Software Engineering, Project Management, and Effectiveness
For this week's release in our patterns & practices WCF Security Guidance project, we released our first version of our WCF 3.5 Security Guidelines. Each guideline is a nugget of what to do, why, and how. The goal of the guideline format is to take a lot of information, compress it down, and turn insight into action.
The downside is that it's tough to create prescriptive guidelines that are generic enough to be reusable, but specific enough to be helpful. The upside is that customers find the guidelines help them cut through a lot of information and take action. We contextualize the guidelines as much as we can, but ultimately you're in the best position to do the pattern matching to find which guidelines are relevant for your scenarios, and how you need to tailor them.
Here's a snapshot of the guidelines, but you can see our security guidelines explained at our WCF Security Guidance project site.
Categories
Our WCF Security guidelines are organized using the following buckets:
Auditing and Logging
Impersonation and Delegation
For this week's release in our patterns & practices WCF Security Guidance project, we added new sections to our WCF Security Application Scenarios. We added sections for analysis, code and configuration examples. The analysis section explains the rationale behind some of the decisions.
The idea behind the application scenarios is to show you a before and after look of end-to-end solutions. Rather than a single solution, we give you a set of solutions to pick from. The main parameters that vary in each solution include: Intranet vs. Internet, ASP.NET client vs. Windows Forms clients, TCP vs. HTTP, impersonation/delegation vs. trusted subsystem, and AD (domain credentials) vs. a custom user store.
WCF Security Application Scenarios Intranet
Note that if there's enough interest and time, we'll add a scenario that shows accessing an existing custom user store (i.e. you aren't using Membership.)
If you know the underlying principles for security, you can be more effective in your security design. While working on Improving Web Application Security: Threats and Countermeasures, my team focused on creating a durable set of security principles. The challenge was to make the principles more useful. It's one thing to know the principles, but another to turn it into action.
Turning Insights Into Action
To make the principles more useful, we organized them using our Security Frame. Our Security Frame is a set of actionable, relevant categories that shape your key engineering and deployment decisions. With the Security Frame we could quickly find principles related to authentication, or authorization or input validation ... etc.
Once we had these principles and this organizing frame, we could then evaluate technologies against it to find effective, principle-based techniques. For example, when we analyzed doing input and data validation in ASP.NET, we focused on finding the best ways to constrain, reject, and sanitize input. For constraining input, we focused on checking for length, range, format and type. Using these strategies both shortened our learning curve and improved our results.
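The constrain, reject, and sanitize strategy described above, shown as an added C# example (not code from the original post or from the patterns & practices guidance). The class name, field names, and limits are hypothetical, and the sample inputs are constructed.

```csharp
using System;
using System.Globalization;
using System.Net;
using System.Text.RegularExpressions;

// Added illustration. InputValidator, the field names and every limit below
// are hypothetical; they are not taken from the guidance the post describes.
public static class InputValidator
{
    // Format check: an allow-list pattern, anchored so the whole value must match.
    private static readonly Regex UserNameFormat =
        new Regex(@"\A[A-Za-z][A-Za-z0-9_.-]*\z", RegexOptions.CultureInvariant);

    // Constrain by length and format. Anything that fails is rejected, not repaired.
    public static bool TryValidateUserName(string raw, out string userName)
    {
        userName = null;
        if (raw == null) return false;
        if (raw.Length < 3 || raw.Length > 32) return false;   // length
        if (!UserNameFormat.IsMatch(raw)) return false;        // format
        userName = raw;
        return true;
    }

    // Constrain by type and range. NumberStyles.None accepts digits only:
    // no sign, no whitespace, no thousands separator, no exponent.
    public static bool TryValidateQuantity(string raw, out int quantity)
    {
        quantity = 0;
        if (string.IsNullOrEmpty(raw) || raw.Length > 3) return false;   // length
        int parsed;
        if (!int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out parsed))
            return false;                                                // type
        if (parsed < 1 || parsed > 100) return false;                    // range
        quantity = parsed;
        return true;
    }

    // Free text cannot be held to a tight format, so: constrain the length,
    // reject control characters, then sanitize by HTML-encoding for output.
    public static bool TrySanitizeComment(string raw, out string htmlSafe)
    {
        htmlSafe = null;
        if (raw == null || raw.Length > 500) return false;
        foreach (char c in raw)
        {
            if (char.IsControl(c) && c != '\n' && c != '\r' && c != '\t') return false;
        }
        htmlSafe = WebUtility.HtmlEncode(raw);
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample inputs for each field.
        string[] names = { "alice.smith", "ab", "bob'; --", "<script>" };
        foreach (string n in names)
        {
            string accepted;
            bool ok = InputValidator.TryValidateUserName(n, out accepted);
            Console.WriteLine("userName {0,-12} -> {1}", n, ok ? "accepted" : "rejected");
        }

        string[] quantities = { "5", "0", "101", "-1", "1e2", " 7" };
        foreach (string q in quantities)
        {
            int value;
            bool ok = InputValidator.TryValidateQuantity(q, out value);
            Console.WriteLine("quantity '{0}' -> {1}", q, ok ? "accepted" : "rejected");
        }

        string safe;
        if (InputValidator.TrySanitizeComment("Nice post <b>thanks</b>", out safe))
        {
            Console.WriteLine("comment  -> {0}", safe);
        }
    }
}
```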
Core Security Principles
We started with a firm foundation of core security principles. These influenced the rest of our security design principles. Here's the core security principles we started with:
Frame for Organizing Security Design Principles
Rather than a laundry list of security principles, you can use the Security Frame as a way to organize and share security principles:
Auditing and Logging
Here's our security design principles for auditing and logging:
Here's our security design principles for authentication:
Here's our security design principles for authorization:
Here's our security design principles for configuration management:
Here's our security design principles for cryptography:
Here's our security design principles for exception management:
Input / Data Validation
Here's our security design principles for input and data validation:
Here's our security design principles for sensitive data:
Here's our security design principles for session management:
Using the Security Design Principles
This is simply a baseline set of principles so that you don't have to start from scratch. You can build on this set and tailor for your specific context. I find that while having a set of principles helps, that you can't stop there. To share the knowledge and help others use the information, it's important to encapsulate the principles in patterns as well as show concrete examples and create precise, actionable guidelines for developers. Personally, I've found Wikis to be the most effective way to share and manage the information.
Dr. Stephen Covey presented at Microsoft today. It’s one thing to know the information; it’s another to experience the delivery live.
This post is a bit longer than usual, but hey, it’s not every day that Covey is in the house. Here are some of my highlights from today’s session.
The Lighthouse Story
Covey opened with a story of Captain Horatio Hornblower. As the story goes, one night at sea, Horatio awakens to find that a ship is in his sea-lane about 20 miles away and refuses to move. Horatio commands the other ship to move starboard, 20 degrees at once. The other ship refuses and tells Horatio that he should move his ship starboard, 20 degrees at once. Next, Horatio tries to pull rank and size on the other ship, stating that he’s a captain and that he’s on a large battleship. The other ship replies, and it turns out it’s not actually a ship, but a lighthouse.
The take away from the story is, there are lighthouse principles. You don’t break them. You only break yourself against them. Don’t break yourself against lighthouse principles.
Values and Principles
Covey distinguished values from principles:
The key take aways are:
Personal Mission Statement
Covey asked us whether we had personal mission statements. Some folks raised their hands. He then asked us how many have them written down. A lot fewer kept their hands raised. I kept my hand raised because I happen to have my personal mission statement written down. My personal mission statement is, “To find the best way for any person to succeed in any situation.” I tie this back at work, where I try to help customers be as effective as possible, building on the Microsoft platform.
Family Mission Statement
Covey then challenged the audience on whether we had mission statements for our families. That one made me think. He then challenged, if you asked your loved ones, would they know it? Now there’s a good test!
He challenged us to go home and ask, “What’s the purpose of our family?” He warned us though, that our families will know that we’ve been seminar’ed!
Write and Visualize to Imprint on Your Subconscious
Covey reminded us that writing down your mission imprints it in the subconscious mind. He added that visualizing also imprints on the subconscious mind.
The take away is that you should write and visualize your mission statements.
Keys to a Mission Statement
Covey put it succinctly that a good mission statement is:
Why a Mission Statement
Covey told us that the power of a mission statement is that it governs every other decision.
Sean Covey
Covey introduced his son, Sean Covey. Sean wrote The 7 Habits of Highly Effective Teenagers and The 6 Most Important Decisions You Will Ever Make. When Covey introduced Sean, he also mentioned a 49th grand-child on the way. 49 … WOW! That’s quite the impressive team.
Point to True North
Covey had us close our eyes and point to true North. When we opened our eyes, it was obvious there was little consistency. He said he gets similar results when he asks any department, group, or team – “what’s your purpose?”
Urgent But Not Important
Covey asked us how many struggle with work/life balance. Many hands went up. He then asked us what we think is the percentage of time we spend on things that are urgent, but not important.
He said people often report they feel they spend 50% of their time on urgent, but not important tasks. Why is that? Covey stated it’s because everybody defines purpose differently.
Office Politics and Dysfunctional Activities
Covey asked us how much time people spend in office politics. By office politics, he meant, reading the tea leaves, dealing with hidden agendas, fighting cross-group conflict, … etc. The data says that 75% of people claim they spend 25% of their time on these things. 25% say that 50% of their time is spent in dysfunctional activities. Urgency replaces important activities.
The key take away is that people feel they spend a lot of time on dysfunctional activities.
Six Metastasizing Cancers (Victimism)
Covey showed us a slide that listed what he called the Six Metastasizing Cancers:
The take away here is that these are ineffective behaviors and you end up acting like a victim.
Are You Utilized to Your Full Potential
Covey asked us whether we can use our full talent and capacity in our organization. He then asked us whether we feel the pressure to produce more for less. The point here was to emphasize how there’s a demand for greater results, but that we’re not necessarily utilized to our full potential.
It’s Not Behavior, It’s Not Attitude … It’s a Bad Map
Covey gave us a scenario where somebody gets a map of Seattle. The problem is, the map maker made a mistake. It’s not really a map of Seattle. It’s a map of Oregon. With this map, you can’t even make it out of the airport. There isn’t one corresponding point.
Trying harder isn’t the answer. If you double your speed, now you’re lost twice as fast. Thinking negatively isn’t the problem. Covey said some people might try to use a PMA (Positive Mental Attitude.) Well, that doesn’t help either. Now you’re all psyched up, but really you are just happy and contented in a lost state.
The take away here is that it’s not behavior and it’s not attitude. It’s a bad map.
Self-Educating
Covey told us that we need to be self-educating. School taught us how to learn, but we need to continue to learn. He said we need to be willing to pay the price to be self-educating, which includes being systematic and disciplined.
Industrial Age vs. Knowledge Worker Age
Covey points out that 20 years ago, it was about goods and services. Today, it’s about knowledge workers.
Expenses and Assets
Covey asked us what we are called in spreadsheets. He said that in spreadsheet and financial accounting, people are called expenses and cost centers, while things like microphones, tools, and machines are called assets. He said this is left-over from the industrial age.
Finding Your Voice
Covey asked how do you help people find their voice? You ask them what are they good at? What do they love doing? What is your greatest unique contribution?
The key is finding a voice that meets a human need.
Inspiration Over Jackass Theory
The Jackass Theory refers to the carrot and the stick. Covey asked us what kind of supervisor you need when you have a job that you are passionate about, that uses your talents, and where you feel you are appreciated.
People are volunteers. You want them to contribute their greatest, unique contribution.
Keys to Effective Large Team
Covey outlined the keys for effective large teams:
One person may represent the group, but accountability is to the team versus the boss. Accountability to the team versus an individual is a knowledge worker concept.
How To Find the Win / Win Performance Agreement
Covey suggested an approach for finding the Win/Win for teams and organizations in terms of performance:
When you have that, you have a win-win. The key is to have a win/win performance agreement where it is mutually beneficial between the individual and the organization. The individual should be able to use their full talent and passion (their voice).
Information is the Knowledge Worker's Disinfectant
Covey mentioned that light is the greatest disinfectant in nature. For the knowledge worker, it’s information. For a knowledge worker to be effective in a team, they need information, they need the criteria for success and they need to be accountable to the group.
The Whole Person
According to Covey, the whole person includes four parts:
Control-Paradigm to a Whole Person Paradigm
Covey reminded us that today’s workforce is about directed autonomy. You manage (things) that can’t choose. You lead people. People have the ability to choose.
Keeping Top Talent
Covey told us about how Admirals in the Pacific were losing people to better paying jobs. There was an exception. Covey got to meet the group that kept their top talent. The keys to a committed group included:
Indian Talking Stick Communication
Covey shared a technique for improving empathic listening. It’s the Indian Talking Stick:
You don’t need to use an Indian talking stick. You can use any object. The value of the object is that you don’t get it back until the other person feels understood.
Industrial Age Concepts
Throughout the session, Covey made reference to some "industrial age concepts":
Lighthouse Principles
Throughout the presentation, Covey referred to some lighthouse principles that govern behavior:
Continuum of Communication
Covey showed us a continuum of communication that moves from hostility and transaction-based communication to transformation:
Empathic Listening is the No. 1 Communication Skill
Covey stated that communication is the number one skill in life. He went on to say that empathic listening is the number one communication skill. Covey explained that empathic listening is listening within the other person’s frame of skills. Listening empathically is listening with the other person’s frame of reference. The key is to listen until the other person feels heard and understood.
Empathic Listening Over Telling and Selling
A satisfied need no longer motivates. Covey used the example of air – it’s a satisfied need. When the other person feels heard and understood, it’s more likely they will listen to you and that you can seek a better solution that’s mutually beneficial. You are no longer telling and selling.
Our Experience is the Lens We Use to Interpret Life
Covey showed the audience three pictures. One half of the audience looked at the first picture. Next, the other half of the audience looked at the second picture. Then the full audience looked at a third slide which was a composite of the first two slides. Which of the pictures you saw first influenced what you saw in this third picture.
The key take away here was that what you saw was influenced by your experience and that rather than impose your view, first understand the other person’s perspective – there’s a good chance you’re both right! (This is a good case where the Indian Talking Stick could come in handy.)
Resolving Conflict By Finding the Third Alternative
Covey shared a technique for resolving conflict that works for him in 95% of the cases he runs into around the world. Here’s the key steps:
The key here is to listen to the other person first and listen empathically. The proactive part here is that you can choose to listen to the other person first (seek first to understand, then to be understood.)
Listening to Loved Ones
One of the audience members asked for advice on counseling a loved one. Covey responded with the following solution:
The key here that Covey mentioned is that most people will not pay the price of listening empathically.
7 Habits of Highly Effective People
Covey shared a slide that framed out the seven habits of highly effective people in terms of private victory, public victory, dependence, independence, and interdependence.
Habits 1, 2, and 3 are the foundation for private victories and integrity. Habits 4, 5, and 6 are the keys to public victories.
Peace of Conscience Over Peace of Mind
Covey made a distinction between peace of mind and peace of conscience. He explained that integrity is more than honesty. Integrity means that if you make a promise, you keep it. If you’re honest, you might have peace of mind, but if you don’t have integrity, then you won’t have peace of conscience. You have peace of conscience by avoiding duplicity.
Loyalty to the Absent
Covey made his point very simply – only talk about people as if they are there. You can be critical, but speak as if they were there in front of you. Don’t bad mouth them behind their back and then sweet talk them to their face. This is a lack of integrity and creates deep duplicity inside you. This inhibits your ability to have peace of conscience.
Use I Messages Over You Messages
Meet with the people you have a problem with directly. Practice the following:
Genuine Happiness
Covey said the key to genuine happiness is to develop integrity. The key to developing integrity is the first three habits (your Private Victories):
Greek Philosophy of Influence
Covey shared the three parts of the Greek philosophy of influence:
You Are the Creative Force of Your Life
Covey challenged us to be a creative force:
1. Get out of victimism – You’re not a victim of your circumstances.
2. You are the creative force of your life.
Empathize first. Grow your circle of influence. Make tremendous impact.
The Most Important Thing You’ll Ever Do
Covey closed with a powerful message we could take away:
The most important thing you’ll ever do is in the four walls of your own home.
Personally, I want to make more use of the Indian Talking Stick Communication technique, particularly at some of my more vibrant meetings.
We published an updated set of our WCF Security application scenarios yesterday, as part of our patterns & practices WCF Security guidance project. Application Scenarios are visual "blueprints" of skeletal solutions for end-to-end deployment scenarios. Each application scenario includes a before and after look at working solutions. While you still need to prototype and test for your scenario, this gives you potential solutions and paths at a glance, rather than starting from scratch. It's a catalog of applications scenarios that you can look through and potentially find your match.
Intranet
Common Intranet patterns:
Internet
Common Internet patterns:
One Size Does Not Fit All
We know that one size doesn't fit all, so we create a collection of application scenarios that you can quickly sort through and pattern match against your scenario. It's like a visual menu at a restaurant. The goal is to find a good fit against your parameters versus a perfect fit. It gives you a baseline to start from. They effectively let you preview solutions, before embarking on your journey.
How We Make Application Scenarios
First, we start by gathering all the deployment scenarios we can find from customers with working solutions. We use our field, product support, product teams, subject matter experts, and customers. We also check with our internal line of business application solutions. While there's a lot of variations, we look for the common denominators. There's only so many ways to physically deploy servers, so we start there. We group potential solutions by big buckets.
In order to make the solutions meaningful, we pick a focus. For example, with WCF Security, key overarching decisions include authentication, authorization, and secure communication. These decisions span the layers and tiers. We also pay attention to factors that influence your decisions. For example, your role stores and user stores are a big factor. The tricky part is throwing out the details of customer specific solutions, while retaining the conceptual integrity that makes the solution useful.
Next, we create prototypes and we test the end-to-end scenarios in our lab. We do a lot of whiteboarding during this stage for candidate solutions. This is where we spend the bulk of our time, testing paths, finding surprises, and making things work. It's one thing to know what's supposed to work; it's another to make it work in practice.
From our working solution, we highlight the insights and actions within the Application Scenario so you can quickly prototype for your particular context. We then share our candidate guidance modules on CodePlex, while we continue reviews across our review loops including field, PSS, customers, product team members, and subject matter experts.
Our patterns & practices WCF Security Guidance Project is in progress on CodePlex. This is our first release of prescriptive guidance modules for WCF Security.
How Tos
Our How Tos give you step by step instructions for performing key tasks:
Videos
Our videos step you visually through key guidance:
About WCF
Windows Communication Foundation (WCF) is a service-oriented platform for building and consuming secure, reliable, and transacted services. It unifies the programming models for ASMX, Enterprise services and .NET Remoting. It supports multiple protocols including named pipes, TCP, HTTP, and MSMQ. WCF promotes loose coupling, supports interoperability, and encapsulates the latest web service standards. With WCF, you get flexibility in choosing protocol, message encoding formats, and hosting. For more information, see the MSDN WCF Developer Center.
About the Project
WCF provides a lot of options and flexibility. The goal of our patterns & practices WCF Security Guidance Project is to find the key combinations of security practices for WCF that work for customers and share them more broadly. At a high-level, you can think of the project in terms of these main buckets:
The plan is to incrementally share our guidance modules on CodePlex as we go, then build a guide, then port the guidance to MSDN once it's baked.
How do you identify the bull's-eye among your stakeholders? Nothing's worse than finishing a project and missing the mark you didn't know was there. At patterns & practices, one of our effective project practices is to use "tests for success" to help avoid this scenario.
What are Tests for Success
"Tests for success" are the prioritized success criteria that the stakeholders agree to. It's basically a set of test cases that, if the project passes, the project is perceived as a success. They help clarify outcomes and priorities.
Example Tests for Success
Here's an example of "tests for success" from one of my projects:
Stakeholders for the project created and prioritized this list, with prompts from the project team. This exercise helped clarify a lot of ambiguity as well as do a level set for the team.
How Can You Use This
Whether it's a personal project or a project at work, you can create your own tests for success. I think a small list of the vital few works better than a laundry list. Phrasing the tests as one-liner questions makes them easy to create and use. Here's some prompts to trigger your own tests for success:
When you're in the thick of things, you'll appreciate having a small set of criteria to go back to and help keep you and everyone involved on track.
Have you ever been on a project where key stakeholders don't have skin in the game, but they have a controlling vote? This is a bad situation. It's like multiple backseat drivers, except they won't be there if the car crashes. What's the solution? You turn chickens into pigs!
The Chicken and the Pig
You may have heard the story about the chicken and the pig. The chicken says to the pig, "We should start a restaurant." The pig asks, "What would we serve?" The chicken responds, "Bacon and eggs!" The pig says, "No thanks!"
The point in the story is the pig's "committed" while the chicken's "involved."
The Solution
Recognizing the situation is more than half the battle. When you've identified that chickens have controlling votes over pigs, your options include:
How can you differentiate what you do? This can be particularly difficult in problem spaces that seem over-crowded. It helps if you have a frame. One of my mentors gave me a useful lens for differentiating that helps solve this problem.
Problem, Approach, or Implementation
You can differentiate based on problem, approach or implementation:
If you differentiate at the problem you solve, it's good to be able to call that out. If you solve the same problem, but use a different approach, unless it produces a big difference in results, it's probably not worth it. If you differ only by implementation and the experience or results aren't valued by the customer, again, it's probably not worth it.
Using the Frame for Differentiation
First identify whether you differentiate at the problem, approach, or implementation. Next, determine whether the level at which you're differentiating is worth it. For example, consider safety among automobile makers. Volvo's approach to safety stands out. They work the same problem but differentiate by approach.
By having clarity around where you differentiate, it's easier to communicate your deltas in a meaningful way to others.
Example
At Microsoft, when I tackle a problem that's been "solved" before, I use the frame as a lens to quickly find the useful differentiation. For example, doing security reviews wasn't a new problem. However, changing the approach by using inspections and building a set of reusable criteria from a team of experts changed the game. Using criteria based on principles and patterns, and then organizing the criteria within a frame of actionable categories, produced exponential results for all of our customers that adopted the approach. Old problem, new approach, great results.
What is your life frame? What are the key buckets in your life that you need to balance across? If you have a frame, you can balance your life through thick and through thin. If you have a life frame, you can more thoughtfully allocate your time and energy for maximum results. More importantly, when things aren't going well, you have a tool to help you spot where you are not investing enough.
Life Frame
This is a baseline of your personal portfolio of your most important assets:
Note - if those buckets don't work for you, change them. It's a starter set.
I've been sharing this life frame with those I coach, and some colleagues and they've found it helpful, so now I'm sharing it more broadly. It's a great starting point when you're not getting what you want out of life.
Spread Your Energy and Time Across Your Buckets
Spread your energy and time across them. If your current investment's not working, turn up the dial on some. If you're stuck in one area, then try turning up another. For example, if you're not getting the results you want at work, then crank up your relationships dial. Remember that with this portfolio, the sum is more than the parts. It's the net effect.
What Can Happen When You Don't Use the Frame
When I first got to Microsoft years ago, I didn't have this frame. Sure I knew about these areas of my life, but I didn't have the mental model of a portfolio. Instead, all I knew was that I would throw all my energy and hours at my career bucket. To put that in perspective, 80, 90, 100+ hours a week. The problem is I consistently got rated highly and produced results. But at what cost? Well, if you spend 100+ hours in one bucket, guess how much energy you're spending in others? Granted some buckets overlap, but I'm talking about when you really shine the spotlight on them.
Improve Your Approach Over Spend More Time
Time is a limited resource. So is your energy. Interestingly, while working on performance modeling, the light bulb went off. If I carve out a minimum for some buckets and a maximum for others, it would be a forcing function. What's the maximum I would throw at my career bucket? 60? 50? 40? Timeboxing my career bucket forced me to identify the real value of all my work and to heavily prioritize. It also forced me to find the most effective principles, patterns and practices for project management, personal productivity, running high-performance teams, ... etc. Which is better ... more time at the problem? ... or better techniques, more value, and a sustainable pace?
Set Boundaries (Minimums and Maximums)
The real lesson is that if you don't first set your boundaries, then you never really have a way to prioritize. For example, if you allocate fifty hours to your career bucket weekly, now you know how much to bite off at a time. Otherwise, you'll just work until everything's done, but there's always something more to do. Priorities, focus, and value are your friends.
As another example, I now continuously invest in my relationships bucket. For example, each week I have lunch with an old friend, and lunch with someone new. At Microsoft, and in life, it's what you know and who you know.
How To Use This
To get started, just put these categories on your whiteboard or a pad of paper. Take a look across your portfolio and figure out your current investments in time and energy. Look at your results. How well are you balancing? If you're on track, great. If not, try increasing your investment in some areas and lowering another. The goal is to improve the quality of your life. If you want to really put some focus in an area, try a 30 Day Improvement Sprint.
I know success means a lot of things to a lot of people. My favorite definition is "success is when the response meets the challenge."
How do you make the most of any situation? Figure out whether you need to adapt, adjust or avoid.
Adapting to the Situation
Adapting to the situation means changing yourself for the situation. While flexibility is good, you need to be careful. You can trade your less effective behaviors, but don't adapt to the situation in a way that takes away your strengths. You'd be better off finding a situation where you can play to your strengths.
Adjusting the Situation
Adjusting the situation means changing the situation to suit you. Sometimes this is the best option, particularly if you can set it up to play to your strength. For example, when you take on a project, can you get the right people on board that complement your ability?
Avoiding the Situation
Sometimes this is the best path. Learn to spot the situations where you don't do well. This is my caution. Because I turn any situation into a learning opportunity or challenge, I need to know when it's low ROI. Life's too short to spend energy in low ROI situations.
Self-Awareness is the Key
If you know your personal strengths and passions, this is your key to success. You avoid adapting to situations that take away your strengths. You learn to set up situations in a way that you succeed. You learn the situations that you should avoid.
How do you get the people on your side or inspire a vision or change the world? First win the heart. I'm blogging on this because it's a lesson I've learned that shows up in so many ways, time and again. I see it in thought leaders. I see it in people leaders. I see it in everyday, conversational exchange. This is one of those ah-ha's that when it sinks in, you find opportunities to apply it every day to improve your effectiveness.
Connecting at the Heart vs. Connecting at the Intellect
If you connect at the heart, the mind follows. Interestingly, if you connect at the intellect, you may not necessarily get the heart to follow.
Go For the Heart
If you have great ideas, but people aren't on board, chances are you've been ignoring the heart. Change your approach. One way to invoke the heart is to address core values: loyalty, commitment and contribution, individual worth and dignity, and integrity.
Example
One of my former leaders is known for inspiring people. For example, whenever I would tell him about a project, he would first ask me how I was going to change the world and who the dream team would be to make it happen?
While he couldn't always get me the dream team, he first focused on a compelling vision and that was inspirational. Where the heart goes, the mind follows. In fact, in many cases I was able to get the dream team, because of the emotional commitment to make it happen. Inspired visions trump purely intellectual ones.
Posts with Pictures While studying effective blogging practices, I noticed a success pattern. The pattern is to start your post with a picture. Ironically, I fought this pattern because the engineer in me wants efficient, effective value in text. So do a lot of engineers. However, many don't.
Choosing the right picture can cause your readers to have an emotional reaction to your information, and draw them into your post. If you don't believe me, take a look at Alik's post Glue Audience To Your Presentation With ZoomIt. Tell me that picture doesn't get you curious? While your picture should be relevant, it should also cause your readers to feel something, and have a reaction. An extreme anti-pattern is to use pictures to trick readers into your posts.
It Works On You If you know this, you can inspire yourself. Rather than smart talk yourself into something, try winning over your heart first. How can you get leverage on yourself? What inspires you? Win your heart and your mind will follow.
How do you pick the right theme for your blog? The challenge is that it's not a linear decision and it requires satisficing to balance content, function, and design ("look and feel"). As part of my research on effective blogging, I've been analyzing themes. I’ve literally evaluated more than 2,000 themes and heavily modified more than 20. I see a lot of patterns now. I've decided to share my lessons learned, since they might save you considerable time.
Summary of Lessons Learned Here's a summary of my key lessons learned:
Vital Factors in Your Blog Theme It's the sum of the parts that creates your overall blog theme impact. Part of the problem that cost me so much time is I didn't know what to look for at first. I had to go through hundreds of themes before I started to see patterns that made some themes more effective than others. The other thing that cost me so much time is that it's a combination of factors over any one thing. The overall look and feel is the sum of the parts. Here's what I found to be key factors in overall look and feel:
Key Blog Features Here's a quick list of the features that my focus group seemed to care about the most:
How I Did My Research My research was pretty basic, but time consuming and challenging, particularly because there's a lot of variables and not much prescriptive guidance that I found actionable. Here's what I did:
Key Galleries I Explored I explored several galleries, but here's a few of the key ones:
Key Themes I Tested While I tested a lot of themes, here's a few key ones that stood out:
How I'll Use This This has definitely shaped my perspective on blog themes. It's night and day from when I first evaluated themes. Knowing what to look for helps me test and experiment faster. I now have a more systematic way of figuring out why some blog themes work and why some don't. I'll be helping some colleagues with their blog themes and I'll be using what I learned as I launch new blogs.
What's the difference between tags vs. categories in your blog? A lot. Knowing the difference between tags and categories can help you better structure your blog for browsing and SEO. Personally, I hadn't noticed the issue before because I only have tags on my MSDN blog. As part of my research on effective blogging practices, I hit the issue. Now that I've experimented with a few blogging platforms, the difference between tags and categories is more obvious. For example, WordPress 2.3 supports tags in addition to categories.
Categories, Internal Tags and External Tags
Tag Clouds
I think the big benefit of tags is creating browsable tag clouds where you can discover related content. Whereas categories are just one topic, you can use tags to find related content. For example, you might browse a "security" tag and then browse a "performance" tag to find the intersection of content tagged both "security" and "performance".
Notes from Lorelle
In Categories versus Tags - What’s the Difference and Which One?, Lorelle makes the following points:
Notes from Problogger
In Using Categories and Tags Effectively on Your Blog, Michael Martin makes the following points:
The End in Mind
In the ideal scenario, to use tags and categories more effectively (assuming your blogging platform supports it), you would have the following in place:
Turning It Into Action
My Related Posts
What's the full patterns & practices catalog? I created a quick index of the patterns & practices catalog since I've needed to hunt down a few things. I figured this might be useful to share.
I thought it might be helpful to walk through a deliverable so you can see my current approach for building prescriptive guidance in patterns & practices.
Stage 1: Knowledge Base
We start by building the knowledge base:
In this stage, we do a lot of solution engineering. This includes framing out the problem space using Scenario Frames. After all, you can't fix a problem if you don't know what it is, and you don't know when you're done, if you don't know what good looks like. It also includes creating repros for problems and solutions. I think of this as Test-Driven Guidance.
At this stage, we create what I call "guidance modules." These are focused nuggets. At a high-level, we factor reference from action. Our key types include guidelines, checklist, how-tos, and practices. I think Weinberg's term, the Fieldstone Method, applies to what we do.
We also publish our modules to Guidance Explorer at this point so you can build your own guide on the fly.
Stage 2: The Guide
At this stage, we build the guide.
The guide helps put the story together. The guide is divided into roughly two parts. The first part is a series of fast-paced chapters that paint the broad strokes and highlight key concepts. The second part is the hard-core reference section. This gives us a combination of top-down and bottom up.
We share the guide in HTML and PDF. This way it's easy to share URLs and play in the community, or download and read the guide offline.
Stage 3: MSDN
At this stage, we port the guidance to MSDN:
Stage 4: Amazon
At this stage, we partner with Microsoft Press and we bake the printed book:
Team Guidance
One of the things you'll notice about the guides is the breadth of participation. I'm a fan of integrating customer perspective, product perspective, field perspective, and expert perspective. I think the best way is to involve key folks that represent those perspectives. Here's an example of the contributors and reviewers for the TFS guide. For a more extreme example, see the team behind our Threats and Countermeasures Security Guide.
Measuring Success
At the end of the day, I measure success of the guides based on how well they improve your effectiveness. I think our best guides improve your confidence and competence. As much as I'd like you to enjoy reading the guides, I assume you're reading the guides to get your job done. That's why they are dense with insight and action.
Why Guides?
Not everybody is a fan of the guides. Personally, I see them as a way to share expertise. You don't get the benefit of working alongside all the product team members, the field, our various customers, subject matter experts, ... etc. That's what the guide is for. It's a way to consolidate and share the expertise. While they won't solve your every problem, you don't have to start from scratch. I think the best guides help you bootstrap your success and avoid reinventing wheels. Why go it alone, when you can stand on the shoulders of giants and learn from what works?
Key tips -- if you want to become a security and performance expert, learn the principles, patterns and practices for security and performance from Improving .NET Application Performance and Scalability and Improving Web Application Security.
What practices can we learn from the leaders in innovation? How can you improve the success of your R&D efforts? In "Smart Spenders, the Global Innovation 1000," an article in strategy+business magazine, Barry Jaruzelski, Kevin Dehoff, and Rakesh Bordia write about the key practices that the most successful innovators use.
About the Study In the study, Booz Allen Hamilton set out to find which companies have been getting R&D spending right, and then to identify common attributes. They analyzed the data for the Global Innovation 1000 using seven performance screens: sales growth, gross margin percentage, gross profit growth, operating margin percentage, operating income growth, total shareholder returns, and market capitalization growth. They analyzed the following industries: Aerospace & Defense, Auto, Chemicals & Energy, Computing & Electronics, Consumer, Health, Industrials, Other, Software & Internet, Technology, and Telecom.
Lessons Learned Jaruzelski, Dehoff, and Bordia identify some of the key practices for successful innovation:
There's No Silver Bullet Jaruzelski, Dehoff, and Bordia dispel the idea that there's a silver bullet: "How did they do it? There's no silver bullet; we found examples of many different models and approaches. If these high achievers have one thing in common, it seems to be a focus on building multifunctional, company-wide capabilities that can provide them with sustainable competitive advantage. They design their innovation investment for the long run, and create superior growth and profitability over time."
Innovation in the Nonprofit Sector Jaruzelski, Dehoff, and Bordia shine a spotlight on St. Jude Children's Research Hospital as both a success story and to compare and contrast with corporations. Here's a rundown of the key points:
What are the key stages in the innovation life cycle? What is the end-to-end value chain for bringing innovation to market? In "Smart Spenders, the Global Innovation 1000," an article in strategy+business magazine, Barry Jaruzelski, Kevin Dehoff, and Rakesh Bordia write about the four key stages of innovation that the 94 high-leverage innovators have in common.
Four Stages of Innovation According to Jaruzelski, Dehoff, and Bordia, the four key stages of innovation are:
High-Leverage Innovators Jaruzelski, Dehoff, and Bordia write:
"Based on press coverage and interviews with executives, we conclude that each of the 94 high-leverage innovators has built sufficiently strong capabilities in all four links of the value chain, and has seamlessly integrated them, to provide a high level of performance over time."
Key Take Aways Here's my key take aways:
What are the high-leverage strategies that the leaders in innovation use? In "Smart Spenders, the Global Innovation 1000," an article in strategy+business magazine, Barry Jaruzelski, Kevin Dehoff, and Rakesh Bordia write about the successful strategies that the 94 high-leverage innovators use.
Example High-Leverage Strategies Here's a sampling of the high leverage strategies:
I created a snapshot of the top 100 blogs according to Technorati. I'll be starting with these blogs to identify patterns and practices for effective blogging. I'll be analyzing blog design, user experience patterns, key features, content, style, frequency, information management, community interaction, impact ... etc. I think there's a lot of lessons to be learned.
Top 100 Blogs
This is the list I see in Technorati as of 02/23/2008.
How can you read faster while improving your comprehension? A few of my colleagues who follow my Book Share blog asked me how I read books. Simply put, I don't focus on reading faster. I focus on learning faster.
5 Tips for Reading Faster
Here's the five things that help me read and comprehend faster:
That's how I read insightful, informational or technical text these days.
Stop and Smell the Roses
If it's pleasure, then I slow down and focus on experiencing the author's story and world. Savor the moment.
Additional Resources
Here's a couple of relevant posts:
What's the best way to build momentum and get results? Start with something simple. Seriously. I get to see folks who get results and those who don't. The difference nine times out of ten isn't smarts. It's simply action. The smart folks who don't get results, either get stuck in analysis paralysis or add too many dependencies up front. The folks who get results start taking action and adjust along the way.
Why This Works
Starting with something simple works. It's not that thinking up front doesn't help. It certainly does. The problem is, three things can happen along the way:
The best way to fuel your fire is to incrementally get results. Start with something simple. Results feed on themselves. If you start with something small, you'll learn faster and you'll start to adapt. You'll inform your thinking.
How To Start
Start with the smallest thing you can personally do. If you don't know where to start, here's key questions to help:
Personally, I find asking what I can do today to be the most effective. Time is a great forcing function. It's very easy to cut scope using time. If you don't respect time, then it's very easy to add way too many things that will never happen.
Fail Fast
While starting with something simple helps build momentum, you'll also want to quickly spike on your risks. You can do this separately, after you have some success under your belt.
To fail fast, cut your idea into thin end-to-end slices and test your results. For example, take one story or usage scenario and try to instantiate it. Even before you build the solution, simply doing a dry run will reveal a lot of questions you can use to shape your approach.
The purpose of failing fast isn't to fail. It's to uncover your risks and pick better paths.
Self-Start Techniques for the Action-challenged
If you know your pattern is to think a thought to death before daring make a move, then here's a quick way out. Here's two proven practices:
Once you get in the habit of just getting started, you'll wonder how you ever got stuck in the first place.
Success Snowballs
At the end of the day, nothing succeeds like success. Success is a snowball, so build on your successes. Good luck, and get started, on whatever it is that you've been thinking about starting.
I'm in the process of analyzing my blogging strategies and practices. As part of the process, I'm doing a post roundup for this blog. I did a 2007 post roundup for my Book Share blog and it helped me get a bird's-eye view of my post content. Seeing my posts at a glance helps me both rekindle the year and spot patterns for improvement. With the benefit of 20/20 hindsight, I then carry the lessons forward. Here's my 2007 posts at a glance:
October 2007 - Posts
How do you improve your results? How do you consistently increase your success? Have you ever wondered why somebody's *advice* was useless for you at the time? Maybe, they were giving you ideas to change your thinking when what you really needed was better techniques. Have you ever spun your wheels and churned all your energy, only to realize later that you needed to think differently about the problem and change your approach? The first thing to figure out is where you need to change. Here's a simple frame I've been using to help colleagues understand where to change, so they play their best game.
The Change Frame You
How To Use the Frame As simple as this frame looks, it's very powerful. If somebody gives you advice and you feel a tug in your gut that it's not helpful, there's a good chance that it's not the advice itself, but it's at the wrong level. Telling you how to think about a problem won't help when you really need a technique and action for the problem. You can use this frame as a vantage point and to analyze your approach to be more effective.
Changing You The fastest and most effective thing you can change is yourself. You should also know that changing your thinking, changes your feelings, changes your actions. If you know this, it's a powerful concept. If you don't have the energy you need to get results, then you might have to start with changing how you're thinking about it. If you're stuck in analysis paralysis, then you might just need to start taking action and tuning your results.
Changing the Situation Some people spend too much time trying to change for the situation that's not right for them. They ultimately change, but at the expense of their strengths or passion. Another approach is to get better at figuring out up front where you can play to your strengths.
While you want to be flexible and adaptable, you also need to be self-aware. If you know your strengths and weaknesses, you can either avoid situations where you won't be successful or you can set situations up for your success. If you know your strengths and weaknesses, you can also be more deliberate about how you change for the situation and whether you are giving up your strengths.
Adapting, Adjusting or Avoiding For example, if you are used to position authority for getting results, then you'll want to either find those situations where it works or you'll want to avoid them. If you want to be more effective across a wider range of projects, situations and roles, then you'll want to learn how to influence without authority. The key to remember is that it's not a question of can you change for the situation -- of course you can. It's really a question of should you, or is there a way to set the situation up for your success, or is another situation a better fit for you.