ITNOW magazine: June 2014 (sample)

SPR

ING

2014

bcs.org/itnow

SUM

MER

2014T H E M A G A Z I N E F O R T H E I T P R O F E S S I O N A L

PROJECT MANAGEMENT04 TWEETING PROJECT MANAGERS06 PROJECTS AREN’T FLAT08 THREE STEPS TO SUCCESS

HEALTH16 TO SHARE OR NOT TO SHARE

SECURITY12 PREPARING FOR ATTACK14 WHAT IS RISK?

...THE REST10 THE ROLE OF THE CIO18 COMPUTER ARTS20 THE LAST PAGE

EDITORIAL TEAMHenry Tucker Editor-in-ChiefJustin Richards Multimedia EditorGrant Powell Assistant EditorBrian Runciman Publisher

PRODUCTION Florence Leroy Production Manager

AdvertisingJack St ValeryE [email protected] +44 (0) 20 7978 2544

Keep in touchContributions are welcome for consideration. Please email: [email protected]

ITNOW is the membership magazine of BCS, The Chartered Institute for IT.It is sent to a wide variety of IT professionals, from systems developers to directors, consultants to training and education specialists. A subscription to ITNOW comprises four issues. All prices include postage. For subscribers outside the UK, delivery is by Standard Air.

Annual subscription rates Institutional: print edition and site-wide online access: £250/US$473/€373; print edition only: £230/US$436/€344; site-wide online access only: £200/US$303/€239. Personal: print edition and individual online access: £184/US$348/€275.

ITNOW, ISSN 1746-5702, is published quarterly (March, June, September, December) by BCS, The Chartered Institute for IT, North Star House, Swindon, UK. The US annual subscription price is $299. Airfreight and mailing in the USA by agent named Air Business Ltd, c/o Worldnet Shipping Inc., 156-15, 146th Avenue, 2nd Floor, Jamaica, NY 11434, USA.Periodicals postage paid at Jamaica NY 11431.US Postmaster: Send address changes to ITNOW, Air Business Ltd, c/o Worldnet Shipping Inc., 156-15, 146th Avenue, 2nd Floor, Jamaica, NY 11434, USASubscription records are maintained at BCS, The Chartered Institute for IT, North Star House, North Star Avenue, Swindon, SN2 1FA UK.

For payment details and terms and conditions, please see: www.oxfordjournals.org/our_journals/combul/access_purchases /price_list.htmThe current year and two previous years’ issues are available from Oxford University Press. Previous volumes can be obtained from the Periodicals Service Company, 11 Main Street, Germantown, NY 12526, USA. E [email protected] T +1 518 537 4700, F +1 518 537 5899

For further information, please contact: Journals Customer Service Department, Oxford University Press, Great Clarendon Street, Oxford OX2 6DP, UK. E [email protected] (and answerphone) +44 (0)1865 353 907 F +44 (0)1865 353 485

The opinions expressed herein are not necessarily those of BCS or the organisations employing the authors.© 2014 The British Computer Society.Registered Charity No 292786.

Copying: Permission to copy for educational purposes only without fee all or part of

this material is granted provided that the copies are not made or distributed for direct commercial advantage; BCS copyright notice and the title of the publication and its date appear; and notice is given that copying is by permission of BCS.

To copy otherwise, or to republish, requires specific permission from the publications manager at the address below and may require a fee.

Printed by RotolitoLombarda, S.p.AItaly.ISSN 1746-5702. Volume 56, Part 2.

BCS The Chartered Institute for ITFirst Floor, Block D, North Star House,North Star Avenue, Swindon, SN2 1FA, UK.T +44 (0)1793 417 424 F +44 (0)1793 417 444 www.bcs.org/contactIncorporated by Royal Charter 1984.

Liz Bacon BCS PresidentDavid Clarke CEO

Feedbackemail: [email protected]

Imag

e: iS

tock

phot

o/17

3390

168

PROJECT MANAGEMENT

June 2014 ITNOW 0504 ITNOW June 2014

Not everyone wants to be socialYou can have the best tools in the world, but getting your team to start working in a different way can be a huge barrier to overcome. Commonly it is a generational issue. People born since 1985 are what I term born digital.

That is to say they do not know a time before the internet. Their communication style is more open, shorter form, multi-device. They are used to information coming from different directions and much more accepting of the notion of being always on. For many of us (that’s me too) who are pushing 40, 50 or older this just isn’t the norm. Not everyone wants to publicly share their views or respond to an instant message at 10pm.

The most surprising issue I get given in boardrooms and when training senior managers is a concern for saying the wrong thing and looking bad. Ironically it is the people with the most experience and most knowledge that fear this the most.

Notice, however, (as I point out when faced with this concern) that the people who you think look bad are the people that we are talking about now. If it was you that was confidently and publicly sharing your experience then it would be you who would be getting the plaudits and increasing your reputation.

Get people to push past their concerns by focusing on their skills and the value they can add to others by sharing them.

Characteristics of a social businessHaving chosen your tools and instructed your team all that is left is to work on the culture of the business to ensure adoption of social technologies and social project management success.

In my personal experience it is hard to enforce new working practices and get

people to stay on board after the initial fanfare and training. What often works well is using a smaller group to champion the process and become a case study that will inspire the rest of your project teams.

It may also pay dividends to consider the more commonly associated social media channels of Twitter, LinkedIn, Facebook, Google Plus and YouTube as a way to show the increasingly social nature of your business. Encourage and invite people into the program in a way that suits them; this might be leaving areas of your social project management tool open for more general topics so that people can arrange drinks after work or borrow a power tool off a colleague. Anything to get them in the habit of using it.

McKinsey’s Social Economy report of 2012 noted common characteristics of successful networked organisations, i.e. they’ve gone social, as:

• persistent approach to trying new things, learning and adapting;

• role modelling and vocal support of leaders as a catalyst;

• social technologies are embedded in to their day-to-day work;

• high degree of trust and willingness to collaborate between colleagues.

Time to go socialYou don’t really have a choice about adopting social project management practices. Your people or future employees, your custom-ers or simply your competitors are going to force your hand. It is such an exciting time for anyone in business. Our lives are being made easier and success put within closer reach.

For anyone who enjoys their work it should be a boom time filled with opportunities.

www.bcs.org

From crowd sourcing business finance to collaborative mapping and traffic reports, from renting out your spare room by the night to controlling your central heating by mobile, everything is becoming intercon-nected.

Rolls-Royce, the engine manufacturer, has fitted around 100 sensors to its aircraft engines and they report live information back to a 24 hour team of 30 engineers who pour over the data and make decisions that impact the aircraft at 500 airline companies around the globe. It is the combination of these applications, people and data that are making decisions that impact the world we live in.

Many people (still) see social media as inane chat about who had what for lunch. The reality, however, is that social technologies are allowing people to collaborate, absorb information and make better decisions faster. For the most part the technology is an enabler for people to be social and it is simply human nature that we use this to

make better things. For businesses that embrace this transformation it can be startling. For those that do not the impact may be much more negative.

Project management has to changeTraditionally, a project manager was the lynch pin of any project. The hub of all the information and the leader who ensured everyone was doing their job on time. No matter how effective the project manager or the systems are though this very linear approach can lead to bottlenecks and breakdowns.

