Does the business case for IT Security stack up?

I've not yet come across an organisation that doesn't have some kind of group that focuses on IT Security. And, frankly, its hard to imagine any organisation that could get by without one, either.

But am I the only person who wonders whether the cost to remediate IT security issues is actually worth it?

Apparently, there are very few IT security people who ask that question. I was at this event the other day, and I was talking to a security person, someone quite senior. During the course of the conversation, I was informed that the strategy was to remediate every potential vulnerability, no matter how small and how theoretical. When I asked him how he paid for all this, he told me that finding the money wasn't his problem. Going on further, he said that when he issued a security directive, he expected it to be followed, and if it wasn't able to be, the workstream or project got closed down.

I shut my mouth at this point, knowing I was speaking with that most invidious of creatures, the professional security specialist. You know the type: they spend all their days dreaming up the reasons you can't do something, rather than helping you find out how you can. Theirs is the right to kill any change for any reason, so long as it is related to a "potential security issue".

The lack of business-centred thinking amongst security specialist is endemic in financial services.

Let us, for example, force employees to have multiple logins that change all the time. It is so very easy to write a policy and implement technology that enforces various levels of password rules, but it isn't so simple to find the money to pay for the helpdesk calls that result from escalating numbers of password resets.

In one bank I know, the response to this was to implement a complex automated system for self-service password unblock. Wouldn't business centred thinking have suggested that a better way would be to relax the password change rules? Since when is a password the only control on business systems anyway?

Anyway, the cost of all those passwords was shown to be way, way higher than the potential costs of any reasonable incident. Didn't matter to the security people involved though, because they were security professionals. Remediating threats was their business. Finding the money to do so wasn't.

Now, obviously, it is impossible to remediate every single potential threat to any large organisation running IT systems. And quite clearly, some threats are larger than others. The problem, of course, is working out which matter and which don't. Spending millions extra on a helpdesk to reset passwords for systems that have multiple lines of defence is clearly somewhat less urgent that dealing with the latest internet banking threat vector.

Security people, for the most part, don't care because they don't have to justify the financial consequences of what they do.

But what would the effect on an organisation be if the security folk had money? And if they were accountable for paying for remediations they decided they had to have?

I bet the first thing that would go would be the self-service password reset system, and the millions extra on helpdesk calls. Objective assessment of those costs in the light of financial constraints would make both an expensive luxury.

I suspect there are already forward thinking organisations that have worked out that the business case for IT security often doesn't stack up. And I rather hope that I'll be meeting fewer professional security people in the future. Instead, I'll be meeting business people who know security, and will be trying to add up the numbers for what they do.

I am certain, when that day comes, we will not only have more agility in IT, we'll also have a much smaller security bill.

And no increase in incidents either, since all that will be remediated are those issues that matter.

Microsoft responds

My post the other day has resulted in a response from a David McGhee, an employee of Microsoft Australia, in which he makes several points about my conversion to the status of "Apple FanBoy". In it, he clearly reveals his own Microsoftie Fanboyism as he makes statements which go the whole point I was making about the Apple experience:

"A new machine always runs faster than one that has been running for a while… fresh, it can be without bloat-ware, over-installations and configuration".

I cringed when I read this, because it is only Windows that exhibits this kind of behaviour. It doesn't happen on Linux, nor on OS X. It certainly doesn't happen on any of the thousands of high end servers and mainframes we run at the bank. Only Windows. And going to my point about engineering for rudeness, since when did actually using a computer (over-installation and over-configuration, in David's typology) mean that it should stop working? If that's not engineered for rudeness, I don't really know what it is. Unless its engineered incompetence. I prefer the former, since I worked at Microsoft earlier in my career, and I know that Microsofties are almost all very smart people.

