Thursday, March 30

Extending single sign-on with federated identity
by Toby Ward on Thu 30 Mar 2006 08:12 PM PST
After the ubiquitous employee complaint about not being able to find anything on the corporate intranet, one of the next most common complaints is about passwords. “There’s too many passwords to remember!”
Of course, more important than satisfying the lazy memories of employees is your organization’s security – particularly the authentication of any user’s identity. The organization must ensure that bad guys are not impersonating employees.
The promise of Single Sign-On (SSO) for all of an organization’s applications – one login, one password – is something that makes logistical and economic sense. Federated identity extends SSO one step further by integrating passwords across enterprises to include access to partner or vendor sites (for example, an external vendor site where you order office supplies online).
Of course, as Patrick Thibodeau writes in Hidden challenges of federated identity, the biggest challenge for federated identity is one of politics and governance.
“For example, federating systems for employee portals raises questions about who owns the data associated with various identities and who has the final say when the data doesn't agree. Ownership issues aren't limited to external partners; federations between the HR and finance divisions of a single company can sometimes be the most acrimonious.”
Organizational politics: perhaps the biggest drag on corporate productivity, and without question the number one corporate problem limiting the evolution and value of the corporate intranet.
To effectively establish governance to combat the political challenge, Thibodeau stresses the four main components of a proper governance model:
- business issues (who does what, who pays, revenue-sharing, etc.)
- liability (auditability and mitigating risk)
- privacy (use and controls for personal information)
- security
RELATED READING:
Federated Identity: Single Sign-On Among Enterprises
Assessing your security risk
Best practices: securing your intranet
Securing your intranet from the inside
© 2006 Toby Ward - Prescient Digital Media
Wednesday, March 29

Intranet case study: Atomic Energy Employee Portal
by Toby Ward on Wed 29 Mar 2006 11:24 PM PST
Troubled intranets often share many of the same characteristic problems:
- No defined ownership
- No content standards and policies
- Site proliferation and ‘sprawl’
- Poor usability and navigability (“I can’t find anything!”)
- Low use and employee up-take
This was the case with Atomic Energy of Canada Ltd. (AECL, makers of CANDU nuclear reactors) when I started to work with them two years ago. This case study was presented today at the 2006 Information Highways conference in Toronto. “Turning the dream into reality: Harnessing people power to create a high productivity intranet” was a joint presentation with my colleague and client Andre Robillard, CIO for Atomic Energy of Canada Ltd.
A little more than two years ago when AECL started down the road to implementing a new intranet portal, the Canadian crown corporation was saddled with a number of challenges:
- Ongoing news and information not communicated in a timely and consistent fashion
- Business objectives and priorities not clearly communicated
- Absence of a Communication plan
- Too much reliance on email bulletins for communications
- Senior management not taking responsibility for communication
- Employee Intranet not effective:
  - No governance or control
  - No consistent look and feel
  - Information not current or useful
  - Publishing requires technical skills
  - Difficult to find information
The old AECL intranet:


To address these challenges AECL hired Prescient Digital Media to develop an integrated communications strategy that addressed email communications, people and manager communications, and the intranet. Specifically, the process included the creation of a new intranet plan with a number of key priorities:
- Develop and formalize a governance model
- Develop an intranet editorial policy
- Hire an Editor-In-Chief
- Develop a standardization policy that enforces intranet standards and limits individual intranet development
- Develop an email “Acceptable Use” policy
- Eliminate all stand-alone sites by consolidating them under a single intranet portal with a single navigation schema.
- Design a new “look & feel” that supports the AECL brand and communication needs.
- Deploy a full database content management platform and full employee self-service and online form submission
The process moved from planning to the technology selection (driven by an aggressive RFP that had a number of vendors work for the business) and an implementation of about 2.5 months of a new content management system/portal product (IronPoint).
New intranet portal: myAECL

