PODCAST: Exploring business-IT alignment: A 20-year struggle culminating in the role and impact of Business Architecture

Listen to this recorded podcast here: Exploring Business-IT Alignment: A 20-Year Struggle Culminating in the Role and Impact of Business Architecture

The following is the transcript of a sponsored podcast panel discussion on defining the role and scope of the Business Architect, in conjunction with The Open Group Conference, Austin 2011.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect. Today, we present a sponsored podcast discussion in conjunction with The Open Group Conference in Austin, Texas, the week of July 18, 2011. We’ve assembled a distinguished panel to delve into the role and opportunity for business architecture. We’ll examine how the definition of business architect has matured and we’ll see why it’s so important for this new role to flourish in today’s dynamic business and IT landscapes. We’ll also see how certification and training are helping to shape the business architecture leaders of tomorrow.

Here to help better understand the essential impact of business architecture on business success, is Harry Hendrickx, the Chief Technology Officer, CME Industry Unit, HP Enterprise Services and a Certified Global Enterprise Architect. Welcome, Harry.

Harry Hendrickx: Thank you, Dana.

Gardner: We’re also here with Dave van Gelder, Global Architect in the Financial Services Strategic Business Unit at Capgemini. Welcome, Dave.

Dave van Gelder: Thank you, Dana.

Gardner: And we’re also here with Mieke Mahakena. She is the Label Leader for Architecture in the Training Portfolio at Capgemini Academy and also a Certified Architect. Welcome, Mieke.

Mieke Mahakena: Thank you.

Gardner: Also, Peter Haviland, head of Architecture Services in the Americas for Ernst & Young. Hello, Peter.

Peter Haviland: Morning, Dana.

Gardner: And last, Kevin Daley, Chief Architect in the Technology and Innovation Group at IBM Global Business Services. Hello, Kevin.

Kevin Daley: Hello, Dana.

Gardner: Let me start by addressing both Harry and Kevin. There’s a new paper that you are working on, refining the definition of business architecture, but I’m interested in why this is so important now. We see that CEOs around the world really are seeking fundamental change. They recognize that we’re at an inflection point. Why is that the case? Why is the role of business architect so important now? Let’s start with Harry, please.

Business-IT alignment

Hendrickx: Thank you very much, Dana. Yes, it is a very important question, of course. Why are we putting so much effort in getting business architecture on the scene? Over the past one or two decades, business-IT alignment has been number one on the CIO agenda, and apparently the organizations have increasing difficulty getting business-IT alignment resolved.

There are quite a few people pioneering in business-IT alignment, but apparently there was no urgency yet to recognize this role more specifically. HP, in the past two years, interviewed CIOs worldwide, and they all indicated that they face quite large and complex transformation processes. They also recognize that business-IT alignment is one of the key issues. We think that the business architect really can provide some resolution to get those processes in better shape and more successful.

Gardner: Kevin, your thoughts. Why is it so important right now?

Daley: At IBM, we have a CEO study and a CIO study that come out in alternating years. One of the things that started coming out loud and clear in 2010 was that managing complexity and building operating dexterity required a better understanding across the entire company.

We’ve started seeing a trend to move not just from business-IT alignment, but to business and IT convergence. There’s an understanding more and more that information technology, and technology in general, is a core part of the business model now. There’s an understanding that now we have a situation where business and IT aren’t so much aligned, because of the fact that IT is part of business.

Where we did interviews and surveys and then compiled them for thousands of CEOs, we came up with three key elements. Amongst those was managing and taking advantage of complexity while building operating dexterity. That’s the key theme.

One of the problems that we’re seeing from the CEOs is having for decades separated IT as if it was its own business unit, instead of part of the true sense of the business. It’s been an interpretive science. To manage that complexity they needed a means by which to start with the design of where they’re going and have a business strategy.

How do they take that strategy and transform it into technology and into information management? They needed an ability to have a framework in which to have that substantive discussion between the people who were responsible, such as the CIO who is responsible for technology and the operations and the COOs, who are really about the execution of the overall picture.

What we’ve seen from our CEOs is a need to start being more integrated. There have been market pressures that they are having to respond to. The big economic downturn was a big change for everyone, and they are trying to address it.

They’re looking at means that they can start integrating more globally. They can start to increase their cost variability and start becoming more agile in how they operate their business. To do that they need a means by which they can more effectively communicate.

Driving understanding

So far, we’ve been seeing that business architecture is a perfect way to start driving an understanding. It’s a place where both people who are used to seeing standard business models like revenue and capability are able to associate that to the different types of architectures and designs that we see coming out of the technology group.

It’s giving them a common place to meet and jointly move forward with what they’re trying to do in terms of managing the complexity, so they can be more agile and dexterous.

Gardner: Dave van Gelder, it sounds as if what we’re trying to do here is at a very high level in the organization. Does a business architect and architecture have to be at a high level to be successful? Where in the org chart do we typically see this role? Is it near the top? Does it matter?

van Gelder: It depends on the maturity of an organization. Within Capgemini nowadays, we talk about business technology. As Kevin said, business and technology are not separate. Technology is part of the total business.

When we started the Business Architecture Working Group in 2006, there was a lot of discussion about two words, business and architecture, and nobody knew exactly what we were talking about. Everybody had a different understanding of those words. In recent years, what you have seen is that business architecture is looked at in a different way. Currently in the Business Architecture Working Group, we see business architecture as something that brings the balance between all the other architectures in the company — that’s IT architecture, financial architecture, money, people architecture, and a lot of other architectures.

If business architecture is bringing the balance between the different aspects of a company, then business architecture is something that should be handled in the top of the organization, because balance should be created between all the different aspects in the organization.

Gardner: Based on what Dave said, it sounds, Mieke, as if we’re talking about a federation of architectures. What then is the fundamental problem that the business architect needs to solve? Is this getting into the actual mechanisms or is it about organizing the people around some sort of a vision or strategy?

Mahakena: It’s more like making sure that, whatever transformation you’re going to implement, you align all those different aspects. As Dave told us, there are a number of aspects in an organization that might need to change, and you can have all those different architectures for those aspects. But, if every aspect goes its own way in changing, then they will never be aligned. Business architecture is meant to align all of those aspects to make sure that you have a balanced, consistent, and coherent set of operations at the end.

Gardner: It sounds as if we’re in agreement that this is a high level function, but what is it that people might stumble upon, if they direct this in a wrong direction? What is business architecture not good at? Peter, what should we avoid? What’s a misstep in terms of either the level in the organization or the target of the activity?

Many things at once

Haviland: Business architecture is similar to other forms of architecture, in that it tends to try to do many things all at once. The idea of enterprise alignment is definitely the right outcome, but there is enough complexity there to blow steam out of your head for many, many years to come.