He then proceeds to say this:

"…if you have been around technology for a while you will appreciate how Microsoft has commoditised and taken the user experience, devices and network beyond the black screen, the mainframe and point to point.  And at the same time software is now more accessible, cheaper and better than when it was a mass of small disconnected applications"

Firstly, I wouldn't really credit Microsoft with taking the user experience beyond the black screen and the mainframe. I think that honour goes initially, to Xerox and then, um, Apple. But whether that point is conceded or not, I can't argue with the fact that Microsoft has, in fact, made software more accessible and cheaper. It may even be better than before. Microsoft has changed the world, and for the most part, the changes have been good.

The thing about the "mass of small disconnected applications" is that engineering for politeness in the base operating system is one way of making sure that, overall, we as users get a decent experience. On iPhone, for example, what you have is a mass of small, disconnected applications, and I suspect the success of AppStore has proved that a decent user experience is the result when you make the operating system polite.

But the final argument from David is really the one that really drills home the point for me:

"No-one designs software to be rude… but old software can be frustrating…. My suggestion [for frustration] is to keep current".

As a current Vista users, a current XP user, an evaluator of Windows 7, an ex-user of Windows Mobile, and lots of other Microsoft products besides, I've got to tell you David, that just having your latest stuff does not fix the underlying problem of engineered rudeness.

Engineered rudeness is a cultural problem at Microsoft. It's the result of a feature-centricity, and needing to shove more code into the tin in every release to justify upgrades. It's about what Robert Scoble calls a "strategy tax" – the engineered dependence between multiple products (whether that makes sense or not) so that your company can expand its share in aligned markets.

Ultimately, it is the result of focusing first on what can be sold, rather than what we might like to buy.

The reason I'm a convert to Apple is they do exactly the opposite.

Microsoft engineers for rudeness, Apple designs for polite

Last week, I reported that I'd lost my iPhone on a train. Because it is impossible to actually do any meaningful work without a phone, I found I was forced to resort to my old Windows Mobile device, and just assumed that I'd make do for a while.

Now this was a quite late-model, latest version of operating system, all singing, all dancing handset.

And it was appalling.

The problem, you see, is that you get so used to the intuitive design centricity of iPhone that using anything else reminds you of going back to the dark ages. By no means am I an Apple fan-boy, by the way. That iPhone was the only Apple thing I own.

But losing it, and being forced to go back to what I thought was the ultimate mobile device makes me see just how programmed my thinking had been about Microsoft. Once you get into a habit, you just don't see the flaws in what you're doing. For example, I really noticed the fact that at least 25% of calls just aren't even received on Windows Mobile. It fails to notice, apparently, that someone is ringing. Before, I accepted that. Now, I can't tolerate it under any circumstances.

So I've gone out and bought a new iPhone, one of those 3GS versions. It is an incremental improvement on the old version, but I don't care. I'm back.

Here is the experience: get new phone. Plug it into iTunes. iTunes notices it is new hardware and asks me if I want to restore everything to the way it was on the old phone. I say yes, and voila, the phone is exactly the way it was before I lost it.

Emboldened by this experience, I then decided that I'd really better just try out OS X, the Macintosh operating system as well. Those who've been reading here for a while know that I spent some time experimenting with various flavours of Linux, and waxed lyrical about the performance and stability of those systems. In the end, though I was forced back to Microsoft because I had to use some remote connection software I just couldn't get to work on Linux.

Anyway, so I loaded the Mac OX X on a netbook (yes, I made a Hackintosh), and oh-my-god. Intuitive design centricity again. It just feels like its been designed with the user in mind. It makes you want to load apps and exit them just to play with the little dock thing. I love the way the little icons bounce up and down to let you know that something needs attention, rather than the approach in Windows which is to steal the focus away and throw a dialogue box in my face. Of course there are no freezes, or crashes, or anything else like that either. Bliss.

Now these experiences have taught me something.

Apple designs things to be polite. Like asking me if it might help me bring my phone back to life.

Microsoft engineers things to be rude. Like phone that can't be bothered to answer calls, or dialogs that demand my attention right now.

