Monthly Archives: January 2011

What’s the future of information security?

Today, Jan. 28, is Data Privacy Day around the world. While it’s meant to bring attention to personal privacy, it’s also a good time to think about organizational and global challenges relating to data security.

What is your organization’s primary cybersecurity challenge? Read on to learn about some of The Open Group’s resources for security professionals.

The Open Group has several active working groups and forums dealing with various areas of information security. If your organization is in need of guidance or fresh thinking on information security challenges, we invite you to check out some of these security resources (all of which may be accessed at no charge):

  • The Open Group Jericho Forum®. Many useful guidance documents on topics including the Jericho Commandments (design principles), de-perimeterization, cloud security, secure collaboration, and identity management are available on The Open Group website.
  • Many of the Jericho Forum® members share their thoughts on a blog hosted by Computerworld UK.
  • The Open Group Security Forum: Access a series of documents on the topic of risk management published by the Security Forum over the past couple of years. These include the Risk Management Taxonomy Technical Standard, Requirements for Risk Assessment Methodologies, and the FAIR / ISO 27005 Cookbook. These and other useful publications may be accessed by searching for subject = security on our website’s publications page.

Cybersecurity will be a major topic at The Open Group Conference, San Diego, Feb. 7-11. Join us for plenary sessions on security, security-themed tracks, best practices, case studies and the future of information security, presented by preeminent thought leaders in the industry.


It’s a mad, mad, mad, mad world!

By Garry Doherty, The Open Group

Why is the world such a crazy place? Why does it seem that everything is crashing down around our ears, bringing chaos, confusion and uncertainty?

Well, there is a very, very simple reason. The universe is entropic*.

Things were pretty simple back when the Big Bang kicked off. All that existed was electromagnetism, gravitation and nuclear interaction, but, as the space/time continuum, er… continued, something troublesome came to light.

Just when matter had started to get going nicely and the shape of the universe began to emerge from the Big Bang itself, complexity was born! Nowadays of course, with complexity being almost as old as the universe itself, it has also been around the block a few times and knows a thing or two about getting its own way, but it is possible to fight back. Entropy isn’t necessarily the only fate that awaits us.

Scientists expect the universe to exist for around 15 Billion years… then there’s going to be a hard stop — a very, very hard stop! Now I’m not saying that TOGAF™ can save the universe, but from where I’m sitting, it looks like our best bet at the moment!

*http://hyperphysics.phy-astr.gsu.edu/hbase/therm/entrop.html

Garry Doherty is an experienced product marketer and product manager with a background in the IT and telecommunications industries. Garry is the TOGAF™ Product Manager and the ArchiMate® Forum Director at The Open Group. Garry is based in the U.K.

TOGAF™ will be a topic of discussion at The Open Group Conference, San Diego, Feb. 7-11. Join us for TOGAF™ Camp, best practices, case studies and the future of information security, presented by preeminent thought leaders in the industry.


Underfunding IT security programs

By Jim Hietala, The Open Group

A news story in my local newspaper caught my eye today. “State fails ‘hacker’ test” was the headline. The state of Colorado (U.S.) hired an outside security assessment firm to perform penetration tests across various state agency IT infrastructure.

The findings from the assessment firm were sadly predictable. The pen testers were able to find their way into many state networks and IT systems, and they found many instances of common security problems, including easily guessable logins and passwords, system default passwords that were never changed, and systems that were never hardened and had unnecessary ports open and services running. The assessment firm was able to access lots of private data and personally identifiable information. The story also had predictable comments from lawmakers expressing indignation at the sorry state of security for Colorado’s IT systems.

The real story, however, was buried in the article. The state agency in Colorado that was tasked with securing state IT systems estimated that the cost of implementing an adequate cybersecurity plan across all state IT systems would be $40M… and the office had a budget of $400K! Is it any wonder they failed their security audit? For every $100 that they need to perform the job adequately, the IT security professionals are getting a whopping $1 to implement their security plans and controls.

With the present economic climate, I’d guess most governmental entities (and probably a lot of businesses as well) are in a similar situation: They don’t have the tax revenues to adequately fund IT security, and therefore can’t effectively protect access to information.

The “reality disconnect” here is that in the U.S., at least 45 of the 50 states have passed something similar to the groundbreaking California data privacy law, SB1386. It calls to mind that old hypocritical saying from parents to children, “Do as we say, not as we do”.

I talk with and work with many security professionals, and I rarely hear one say that things are getting better on the threat side of information security. Underfunding IT security programs is a recipe for disaster.