Certainly in our experience of implementing these types of functions in organizations, functions that constrain scope very well also tend to communicate very well around what their status is, what their progress is against milestones, and what outcomes they’ve achieved, and they tend to articulate those outcomes in terms of real business value. What business architecture is not very good at are broad-reaching types of goals that don’t have measurable outcomes.

Gardner: So, it’s not just let’s have a designated business architect and a laurels-wearing individual, but move more towards something that’s very practical and that shows results. That leads to a question about how to professionalize this role.

Anyone could stand up and call themselves a business architect, but what is The Open Group, in particular, doing about actually certifying and moving towards a standardization of some sort? Does anybody have any thoughts about how to make this more rigorous?

Hendrickx: The first question we get asked is, what’s the difference between a business consultant and a business architect or a business analyst and a business architect? We also have enterprise architects and technology architects. Is there a reason for being for the business architect?

This is something we did a lot of research on at HP and we delineated the role of the business architect quite clearly from the business consulting and the business analyst aspect. The business architect’s role is distinct, because he combines the organizational strategy with the operations. He identifies the implications of this strategy, as well as that of the technology for the business operations. This is opposed to the business consultant, who is more outwardly looking to the commercial aspects of the organization and what that means for the structure. The business analyst is looking more at not the structure of the operation, but at the solution level.

When we look at the enterprise architect and the solution architect, the business architect focuses more on the complete implications of the strategy and technology trends on the operations, whereas the enterprise architect is more interested in the IT and the implications for the IT strategy and how IT should be deployed. The business architect is much more focused on the complete performance of the business operations.

So, the bottom line of these delineations of the past one-and-a-half years is that there is a reason for being for a business architect. It is a distinct role and it has a real solution for a problem.

Gardner: Thank you, Harry. Anyone else with some thoughts about how to make the certification and standardization of this stick?

Defining the profession

Mahakena: What we’ve been doing in the Business Forum, after we decided that business architecture has its own reason for existence, we described the business architecture profession – what’s the scope and what should be the outcome of business architecture. Now, we’re working on the practice of business architecture by defining a framework, looking at methods, and defining approaches you can use to do business architecture.

Parallel to that, if you know what the profession is and what the practice is, you’re able to create the business architecture certification, because those things help you define the required skills and experience a business architect needs. So, we are working on that in the Business Forum.

Daley: Let’s look at business architecture from the concept that has existed, combining the thoughts of what Mieke and Harry have already talked about. When we work with clients, for those of us that are in consultancies, we see that there is normally something that’s similar to business architecture, but it’s either a shadow organization inside a purely business unit that isn’t technology focused, or it is things like the enterprise architects who are having to learn the business concepts around business architect anecdotally, so that they can be successful in their roles.

I’d suggest that we’re seeing a need to make it more refined and more explicit, so that we’re able to identify the people that fit for this. They have specific things, instead of having general things that we have today. For me, the certification helps provide that certainty as a hiring manager or as somebody who is looking to staff an organization.

It provides that kind of clarity of what they should be doing, giving them specific activities, specific things they do that create value for the company. It takes something that’s critical to success out of the behind-the-scenes action and pulls it to the front, with people who are specifically aligned and educated to do that.

Gardner: Thank you, Kevin. Let’s speak a little bit about why the strategic and top-level aspects of this certified individual or office is so important. It seems to me that, on one hand, we have more need for different technology competencies in an organization, but at the same time, we’re starting to see consolidation, particularly at the data center level, fewer data centers, more powerful and vast data centers and consolidation across different regions. How does globalization fit into this? Do we need to think about the fact that if we have fewer data centers but more technology requirements, doesn’t the role of somebody or some group need to come together so that there is a pan organizational or even global type of effect?

Let’s start with you Peter. How does the globalization impact the importance of this role?

Haviland: Globalization is creating more and more complexity in the business models that organizations are trying to operate. Over the last couple of decades, with the science and the engineering of IT, there has been enormous investment by companies to actually operate, maintain, and improve their IT in their current world.

In many cases this IT work has outpaced the comparable business efforts inside those organizations when they think about their business, their business models, and their business operating principles. What we’re actually seeing now is that the rigor, the engineering, and the effort that’s put into technical architecture and IT architecture is now being proposed on the business side, with many businesses managing process improvement activities. These tend to be at quite a low level, however, when you compare them to business architecture initiatives at the enterprise level.

Scope and challenge

If those architecture initiatives are at the high levels that are needed, you start to consider the scope and challenges that come into play, when you start talking about globalization. So, with the increase in scope and the global way that people are operating across cultures, geographies, and languages, that requires this discipline, which does operate at that high level to start to organize the other areas, but perhaps at a lower level.

Gardner: Harry Hendrickx, thoughts about this issue of increased complexity and yet more consolidation in terms of where IT is housed, managed, and governed?

Hendrickx: There are two aspects that need to be paid more attention to with globalization and more complexity. First, the business architect is, or should be, equipped to look at the organization, not only within the boundaries of an organization, but also the ecosystem of organizations that will mold together and have to be connected to produce the value.

Since these are more formalized contracts or relationships with different organizations connected to each other, there is a dynamic that is hardly seen anymore, that is not transparent anymore. There clearly needs to be some more detailed insights and transparency for each organization, so that people understand what the impact of certain developments or events will be. This can’t be done just by logic or just by watching carefully. This really needs some in-depth analysis, for which the business architecture is built.

The second part of it is that, due to the complexity, the decision-making process has become more complex and there will be more stakeholders involved in the different areas of decision making. The business architect has a clear task and challenge as well. By absorbing the strategy, technology trends, and the different developments and focusing on the applications for operations, he has the opportunity to discuss with the different stakeholders. He has the opportunity to get those stakeholders either mobilized or focused on specific decisions: the deliverables you will provide.

Gardner: We certainly see a lot of important characteristics in this role: global, strategic high level, encompassing business understanding, as well as technology. Dave van Gelder, where do you go to find these kinds of people? Who tends to make a good business architect or is there no real pattern yet established as to who steps up to the plate to be able to manage this type of a job?

van Gelder: To all the complexity already mentioned, I’d want to add something else that we found in the Business Architecture Working Group, which is more research in the whole field. That’s the problem of communication. How do people communicate with each other?

If you look in the IT world, most people come from an engineering background. It’s hard enough to talk to each other and to be clear to each other about what’s possible and how you should go or what you should go for. If you start talking to all those other areas in the business, then suddenly people have a completely different way of thinking. Sometimes they use the same words and don’t understand each other.

It’s not easy to have these kinds of people that need very good communication skills next to all the complexity that you have to handle. On the other hand, you need an architect when it’s complex. You don’t need an architect when it’s simple, because everybody can do it. But an architect is just a person. I say if I am a simple person, I can only handle simple things. What you need are people who can structure. I can only work with things when I can structure it, when the complexity is fairly well-structured. I then have overview of all those complexities, and then I can start communicating with all the parties I have to communicate with.