I'm sitting here writing this on my work XP machine, and wishing I had my netbook instead. It has about 25% of the power, mind you, but runs at least twice as fast. Let me have snappy over laggy any day. XP reminds me of that surly waiter in a restaurant who strolls over the second before you get up and leave. Engineered rudeness again.

Is it possible that Microsoft don't get this? Or perhaps their engineers and designers are too arrogant to think it matters. Either way, the comparison between the experience on Apple compared to Microsoft is extremely unfavourable to the latter.

Oh, ok, I'll admit it. The whole iPhone loss thing has made me an Apple FanBoy. Not one of those tragic ones that queue up to hear a Steve speech or waits outside an Apple store to be the first to get the new iPhone. But I am eyeing off a new MacBook Air. I will keep it in my briefcase next to my klunkarama XP machine and use it for everything possible from now on.

PS: To those Microsofties who will no doubt rush to regale me with stories of the miracle of Windows 7, I make this commitment: I will try it, when you release it, and evaluate with my recently opened mind. I might do so first inside a virtual machine on my MacBook Air, but I will give it a good go at least.

This time I’ve lost it. No, really.

My iPhone. Lost. Really, this time, and I've blocked it with O2 already.

Actually, I left it on a train last night, after texting to say what time I'd be home. Obviously I dropped it after doing so, and it could be anywhere in the UK by now.

Such a bother, but really, just the excuse I was looking for to do an upgrade. Am off to look at 3GS later this morning.