Though launching a new intranet portal is all well and dandy, the work does not stop there. AECL still had a number of key issues to address in the months following the launch:
- Hiring and orienting a new Editor-in-Chief
- Developing daily news articles
- Setting up efficient content processes
- Migrating old environment to new
- Changing Behaviors
- Training content providers to use new tool
- Evolving Formatting standards and guidelines
Andre Robillard shared some of the key lessons learned in redesigning an intranet and implementing a new portal with new processes and standards. He has a number of recommendations for any organization attempting the same:
- Clearly define the communication problems in your organization
- Assess where you are today by polling staff
- Create a new communication plan based on best practices, employee feedback, and company needs
- Get executive approval of new internal communication plan
- Create a new Intranet design that provides staff with an easy-to-use tool, plus satisfies the communication plan
- Issue an RFP
- Implement using the 80/20 rule
- Use a vendor that does this for a living
By the way, have you noticed that the CIO keeps focusing on and talking about “communications” and not the technology?
CIO Robillard understands the driver is communications and customer service, and that the intranet portal is more than just a technology solution; it’s a business system to support the business. As CIO he’s just one of several owners on a governance council that also includes representatives from Communications, HR and Customer Service. I’d like to see more IT organizations like Robillard’s that are less concerned with ownership and more concerned with business results.
If you have a question about this case study – whether it’s related to process, content, technology, people, planning, etc. – feel free to post your question or comment below and I’ll get back to you shortly thereafter.

Sushi and workflow
by Toby Ward on Wed 29 Mar 2006 03:42 AM PST
It’s been a hectic past couple of weeks juggling travel, clients, baby, blogging, etc. – with the latter suffering the most.
I had an interesting dinner with James Robertson of Step Two who was in Vancouver for the IA Summit. Over sushi and other nibbles at the Blue Water Café we discussed and debated the process for determining client organizational requirements for content management, and specifically workflow.
James isn’t a fan of surveys or focus groups. So, we agreed to disagree. But James has developed a very interesting process for working with a client to document and prioritize an organization’s requirements for implementing a content management system. You’ll have to hire him to learn the full details but it involves locking the organization in a room for a full day or two and using cards (representing each functional requirement for a CMS, for example, workflow) and using glass beads to mark or ‘weight’ each of the top requirements (a few dozen in all).
The spicy tuna roll was most agreeable and so too was our joint conclusion of CMS workflow: everyone wants workflow, but almost no one uses it. With rare exception, most content is controlled by very few who use offline systems such as email to solicit and garner content approvals and edits – rendering built-in CMS workflow as redundant and often unnecessary.
“Somehow we need to spread the word that the "accepted wisdom" around workflow is wrong, and that new approaches must be innovated” says Robertson (see Workflow: we have a problem). “Workflow does, of course, work in certain circumstances. Where there is a well-defined, consistent and repeatable business processes, workflow rules can be used to automate them. This is the exception, however, with few (if any) editorial processes working this way for general web content.”
In my personal experience, the top priority of most CMS publishers is a true WYSIWYG editor. Everyone promises and advertises a simple, user-friendly editor, but very, very few actually deliver. Of particular priority is a very simple, if not automatic, feature that strips out all MS-Word code (or cleans tags) and a simple-to-use syndication manager that allows the content manager to publish one piece of content in multiple places.
If you’re tighter on money than time, Step Two has a handy do-it-yourself Content Management Requirements Toolkit for aiding in the selection and implementation of a CMS.
--
I'm presently back in Toronto speaking this morning at the 2006 Information Highways conference. I'm co-presenting a client intranet case study, “Turning the dream into reality: Harnessing people power to create a high productivity intranet”, with Andre Robillard, CIO for Atomic Energy of Canada Ltd. (makers of CANDU nuclear reactors). Their intranet has come a long way since I first started working with them two years ago... tomorrow I'll provide the detailed highlights of a troubled intranet turned high-powered employee portal.
Thursday, March 23