In the age of web 2.0, and the rise of social technology, such problems are being resolved by solutions that bring collaboration and agility. Core to this also is the open use of and access to data.

Regardless of the size of team traditional project management would also have likely happened mostly via email and face-to-face meetings. Thus creating silos of information that are hard to review, analyse

or share. This is inefficient.

Social PM improves effectivenessSocial project management by virtue of interconnected systems makes collaboration core to the project team. It creates efficiencies and delivers better end results because of accountability and the collective intelligence of the group.

Rarely does a new system bring cost savings and increased productivity, but using social technologies and working socially could, as suggested by McKinsey Global Institutes’ 2012 Unlocking the Social Economy report, increase productivity by up to 25 per cent and unlock up to $1.3 trillion of annual value in the world economy. Naturally two objectives many finance directors are keen to hear about.

Your customers will also be very grateful and increasingly loyal as they benefit from the improved communication and access to information. In a commoditised world your collaborative culture and strong client

relationships can become a differentiator, which is almost impossible to recreate.

How to make a project socialDeciding to make your project and project management more social is not difficult. There really are a great many tools that have been launched that can be used with minimal cost or training.

Podio, Trello, Basecamp (all .com) and now even SharePoint are social at their heart. Google Apps including Google Plus (which is a social network) is, because of its tool set, an excellent option also. A social project will be open in its nature, with people being able to see what each other is responsible for and the status of that work. The common features to ensure you have are:

• project management and permission setting by leader;

• team member pages and profiles;• shared schedule and work flow;• collaborative work spaces;• document repository;• search engine functionality;• remote, multi-device access;• message alerts via email and live chat;• open conversation with tagging,

commenting and sharing.

Video conferencing and group communication are also commonplace, meaning that as well as being able to collaborate on documents, team meetings can happen easily and regularly.

Carry out a review of your systems and choose your tools based on how simple it will be for your company to adopt this new way of working. Simply creating shared workspaces and making everybody accountable to each other through an open community is a great stepping stone to embracing social project management.

The technology world has changed massively in recent years, but how much has project management changed and how have project managers changed the way they work? Jonnie Jensen, social business strat-egist and founder of Live And Social, looks at what it is going to take for more project managers to confident-ly go social.

PROJECT MANAGEMENT

TWEET?

doi:1

0.10

93/i

tnow

/bw

u033

©20

14 T

he B

ritis

h Co

mpu

ter

Soc

iety

HOW MANY PROJECT MANAGERS DOES IT TAKE TO SEND A

Imag

e: E

R_C

reat

ive/

1850

1001

1

PROJECT MANAGEMENT

06 ITNOW June 2014

1. A grown-up conversation about our ability to estimate business leadership;

2. A value-based approach to design, planning and execution;

3. A grown-up conversation about our ability to estimate.

As Alcoholics Anonymous knows, the first step in finding a solution is to accept that there is a problem.

The truth is that it just isn’t possible to accurately estimate the cost of an IT-based project. Actually, it is extremely difficult to estimate the cost and duration of any activity that we have not done before.

Let’s say you decide to walk from London to Paris. How long will it take? We have clear picture of the destination and the speed at which we might go, but it’s still tricky.

Let’s try something trickier. Say, Paris to Rome? And let’s say you are in a group of seven. Two couples of different ages and three children ranging in age from 12 to 17. It’s complicated, right? You can still find out the distance, but the route takes you over the Alps. Different members of the group will go at different speeds and the amount they can walk in a day will vary. On top of that, the two families have to cooperate on the overall journey.

Now think about a project involving IT. It’s much more complicated than a walk from Paris to Rome. There is no map of the journey. Calculating the distance to

the destination isn’t easy. In fact, it is often pretty difficult to describe the destination at all. And what about speed? You have a bunch of people, of varying abilities and experience, who have come together to do this project - how fast can they go?

The only way that we can estimate any task reliably is to do it over and over again. But we don’t do the same project over and over. Projects might share similar characteristics but each is a different journey, usually with different group of people.

This is why the ‘on time and on budget’ mantra is a nonsense. We cannot estimate reliably, so we cannot come in on time and on budget, unless our guess is generously padded with contingency.

But even with contingency added, Standish tell us that only 32 per cent of projects come in on time and budget. One of the reasons for this is that we all suffer from what psychologists call Optimism Bias.

We all believe that we are better than average drivers. We all believe we are better than average parents. We all believe that we are better than others at anything we regard as important. That includes our own project. We are smarter and better than others, so will not make the same foolish mistakes. And nor will we be over-optimistic, as the others were.

Business leadershipResearching the talks that I referred to earlier, I pulled together all of the publicly

in front of a snow covered building site. The project has cost much more and taken much longer than anyone expected. They have run out of money and Christmas will be in a caravan, at the side of the site.

Alternatively, they could take a value-based approach. To do so, they would have collaborated with their builder to identify chunks of value. For example, having identified a functioning toilet as having particularly high value, they could then have asked for it to be delivered first. Then this might be followed by a shower room, followed by a kitchen, a bedroom and so on.

The total value could have been delivered in chunks. The builder might argue that this approach would make the overall project more expensive. But then the estimate is only a guess anyway, given the novelty of the project. A value-based approach is better because it enables the customer to calibrate the supplier’s productivity and improve the overall estimate with each delivery. And, in any event, wouldn’t it be better to have a four-bedroomed home with a roof, rather than an uninhabitable eight-bedroomed home without one?

The delivery of each increment of the project’s overall value provides an opportunity for a customer to evaluate not just cost and time but also value, quality and the customer-supplier relationship and the project team to learn and adjust course, rather than waiting until the end of the journey to discover that the project has arrived at the wrong place.

The world isn’t flat and nor are projects. Continuing to make believe that they are will only perpetuate the cycle of failure. If we do the same, we get the same.

It’s time for the grown-up conversation, for business leaders to take some driving lessons and to take a lean approach based on the pull of value not the push of requirements.

www.bcs.orgdoi:1

0.10

93/i

tnow

/bw

u034

©20

14 T

he B

ritis

h Co

mpu

ter

Soc

iety

Gary Lloyd posed the question ‘what proportion of IT-based projects deliver what they say they would, on time and on budget?’ at meetings of three different consultancy, project/programme management and business change BCS specialist groups. Most of the attendees were, like Gary, of mature years and had seen a lot of projects.

June 2014 ITNOW 07

available research into why IT-based projects fail. Here is my synthesis of the top five causes of failure:

1. Unclear business objectives and links to strategic priorities;

2. Lack of executive and senior management support;

3. Poor quality and changing requirements;4. Lack of user involvement;5. Poor planning and risk management.

With the possible exception of the last item, these causes point to one thing: poor business leadership. It is the business that has the greatest capability to address all of these points, including the last one. Standish Group agrees. It rates ‘effective executive sponsorship’ as the number one determinant of IT project success.

Interestingly, IT professionals go in for an enormous amount of breast beating, challenging themselves to do a better job at engaging with ‘the business’ and getting good-quality requirements. IT professionals believe that the onus is on them to drag what they need out of business managers in order to get the job done.

But why should it be that way? Shouldn’t business managers be agonising about how they can ensure that they get what they want? Shouldn’t they be demanding customers?