Advice for newbies starting their careers in large companies

1. Know the end-goal now. Not just the next year goal or the five year goal. Have an idea of the actual final job you want in a perfect world. Now, I know this is difficult. You're young, and it seems like a vista of possibility awaits. Wrong. There is a vista, but you can only have one slice of it, so decide the slice right this second and start planning how to take complete ownership of it.
2. You got your degree. Now get over it. That was the ticket to start playing. Now you have to get on with the real game. And by the way: nothing you have been taught will likely be any use whatsoever once you get into a big company.
3. Your aren't special. No matter what your grades were or how intelligent you are. Special is a function of what people think of you, especially your manager. To be special, you have to be above average at something the company needs. Doesn't matter what, but something.
4. Your career will now be a race to get as specialised as possible in order to prove you are good enough to be management. Then you will spend the rest of your career becoming generalised enough to run big teams of specialists. The first part is a race to be better than everyone else. The second part is a race to make sure you know more people than everyone else.
5. Oh, you don't want to be management? I'm sorry to hear that. Your career options have a finite upper ceiling through which there is no possibility of breaking. Don't believe management when they tell you otherwise.
6. You might have to go into a CV battle for your first job – that's where your CV is compared to everyone else's CV before you get an interview. That should be the last time you ever allow that to happen. Its too random, because there is always someone with a better CV than you. Your subsequent jobs should be obtained through your personal network. These are all about you and nothing about CVs.
7. Getting specialised as quickly as possible means you can hang your hat on something in the workplace. Beware of graduate programmes that seek to make you a generalist "and give you broad experience". Broad experience is what's needed when you're a senior manager. Broad experience in new starters is only good for ensuring you are not employable outside your graduate programme. No one likes a person with 2 years experience who can't do anything very well, even if they can do lots of things poorly.
8. Your personal network will be the greatest asset in your career. No matter how good you are as a specialist, you will only be mediocre in a large organisation without one. Start building it right this second. Don't lose track of anyone you meet. Make sure to keep relationships alive, and make sure you have relationships both inside and outside the organisation.
9. Get a mentor. Make sure they are at least one level more senior than your boss. A mentor will open doors for you and you'll need the help. On the other hand, your boss will be highly motivated to make sure doors are kept shut in order to spare him or herself the bother of training another newbie. Anyway, having a senior mentor is just as much about marketing yourself at a high level than getting decent advice. In fact, even if the advice is terrible, having someone senior on your side is great for your network.
10. Start doing the night work. The night work is the set of social, learning, and networking things you have to do after the day job is finished in order ensure you know more people than everyone else. You need to spend three nights a week doing it. Trust me, if you aren't someone else is.
11. Each new job requires active planning to get. Never allow random processes – like a CV battle – to control whether you get it or not. Jobs are awarded as a result of who you know, and that's true even when there is a formal recruitment procedure. Believe me when I tell you, that a manager who wants to hire someone will find a way to do so no matter what the rules say. Since you know the last job you want, you can plan each career move along the journey, and you can start adding the next hiring manager into your network right now. The day to start planning for the next job is the day after you win the job you're in now.
12. You're worried about the performance management system and need to get top marks? All very admirable if what you want is to achieve is a bonus (which will not be significant when you start anyway) or a payrise (which will equally not be that significant). The actual requirement here is that you get an above-average performance rating so you don't get fired and can be seen to be solid. The other requirement is that you do the work to know the right people that will get you the next job. Killing yourself for the top mark will mean you won't have time to do anything else.
13. The other-other requirement is that you make your manager look good. This is not sucking up. It is making him or her look good. Find every chance to do it, and if you do, they will love you and help you. Do anything else, and they'll get rid of you. Simple really.
14. Get international experience. It makes you special. It is also fun.
15. Do not under any circumstances allow your career path to be limited to a single company. It makes you average. And it closes down options, especially after ten or more years.
16. Don't believe me? Look at the senior management team in your organisation. How many of them have worked their way up from graduate programmes? There may be some, but I bet most of the new senior hires will be coming in from outside.
17. Break a little rule every so often. But first get a bit of wisdom about what rules you can actually break and get away with it. And when you do, make sure the outcome reflects well on your manager.
18. Get the skills you need to manage people as early as possible. You really want those skills developed in the first few years, because the longer you wait, the more valuable your reports will be to the company. You will absolutely screw up your first people management job in some way. New managers always do, largely because the people-interplay is so complicated, and your people will probably know more than you and will likely resent you. If you lose any of them, it is better that happen before they are so valuable to the organisation that it gets noticed at a high level.
19. Having read all this, make a decision now about whether you want to commit yourself to several decades doing all of the above. There are alternatives to big companies, and it's not too late for you to go and try a small one out before you make your decision.
20. Evaluate every day and see if what you are doing is still fun and interesting. Do not continue with what you're doing if you can't see a pathway in the short term to fun and interesting. I have seen so many unhappy people in workplaces who don't take positive action to change their circumstances. They are unpleasant people to be around, and I think it is probably habit forming.

Whatever you make, someone will make something of it

If you've been reading here for a while, you'll know that I am a big proponent of the idea that crowds of people doing things can create synergistic outcomes which are much greater than the sum of the parts.

I know that some of my statements in that area have been somewhat controversial: for example, I suggested that 20 graduates with 1 year of experience may result in better outcomes than 1 senior manager with 20 years of experience.

Regardless of age, though, there is one fact about crowds which is impossible to ignore: they will often rally themselves around specific problem spaces in order to make themselves a solution which works.

In other words, they'll take the set of resources they have access to, including the products and services of other companies or groups, and recombine them uniquely to make something for themselves.

I was put in mind of this, the other day, when I discovered the Hackintosh movement on netbooks. The lack of an Apple product in this category has resulted in groups of people who have "hacked" the Apple operating system so that it runs on commodity PC hardware. Neither Apple, nor the manufacturers of these commodity systems had expected or designed for this, but it is being done anyway.

There are so many examples of this going on. I've been watching a project that Chris Anderson, author of recently released book Free has been running for a few years. He decided that he'd be interested in creating a DIY UAV (unmanned aerial vehicle). It started with a remote control airplane and a robot made out of Lego Mindstorms. Then they made autopilots out of mobile phones. Now they are selling open source autopilots (that's right, open source hardware) with specific capabilities for UAVs.