Best practices: securing your intranet
by Toby Ward on Thu 23 Mar 2006 02:22 AM PST
Did you know there is software that you can download for free that can crack a password-protected network in less than 5 seconds? Or that your website can be copied and replicated with a simple click of a mouse? What has your organization done to secure the intranet and the network?
Security – it’s perhaps the top issue on the minds of network administrators. It is rarely, though, on the minds of those managing the content in communications, marketing and human resources – but it should be.
Of the 556 executives interviewed in a recent Fusepoint/Sun Microsystems/Leger Marketing survey, 55% say that their confidential and private data is at risk of an attack. For good reason: your intranet is open to attack and requires security measures. Attacks happen every day.
GeoTrust’s Best Practices For Securing Your Enterprise prioritizes their “Top 10” recommended security practices for “building online trust both inside and outside your enterprise.” They admit that these are not comprehensive guidelines, but are focused on the most critical areas you need to address at your organization, including:
- running SSL on servers
- supplying client side SSL certificates to employees
- establishing solid policies and procedures for security
- embracing paperless transactions
- physical network security including firewalls
- building a secure PKI system
- creating a testing environment
What’s the most important thing?
“The simplest but most powerful thing of all – ensure every security patch for all operating systems and applications is applied on all systems as soon as they come out. Hackers know well the vulnerabilities of Microsoft’s Internet Information System Web Servers and seek sites running them as easy targets. Patches that make IIS not vulnerable have been freely available for years and yet over 30 percent of IIS systems on the public web are not up to date. This one is worth repeating: apply all security patches immediately.”
RELATED READING:
Overview of an Intranet Security System
Monday, March 20

The Intranet Review Toolkit
by Toby Ward on Mon 20 Mar 2006 11:51 PM PST
Why would I, as an intranet consultant and the owner of a firm specializing in intranet consulting, try to dissuade you from hiring said consultant? Well, it’s still ski season here in Vancouver and there’s epic ‘pow’ at Whistler this year… combined with an intense sleep deficit wrought by a newborn baby at home (who likes to eat A LOT past midnight)!
No, in reality, I want to spend more time studying all of the subtle nuances and politics in this particular Survivor series… No seriously, there are two good reasons (and a whack of lesser reasons) why you would not hire a consultant:
1- Limited budget
2- “Knowledge is power”
Knowing what makes a powerful intranet and putting that knowledge to practice should be a requisite of any intranet or portal manager.
Australia-based Step Two Designs has released version 1.1 of The Intranet Review Toolkit. The toolkit is free and it’s designed to empower intranet managers with a comprehensive set of heuristics (guidelines) for evaluating an intranet.
Coinciding with this release, a new home for the Intranet Review Toolkit – released under a Creative Commons license – has been established at:
www.IntranetReviewToolkit.org
This site provides a central clearinghouse for resources related to intranets, including:
- The latest version of the Intranet Review Toolkit
- A commentary on the heuristics in the Toolkit, along with links to supporting resources, reports and books
- A simple mechanism for providing feedback or suggestions
Step Two Designs, one of the lead authors of the Review Toolkit, has high hopes for the toolkit. “This will hopefully grow into a definitive resource for intranet teams, going beyond just explaining and supporting the Toolkit,” says James Robertson, one of the lead authors and Managing Director of Step Two.
This is a resource that every intranet team should download, to get a "health check" for their intranet. Comments and suggestions should then be posted on the site, to help the team at Step Two further grow the resource.