No real training

At the moment, I don’t see any real training or development of these kinds of people that you need. Most of them come with a lot of experience in a lot of fields, and because of that, they have the possibility to talk to all kinds of people and to bring the message.

Gardner: Mieke, at Capgemini Academy, you’ve obviously encouraged and encountered folks moving towards a business architect role. What are your thoughts on what it takes and where they tend to come from?

Mahakena: Let’s have a look where they can come from. What you see is that this role of business architect can be a next step in one’s career. For example, a business analyst, who has been gaining a lot of experience in all kinds of fields, could evolve towards a business architect. This person needs to get away from the detail and move towards the strategy and a more holistic view.

Another example could be an enterprise architect who already has analytics skills and communication skills. But, enterprise architects are more or less focusing on IT, so they should move more towards the business part and towards strategy and operations.

Another could be the business consultant who is now focusing on strategy; he should also have those communication skills, and will be able to communicate with stakeholders in high positions in companies. Business consultants have a lot of industry knowledge. So they need more knowledge about technology and perhaps to improve their analytics skills and learn more about how to structure operations.

So, there are a number of existing roles that already have a lot of the skills required for business architecture. They just have to enhance skills and get new skills to do this new role.

Gardner: We talked about how this is important because of the internal organizational shifts and the need for transformation. We’ve seen how globalization makes this more important, but I’d like to also look a little bit at some of the trends and technology.

We’ve seen a great deal of emphasis on cloud computing, hybrid computing, the role of mobile devices, wirelessly connected devices, sensors, and fabric of information which, of course, leads to massive data, and they need to then analyze that data.

This is just a handful of some of the major technology trends. Kevin Daley, it seems to me that managing these trends and these new capabilities for organizations also undergirds and supports this need. So how do you see the technology impetus for encouraging the role of business architect?

Daley: I’m seeing from my work in the field that we’ve got all these things that are converging. Certainly, you’ve got all these enabling technologies and things that are emerging that are making it easier to do technology types of things and speeding them up. So, as they start maturing and as organizations start consuming them, what we’re seeing is that there’s a lack of alignment.

Business relevancy

What this trend is really doing is making sure that you have something that is your controlling device that says what is the business relevancy? Are we measuring these peer-to-peer — measuring something such as massive data and information fabrics compared to something like cloud computing, where you are dispersing the ability to access that more readily. It creates a problem in that you have to make sure that people are aligned on what they’re trying to accomplish.

We’re seeing that the technologies that are emerging are actually enabling business architecture in a fashion. It provides that unified vision, that holism, that you can start looking at combinations of these technologies, instead of having to look at them as we’ve had to in the past of siloed elements of technologies that have their own implications.

We’re using business architecture as a means to provide the information back to the business analyst who is going to look and help. You can provide the business implications, but then you have to analyze what that implication means and make decisions for how much of that you’re willing to accept within your organization.

In the notions around how I investigate risk, how I look at what is going to improve the market, and what is the capacity of what I can do, there’s a disconnect for which business architecture is helping provide the filler, to get to the people who are doing these corporate strategies and corporate analysis at a level that allows them to virtualize the concept of the technology, consume what it means and what that relates to for a business or in terms of its operation and strategy and the technology itself.

We’re seeing this become the means by which you can have that universal understanding that these are the implications, and that those implications can now be layered, so that you can look at them in combination instead of having to deal with each technology trend as if it’s a standalone piece.

We’re seeing this as a means by which to provide some clarity around what any adoption would be. When you adopt technology, it obviously has a level of maturity it has to reach, but it also has a level of complexity. It’s being able to start taking advantage of more than just one technology trend at the same time and being able to realistically deliver that into their business model.

What I have been seeing is that the technologies are driving the need for business architecture, because they need that framework to make sure that they are talking apples to apples and that they are meaning the same thing, so that we get out of the interpretation that we have had in the past and get into something that’s very tactical and very tactile, and that you can structure and align in the same way, so you understand what the full ramifications are.

Gardner: Peter Haviland, we have these multiple technology developments overlapping. They can be opportunities for businesses, but they can also perhaps be problems, if you don’t manage them.

What are the stakes here for business architecture and for organizations that can master this? It seems to me that they would have a significant advantage. For those that don’t, it could mean a significant cratering of their business potentially. So are we talking about an existential level importance for business architecture? How important is this now?

Haviland: It’s extremely important. What I see is that this is a discipline that’s just crying out for more people and more maturity. You almost need it to become pervasive throughout organizations now.

Feeding technology

The most common story I encounter is simply that organizations spent a lot of time in the past creating their processes and then they spent a lot of time feeding technology solutions to those processes. In recent times, the pace of technology change has moved faster than that previous paradigm.

What you’re looking at is at people saying, well, I am the business, there are all of these technology options out there. I cannot find a way forward and so how do I exploit those? That is where the business architecture profession is really being pushed to the front.

That said, there is a slight risk here that it may be considered too much in isolation. I mean, it is an architecture profession, it is a part of architecture, and the value of architecture is to provide that aligned view across the various domains that are important in terms of business, technology, information, security, and those types of elements.

When it comes back to what’s at stake for businesses that are investing in this particular area and for businesses that are trying to reconsider the way that they can operate themselves to support technology, they are moving ahead and they have competitive advantage. Businesses that aren’t doing that tend to be left behind, because the pace of change of technology is going to get faster.

Gardner: We’re here at The Open Group Conference. I wonder if any of you could fill us in on what The Open Group is now doing to advance this definition, mature the role, promulgate certification, and hasten the effect and benefits of business architecture in the field. Who can update us briefly on where we stand with The Open Group’s movement on certification and definition?

Mahakena: All those subjects you mentioned are part of the work of the Business Forum. The Business Forum is working in parallel on all those things. For example, it’s defining the profession and defining business architecture, working on methods and frameworks and approaches, and working on certification.

We need to do that in parallel, because all those aspects have to be aligned. We also need alignment in our own work to make sure that the certification, for example, requires just the skills you actually need to do the business architecture and to create the outcomes we have defined in the profession and practice part.

We’re on our way as a Business Forum and we have done a huge amount of work, but we’re not ready yet. There are still a number of subjects we need to discuss, and we need to align everything we have now to make sure that we have a consistent package of deliverables that can be used by the members of The Open Group and anyone outside as well.

That’s where we are at this moment, and we are hoping to deliver a set of documents that will be accepted by The Open Group, by the members, and then they can be shared.