All too often, however, those business leaders who have initiated projects in order to be drivers of change, allow themselves to become passengers on their own projects. Reporting on the government’s Universal Credit Programme, in November 2013, the Public Accounts Committee wrote:

‘Oversight has been characterised by a failure to understand properly the nature and enormity of the task, a failure to monitor and challenge progress regularly, and a failure to intervene promptly when problems arose. Senior managers only became aware of problems through ad

hoc reviews, mostly conducted by external reviewers.’

But my aim is not to point a finger of blame. IT suppliers collaborate with their customers in mutual self-delusion. Solutions are relatively low risk, cost and schedule estimates are robust, and the project is always on course. Until it isn’t.

That grown-up conversation needs to be open about risks and focus on strategies to mitigate not ignore them. We don’t expect adults to be able to drive a car, just because they are adults. Why should we expect business leaders to be able to lead complex projects, without appropriate education and support? We need to help business leaders to become demanding customers who don’t think the job is done, once the ship sets sail.

We need to help time-poor business leaders to understand when, how, where and why they need to contribute to project success. Of course, in order to do so, we need to understand that ourselves.

Design, planning and executionSo let’s say that a grown-up conversation between supplier and customer has taken place. How can we, practically, ensure that the customer’s money is well spent?

I believe that the solution is to adopt a strategy that delivers regular business value to customers and stakeholders throughout the project, not just at the end. This needs to be clear to suppliers at the start of the project. The project team need to know that they have to design a solution that is structured for regular value delivery. Ikea doesn’t design furniture and then work out how to flat-pack it. The delivery strategy is a constraint on the design.

Consider a building project, such as those featured on the television programme Grand Designs. A happy couple decide to take on a huge Tudor barn refurbishment project, vowing to be in by Christmas.

Three-quarters of the way through the programme, we see a disconsolate couple

In answer to the question, an attendee at one of the meetings held up his hand and made the shape of a zero with his thumb and forefinger. I asked the group if they agreed.

On the whole, the answer was ‘yes’, with no one offering a success rate above 10 per cent. It was the same story in the other meetings. Seasoned IT professionals were pessimistic about the ability of IT-based projects to deliver as promised.

Actually, research data shows that track record is better than the groups’ collective intuition, but not that much better and no cause for celebration. Research carried out on behalf of BCS found that less than half of projects delivered what they said they would within budget. The Standish Group, that has a database of over 70,000 projects, paints a gloomier picture. It reports that less than a third of projects delivered within budget.

If that wasn’t bad enough, research by Oxford’s Said Business School, showed that one in six projects overrun budget by 200 per cent or more. When IT-based projects go wrong, they can go very badly wrong. This conclusion is supported by BCS research referred to earlier.

So what’s the problem and what can we, as IT professionals, do about it? IT-based projects are complex and there is no single cause nor is there a single silver-bullet solution. There are, however, three key points of leverage that can make a disproportionately positive impact. These are:

PROJECTS AREN’T FLAT

Imag

e: J

anno

on02

8/47

7268

163

PROJECT MANAGEMENT

08 ITNOW June 2014

managers do habitually are:1. make informed decisions,2. gain management support;3. deal with the unexpected.

I shall now take a closer look at these three distinguishing project management qualities.

Making informed decisionsProject management is often misunderstood and poorly practised because organisations don’t know how to control change. Simply put, they don’t know what they are doing. Senior management believes it is driving change through from the top down when in reality it is basing too many decisions on assumptions.

And here’s the crux of the problem. Every one believes someone at the top knows what they’re doing. This stops everyone from learning and innovating. Let

me tell you a story.

Channel shiftWe have been working to introduce a new content management system. It started out as a technology project. However, I was convinced that this was the wrong approach.

I thought we had an opportunity to save a great deal through channel shift and improved handling of customer enquiries. But a change this big meant a change in the way we viewed the customer and how we engaged with them. I soon realised this would not be possible unless top management saw the opportunity and bought into the idea. This was a big ask because they all thought the project was about technology.

To get to the heart of the problem I asked an analyst to do a small study on website usage. I wanted to know how

We also knew our limitations and when external help was desired. Our approach to the project meant we could anticipate problems and deal with them head-on before they derailed what we were trying to do.

For instance, when parts of the business were too ambitious in their plans we were able to convince the project board that restraint was necessary.

We fully understood the end-to-end transaction costs and the importance of user experience. In contrast, some of the ideas coming from the business made neither economic nor practical sense.

Most business change projects have difficulties. This is not surprising since we rarely know exactly what we are doing or how it is to be done. In other words, project management is learning as you go.

Or to put it another way, dealing with the unexpected. Why this is such a surprise often confounds me.

I think we are all in agreement that the project manager’s job is to deal with uncertainty. However, I believe it is more than this. It is about making a future more probable.

What we learn from the case study is that driving projects from the top does not work because people assume someone knows the answers.

Projects are called projects because we don’t know exactly what we are going to do. We have to learn as we go. The project manager has to learn fast. Only then can the unexpected be handled with any degree of confidence.

So now you know what the project manager has to do: to make informed decisions, gain management support, and know how to deal with the unexpected.

‘There is no such thing as a problem without a gift in its hands for you.’ Robert Bach

Who said project management was easy?

www.bcs.orgdoi:1

0.10

93/i

tnow

/bw

u035

©20

14 T

he B

ritis

h Co

mpu

ter

Soc

iety

Martin Webster MBCS CITP is managing solution architect at Leicestershire County Council and his job is to solve problems, find solutions that enable beneficial business-led change. Project management is a core competence in directing and managing change.

June 2014 ITNOW 09

many pages we had and how often they were visited. I also wanted some insight into the way our customers behaved online.

When the analyst completed the research, she reported that we had over 5,000 web pages, yet more than 80 per cent of them were rarely used or not used at all. When I examined what she had found I learned that customers hardly ever visited the home page and never spent time browsing our pages. Indeed most traffic was via a search engine. I couldn’t believe how bad things were; one of our most popular pages was a not found error.

The key players in channel shift are not top management. They are the project manager and the analyst. The project manager had the conviction to follow his hunch and the analyst the tenacity to uncover evidence.

Project management isn’t simply about following process. It is about challenging the status quo and making sure project objectives and benefits are crystal clear. The project manager must use evidence, hard honest facts, to inform decisions and show people how the project will make change happen.

So, a project manager’s job is making informed decisions to get change started.

Gaining management supportThe next point is about gaining management support. So let us return to the case study.

I have a voiceThe analyst collected all of the information and prepared not one but five reports: one for each business unit and one for each project board member. At the next project board meeting we presented our findings. We decided to hand out unique reports to each board member.

What they read was a service-by-service description of their departments’ web presence. Or rather, how ineffective their department was at engaging customers. For many minutes the

boardroom was quiet. Everyone was intent on reading. They had nothing to say.

Later we were invited to present our findings at management teams across the organisation. Soon afterwards executive management heard about it and we were presenting to the CEO. Through the report we were able to reinforce at every level of the organisation a sense of this is how bad the website is.

In ‘I have a voice we learn that those who think they have little power can make a difference. The overwhelming evidence presented to the project board could not be refuted. They were on side. The project manager had moved them from commanders to sponsors.

Making informed decisions using hard facts helped the project manager win over the project board. The board immediately connected themselves to something important and lent it their credibility.