The lost meaning of knowledge management
by Toby Ward on Mon 20 Mar 2006 02:23 AM PST
Knowledge management is a funny subject – it’s such a hot buzzword and yet it’s rare to read anything meaningful on the subject. In fact, most managers and executives are under the illusion that KM is something that can be purchased from a vendor.
I’ve not done a study on this but I’ll wager $1000 that if you were to ask 10 executives to define KM, 9 of 10 would make some reference to a plug-and-play solution.
I know this is old hat for some of you, but let’s redefine KM. Of course, depending on the vendor, there are also varying definitions, but I define KM as how corporate knowledge – both tacit and explicit – is stored, retrieved and reused for achieving corporate objectives. Notice there is no direct reference to technology.
Effective knowledge management requires three key components:
- Participatory individuals – employees who are willing, able and active sharers of tacit knowledge.
- Process and rules – defined rules and standards (e.g. corporate taxonomy) for categorizing and storing information and knowledge.
- Technology – physical infrastructure including software that enables the above and allows for effective knowledge retrieval.
A recent article It's what you know and how you use it in the Sydney Morning Herald takes a look at KM placing an importance on business and process…
“And while technology plays a supporting rather than lead role in knowledge management, it is also providing ASIC with a method of measuring the effect of its knowledge management initiatives. Ms Sbarcea has implemented an open source social network analysis system which "visualises in a map the connections and pathways between people".”
There are many, many tools and systems that fall under the KM umbrella – from search to social media such as blogs and wikis to content and document management. The future of KM may in fact be glimpsed by looking at Google. In a recent ZDNet article, Google dodges knowledge management question, Andrew Donoghue writes that Google is extremely well positioned to be a major player in the KM space but, as is typical of Google, is sufficiently vague about its plans.
Google has hinted that it could create an extremely powerful corporate knowledge management or information management platform by integrating products such as its search appliances with its other search and communications applications.
Speaking at the launch of Google’s latest Mini search appliance on Thursday, product marketing manager Arvind Desikan admitted that integrating different Google enterprise-class search technologies together, such as the Enterprise Desktop Search and Google Enterprise Toolbar, would benefit business customers. "The more things we have integrated, the more useful it will be," he said.
Personally, I think KM is still in its infancy. So don’t despair if you find the subject matter confusing and daunting. It is confusing – and daunting. I’d watch Google closely as I also would watch Autonomy and Microsoft. In the meantime, focus on people and process. Build a strong, central intranet portal with an intuitive information architecture and a powerful search engine supported by well-defined and rigorous rules and policies including a corporate taxonomy.
RELATED ITEMS:
No silver bullet for Knowledge Management

Phishing the U.S. Navy Marine Corps Intranet
by Toby Ward on Mon 20 Mar 2006 12:49 AM PST
Those scam artists are getting bold. The ROI from the Nigerian and Cameroon email scams is no longer the bounty it once was, despite the compelling and well-written tales of woe and potential riches. Fool me once shame on me. Fool me twice… well Bush got re-elected so it’s no surprise phishing works; even in the U.S. military.
Phishing of course is the rarified art of fraudulently obtaining an Internet user’s personal information – such as banking information – for criminal gain. The famous ones are of course the aforementioned Nigerian and Cameroon scams where the son of a former head of the national bank needs just a little cash to free up $10 million just sitting in some bank corner and waiting for your little ante. Of course, your little ante is worth at least a million or more if you’re willing to back this get-rich-quick plan of a most noble Nigerian aristocrat. God bless that they could find your e-mail address to let you know of this fabulous opportunity! Hey if they can find $10 million…maybe they know where to find all my lost socks from the dryer…??!!?
The big dog phishers have strapped on a big set of brass you-know-whats and are now phishing U.S. Navy and Marine Corps soldiers and civilians using the world’s biggest intranet – the Navy Marine Corps Intranet (NMCI).
NMCI headquarters has warned Navy and Marine Corps intranet users of a scam involving the myPay website, run by the Defense Finance and Accounting Service (DFAS). DFAS are the very small, naive and easily conned group who pay military people and contractors – more than 20 million of them – more than US $530 billion every year. Small fry.
NavyCompass.com reports (see Phishers scamming with myPay) that NMCI users get emails that resemble something like the following:
"Hello user of navy.mil email server, our main mailing server will be temporary unavailable for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding server. For details see the attach. Password: Kind regards, the Navy.mil team. http:/www.navy.mil."
Hmmmm, misspelled words, bad grammar, and no sender name – an uncannily lame attempt altogether. Yup, these must be those poor sons of former Nigerian dictators! Man, the cojones to go after the U.S. Military… but I can see the leap in logic: “Hey, remember those grandmas we scammed with that Nigerian bank thing!?! Let’s try the U.S. Navy AND Marine Corps!! Man, those guys are so gullible!!”
Despite the eloquent prose waxing poetic contained in the phish email, the Navy has issued a warning (in case these people were born yesterday or within a few weeks of yesterday):
“NMCI Users who get emails or popups requesting personal information for "legitimate" reasons should contact the agency directly if they suspect they're being targeted by phishers. Supervisors should train new workers on typical scams, and advise the chain of command and NMCI if repeated attempts are being made to infiltrate DOD information systems and obtain sensitive information.”
If these great criminal minds are phishing the U.S. military, it’s for a reason – because it’s working. Sadly, but likely true. Now, if these klowns (no relation to Krusty) are duping soldiers who are normally kind of cautious folks, then they can fool your employees too. Better make sure your security policies are up-to-date, well-publicized and communicated often.
RELATED ITEMS:
World’s Biggest Intranet
Assessing your security risk
Securing your intranet from the inside
Thursday, March 16