Not that this kind of thing is anything very new. Kids have been modding their cars, their game consoles, and every other sort of comsumer device for years.

The thing is, though, that most of the time till this point, companies have been trying to make sure that their products are not composed into other things without their permission. Apple, for example, apparently had a behind-the-scenes fight to get Dell to discontinue their mini-9 netbook. It was, I'm told, too easy to turn into a Hackintosh. Now this may just be a rumour circulating around the Hackintosh community,or it might be real. But we do know that Apple are very dedicated to controlling every aspect of their product's eco-systems.

The change that is coming is that organisations are realising that no matter what they make, someone else is going to make something of it. They key question is whether they will fight to stop it, or build innovation to encourage it.

It is my view that the most successful companies will be active in trying to encourage this kind of modding of their services. And that goes even for banks and other service organisations. The power of a community that depends on you for a key part of a solution to a problem – even if the problem has nothing to do with the products and services you sell – is significant.

Of course, this brings into question the whole question of where exactly competitive advantage will come from in the future. For bankers and service organisations, it's traditional to believe that customer experience is that advantage. But when you let just anyone in to mash together new things, you don't really have control of experience any more. This is why so many companies are so rabid about making sure their stuff can't be used in unauthorised ways.

But for companies that allow their products to be recombined and recreated, competitive advantage does not come from the product itself. It comes from the number of new products that depend on the original. In other words, the advantage is having the biggest crowd of people dependent on you for solving some other problem.

How do you get the biggest crowd? By making sure your platform is the easiest to modd, of course.

Now, if only I could think up a way to make banks agree that opening everything up and letting people build new things for themselves was safe and responsible…

Retention thinking is so dark ages

The other day, I wrote this on Twitter:

Why do you care about staff attrition when you are winning the war for talent and can hire anyone you want?

It caused a few people to write back with contrarian views:

@NickDellaRiva said:

Corp knowledge must count towards speed of execution / delivery? If not, why does education matter at all?

If that were true, we would let start ups innovate & then buy them out. Except Newsltd can't $ google, changed barriers entry

Final word..bcse no company can attract all of the talent & leverage. Individual stars vs teams. TDF 4 examp. join wch team?

And @RafManji said:

because you lose the soul of your business

And finally, @GerdShenkel concluded:

what matters is "regrettable" attrition. @ubank we measure that we a lot of care.

These are interesting arguments, but they don't go to the real point I was trying to make. Mind you, it is difficult to make any point on Twitter, since the truncation of 140 characters means you must be overly brief. Since that's the case, I thought I'd better clarify.

Imagine this scenario. You create a company that is so interesting, and so innovative it is the default choice for everyone in the marketplace. The sort of company, for example, that Google used to be. The sort of place where there is instant street cred the moment you disclose to everyone you work there – sort of like Microsoft was once. Where there are free meals, staff benefits beyond belief, and above all, the most interesting work available.

In such a company, you can pretty much get any skill at all you need. All you have to do is advertise the fact that you're looking and you get a whole buffet of choice. Ignoring the fact for a moment that such an oversupply of qualified people will likely exert downward pressure on financial compensation, in such a company, you can't care much about attrition, and here is the reason.

The new, young, workforce you'll be hiring (with all this choice available) won't be thinking in terms of staying around for long. It is one of those things I've begun to notice as I get older, and the people I'm working with get younger. They don't sign up for careers any more. They do gigs. Short term, interesting work fulfilling them right now, but unlikely to do so for more than a year or so.

Our next generation workforce is much more transient. They think, in fact, that CV blocks of more than two years are almost worse than 2 years without work at all. The other day, for example, I was talking with one of our new hires, and he asked me this:

"How long do you think I can stay in this bank before I won't be able to leave it?".

This was not a questions related to any particular golden handcuffs we might have wrapped him up in either. No, his concern was that the longer he spent in our institution, the less transferable he would be elsewhere.