In this way project managers must learn to gain proactive support from senior leaders. This is what sponsorship is about. It is holding up an idea or cause as important. And, when the project manager has true sponsorship they are empowered and more likely to succeed in their role.

So, a project manager’s job is about making informed decisions and gaining management support.

Dealing with the unexpectedBut this isn’t enough. We all know that projects are unpredictable and inherently risky endeavours. Therefore, the third and last point is this: project managers must know how to deal with the unexpected.

Knowledge is powerGetting senior management on board was just the beginning. Lots of questions followed and there was an expectation for us to have all the answers. We didn’t have them.

The project team quickly realised it had to learn about customer access, efficiency and channel shift. We needed to be one step ahead of everyone else’s thinking.

Let’s begin with a concise definition of project management taken directly from Managing Successful Projects with PRINCE2, 5th Edition.

‘Project management is the planning, delegating, monitoring and control of all aspects of the project, and the motivation of those involved, to achieve the project objectives within the expected performance targets for time, cost, quality, scope, benefits and risks.’

As far as project management definitions go this is rather good. But what does it tell us about project management? What does it tell us about being a project manager?

In truth, many definitions often leave us out in the cold. Yet this simple definition does encapsulate what we should be doing. It helps identify three important things a successful project manager does.

The three (and yes, this is a three-point sermon) things successful project

SUCCESS

Imag

e: P

hoto

s.co

m/9

2825

837

STEPS TOTHREE

DIGITAL LEADERS

10 ITNOW June 2014

advice; I have a discussion with them about why they are interested in those things in their business.’

Dave went to on to say that he thinks that the I in CIO, information, is very important because information is the lingua franca. He feels that people who can’t speak that language are destined for obsolescence in modern industry.

He then added: ‘What I encourage CIOs to think about is, how do they get the maximum return on the information model in their organisation? How can they focus on the strategy of that information model and how that information model is evolving. We own that information model for the whole corporation and that, for me, is an important and critical role for the business. It is a role that shouldn’t have any competition if the CIO approaches it as their piece of the cake.

pressures. When you are seen as someone who has that technology knowledge and people come to you, it must be very hard to say “no, I’ve got other priorities in my job.” People then just see you as the person who responds to the technology problem rather than information business issues,’ he said.

Ade McCormack agreed with this. ‘It happens every day where CIOs are going in to see the CEO and it turns out that the laptop isn’t working, so you become the chief laptop fixing officer. You get a bit further in and the CEO says “my 13-year-old daughter has this app and I want our payroll to be an app.” So now a 13-year-old girl has more influence over IT strategy than the CIO.

‘I think it is around brand and perception. I believe job number one for digital leaders and aspirant digital leaders is to get their brand act together, of which there are probably four stages to do this.

‘The first is to define what your brand is. Stage two is to reengineer your bio to reflect that, that doesn’t mean lie though. It might mean hiding the fact that you’re a programmer, as that might not help you where you want to go. The third stage is to behave like the new brand and the fourth is communicate the new brand.

‘This works very well with people that don’t know you. If you talk like a business person, they will presume you’re a business person. You may well get push-back from people who want to keep you in a certain place and many business leaders are not comfortable with making that journey.’

www.bcs.org

doi:1

0.10

93/i

tnow

/bw

u040

©20

14 T

he B

ritis

h Co

mpu

ter

Soc

iety

BCS, The Chartered Institute for IT, recently held a summit for and about digital leaders. Included in the summit was a discussion session about the role of the chief information officer (CIO) hosted by Ade McCormack and featuring Nick Millman from Accenture, John Morton from IP3 and Dave Wheeldon from Aveva.

June 2014 ITNOW 11

‘Too frequently CIOs tend to get wrapped up in other CIO topics and, I think, they get too close to procurement and therefore they get too close to technology providers and this means they tend to go towards the IT responsibility rather than the information responsibility. ‘

CIO vs. CDOThe discussion moved on to the subject of other job roles within organisations.

Nick Millman asked: ‘Is the CIO looking at information or are they running the IT function? I think in some sense the trend is already there for organisations to have a chief data officer, which I think does happen when the CIO is running the IT function and people think about who is looking after our data, who is thinking about governance and our data model. Let’s create a new role called the chief data officer (CDO).

‘We are seeing a surge in the number of organisations getting a CDO and we did some research across major organisations in the US and the UK and two thirds of organisations, approximately, said that they had a CDO or that they intended to appoint one in the next 12 months.

‘In some ways if the CIO doesn’t start to tackle the data issue, the answer is that a CDO suddenly appears.’

Mark Say, author of the BCS whitepapers on the next wave of computing, who was in the audience, then asked: does the fact that a lot of CIOs have come from a technology background mean that they get given the IT function, whereas if they came from another part of the business they wouldn’t necessarily get it?

Dave Wheeldon answered first and suggested a CIO’s role is often governed by their previous work experience.

‘The experience I have when I am talking to CIOs is that they have lost their way during their careers. I came into IT as an engineer, but added IT as a way to do engineering and have become a moderately IT-literate IT engineer.

‘Some people, who have gone down the pure information technology route have lost their connection with the business. I feel that I, and others that I meet in our business, have a very strong crossover between a business discipline such as engineering or production plus IT.

‘The people who get stuck and find it difficult to progress are people who are more of a single dimension and work in the IT discipline.’

Ade McCormack agreed with Dave.‘I think you are right. We develop a brand

and, particularly if you have gone through a technology path, the chances are that your brand cries out technology and that’s quite difficult to shake off if you want to make it into the boardroom.

‘I don’t think you can mix the brands of being a business leader and a technologist because your brand will always go to the lowest one you exhibit.’

‘A boardroom-bound CIO must arrive with more than just technology management and even information leadership. They need to be multi-skilled if they are going to get a place in the boardroom.

‘We are seeing non-IT people being successful in CIO roles because they can’t understand what their people are talking about so they force their people to talk in a business language, which I think is a good thing.’

Mark Say then brought up another issue that probably doesn’t help CIOs and that is having to respond to day-to-day IT

John Morton from IP3 added: ‘Sometimes there isn’t a CIO in place, but different personas of CIO. Some have been brought to embrace change projects, some have spent the past years running the business. When new business demands growth or being prepared for growth, come to the fore, you need to ask yourself whether you are the right person to drive change in an organisation.’

Dave Wheeldon from Aveva said: ‘As a CTO (chief technology officer) I think I have a good bridging knowledge of how CIOs and CTOs crossover and where IT can enable us for business process change and technology innovation and so on.

‘What I frequently find, when I talk to CIOs, is that they want my opinion about CIO topics. They want my opinions about big data, about cloud computing and social and mobile computing. I don’t give them

Imag

e: iS

tock

daily

/450

2935

17 The discussion started with each person describing what they see as the role of the CIO. Nick Millman from Accenture said: ‘Based on the conversations that I have with CIOs it is often around two aspects. One, how do they set themselves up for success within the organisation and what should the CIO be doing versus what other C-level executives are doing in the organisation.

‘With the digital world those boundaries are blurring more and more, so how do you set yourselves up for success in terms of who is responsible for what?

‘Secondly, with the shift into these new technologies, how do you get the workforce that you need, how do you find the people with the digital needs and experience? How many should you hire in, how many should you train or what do you give to service providers?’

