Reason for Software Project Failure Number 2: Most organizations utterly fail to understand the complexity of developing enterprise software applications.

I watch this kind of meltdown happen with depressing frequency. "We can do it in ninety days!" is inevitably the tolling of the death knell.

Let me be clear about what I'm discussing: I'm talking about applications with a broad audience, for instance web sites holding State databases, accessed by hundreds or thousands of users with accounts. Anyone who has managed an enterprise directory knows this involves serious architecture. This is what distinguishes enterprise applications: they have a much larger scope.

It's not just the complexities of authentication and authorization that make this job tough. It's requirements like availability, redundancy and failover. And coding for security, and dealing with the inevitable attacks. And coding to standards, so teams can work together. And unit testing, and integration testing. Would you like me to go on? Because this is a huge list, and organizations that don't know this are doomed to ugly, ugly failures.

Such a negative title: Why Software Projects Fail. And part 1, no less. Is this too depressing?

Don't worry: there will be a corresponding series, Why Software Projects Succeed.

But for now, I actually do want to depress you. I'm not even going to quote figures on how many application development projects fail, though there are all kinds of numbers. If you're involved in this business, you SHOULD worry about these issues.

Which brings me to Number One on the list of reasons that software projects fail:

1. Organizations should not be developing software if they are not primarily software development entities.

Sounds harsh, doesn't it? As if I'm saying, run to some development house for every specialized piece of software you need? But no, that's not it. Many organizations have strong Excel and Access talent, or decent web language skills. Small custom applications are totally appropriate for them to build in-house. And it's utterly to be expected that these applications will sometimes be down, for hours or days, and it's not that big of a deal.

What organizations like charities, schools, courts and government administration do NOT have is enterprise application development project management skills. If people are going to be making panicked phone calls if they can't use their application, Mom and Pop should not develop it. If legislators are going to rely on it, agencies shouldn't take a do-it-yourself approach.

Unfortunately, very, very often they do. From here the branches on the tree of disaster can go every direction, from the inherent risk of relying on the one "guy that does all that stuff" to the software and infrastructure failures that will dog every entity learning to manage IT.

Still, don't take my word for it. I try not to grind people's face in "I told you so." But the process of a software project meltdown is too ugly, and I've seen it too many times.

We all know what the new business environment means: You Are Expendable.

Given that, every American should be looking hard at where their future opportunities lie. IT and security people, and software developers, should be looking toward the opportunities the changes in the business landscape bring. One of the dead-certain growth areas is electronic medical records (EMR), also known as electronic health records (EHR). This was already a hot area before the federal stimulus package, but now it’s set to explode.

Do your homework: take a look at the Wikipedia entry for the American Recovery and Reinvestment Act (ARRA) http://en.wikipedia.org/wiki/American_Recovery_and_Reinvestment_Act_of_2009

And go to the Government Printing Office site and download a PDF of the text of the act at http://www.gpo.gov/fdsys/pkg/PLAW-111publ5/content-detail.html.

Executive summary: there is substantial federal money available as 10-to-1 matching funds. Now that’s interesting. But wait; there’s more.

Peruse this Department of Health and Human Services document: http://edocket.access.gpo.gov/2010/E9-31217.htm. It’s tremendously verbose, packed with legalese and terrifically long, but then comes the meat: incentive payments.

There’s a graduated scale of payments over five years, starting at $15,000 the first year and then reducing, which gives every qualified provider up to $41,000 for an EMR implementation. That’s a lot of money for private practices, my friends.

Now, there are significant challenges in all of this. First is getting involved with this business: there are some very big gorillas in this cage, for one thing. Everyone from Microsoft to McKesson (http://www.mckesson.com/en_us/McKesson.com/) wants in on this.

But small practices are just annoying to these big guys, and that’s where IT consultants and other people involved with EMR implementations are going to have a heyday. There are hundreds of thousands of small practices across the US that are going to have to get on this train. And what do they want? Millions of features? Whiz-bang user interfaces?

Heck no. They want competent, intelligent people who know IT, security, networking, and hopefully a little bit about the medical environment. Above everything else, they want someone they can trust, someone responsive to their needs and their emergencies, someone who can help guide them through choosing a system, implementing it, maintaining it, and getting paid by the Feds for doing it.

That’s where I come in. And where you can too, if you have the inclination. Drop me a line if you have experience in this business, are interested in getting into it, or are a physician or practice looking for an EMR consultant.

So Google is pulling out of China. Because their networks were hacked. By people who wanted names and addresses of Chinese dissidents. I wonder who could have done that.

The simple truth, the one that every American network administrator already knows but that most Americans don't, is that we are already in a cyber-war with the Chinese.

When I was running a State-funded website, mysterious people coming from Chinese IP addresses were endlessly trying to hack into our firewall, penetrate our website and attack our databases. Chinese universities were the primary source. I have wondered whether Chinese tech students casually attack American targets. Or if they're encouraged. Or if their servers are just so unpatched and unmaintained that other people were using them as stalking horses.

Regardless of the reason, we were casually attacked every day, and attacked with diligence from time to time. SQL injection attacks, Coldfusion attacks, Javascript attacks, malformed URLs, attempts to "pop a shell," you name it, they tried it.

And they're trying it against big-time targets too, like Google and the Pentagon and the Department of Homeland Security. They're hacking into White House emails and leaving malware on the networks that control the flow of electric power.

We just keep letting them. Heck, we outsource our software development, R & D, technical services and everything else to the Chinese! I sure hope we're growing some good hackers and coders here in the States. Someday America is going to realize we desperately need them.