.
  • If you are mashing services from the web, make sure they don't have viruses, understand the costs, and try to use reputable sources.
  • If you are mashing services from behind the firewall, make sure the services don't expose sensitive information.
Are these guidelines bulletproof? Of course not. There isn't an IT policy today that's bulletproof. What these guidelines do is help the masher understand what the issues are and why he/she should be concerned. These guidelines treat the masher like an adult, not like a naughty child or convicted felon that must be monitored.

Some may think this is mere kowtowing to these new bad boys entering the workforce. Further proof that the world is going to Hell in a hand basket. Me? I can't wait until these younger workers roll in and shake everyone up. Will we have chaos? Will there be security problems? Are there going to be mistakes, upheavals and disasters?

Most certainly. But there will also be progress.

(Note to horrified readers: I stopped smoking pot in High School. I didn't then, and still don't, think there is anything wrong with it. I just needed to get my act together academically. After HS I always ended up in jobs that required a security clearance. And now it just doesn't interest me.)

Tuesday, April 1, 2008

Can I take back what I said about BPM and mashups?

Back what seams a very long time ago, but was actually only October last year, I wrote a post suggesting that BPM was another form of business mashup. Like-minded blogger Sandy Kemsley agreed, and bemoaned the lack of mashup understanding in the BPM community.

I've kept an eye on the BPM community looking for activity around mashups. I've seen a few comments around the edges, but nothing I would call a trend.

I was confused. Presentation mashups and BPM may have little in common, although I would suggest that Tibco, with their focus on RIA composite applications, have been playing in the presentation mashup space for a while. (Others will likely disagree, and we can have a discussion.) However, once you get 'out of the map' and start considering mashups from a business or enterprise angle, the overlap becomes pronounced.

(Note: my good friend Summer Ficarrotta coined the term 'out of the map' months ago to help people understand that Google Maps mashups at the glass weren't the only mashups on the block.)

I think I fell into the trap of thinking that because two things look the same and act the same, they should be the same. (Do you remember Papa Bear in The Big Honey Hunt?) I have a recent article by TechTarget writer Rich Seeley to thank for getting my head out of my trap. Through his insights about BPM and SOA roles and responsibilities, I now understand just how different BPM and mashups are.

In his article about the business and IT roles within SOA and BPM, he lists eight different roles involved in creating a BPM/SOA application, four each in business and IT.

Business Roles
  • Business Leader: Responsible for overall business performance, compliance and governance.
  • Business Professional: Manages business performance and decides on strategic and tactical needs for a specific area of responsibility.
  • Business Analyst: Interprets business professional and business leader requests and documents them into process models.
  • Process Analyst: Specialized business analyst who concentrates on the simulation and analysis of processes in their business environments and their interactions.
IT Roles

  • IT Leader: A Business Leader responsible for delivering technology solutions that enable the business.
  • IT Analyst: Interprets business analyst inputs/requirements in the context of IT capabilities, works with team on IT-based business process improvement.
  • IT Architect: Defines basic operational imperatives in the provisioning of IT services with a focus on resiliency, reuse and adaptability.
  • IT Developer: Follows IT architectural principles to create "building blocks" for the construction of applications.
Whew! Imagine putting a mashup together where you needed four different roles to put an idea together before tossing it over the wall to IT where four more roles did the implementation. I'm not saying this is too much for BPM. High-value and highly-complex systems need governance and discipline during their ideation and construction, regardless of whether they are implemented as a custom application built from scratch by App Dev, or as a business process built atop a BPMS.

What I'm saying is this is too much for mashups.

The premise of Serena's paper on the long tail of applications development is that there are many applications that IT never implements because they aren't high value or complex enough to merit IT involvement. This is 'The Long Tail' of Applications Development. At the time we wrote the paper I thought that BPM could be one of the answers. After all, BPM was all about empowering the business to define and build applications.

And that's where I made my bloomer. Mashups need to be easy to build, easy to deploy and easy to maintain. Mashups need some governance, as I've written about here, here, and here. (Yes, this is a subject I care about.) Just not as much as an expensive and complex App Dev initiative. They also need some lifecycle management. Again just not as much as a typical App Dev initiative.

Now I'll go on record as saying they don't need as much governance and lifecycle management as Big BPM either.

Applications Development has a long tail, a tail that can be serviced, in part, through the use of mashups. Contrary to what I've said before, BPM also has a long tail. A tail that can be serviced, in part, through the use of mashups.

What I won't say any more is that BPM is a business mashup platform. It may look the same. It may act the same, but it isn't the same at all.