CIOTHE ROLE OF THE

BCS has produced a series of whitepapers on a number of leading IT topics. These include 3D printing, augmented reality and cognitive computing. These are available online now at www.bcs.org/nextwave

BCS Whitepapers

They get too close to technology providers and this means they tend to go towards the IT responsibility rather than the information responsibility.

June 2014 ITNOW 13

INFORMATION SECURITY

12 ITNOW June 2014

buy and sell, and the internet still works. Sometimes individual companies are hacked and the consequences are expensive, but modern business reacts, adapts, and then carries on.

For a very long time, the military has conducted military exercises or wargames as part of its normal training cycle.

These wargames take many forms including: Bohemia Interactive’s Virtual Battle Space (think of a realistic first person shooter, but with hundreds of soldiers as the players); mock battles on Salisbury Plain and straightforward table top exercises. Business cyber wargames are closely related to the latter.

One type of cyber wargame is penetration testing. This consists of testing company IT systems for various technical vulnerabilities, for example, checking for unsecured network

ports, unpatched software or staff failing to follow company polices such as opening dubious email attachments.

Usually the attackers are white hat hackers who work for reputable firms who provide services including mock attacks on a company’s systems.

This sort of testing is invaluable for the technical staff involved in network management, but they are not so useful in preparing the rest of the business.

Another type of cyber wargame is a committee or seminar game. This basically consists of staff sitting around a table discussing the situation and making decisions. Such manual pen and paper exercises are focused on the business, rather than the technical, aspects of attacks.

There are real advantages to such a manual game: it’s immediate, it’s simple,

player’s ideas, the scenario will develop and hopefully, as a result of the player’s choices, the crisis will be mitigated and the facilitator will be able to draw the game to a conclusion.

Step 5: hot wash-upAt the end of the game it is important to capture feedback from those taking part.

Everyone should be encouraged to discuss what they could take from the game into a real world situation. It is important for the facilitator to highlight that

any poor decisions are not the fault of a named individual; they are the fault of the organisation for not providing appropriate training or the result of inadequate company policies.

Final thoughtsGames really work as part of a training package. They can be invaluable mechanisms for helping identify potential weakness in a company’s systems.

Research shows that taking part in such games does increase staff’s long-term awareness of information security. These games also help increase the staff’s chances of making better decisions when faced by the huge pressure of real cyber-attack.

www.bcs.org/security

The first stage is to work out the business aims of the training. Perhaps it is to test staff in handling the loss of business reputation in the aftermath of a publicised hack? It is important to remember that the wargame has to be designed to be played in single room with the participants sitting around a table. A successful game should avoid being over ambitious. It is far better to run a few modest exercises that deliver some benefit that a grander scoped one that does not.

Step 2: prepare the scriptOnce the aims of the training are established, the facilitator can then develop the scenario. Potential questions can include.

Who is attacking? What are their aims? How sophisticated are their methods? Are they persistent? The facilitator needs to develop an idea of how the game will progress.

Normally, each stage of the game consists of a short briefing by the facilitator, perhaps with handouts, and then the players should be have time to make decisions.

Step 3: prior trainingWarning the players of the scope of the game is an excellent way to motivate them to refresh their understanding of company policies on the subject.

Step 4: conduct the gameThe players will assemble on the day and the facilitator will immediately present them with a developing crisis. Under time pressure, they will discuss the potential options open to them and then jointly decide on a course of action.

It is good practice for the facilitator to routinely ask them to justify their response. Depending on the effectiveness of the

it’s immune to the usual problems with technology, and it gets people away from their laptops, tablets, smartphones and everything... and so concentrates on the wargame.

By considering information security and practicing incident management and reporting, the game should generate practical insights into security vulnerabilities that attackers may be able to exploit or it may simply allow staff to rehearse their responses before being potentially faced by a real crises.

Experience shows such games work very well as part of a wider company training package. A modest business cyber wargame can be prepared in only a few weeks and be successfully run within a single morning or afternoon.

Step 1: define the scopedoi:1

0.10

93/i

tnow

/bw

u042

©20

14 T

he B

ritis

h Co

mpu

ter

Soc

iety

The idea of cyber wargames usually conjures up a vision of large numbers of staff faced by a developing crisis shown in glorious multimedia and managed by a huge team of umpires. Whilst such large exercises are necessary for government level wargames, it is quite possible to run an effective business cyber wargame with very modest resources says John Curry.

The harsh reality is that practically every business has been successfully attacked at least once over the last few years and from the perspective of information security the business environment is getting more hostile.

As the requirement for maximum efficiency, productivity and communications drives forward innovation in business computing, each leap forward opens up new potential vulnerabilities.

Organised crime, hactivists groups such as Anonymous and state level actors have been added to the threat landscape.

Faced by these powerful threats, information assurance professionals around the world have responded and, as discussed in the Spring 2014 edition of ITNOW, have been largely successful in keeping the situation manageable.

Banks continue to trade, businesses

By considering information security, practice incident management and reporting, the game should generate practical insights into security vulnerabilities.

PREPARING FOR THE NEXT ATTACK

Imag

e: J

ozef

Dun

aj/9

6083

993

John Curry has edited/written over 50 books on various aspects of wargaming. He is the co-author, with Tim Price MBE, of Dark Guest Training Games for Cyber Warfare: Volume 1: Wargaming Internet Based Attacks.

Author

June 2014 ITNOW 15

INFORMATION SECURITY

14 ITNOW June 2014

uncertainty on objectives’: a definition at once irrefutable and effectively useless, as it’s entirely abstract.

Many attempts to create operationally functional definitions have been made, ranging from the elementary ‘risk=likelihood x consequence’ to quite complex combinations of ‘vulnerability’, ‘threat’, ‘opportunity’, ‘impact’ among other terms, multiplied and summed in various ways.

However, I question whether many of these ostensible mathematical relationships are valid, and whether their parameters are specified in ways that allow mathematical operators to be used at all. How do you multiply (or add) ‘wooden shed’, ‘small boy with box of matches’, ‘pyromaniac tendency’, and ‘value of contents’ to arrive at ‘loss of tools’?

But this is not my only concern. Finding evidence-based or ‘quantitative’ risk decision-making rather hard work, risk practitioners have mostly resorted to

‘qualitative’ methods (a.k.a. guesswork), resulting in a drastic loss of both accuracy and repeatability.

Such sloppy thinking encourages the use of crude risk rankings - ‘high’, ‘medium’, ‘low’ - that make it impossible to distinguish with confidence anything but extreme differences in risk. Furthermore, cross referencing ‘medium impact’ and ‘medium likelihood’ may yield ‘medium risk’ or ‘high risk’, depending solely on my personal preconceptions when I designed the corporate risk matrix.

There’s no demonstrably valid (or even accepted arbitrary) axiom to guide us, so someone else in the same organisation (and even the same role) might create a risk matrix quite different from mine, delivering different answers. These failings combine to cause cultural dynamics (‘office politics’ and personal attitudes to taking gambles) to swamp objectivity.

Unwillingness both to bring bad news and to stick one’s neck out frequently

with confidence. However, before the fact it’s possible

to use the reverse of fault tree analysis - consequence analysis - to map the possible outcomes of coincidences of events. This is not strictly ‘risk assessment’ unless it’s possible to assign probability distributions to the events, but it’s nevertheless a powerful tool for identifying possible adverse outcomes that might otherwise escape identification due to the apparent insignificance of their causal factors when considered individually in isolation.