Hendrickx: I want to extend a little bit on where we are, because there has been some investigation into the 28 frameworks, which are very close or are meant to be frameworks for business architects. The result was that none of these really had a complete holistic approach, as the role is identified currently, or at least how the needs have been identified in the marketplace.

Some have gaps

Some are quite close, but quite a few have gaps in one of the areas that should be touched, like strategy, operations, processes, or technology. We currently try to identify and fill that gap. That’s one point.

The other one is that most of the techniques used by the business architect are very well-embedded in academic research and are often, and sometimes already, used by different roles as well.

I’m thinking of things like the systems approach, and the systems thinkers have quite a few techniques. There are also techniques developed by IBM, HP, and Capgemini on the business architecture, which are well-versed and well-embedded in academic research of the past 20, 30 years. So, it’s not just a set of techniques that are built together. These are really based on insights which we have gained over several decades.

Gardner: Very good. I understand that many of these resources and the ability to take part in some of these working groups are all available on the newly redesigned Open Group website. That would be opengroup.org online and easily found from search.

I want to close up by thanking our guests. We’ve been discussing the burgeoning role of, and the opportunity for, business architecture and its practitioners in a dynamic global business environment.

This podcast is coming to you as a sponsored activity in conjunction with The Open Group Conference in Austin, Texas, the week of July 18, 2011.

So thanks to our guests. We’ve been joined by Harry Hendrickx, Chief Technology Officer, CME Industry Unit in HP’s Enterprise Services, and also a Certified Global Enterprise Architect. Thank you, Harry.

Hendrickx: Thank you, Dana.

Gardner: And also Dave van Gelder, Global Architect in the Financial Services Strategic Business Unit at Capgemini. Thank you, Dave.

van Gelder: Thank you, Dana.

Gardner: We’re also here with Mieke Mahakena. She is the Label Leader for Architecture in the Training Portfolio at Capgemini Academy, and also a Certified Architect. Thank you, Mieke.

Mahakena: You are welcome, Dana.

Gardner: Peter Haviland, Head of the Architecture Services for Americas at Ernst & Young has also joined us. Thank you, Peter.

Haviland: Thanks, Dana. Thanks everyone.

Gardner: And lastly, Kevin Daley, Chief Architect in the Technology and Innovation Group at IBM Global Business Services. Thanks so much, Kevin.

Daley: Thank you, Dana. Again, thanks to everyone else also.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com.

Copyright The Open Group 2011. All rights reserved.

Dana Gardner is the Principal Analyst at Interarbor Solutions, which identifies and interprets the trends in Services-Oriented Architecture (SOA) and enterprise software infrastructure markets. Interarbor Solutions creates in-depth Web content and distributes it via BriefingsDirect™ blogs, podcasts and video-podcasts to support conversational education about SOA, software infrastructure, Enterprise 2.0, and application development and deployment strategies.


Monet revisited (or: non-traditional approaches to developing TOGAF® Next)

By Stuart Boardman, Getronics

Right now work is starting on the next major release of TOGAF®, which for now is known as TOGAF® Next. That makes it a very good time to look at what else is going on in the world and what kind of contribution that might make.

A lot of the best ideas come from unexpected directions. Enterprise architects (fortunately) often have passions that don’t have much directly to do with that discipline. Let’s be honest, the best ones almost always do. Peter Bakker recently drew our attention to a current debate in the world of photography and photo journalism. People are using apps like Hipstamatic to make deliberately grungy images – to make the results less “realistic” and more “impressionistic” (same thing Claude Monet and his pals came up with in the late 19th century except they didn’t have apps back then). Apart from the intrinsic interest of the topic, Peter suggested this might be applicable in EA. That made me think. We’ve invested vast amounts of time and effort (and therefore money) in being able to specify things in enormous detail according to increasingly tightly defined models. In fact, people used to complain that those tight models were what TOGAF® lacked. Hmmm. Sometimes the result is not seeing the wood for the trees. Or assuming that detail equals fact. Or getting realism muddled up with reality. Or information with knowledge (never mind wisdom). The Impressionists wanted people to be able to get a feeling of what it was like to be there — not precisely what it looked like at a specific moment in time. So while I’m sure they weren’t thinking about quantum mechanics (that would have been quite an achievement!), they were certainly leaving things open for probabilistic interpretations. Could we do the same in EA – without just producing vagueness? Why not – at least down to a certain level? If you use the Business Model Canvas, for example, you can build up a very meaningful picture of an enterprise’s business model without vast amounts of detail. It provides a lot of knowledge and even some wisdom on the basis of an optimal amount of information. And that has the great benefit of allowing you to fill in the detail where it’s actually going to be useful to you. 
So why wouldn’t we do something similar in general in EA?

Ross Button is developing an idea he calls Scatter Architecture. You could visualize it as a lot of puzzle pieces that you scatter on a board and see what kind of a picture you can make out of them. They might turn out to fit together in more than one way. That’s actually a good thing, as it probably makes you more adaptable and less exposed to change. Some of the pieces will duplicate each other wholly or partly. Viewed from a TOGAF® perspective we can say that these duplicates occur both on the Enterprise Continuum and on the Solution Continuum. Duplicates are allowed in this architecture. I don’t suppose you’d find them in the Enterprise Strategy or in the Architecture Strategy but you might well find partial duplicates among your propositions, activities, resources and partners – particularly the latter. After all, you probably don’t really want to be dependent on one supplier but that doesn’t mean they’re all exactly alike. So your architecture strategy might even codify that, which means your architecture models will need to take account of it. On the solution side of things it’s just as likely. Ross has explicitly pointed to Cloud as an example of this. Just as in the “real” world, if you can avoid being locked into just one supplier (without the cost implications being too high), you have much more room to manoeuver. The Amazon crash a couple of months ago provided some good positive and negative examples. Moreover, just as in the “real” world, these partners might become part of your value creation process as opposed to just cost elements. So this introduces my second theme, multiplicity.

Louisa Leontiades has just launched a social media integrated business. It’s a great example of how enterprises are changing and why we need to understand them in non-traditional ways. What can we say about her business? Well, it’s an Internet company but it’s not selling technology. It sells real people skills but everything lives in the blogosphere. You can buy her stuff via the site but it’s not an eShop. It’s Louisa’s company but in some ways it’s a virtual enterprise. What does that mean? Well, there will be multiple contributors generating and selling content and the quality and commercial success of the content will shape how the company develops. Or to put it another way, the contributors are not merely suppliers but actually investors, who benefit from the success of the company. Oh and it has its own website but the marketing happens via separate blog sites, via Twitter, Facebook, Google+, LinkedIn – you name it. It’s easy to see then how capturing the architecture of such an enterprise is about capturing the essence and not getting distracted by detail that can change at any moment – exactly due to the multiplicity of contributors and propositions. It’s a daring concept – jumping into the unknown – and of course we won’t see this model in the large enterprise world for quite some time but in the non-profit world or perhaps even in education one could imagine a more rapid adoption. In fact you might reasonably expect to see it adopted in education. It was after all educational and research organizations that gave us the Web in the first place. And back then the web was all about collaboration and sharing – co-creation.