I see this effect all the time, and the thinking is quite different to that of workers in previous generations. When I speak to freshly minted bankers practically anywhere in the world, I get the same reaction.

So in other words, as the younger workforce becomes a more significant percentage of the overall total, attrition is going to increase, no matter what you do.

The ultimate point of all this, and which I failed to communicate in my tweet in the first place, is that thinking retention is very dark ages, very traditionalist. It implies that something is lost when people do gigs instead of work. I don't think that is true, because collaboration and other digital technologies enable the "soul" of a company to transition rapidly. You don't need to have heroes and multi-year experience to preserve capability any more.

What you do need, however, is to get a super-star at short notice to solve specific problems. Increasingly, that's what we'll be spending most of our time on anyway, as the cores of our business become more commoditised and more like utilities.

And to do that successfully, you need to think attraction not retention. You need to build the company that is the default employment choice for a significant percentage of people in a given market.

Book now available for pre-order

My new book, Innovation and the Future-proof Bank, is now available for pre-order on Amazon. Publication date is 29^th August.

I will have a certain number of review copies to give away. If you've got a blog or are otherwise social-media connected, and would be willing to write a review, please email me. I'll ask my publisher to send you a copy, though I haven't yet checked how many copies I'll be allowed to give out. But email me anyway, and I'll see what I can do.

In the meantime, when I posted the availability message on Twitter, @seankain asked for a table of contents be made available. I'm told it will be available in the next week or so as well as "look inside" on Amazon, but I can't explain why it isn't there already. Publishing seems to operate on a timeframe rather more protracted than that we've become familiar with in this real-time world.

Anyway, here's the table of contents:

1 Introduction

What you will find in this chapter

1.1 What is innovation anyway?

1.2 What happens when you don't futureproof

1.3 Five things that innovation is not

1.4 150 years of innovation in banks

1.5 The innovation downside

1.6 An overview of the futureproofing process

1.7 Where to go now

 

2 Innovation Theories and Models

What you will find in this chapter

2.1 The innovation adoption decision process

2.2 Personal innovativeness

2.3 Innovation from the perspective of the market

2.4 Characteristics of innovations

2.5 Innovation from the perspective of the firm

2.6 Case Study: The internal adoption of social media

2.7 Theory of disruption

2.8 Case Study: PayPal's continuing disruption of the payments market

2.9 Thoughts before going further

 

3 Innovating in Banks

What you will find in this chapter

3.1 The innovation pentagram in banks

3.2 The Five Capability Model of a successful innovation function

3.3 Case Study: Innovation at Bank of America

3.4 Building out the futureproofing process

3.5 Technology, business, and innovation

3.6 Autonomic innovation

3.7 Case Study: ChangeEverything, a project by Vancity in Canada

3.8 The banking innovation challenge

 

4 Futurecasting

What you will find in this chapter

4.1 The purpose of futurecasting

4.2 An overview of futurecasting

4.3 What futurecasts should innovators be doing?

4.4 An example

4.5 Constructing the futurecast with scenario planning methods

4.6 Prediction methods

4.7 Case Study: AMP Innovation Festival

4.8 Some final words about futurecasting

 

5 Managing Ideation

What you will find in this chapter

5.1 An overview of the ideation phase

5.2 Campaign and create

5.3 Collect, catalogue, and compare

5.4 Scoring

5.5 Customer insight

5.6 Customer co-creation

5.7 Case Study: Royal Bank of Canada's Next Great Innovator Challenge

5.8 Concluding remarks

 

6 The Innovation Phase

What you will find in this chapter

6.1 Should we? Can we? When?

6.2 The innovation portfolio

6.3 What happens next?

6.4 Tools for 'Should we?'

6.5 Tools for 'Can we?'

6.6 Tools for 'When?'

6.7 Selling innovations

6.8 Case Study: Bank of America and the Centre for Future Banking

6.9 Wrapping up the innovation phase

 