Such outcomes can then be pre-empted by preventing as many of the causal factors as practicable from acting.

To make reliable risk judgements we must: understand the basic principles of probability, including recognising that statistics don’t describe individual events and knowing when probability theory can’t be usefully applied; completely understand the process or system risk being assessed; have no vested interest in the outcome of the assessment and apply a repeatable standard process that demonstrably yields results that consistently accord with reality.

Sometimes likelihood’s contribution to business exposure must be ignored, particularly when a potential outcome could be catastrophic.

www.bcs.org/security

the coincidence of multiple independent events. Some of these events, individually or in concert, may trigger dependent intermediate events, forming chains of causality. The ultimate result may sometimes be a single outcome, or there may be multiple alternative or simultaneous outcomes. Each event has a likelihood of occurring at the required point in the mesh of causality, depending not only on its intrinsic properties but also on the properties of any other events that contribute to it.

Furthermore, some events are binary (they happen or they don’t) and some have multiple discrete effects, but the effect of many events varies over a range, and not necessarily in an intuitively determinable way.

The probability of each possible outcome is a function of the aggregate of probabilities of all the events in all the contributory chains of causality, so

clearly there is usually a range of possible outcomes and consequences. Such ranges of possibility are ‘probability distributions’.

Although they can be highly informative, they are almost universally ignored in the sphere of information risk management, partly because they are hard to define for some of the events we deal with, but mainly because most practitioners don’t even know they exist.

That said, events driven by human decisions - including most cyber attacks - tend not to have constant probability distributions over time. This is why trying to deduce future exposure from past information breaches is so uncertain.

Although fault tree analysis is a widely adopted technique for finding causes after the fact, because we often don’t know the probability distributions of the contributory factors at the time of the incident it’s often impossible to recreate its causal matrix

leads to most risks being ranked ‘medium’, so we don’t make much progress in prioritising our risk treatment, even supposing our criteria were trustworthy in the first place.

Considering the large number of entries in a realistic corporate risk register, granularity is essential - there’s no real hope of prioritising the treatment of 649 ‘medium risks’. And ultimately, that’s what corporate risk management is about: not arriving at absolute values of risk as an intellectual exercise, but working out the optimum priorities when allocating a limited protection budget.

These failings (ill-defined formulae, low resolution poorly quantified ‘risk scales’ and uncontrolled or biased guesswork) contribute significantly to what are often essentially meaningless risk decisions. However, their malign influences are usually dwarfed by an

overriding conceptual error. Corporate risk assessments commonly assume a single cause leads to a single outcome with a single (if vaguely expressed) likelihood and consequence. Unfortunately, the real world ain’t quite like that.

This has frequently been ignored, even in life-critical arenas. For example, a coincidence of one ‘medium risk’ and two ‘low risk’ independent events is unlikely to be considered a high risk, even supposing we know what low, medium and high mean in the first place. But those were the assumed risks of the three most significant causal factors of the NASA Challenger accident3 (reduced rocket segment ‘O’ ring resilience at low temperatures, distorted re-usable rocket segments, leaks in segment joint insulating putty).

Most adverse incidents (and indeed many business opportunities) result from do

i:10.

1093

/itn

ow/b

wu0

43 ©

2014

The

Bri

tish

Com

pute

r S

ocie

ty

In addition to Donald Rumsfeld’s much quoted ‘known unknowns’ and ‘unknown unknowns’ there’s another class of misapprehension that he failed to recognise - things you’re convinced of that happen to be wrong (in his case, WMD). For many of us in corporate information assurance, the real nature of risk is in this category. We all perform what we believe to be ‘risk assessments’, but Mike Barwise asks, are they really any good?

Fortunately (or for me as a methodologist - unfortunately), information breaches are quite rare so the majority of our risk assessments never get tested. If they did, I suspect they would exhibit a long-term success rate approaching 50 per cent.

That makes them about as useful as tossing a coin - not because we’re stupid, but because we’re simultaneously largely uninformed, and widely misinformed by ‘experts’, about the true nature of risk.

So what is risk? Many supposedly authoritative sources refer to events or outcomes as risks, whereas risk is actually an attribute of an event: a measure of its probable consequence. Nevertheless 95 per cent of risk professionals responding to a survey in 20011 agreed that ‘a risk’ is an event.

Having defined risk, let’s consider how to quantify it. We might hope to be guided here by standards, but the ISO Guide 732 definition that has influenced almost all other risk-related standards is ‘effect of

Unwillingness both to bring bad news and to stick one’s neck out frequently leads to most risks being ranked ‘medium’.

WHAT IS RISK?

Imag

e: In

gram

Pub

lishi

ng/1

2239

9113

1. Hillson, D. What is ‘Risk’? Results from a Survey Exploring Definitions.www.risk-doctor.com/pdf-files/def0202.pdf2. ISO Risk management - Vocabulary, 20093. Report of the Presidential Commission on the Space Shuttle Challenger Accident, Chapter IV: The Cause of the Accidenthttp://history.nasa.gov/rogersrep/v1ch4.htm (section 70: Findings)

References

June 2014 ITNOW 17

HEALTH INFORMATICS

16 ITNOW June 2014

During his introductory plenary of the second day of the conference, Professor Haslam, Chair of NICE, said: ‘It’s astonishing that despite the fact that GPs have had computers for twenty five years, the rest of the NHS hasn’t yet caught up with them and, in some cases, are still using paper-based systems!’

In fact according to Kingsley Manning, Chair of Health and Social Care Information Centre (HSCIC), in a recent audit carried out by his office it was found that 80 per cent of all records were written by hand before they were retyped into a PC. Hence, it’s understandable that the recent Francis Report1 found that there was not enough good, reliable information available.

With calls for a more joined-up approach to sharing data and making available data more accessible to interested parties, NHS England rolled out their ambitious care.data programme

with the intention of collecting together as much data about NHS patients as possible to be used in… Well, that’s the main problem for most the scheme’s many detractors; there are just too many unanswered questions at the moment for the public and many clinicians to be happy to get behind the programme.

According to Geriant Lewis, Chief Data Officer from NHS England, ‘Across the country there’s a lot of data missing. For example, there’s no information about in-hospital prescribing, investigations, obscurities or about care outside of hospital, and no information about social care.’

Lewis seems to think we can’t currently answer questions such as:

• How many patients in England received chemo last year?

• What proportion of patients in a

of safeguards in place for dealing with this sort of data. All identity and access governance (IAG) will be overseen by the HSCIC.

Identifiable data is flagged as being ‘red’, potentially identifiable data as ‘amber’ and unidentifiable data is coded as ‘green’. The Consumer Action Group (CAG) will oversee the movement of red data, the use of which will be decided by the Data Access Advisory Group (DAAG).

According to Lewis, patients will be able to access their own ‘red’ data and some universities and research establishments will be able to access ‘amber’ data. In some cases ‘green’ data will be published, at cost price.

Apparently patients can halt the flow of data at any point, if they object to its transfer, although how will they know that a) their data is being used and b) for what purpose, is harder to say. Will the NHS phone us up before they plan on doing anything with our data?