Tom Graves has been looking at extending the Business Model Canvas into Enterprise Architecture as a whole. One part of this is extending it upwards (or outwards – depends how you look at it) to reflect the extended enterprise context in which most organizations “live” today. This involves taking concepts which we already apply to the single enterprise and applying them to a world we don’t control, where multiplicity is the rule and in which our objective is to be an equal partner. This gives rise to relationships, which are both complex and shifting. I would argue that one consequence is that we need to put the emphasis on capturing the entirety of the situation, so we can understand its dynamics and reach (breadth), and we need to avoid the distraction of those details, which we know can and will change without our being consulted (anyone see a similarity to Cloud here?). Another part of what Tom is doing is a mapping with Archimate. I don’t know whether Tom sees it exactly the way I do, but I think one of the advantages is that it combines the impressionist approach with a standardized modeling technique and allows us to provide detail where it’s meaningful and useful. And what it also does is provide a semi-formalized way of using techniques coming from a different discipline within (or along with) familiar EA frameworks. Well, I say “does” but I should say “will do”. It’s work in progress, just like Scatter. Just like TOGAF® Next. You can contribute to these things, influence them or adapt them to your own purposes. You can read and leave them aside but at least you’ll have thought about it. And that in and of itself will enrich your practice.

Stuart Boardman is a Senior Business Consultant with Getronics Consulting where he co-leads the Enterprise Architecture practice as well as the Cloud Computing solutions group. He is co-lead of The Open Group Cloud Computing Work Group’s Security for the Cloud and SOA project and a founding member of both The Open Group Cloud Computing Work Group and The Open Group SOA Work Group. Stuart is the author of publications by the Information Security Platform (PvIB) in The Netherlands and of his previous employer, CGI. He is a frequent speaker at conferences on the topics of Cloud, SOA, and Identity. 


PODCAST: Why data and information management remain elusive after decades of deployments; and how to fix it

By Dana Gardner, Interarbor Solutions

Listen to this recorded podcast here: BriefingsDirect-Effective Data Management Remains Elusive Even After Decades of Deployments

The following is the transcript of a sponsored podcast panel discussion on the state of data and information management strategies, in conjunction with The Open Group Conference, Austin 2011.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect. Today, we present a sponsored podcast discussion in conjunction with the latest Open Group Conference in Austin, Texas, the week of July 18, 2011. We’ve assembled a distinguished panel to update us on the state of data and information management strategies. We’ll examine how it remains difficult for businesses to get the information they want in the way they can use, and why this has been a persistent problem. We’ll uncover the latest in the framework approach to information and data and look at how an information architect can make a big difference.

Here to help us better understand the role and impact of the information architect and also how to implement a successful data and information strategy is our panel. We’re here with Robert Weisman. He is CEO of Build The Vision Incorporated. Welcome to BriefingsDirect, Robert.

Robert Weisman: Thank you.

Gardner: We’re also here with Eugene Imbamba. He is Information Management Architect in IBM‘s Software Group. Welcome, Eugene.

Eugene Imbamba: Thank you very much.

Gardner: And we’re here also with Mei Selvage. She is the Lead in the IBM Community of Information Architects. Welcome to the show, Mei.

Mei Selvage: Thank you for having us.

Gardner: Tell me, Robert, why it is that it’s so hard for IT to deliver information access in the way that businesses really want.

Weisman: It’s the general insensitivity to information management concerns within the industry itself, which is very much becoming much more technology and tool-driven with the actual information not being taken into consideration. As a consequence, a lot of the solutions might work, but they don’t last, and they don’t, generally speaking, get the right information to the right person at the right time. Within The Open Group, we recognized this split about four years ago and that’s one reason that in TOGAF® 9 we redefined that information technology as “The lifecycle management of information and related technology within an organization.” We didn’t want to see an IM/IT split in organizations. We wanted to make sure that the architecture addressed the needs of the entire community, especially those requiring information and knowledge.

Gardner: Eugene, do you think if we focus more on the lifecycle management of information and the architecture frameworks like TOGAF, that we’ll get more to this requirement that business has that single view of reality?

Imbamba: Definitely, focusing on reference architecture methodologies is a good way to get going in the right direction. I don’t think it’s the end of all means to getting there. But, in terms of leveraging what’s been done, some of the architectures that have been developed, whether it’s TOGAF or some of the other artifacts out there, would help organizations, instead of spinning their wheels and reinventing the wheel, start building some of the foundational capabilities needed to have an enterprise information architecture.

Getting to the finish line

As a result, we’re seeing that each year with information management, projects starting up and projects collapsing for various reasons, whether it’s cost or just the process or people in place. Leveraging some of these artifacts, methods, and reference architectures is a way to help get started, and of course employing other areas of the information management disciplines to help get to the finish line.

Gardner: Mei, when it comes to learning from those that have done this well, what do we know about what works when it comes to data and information management? What can we point to and say, “Without question, moving in this direction is allowing us to be inclusive, move beyond just the data and databases, and get that view that the business is really looking for?”

Selvage: Eugene and I had a long debate over how we know that we’ve delivered a successful information architecture. Our conclusion comes out three plus one. The first piece is just like any strategy roadmap. You need to have a vision and strategy. To have a successful information architecture vision you really have to understand your business problem and your business vision. Then, you use applicable, proven referenced architecture and methodology to support that.

Once you have vision, then you come to the execution. How do you leverage your existing IT environments, integrate with them, keep good communication, and use the best practices? Finally, you have to get implemented on time and on schedule within the budget — and the end-user is satisfied.

Those are three parts. Then, the plus part is data governance, not just one-time project delivery. You’ll have to make sure that data governance is getting consistently implemented across the projects.

Gardner: How about in the direction of this organizational definition of what works and what doesn’t work? How important is it rather for an information architect role to emerge? Let’s start with you, Robert. Then, I’d like to take this to all of you. What is it about the information architect role that can play an important element here?

Weisman: The information architect will soon be called the knowledge architect to start realizing some of the promise that was seen in the 1980s and in the 1990s. The information architect’s role is essentially to harmonize all manner of information and make sure it’s properly managed and accessible to the people who are authorized to see it. It’s not just the information architect. He has to be a team player, working closely with technology, because more and more information will be not just machine-readable, but machine-processable and interpretable. So he has to work with the people not only in technology, but with those developing applications, and especially those dealing with security because we’re creating more homogenous enterprise information-sharing environments with consolidated information holdings.