7 Execution

What you will find in this chapter

7.1 Ways to manage execution

7.2 Building the new thing

7.3 The launch

7.4 Operations post-launch

7.5 Signals for futurecasting

7.6 Case Study: Innovation Market

7.7 The end of futureproofing

 

8 Leading Innovation Teams

What you will find in this chapter

8.1 Leadership styles

8.2 Things the leaders should do

8.3 Signs of a bad innovation leader

8.4 What next?

 

9 The Innovation Team

What you will find in this chapter

9.1 The changing shape of the innovation workforce

9.2 Creators, embellishers, perfectors, and implementers

9.3 Team working

9.4 When innovators go bad

9.5 A last word about innovation teams

 

10 Processes and Controls

What you will find in this chapter

10.1 Oversight

10.2 Metrics

10.3 Rewards and recognition

10.4 Innovation and the organisation

10.5 Funding innovation

10.6 The visible face of innovation

10.7 And finally . . .

 

11 Making Futureproofing Work in Your Institution

What you will find in this chapter

11.1 Case Study: Civic banking at Caja Navarra

11.2 Starting your innovation programme

11.3 Making ideation work

11.4 The innovation stage

11.5 Execution

11.6 Doing futurecasting

11.7 Innovation leaders and teams

AMPlify09

Today I want to write about something amazing, and that amazing thing was Amplify09, the corporate innovation festival organised by financial services company AMP in Australia last week.

Corporate innovation festival, I hear you ask? Well, yes indeed, and when I first heard about it, I was impressed, but couldn't for life of me see how anyone could possibly get a business case together to support such a thing.

Let me paint you a picture: get your Head of Innovation to go around the world and find the most interesting people she can. Doctors, political advisers, new media people, web psychologists, and, yes, even a banker. Then bring them all to Australia and let them talk about their work to the whole institution. See if it inspires new and creative thinking in your people.

But don't just stop at internal. Have an event in a pub where local ph.d students can pitch their research on a mic in two minutes of less, and give prizes to the best as voted by the crowd. And then have your CIO decide that everyone deserves a prize and give each struggling student $1000 to roaring applause.

And since you're not just doing internal, how about you broadcast the whole event, including all these expensive internal guest speakers, so that the world can share the inspiration. Do this even though traditional thinking would suggest that allowing just anyone, including competitors, to participate, would reduce any potential competitive advantage you might generate from the investment.

And just as icing on the cake, bring all your top customers and investor in to meet all these interesting people. Don't just stop at confronting traditional thinking in your staff, make sure your most valuable customers get their thinking challenged as well.

Finally, finish it all off with a staff expo where everyone gets to show how off their work in new and creative ways. Have, for example, a mock cave complete with cavemen to explain how your legacy systems have evolved to their present state.

You can understand, being somewhat a traditionalist myself, that when I looked at all this, I couldn't understand the business case. That's because the results aren't obvious when you just look at the numbers. I'm very busy running an innovation function that tries to get all these nice predictable returns from investments, so doing a festival hardly seems a great use of money.

But then I realised this: Amplify09 is the most magnificent ideation campaign I've ever seen. It makes the ones my team and I run internally at the bank look ridiculous in comparison, and we know how to turn our little attempts into money predictably.

Can you just imagine how much differentiation AMP will have as it actualises all that out-of-band thinking it generated from this event?

But the more important point is this one: quite obviously, AMP is an institution that's realised that the real competitive advantage it has is the people who choose to work there. Who cares about technology and products and processes, when you have the ability to invent uniqueness whenever you want?

Meanwhile, the rest of the industry is very busy with dark ages thinking about the nature of competitive advantage. They're all still doing trade secrets and patents, and trying to close down the ability of their staff to collaborate in, and outside, their institutions.

Want to bet which institution I think will really differentiate in the long term?