Situations like this also point towards the need for better alignment of security controls with business objectives, and increased use of metrics in information security. The Open Group’s Security Forum is working on initiatives in this area… Watch this space for announcements of standards that security practitioners will find useful in driving more effective information security management.

An IT security industry veteran, Jim Hietala is Vice President of Security at The Open Group, where he is responsible for security programs and standards activities. He holds the CISSP and GSEC certifications. Jim is based in the U.S.

Cybersecurity will be a topic of discussion at The Open Group Conference, San Diego, Feb. 7-11. Join us for best practices, case studies and the future of information security, presented by preeminent thought leaders in the industry.


Cloud spending: What do you think?

A recent article estimated that 65% or more of new enterprise IT spending will be cloud-based by 2015. Tell us what you think.


Are you sure that ‘good’ is what you want?

By Garry Doherty, The Open Group

The great English writer GK Chesterton once mused that if a man were to shoot his grandmother at a range of five hundred yards, he would be a good shot, but not necessarily a good man.

That, of course, lies at the heart of the difficulty with language. Words, simply put, are words; they carry no further attributes unless linked in some way with other language elements. Additionally, words in isolation do not usually convey contextual information, and without the appropriate context, misunderstanding is inevitable.

Nang is where it’s at!

Much to the consternation of many English speakers, our language changes to meet the needs of its users; so, as a middle-aged man, I don’t really need to know what words like hamstered, bokoo or nang* mean (even though I might like to). So Enterprise Architects, too, will evolve their own languages to meet their own, very specific needs.

ArchiMate® is an early attempt to populate the void, the result of a multi-party €4M research and validation project involving the Dutch government, academia and industry. EA is still a fledgling profession and the adoption of languages is not an overnight activity, but interest in ArchiMate is growing and there is a real momentum building.

Heavenly partnership

We all know the importance and nature of stakeholders… they are not usually evil, but we do need to keep them happy, informed and we need their feedback… and at times that can be a real challenge. So what’s that got to do with ArchiMate?

Well, yes, ArchiMate is an open and independent graphical modeling language for enterprise architecture, but that’s only the start of the matter. It’s much more appropriate to see it as a stakeholder management tool. When used in conjunction with an EA framework like TOGAF™, ArchiMate takes on a new dimension and delivers an ability to communicate and collaborate with stakeholders through the creation of clear models, based on viewpoints that have a common foundation in both TOGAF and ArchiMate.

It may be a match made in heaven, but only time will tell!

*Go on, Google it. You know you want to.

Garry Doherty is an experienced product marketer and product manager with a background in the IT and telecommunications industries. Garry is the TOGAF™ Product Manager and the ArchiMate® Forum Director at The Open Group. Garry is based in the U.K.


New year, new certification

By Steve Philp, The Open Group

At the beginning of every new calendar year, many organizations discuss with employees specific job-related objectives and career development plans for the next 12 months and beyond. For many individuals, certification is highlighted as something that they should be working towards during the course of the year.

Until recently, virtually all IT certifications have been based on an individual’s recollection of a body of knowledge and his/her ability to pass a computer-based test. Unfortunately, these certifications do not prove that you can apply this knowledge successfully in practice. To achieve certified status you usually have to attend the relevant training course or read the appropriate self-study material before taking the examination. However, knowledge in itself is not an accurate measure of competence and, while question-based tests are practical and objective, they are also more susceptible to fraud.

Perhaps a better method of evaluating competence to carry out a specific role is to examine the skills and experience that an individual has demonstrated in his/her work. This type of certification usually requires you to prepare some form of written application followed by either an individual or panel interview which may or may not involve a formal presentation as part of the process.

In recent years, The Open Group has developed the IT Architect Certification (ITAC) and IT Specialist Certification (ITSC) programs, which are based entirely on skills and experience and which assess an individual’s “people skills” as well as their technical abilities. There is no test-based examination; instead, applicants must complete a comprehensive application package and then be interviewed by three existing certified board members. Each interview lasts for one hour and gives the candidate the opportunity to explain to the interviewer how they have met the conformance requirements of the program.

Many organizations around the world have identified this type of skills- and experience-based program as a necessary part of the process of developing their own internal IT profession. These certifications can also be used in the recruitment process and help to guarantee a consistent and quality-assured service on project proposals, procurements and service level agreements. As a result, achieving this type of IT certification often proves to be much more rewarding for both individuals and organizations.

Steve Philp is the Marketing Director for the IT Architect and IT Specialist certification programs at The Open Group. Over the past 20 years, Steve has worked predominantly in sales, marketing and general management roles within the IT training industry. Based in Reading, UK, he joined The Open Group in 2008 to promote and develop the organization’s skills and experience-based IT certifications.