The paradigm is going to be changing. It’s going to be much more information-centric. The object-oriented paradigm, from a technical perspective, meant the encapsulation of the information. It’s happened, but at the process level.

When you have a thousand processes in the organization, you’ve got problems. Whereas, now we’d be looking at encapsulation of the information much more at the enterprise level so that information can be reused throughout the organization. It will be put in once and used many times.

Quality of information

The quality of the information will also be addressed through governance, particularly incorporating something called data stewardship, where people would be accountable, not only for the structure of the information but for the actual quality of the informational holdings.

Gardner: Thank you. Eugene, how do you see the role of the information architect as important in solidifying people’s thinking about this at that higher level, and as Robert said, being an advocate for the information across these other disciplines?

Imbamba: It’s inevitable that this role will definitely emerge and is going to take a higher-level position within organizations. Back to my earlier comment about information really becoming an issue, we have lots of information. We have a variety of information and varied velocity of information requirements.

We don’t have enough folks today who are really involved in this discipline and some of the projections we have are within the next 20 years, we’re going to have a lot more information that needs to be managed. We need folks who are engaged in this space, folks who understand the space and really can think outside the box, but also understand what the business users want, what they are trying to drive to, and be able to provide solutions that really not only look at the business problem at hand but also what is the organization trying to do.

The role is definitely emerging, and within the next couple of years, as Robert said, the term might change from information architects to knowledge architects, based on where information is and what information provides to business.

Gardner: Mei, how far along are we actually on this definition and even professionalization of the information architect role?

Selvage: I’d like to share a little bit of what IBM is doing internally. We have a major change to our professional programs and certification programs. We’ve removed IT from the architect title. We just say architect. Under architect we have business architecture, IT architecture, and enterprise architecture. Information architecture falls under IT architecture, even though we were categorized as one of the sub-components of IT architecture.

Information architect, in my opinion, is more business-friendly than any other professionals. I’m not trying to put others down, but a lot of new folks come from data modeling backgrounds. They really have to understand business language, business process, and their roles.

When we have this advantage, we need to leverage those and not just keep thinking about how I create database structures and how I make my database perform better. Rather, my tasks today contribute to my business. I want to be doing the right thing, rather than doing the wrong things sooner.

IBM reflects an industry shift. The architect is a profession and we all need to change our mindsets to be even broader.

Delivering business value

Weisman: I’d like to add to that. I fully agree, as I said, that The Open Group has created TOGAF 9 as a capability-based planning paradigm for the business planning. IM and IT are just two dimensions of that overall capability, and everything is pushed toward the delivery of business value.

You don’t have to align IM/IT with the business. IM and IT become an integral part of the business. This came out of the defense world in many cases and it has proven very successful.

IM, IT, and all of the architecture domains are going to have to really understand the business for that. It’ll be an interesting time in the next couple of years in the organizations that really want to derive competitive advantage from their information holdings, which is certainly becoming a key differentiator amongst large companies.

Gardner: Robert, perhaps while you’re talking about The Open Group, you could update us a bit on what took place at the Austin Conference, particularly vis-à-vis the workgroups. What was the gist of the development and perhaps any maturation that you can point to?

Weisman: We had some super presentations, in particular the one that Eugene and Mei gave that addressed information architecture and various associated processes and different types of sub-architectures/frameworks as well.

The Information Architecture Working Group, which is winding down after two years, has created a series of whitepapers. The first one addressed the concerns of the data management architecture and maps the data management body of knowledge processes to The Open Group Architecture Framework. That whitepaper went through final review in the Information Architecture Working Group in Austin.

We have an Information Architecture Vision paper, which is an overall rethinking of how information within an organization is going to be addressed in a holistic manner, incorporating what we’d like to think as all of the modern trends, all types of information, and figure out some sort of holistic way that we can represent that in an architecture. The vision paper is right now in the final review. Following that, we’re preparing a consolidated request for change to the TOGAF 9 specification. The whitepapers should be ready and available within the next three months for public consultation. This work should address many significant concerns in the domain of information architecture and management. I’m really confident the work that working group has done has been very productive.

Gardner: Now, you mentioned that Mei and Eugene delivered a presentation. I wonder if we can get an overview, a quick summary of the main points. Mei, would you care to go first?

Selvage: We’ve already talked a lot about what we have described in our presentation. Essentially, we need to understand what it means to have a successful solution information architecture. We need to leverage all those best practices, which come in the form of either a proven reference architecture or methodology, and use that to achieve alignment within the business. Eugene, do you have anything you want to specifically point out in our presentation?

Three keys

Imbamba: No, just to add to what you said. The three keys that we brought were the alignment of business and IT, using and leveraging reference architectures to successfully implement information architectures, and last was the adoption of proven methodology.

In our presentation, we defined these constructs, or topics, based on our understanding and to make sure that the audience had a common understanding of what these components meant. Then, we gave examples and actually gave some use cases of where we’ve seen this actually happen in organizations, and where there has been some success in developing successful projects through the implementation of these methods. That’s some of what we touched on.

Weisman: Just as a postscript from The Open Group, we’re coming with an Information Architecture and Planning Model. We have a comprehensive definition of data and information and knowledge; we’ve come up with a good generic lifecycle that can be used by all organizations. And, we addressed all the issues associated with them in a holistic way with respect to the information management functions of governance, planning, operations, decision support and business intelligence, records and archiving, and accessibility and privacy.

One of the main contributions that these whitepapers are going to provide is a good planning basis for the holistic management of all manner of information in the form of a complete model.

Gardner: We’ve heard about how the amount of data is going to be growing exponentially, perhaps 44 times in less than 10 years, and we’ve also heard that knowledge, information, and your ability to exploit it could be a huge differentiator in how successful you are in business. I even expect that many businesses will make knowledge and information of data part of their business, part of their major revenue capabilities — a product in itself.

Let’s look into the future. Why will the data and information management professionalization, this role of the information architect, be more important based on some of the trends that we expect? Let’s start with you, Robert. What’s going to happen in the next few years that’s going to make it even more important to have the holistic framework, strategic view of data and information?

Weisman: Right now, it’s competitive advantage upon which companies may rise and fall. Harvard Business School Press, Davenport in particular, has produced some excellent books on competitive analytics and the like, with good case studies. For example, a factory halfway through construction is stopped because they didn’t have timely access to their information indicating the factory didn’t even need to be constructed. This speaks of information quality.

In the new service-based rather than industry-based economic paradigm, information will become absolutely key. With respect to the projected increase of information available, I actually see a decrease in information holdings within the enterprise itself.

This will be achieved through a) information management techniques, you will actually get rid of information; b) you will consolidate information; and c) with paradigms such as cloud, you don’t necessarily have to have information within the organization itself.