The take home message from these discussions on the subject of care.data and with regard to data sharing in general seemed to be that whatever the NHS does in this space, it needs to be as transparent as possible and actually engage more with both patients and their GPs otherwise there will continue to be very limited support for this programme going forward.

Dr Ian Herbert FBCS Health, perhaps summed it up best when he said that ‘an extended and ongoing conversation about the whole data sharing conundrum needs to be had and in a transparent way.’

www.bcs.org/health

appreciates that data sharing can be a good thing (and history has shown this to be the case), but no one agrees on exactly how it should be done and what the parameters will be.

According to Tim Carter, the negative reaction to the care.data programme has ‘led the health service to try to understand what it is that people really want, take that on board and then explain how it’s going to take care of people’s data, all the while being realistic about the risks.’

It’s a fact that the Francis Report has driven the NHS to collect more data and Geriant Lewis briefed the conference saying: ‘The initial consultation revolved around what information was currently held by the health service and how easy it was to collect it.’ He then went on to say that ‘the updated consultation themes are focusing on:

• resourcing;• timescales;• the variety in provider capacity;• data entry and the point of care;• responsibility for datasets;• clarity of benefits.

It appears that NHS England is currently examining the barriers getting to patient data, its safety, assessing data that’s easiest to obtain (probably drug charts and patient movement from ward to ward), and looking at which data it already has access to.

The key objection to data sharing appears, understandably, to be data security. With this fact in mind NHS England has categorised data into three types, namely: non-identifiable, potentially identifiable and identifiable data and awarded them with a traffic light colour coding system.

Identifiable data is strictly controlled by the law and includes information such as a person’s date of birth or their postcode. Potentially identifiable data contains a unique pseudonym for each person and there are a wide-ranging number

particular hospital, were reviewed by a consultant, at least once a day?

• The average time a GP took to diagnose bowel problems.

• The proportion of patients on a ward who had a highly abnormal diagnosis.

Hence NHS England thinks the care.data programme will be able to help address some of these issues once the NHS has a more structured data sharing culture.

Dr Peter Flynn, Director of the care.data programme, stated that the programme’s initial priorities would include the expansion of GP and hospital data and to increase the information storage capacity at the HSCIC.

However, despite reassurances from NHS England regarding the care.data information gathering programme, stating that ‘the information would only be used benignly and that all information about patients would be stored in a secure way’, the general public and many clinicians have not bought into the idea, resulting in the programme being put on hold for six months while NHS England rethink their approach and try to bring us all on board as enthusiastic stakeholders.

According to Tim Carter, Communications & Awareness Lead, NHS England, the care.data programme ‘has been put on hold for six months in order for a more comprehensive consultation to occur with all the various stakeholders.

‘The care.data leaflet drop was seen by some as a failure and the NHS was accused of just talking a bit louder rather than actually engaging with people. In fact the noise became so loud that stakeholders were soon asking: “what is the NHS really doing?” This then led to various newspapers creating a furore over “what the NHS is doing with our data.”’

It became quickly apparent at the various plenaries and discussion groups that the next six months can’t just be about awareness-raising for the programme, it has to be more substantial. Everyone do

i:10.

1093

/itn

ow/b

wu0

52 ©

2014

The

Bri

tish

Com

pute

r S

ocie

ty

With a medically-orientated menagerie of clinicians, health informaticians and software suppliers meeting at HC2014, it wasn’t long before BCS Health Editor, Justin Richards MBCS, realised what was foremost on almost everyone’s mind, namely care.data.

SHARE

Imag

e: d

olga

chov

/457

7757

97

1 http://www.health.org.uk/areas-of-work/francis-inquiry/about-the-francis-inquiry/www.england.nhs.uk/[email protected]

Reference and useful info

OR NOT TOTO

June 2014 ITNOW 19

COMPUTER ARTS

18 ITNOW June 2014

I had the great pleasure recently to spend the afternoon with this month’s artist Barbara Nessim, a pioneer in digital art and illustration; it was fascinating to hear first-hand about her career spanning six decades.

She was one of the first prominent (non-fashion) female illustrators working in the industry and has also seen major changes in computer graphics. Now a significant body of her work has been donated to the Victoria & Albert Museum, where it was exhibited in 2013 accompanied by the (highly recommended) monograph Barbara Nessim: An Artful Life.

In the 1950s it was rare for women (especially single women) to have a career in the arts, outside perhaps of teaching, the norm being to marry. However for Barbara work and the ability to support herself financially was important, believing that she wouldn’t be able to find her true self if she married.

Commercial illustration allowed her to continue her painting and fine art. She tells me, ‘I don’t understand the snobbishness associated with illustration.’ In fact she only knows of one other woman, Lorraine Fox, in the 1950s, but by the 1960s the field had opened up to women somewhat more.

A life-long New Yorker, Barbara’s work often reflects the energy of that city and the goings-on of its hip inhabitants including her fellow artists, among them Zandra Rhodes and Richard Avedon, who she has collaborated with.

Her work has a focus on women and gender roles; she’s interested in exploring the relationships between women, men and women and women and the world including social norms and ‘rules’ for women - how you are supposed to act, to look, and so on.

From the 1970s she was producing strong graphics and illustration for famous magazines such as Time, Vogue, Rolling Stone (including a famous John Lennon

remembered cover in 1988), Harpers, New York Times and many others.

From the first, sketchbooks became an essential part of her practice. These she carries wherever she goes and are the well-spring of her creative energy - she tells me, ‘it all starts here.’ As she explained these are unlike commercial jobs that come with specific constraints: - the brief, the art director, his boss, the story, ultimately the public, all of these have to work together and as Barbara points out, ‘you do have to please yourself within that framework too.’

The production of sketchbooks allowed her to ‘still keep my own self and produce work for other people.’

The drawings, paintings and collages within these sketchbooks are diverse in style and subject matter but are characterised by a graceful, flowing line. Looking through these beautiful books it is clear what an inspiration they must be, reflecting aspects of daily life in NYC or concerns at a particular time or an image that catches her eye. (A selection is reproduced in An Artful Life and they are also available to print on demand.)

Of her unique style she says, ‘I didn’t look for a style, it just found me.’ She is keen to point out however that her vibrant, colourful and life-affirming women are not psychedelic, as is sometimes described in the press.

Her reputation as an artist was such that in 1980 MIT called with an offer to come and work on its computers. Although at that time she was unable to take the necessary time off teaching and other commitments, the possibility of making art on the computer intrigued her and she set out to find a computer at home in NYC.

Barbara recalls, ‘At that moment, I knew that computers were a radically important shift from the norm, which would be life-altering and completely change the way we were all working and doing things. Instinctively people don’t like change. It took

didn’t know how to use a computer, or didn’t want to accept them, you were out of a job.’

Throughout this early period she had to invent ways of exhibiting and displaying this new type of art, as there wasn’t a norm already in place to follow. The longevity of the work and its durability and permanence for the future has always been an important concern.

To this end the artist developed her own methods to ensure the archival qualities of her work. This involved the use of gatorfoam board (for its strength) and then wrapping the board in rice paper before hanging with attached magnetic strips. She would also Xerox images before hand-colouring them with pastel, as, again, she knew this method would last.