Learning to the beats of iPod
by Toby Ward on Thu 16 Mar 2006 10:44 PM PST
Twisted Sister. P. Diddy. Professor Finklestein. Yes, your kids will soon be slamming and jamming to their professor’s latest lecture, campus events, even the campus magazine program -- downloaded from the campus intranet.
The Ross School of Business at the University of Michigan has sold out to Apple and will offer free access to events, seminars and news content (Ross School of Business partners with Apple iTunes).
The partnership will allow users to download audio content to their Mac or PC and transfer the information to their iPod or MP3 player. Other schools have launched podcast (digital audio recordings) efforts on a smaller scale, including lectures and interviews.
The podcasts will be accessible to business school community members with an iMpact intranet login. Four podcast channels, including content related to the school's Center for Positive Organizational Scholarship, alumni magazine and student-run newspaper and the U-M's William Davidson Institute, will reside on the Apple iTunes U Web site, which uses the same technology as the iTunes Music Store.
The School of Dentistry was the first at U-M to offer the application, and has been providing podcasting to its students since September 2005. In addition, the U-M School of Music's Block M Records label licenses its content to Apple for distribution through the iTunes Music Store.
Saturday, March 11

When to use what research tools
by Toby Ward on Sat 11 Mar 2006 11:11 AM PST
Intranet managers and consultants are the consummate knowledge workers. And as Francis Bacon has screamed to us from over the ages, knowledge is power!
In particular, an intranet manager needs to intimately know:
- the requirements of the business
- best practices
- the preferences and needs of employees
On the last point, understanding the needs of employees, there are a number of tools at the disposal of managers including log analysis, surveys, focus groups and usability testing.
Each tool has its place and its pros and cons. A recent attendee to a seminar of mine in Chicago asked me: “When is it best to do usability testing? User surveys? Focus groups?”
The answer is, of course, it depends. It depends on…
- the organization’s culture
- the present position of the intranet on the evolutionary curve
- the extent of “research fatigue” at the organization
- what data “sells” best
While not necessarily applicable to other commodities such as, say, consumer packaged goods, I prepared the following table as a quick cheat sheet for comparing the various tools applicable to researching intranet target audience requirements.
What to use first?
The enquiring mind was also having a debate with their boss about what should be done first – in-depth interviews or usability testing or focus groups or survey – when orchestrating their site design. I personally think it’s best to lead with in-depth interviews of the business stakeholders as the first step. It’s critical to understand what the business needs and expects from the site.
Generally speaking I like to do in-depth interviews first, followed by a target audience survey, followed by planning and information architecture and design, followed by focus groups, and then do usability testing once you’ve built a prototype. Focus groups can come at any time… depending on the issues at play. Sometimes it’s good to do FGs up front if there are contentious issues or you want to explore new ideas or concepts. If not, leave them until after you’ve done your site plans and played with a couple of design concepts.
There are of course many subtleties to site research – and always exceptions to the rule. Many factors come into play when choosing your research tools and the time to implement each. A lot depends on the culture of the organization and the intranet’s position on the evolutionary curve. For example, if money is the only thing that sells a project, it’s better to invest your time and energy in measuring return on investment.
A final note: never conduct the research yourself on your own product (website or intranet) as your results will be biased and the end result flawed. No, this isn’t a sales pitch (I’m busy enough as is!). If money is an issue there is always a way to conduct low-cost research… just make sure the person spearheading the research knows what they’re doing! (When we recently began work with a new intranet client who convinced us they need not do any employee research, as they had recently completed a survey, they proudly produced the survey… three questions, all open-ended.)
RELATED ITEMS:
Measure your efforts
Intranet ROI
Intranet kingdom remains an unknown quantity
Intranet measurement strategy (case study)
Wednesday, March 8