More with less

So you will be dealing with information holdings that are accessible by the enterprise, and not necessarily just those that are held by the enterprise. There will also be further issues such as knowledge representation and the like that will become absolutely key, especially with demographics as it stands now. We have to do more with less.

The training and professionalization of information architecture, or knowledge architecture, I anticipate will become key. However, knowledge architects cannot be educated totally in a silo; they also have to have a good understanding of the other architecture domains. A successful enterprise architect must understand all the other architecture domains.

Gardner: Eugene, how about you, in terms of future trends that impact the increased importance of this role in this perspective on information?

Imbamba: From an IBM perspective, we’ve seen over the last 20 years organizations focusing on what I call an “application agenda,” really trying to implement enterprise resource planning (ERP) systems, supply chain management systems, and these systems have been very valuable for various reasons, reducing cost, bringing efficiencies within the business.

But, as you know, over the last 20 years, a lot of companies now have these systems in place, so the competitive advantage has been lost. So what we’re seeing right now is companies focusing on an information agenda, and the reason is that each organization has information about its customers, its products, its accounts like no other business would have.

So, what we’re seeing today is leveraging that information for competitive advantage, trying to optimize your business, gleaning the information that you have so that you can understand the relationships between your customers, between your partners, your suppliers, and optimize that to deliver the kinds of services and needs, the business wants and the customer’s needs. It’s a focus from application agenda to an information agenda to try and push what’s going on in that space.

Gardner: Mei, last word to you, future trends and why would they increase the need for the information architecture role?

Selvage: I’d like to see that from two perspectives. One is from the vendor perspective, just taking IBM as an example. The information management brand is the one that has the largest software products, which reflects market needs and the market demands. So there are needs to have information architects who are able to look over all those different software offerings in IBM and other major vendors too.

From the customer perspective, where I see a lot of trends is that many outsource basic database administration, kind of a commodity activity, out to a third party, where they keep the information architects in-house. That’s where we can add in the value. We can talk to the business. We can talk to the other components of IT, and really bring things together. That’s a trend I see more organizations are adopting.

Gardner: Very good. We’ve been discussing the role and impact of an information architect and perhaps how to begin to implement a more successful data and information strategy.

This comes to you as a sponsored podcast in conjunction with The Open Group Conference in Austin, Texas in the week of July 18, 2011. I’d like to thank our guests. We’ve been joined by Robert Weisman, CEO of Build The Vision Incorporated. Thanks so much, Robert.

Weisman: You’re very welcome. Thank you for inviting me.

Gardner: And we’ve been here with Eugene Imbamba. He is Information Management Architect in IBM Software Group. Thank you, Eugene.

Imbamba: Thank you for having me.

Gardner: And Mei Selvage, she is Lead of the IBM Community of Information Architects. Thanks to you as well.

Selvage: You’re welcome. Thank you too.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks to our viewers and listeners as well, and come back next time.


Copyright The Open Group 2011. All rights reserved.



The future – ecosystems and standards

By Mark Skilton, Capgemini

This article is a continuation of a series on standards by Mark Skilton. Read his previous posts on “Why standards in information technology are critical” and “Innovation in the Cloud needs open standards.”

The evolution of standards has become a big domain issue. The world has moved from the individual languages of resources and transactions into architectural standards that seek to describe how different sets of resources, interfaces and interactions can be designed to work together. But this concept has now gone further in networked societies.

In this new “universe” of online and physical services, new channels, portals, devices and services are emerging that create new integration and compositions of services. New business models are emerging as a result, which are impacting existing markets and incumbents as well as creating new rules and standards.  Old standards and policies such as digital privacy and cross-border intellectual property are being challenged by these new realities. Ignoring these is not an option, as companies and whole countries are realizing the need to keep up-to-date and aware of these developments that impact their own locations and economies.

This means the barriers and accelerators to individual markets and new markets are evolving and in constant dynamic change. Standards and interoperability are at the center of these issues and affect the very levers of change in markets.

Cloud Computing is one such phenomenon rewriting the rules on information exchange and business models for provisioning and delivery of products and services. The impact of Cloud Computing on competitive advantage is significant in the way it has lowered barriers to access of markets and collaboration. It has increased speed of provisioning and potential for market growth and expansion through the distributed power of the Internet. The connectivity and extensions of business models brought about by these trends is changing previously held beliefs and competitive advantages of ownership and relationships.

The following diagram was presented at The Open Group Conference, Amsterdam in the fall of 2010.

The Internet of Things (IOT) is an example of this trend that is seen in the area of Radio Frequency Identification (RFID) tags of materials and products for automatic tracking. But this is just one example of interoperability emerging across industries. Large-scale telecommunications networks now have the ability to reach and integrate large areas of the marketplace through fixed and now wireless mobile communications networks.

This vision can create new possibilities beyond just tagging and integration of supply chains; it hints towards a possibility of social networks, business networks and value chains being able to create new experiences and services through interconnectedness.

Mark Skilton, Director, Capgemini, is the Co-Chair of The Open Group Cloud Computing Work Group. He has been involved in advising clients and developing strategic portfolio services in Cloud Computing and business transformation. His recent contributions include the publication of widely syndicated Return on Investment models on Cloud Computing, which achieved 50,000 hits on CIO.com and appeared in the British Computer Society 2010 Annual Review. His current activities include the development of new Cloud Computing Model standards and best practices on the impact of Cloud Computing on Outsourcing and Off-shoring models. He contributed to the second edition of the Handbook of Global Outsourcing and Off-shoring through his involvement with the Warwick Business School UK Specialist Masters Degree Program in Information Systems Management.

1 Comment

Filed under Cloud, Standards

PODCAST: How the role of certification impacts professionalization of IT and skills management

By Dana Gardner, Interarbor Solutions

Listen to this recorded podcast here: Architect Certification Increasingly Impacts Professionalization of IT in Cloud Era

The following is the transcript of a sponsored podcast panel discussion on certification and its impact on the professionalization of IT and skills management, in conjunction with the The Open Group Conference, Austin 2011.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect. Today, we present a sponsored podcast discussion in conjunction with The Open Group Conference in Austin, Texas, the week of July 18, 2011. We’ve assembled a panel to update us on the impact and role of certifications for IT professionals. We’ll examine how certification for enterprise architects, business architects, and such industry initiatives as ArchiMate® are proving instrumental as IT organizations seek to reinvent themselves.

There are now a lot of shifts in skills and a lot of movement about how organizations should properly staff themselves. There have been cost pressures and certification issues for regulation and the adoption of new technologies. We’re going to look at how all these are impacting the role of certification out in the field. Here to help us better understand how an organization like The Open Group is alleviating the impact and importance of IT skills and role certification amid this churning change in the IT organizations is Steve Philp. He is the Marketing Director for Professional Certification at The Open Group. Welcome, Steve.