Our image this month shows the artist in front of her work ‘A Current Past’ at the Condé Nast building in NYC, 2010 where she held a three month show. This very large work - 28x12 feet - occupies the 3rd and 4th floors on the Eventi Hotel in NYC (30th St and 6th Ave.). It is the centrepiece of the complete 13 artwork commission called ‘Chronicles of Beauty’, all of which are digitally printed on brushed aluminium and demonstrate Barbara’s digital collage technique of using found images with hand drawn elements to explore historic and contemporary notions of femininity.

more than 20 long years for it to mature and for people not to consider it a fad.’

Eventually she was able to access systems at Time Life, becoming artist in residence at the newly formed Time Video Information Services in 1982. Here she used a Norpak IPS-2 (a Canadian invention) used by Time for games and television graphics. Barbara recalled that the console looked like a big desk and describes working on it as ‘a challenge’; she had only six primitive shapes: an arc, circle, dot, rectangle, polygon and a line that could be defined and used to draw.

Further, the system did not allow mistakes to be erased, you had to start all over again.

Output consisted of a Polaroid or a 35mm slide. As is typical of many pioneering artists using state of the art computing at this time, Barbara was allowed access to the machines after hours so she worked from 5pm to 9pm.

In fact her love of the arc command earned her the nickname ‘arc-angel’ in the office. She worked at Time for about a year or so before the office was shut-down and was the only artist to use this system there to create a body of work. (See a 1984 video made the last night of her residency documenting her work)

Her very first computer works appeared in a four-page spread in the German publication Frankfurter Allgemeine Magazin (1984). Another early work, a portrait of the head of the statue of liberty - Ode to the Statue of Liberty, (1986) is now in the collection of the V&A.

In 1991 she was hired as the Chair in the Illustration Department at Parsons the New School for Design and during her 12 years there was responsible for bringing computers into the studios and overhauling the curriculum, with the result that her popular course became the genesis of the Digital Design Department. As Barbara says ‘the digital shift had happened.’ By the mid-1990s, ‘If you do

i:10.

1093

/itn

ow/b

wu0

57 ©

2014

The

Bri

tish

Com

pute

r S

ocie

ty

Catherine Mason MBCS is the author of A Computer in the Art Room: the origins of British computer arts 1950-80.For more information on the computer arts please see the Computer Arts Specialist Group website: www.computer-arts-society.com

More on this month’s artist: www.barbaranessim.com

Credit: Barbara Nessim, ‘A Current Past’, from the ‘Chronicles of Beauty’ series, digital painting on brushed aluminium, installed EVENTI hotel NYC, 28 x 12 ft, 2010.Copyright the artist, reproduced with permission.

LIFEANARTFUL

ITNOW June 201420

LEFT OF THE INSIDE BACK COVERdo

i:10.

1093

/itn

ow/b

wu0

61 ©

2014

The

Bri

tish

Com

pute

r S

ocie

ty

DAYS PAST 1984Because the last couple of columns here at the left of the inside back cover have looked with a sardonic eye at some of the sexism in 50-year-old Computer Bulletins I thought we would go back just the 30 years this time...what will I find? asks Brian Runciman MBCS.

Let’s skate over the proliferation of Norman Tebbit mentions - he was guest of honour at the 1984 AGM and the annual dinner and go straight for an interesting little piece of computing history.

RS-232 interface leadThe issue has an obituary for Dennis Victor Blake, drawing particular attention to his work in networking. He came up, with colleague Derek Barber, with an interface that the magazine calls ‘analagous to a three-pin plug.’ This led on to being involved in the British Standard Interface BS4421, with these principles later appearing in the still-in-use RS-232, which was version 24 of BS4421.

That’s a pretty big contribution. As the article reports: ‘The real impact of the pioneering work of Dennis is that we expect “alien” devices to communicate and to have a general purpose interface or connection.’

An expectation that we still very much have of course.

And this wouldn’t be complete without

a mention of the classic Spitting Image sketch from around the same time: www.youtube.com/watch?v=CDlj0jBtYmQ

It depicts a paean to the RS-232 lead with ‘songs’ from the likes of Status Quo, David Bowie and Dolly Parton. Also the ‘fat lady’ sings in a spoof Tosca opera that the eponymous lead ‘hasn’t solved my local networking problems, so I’m going to kill myself.’

The arts in the late 20th centuryHere’s something editorially interesting: even in 1984 we had a computer arts column.

Our current computer arts pieces, which appear monthly on the website, with an occasional piece in ITNOW, are very popular. We have even got some well-known names to contribute: David Hockney www.bcs.org/content/conWebDoc/43630 and Grayson Perry www.bcs.org/content/conWebDoc/42643

In 1984 this was not such a high profile area, but we still had a two-page spread from John Lansdown: Portrait of the artist as a bug.

This article explored the concept of art arising from errors. John shows a shell-like spiral which, when requiring a perspective view grew legs to become, in a John’s words, ‘a self-portrait of a (computer) bug, if ever I saw one.’

He goes on to talk about a 1981

Reproduced from the excellent xkcd.com

Preliminary Report on the Japanese Fifth-Generation Project. He was impressed not just by the technical matters being discussed but by the ‘social requirements expected of computers in the 1990s.’

They included increasing productivity in various fields with the goal of reducing social imbalances; energy saving schemes to use the world’s finite resources more effectively; developing streamlined medical and other related systems to help address the aging population issue; and working toward international cooperation by exploiting Japan’s highly educated workforce.

Interesting goals for the 1990s, some of which may need a bit more work even in 2014...

What of the sexism in 1984?Well I suppose I must admit to a tiny twinge of disappointment. No dreadfully portrayed female secretaries or tactless gender implications anywhere that I could see.

The only thing may be a design issue. ITNOW sometimes gets criticism for its pictures - particularly when they are big - But March 1984 Computer Bulletin just went with a lot of small pictures of chaps (all chaps) with unkempt facial hair...no stereotypes there!

Find out more at: www.engc.org.uk/ieng

EngineerAM AN

Incorporated Engineer (IEng) professional registration not only recognises yourproven commitment, skills and experience, but also identifi es to employers that you have the competences, expertise and work ethics that they value.

Do you have the talent to apply technology in a practical and creative way? Do you see yourself working in an engineering role where on a daily basis it is your skills and know-how that ensure success? If the answer to both is yes, then why not get your professionalism recognised by gaining the letters IEng after your name?

Nothing says professional like letters after your name

Why wait when you could be one step closer to becoming IEng TODAY?

Becoming registered as IEng:

■ Demonstrates that you are a professional ■ Can improve your career prospects and earning potential ■ Provides high status and self esteem ■ Gives you an internationally recognised qualifi cation

Find out more at: www.bcs.org/ieng or call +44 (0) 1793 417 424

IEng_ad_fp_itnow_ma.indd 1 01/08/2011 10:38

Further your career with BCS business analysis certification

Wherever you are in your BA journey, we’ll help you develop your capabilities and confirm your position as a vital catalyst for business change.

bcs.org/businessanalysis

BC8

09 /L

D/A

D/0

514

© BCS, The Chartered Institute for IT, is the business name of The British Computer Society (Registered charity no. 292786) 2014

Lasting change.Starting now.

BC809_ld_ad_BA_itnow_fp_ma.qxp 12/05/2014 16:15 Page 1