Management’s top IT priorities: staffing and ROI
by Toby Ward on Wed 08 Mar 2006 09:14 PM PST
The top two IT-related problems are operational incidents and staffing issues, according to a global survey commissioned by the IT Governance Institute (ITGI). A previous top priority, security, has fallen to seventh on the list of the top eight IT priorities. Compliance was reported to be the least important problem—likely due to the significant efforts that have been put into information security projects and compliance programs, such as those for Sarbanes-Oxley in the US.
The survey consisted of 695 interviews with CEO/CIO-level executives in 22 countries, and the full results can be found in the IT Governance Global Status Report 2006. The study assessed the C-suite’s IT governance priorities and actions executives have taken related to IT governance. It is a follow-up to ITGI’s 2003 report and tracks IT governance trends over the past two years.
The study found several improvements since 2003. For instance, IT is included more often on boards’ agendas—63 percent regularly or always include it, compared to 58 percent in 2003.
Even though 57 percent of respondents said IT is very important to the delivery of the corporate strategy, compared to 52 percent in 2003, the study found that CEOs are responsible for governance over IT in only 24 percent of the responding organizations.
"As in 2003, CEOs and business executives are still hesitant to discuss IT governance,” said Everett Johnson, CPA, international president of ITGI. “This finding is troubling because boards and CEOs are ultimately responsible for oversight over all major assets—including IT.”
Other findings include:
- IT is more critical to business than ever. For 87 percent of the participants, IT is quite to very important to the delivery of the corporate strategy and vision.
- For 63 percent of the respondents, IT is regularly or always on the board’s agenda (up from 58% in 2003).
- The IT department at more than half (56 percent) of the organizations surveyed understands and supports the business users’ needs.
- IT outsourcing is no longer seen as the most beneficial way to resolve IT problems—45 percent of US respondents believe it is ineffective.
- The number of companies that indicated they had no IT problems increased from 7 percent in 2003 to 21 percent in 2005.
- IT governance is not as easily implemented as respondents originally estimated.
- Only 9 percent of the responding organizations are not considering implementing any IT governance solutions—down from 17 percent in the 2003 survey.
The survey was conducted from July 2005 until October 2005.
One other interesting tidbit from this survey… a lot of non-IT clients often complain about IT being unresponsive and uncommunicative. Not surprising then are the results from the following question: “How regularly does your IT department inform the business about potential business opportunities enabled by new technologies?”
“Never” or “sometimes” was the response of 45% of the CEOs and CIOs. Only 55% said “regularly” or “always”. It would be interesting to re-pose the same question to marketing, human resource and communications managers… the finding would be far worse (I suspect). However, those same communications, marketing and human resource managers are just as guilty of failing to properly document, plan and communicate their needs. Instead, non-techie business people lean far too heavily on their IT families. IT is a corporate service, and not necessarily a driver of the business.