Steve Philp: Thank you.

Gardner: We are also here with Andrew Josey. He is Director of Standards at The Open Group. Welcome, Andrew.

Andrew Josey: Thank you, Dana.

Gardner: And we’re here with James de Raeve. He is Vice President of Certification at The Open Group. Hello, James.

James de Raeve: Thanks, Dana.

Gardner: Let’s start with you. As I said, we’re seeing a lot of change about many things in IT, but certainly how to properly staff, especially as you start to consider outsourcing options and Cloud and software-as-a-service (SaaS) types of options. Organizations are also looking at consolidation around their applications and infrastructure. So there’s quite a bit of change. Naturally, the people in the “people, processes, and technology” spectrum need to be addressed. From your perspective, why is there the need for more professionalization, or what are the trends that are driving the need to reexamine your staff and how to properly certify your IT leadership?

de Raeve: The primary driver here that we’re hearing from members and customers is that they need to get more out of the investments that they’re making — their payroll for their IT staff. They need to get more productivity. And that has a number of consequences.

Realizing talent

They want to ensure that the people they are employing and that they’re staffing their teams with are effective. They want to be sure that they’re not bringing in external experts when they don’t need to. So there is a need to realize the talent that they’ve actually got in their internal IT community and to develop that talent, nurture it, and exploit it for the benefit of the organization.

And professionalism, professionalization, and profession frameworks are all tools that can be used in identifying, measuring, and developing the talents and capabilities of your people. That seems to be the major driver.

Gardner: Steve, any further thoughts on the trends that are driving certification and professionalization issues?

Philp: Something I have noticed since joining The Open Group is that we’ve got some skills and experience-based certifications. They seem to be the things that people are particularly interested in, because it’s not just a test of your knowledge about a particular vendor or product, but how you have applied your skills and experience out there in the marketplace. They have proven to be very successful in helping people assess where they are and in working towards developing a career path. That’s one of the areas of certification that things are going to move more towards — more skills and experience-based certification programs in organizations.

Gardner: Where are we seeing this most in demand? Are there particular types of technology certification or professional role certification that are in the most demand? Where is this the most hot or impactful right now?

Philp: Looking at certification in general, you still have areas like Microsoft MCSE, Microsoft technical specialist, application development, and project management that are in demand, and things like CCNA from Cisco. But I’ve also noticed a lot more in the security field. CISSP and CCSA seem to be the ones that are always getting a lot of attention. In terms of security, the trends in mobile computing and cloud computing mean that security certification is a big growth area.

We’re just about to put a security track into our Certified IT Specialist Program at The Open Group, so there will be a skills and experience-based track for security practitioners soon.

Gardner: James, of course we should point out for our listeners that we’re not just talking about certification from vendors and suppliers about the specific products and/or platforms, but we’re really looking at a skill- and roles-based approach. Maybe you could help us distinguish between the two and why it’s important to do so?

de Raeve: The difference, as Steve alluded to, is that there is a whole world out there of technology and product-related certifications that are fulfilling a very important function in helping people establish and demonstrate their knowledge of those particular products and technologies.

But there is a need for people too, in the building of teams and in the delivering of results, to nurture and grow their people to be team players and team participants, and to be able to work with them to function within the organization as, for want of a better term, “t-shaped people,” where there are a number of soft and people-related skills and potentially architecture-related skills for the IT specialists, and skills and capabilities that enable people to be rounded professionals within an organization.

T-shaped people

It’s that aspect that differentiates the professionalization and the profession-oriented certification programs that we’re operating here at The Open Group — The Open Certified Architect, The Open Certified IT Specialist. Those are t-shaped people and we think that makes a huge difference. It’s what’s going to enable organizations to be more effective by developing their people to have that more rounded t-shaped capability.

Gardner: Andrew, with the emphasis on standards and your role there, how does the impact of certification on the ability to adhere to and exploit standards come together? What’s the relationship between making sure you have standardization around your people and their skill sets, but also being able to exploit standardization and even more automation across your organization?

Josey: We see the certification as being the ultimate driver in the uptake of the standards, and so we’re able to go from not just having a standard on the shelf to actually seeing it being deployed in the field and used. We’ve actually got some people certification programs, such as TOGAF®, and we’ve got over 20,000 practitioners now.

We’ve gone through the certification program and we’ve been using and evangelizing, TOGAF as a standard in the field and then feeding that back to our members and, through the association, the feedback improvements to the standards. So it’s very much part of the end-to-end ecosystem — developing a standard for deploying it, and getting people on it, and then getting the feedback in the right way.

Gardner: I suppose that as organizations want to create a level playing field, we’re starting to see calls for this type of certification in requests for proposal (RFPs) around projects. For folks on the buy side who are seeking either people or the suppliers themselves, a supply chain and ecosystem of providers, how much is certification playing a role and how they can pick and choose among each other with some sense of trust and reliability?

Philp: It’s very much an important part of the process now. TOGAF and IT Architect Certification (ITAC) have appeared in a number of RFPs for government and for major manufacturing organizations. So it’s important that the suppliers and the buyers recognize these programs.

Similarly with recruitment, you find that things like TOGAF will appear in most recruitment ads for architects. Certainly, people want knowledge of it, but more and more you’ll see TOGAF certification is required as well.

ITAC, which is now Open CA, has also appeared in a number of recruitment ads for members like Logica, Capgemini, Shell. More recently, organizations like the CBS, EADS, ADGA Group, Direct Energy have requested it. And the list goes on. It’s a measure of how important the awareness is for these certifications and that’s something we will continue to drive at The Open Group.

Gardner: All right, Steve, thanks for that. As you mentioned, there have been some changes in terms of the branding around some of these. Let’s take a quick review if we could around what’s being happening at the Austin Conference, but also what’s new and what’s been going on with the branding. Let’s look at the TOGAF, ArchiMate®, and business architecture certifications. What’s new and interesting there?

In development

Josey: I am speaking up on what we are doing in ArchiMate first, before I talk about TOGAF, and then Steve will tell us what the Business Forum is up to.

ArchiMate certification is something new that we’re developing right now. We haven’t deployed a certification program as yet. The previous certification program was under the ArchiMate Foundation, which was the body that developed ArchiMate, before it transferred into The Open Group.

We’re currently working on the new program, which will be similar to some aspects of our TOGAF program, and it’ll be knowledge-based certification with an assessment by exam and a practical assessment in which the candidate can actually do modeling. So this will be people certification and there will also be accredited training course certification.

And then also what we’re going to do there is actually to provide certification for tools. There will be certifications there.

That’s pretty much what we’re doing in ArchiMate, so we don’t have a firm timeline. It looks like it will not be available until towards the end of the year at the earliest, but possibly early next year.

Gardner: Knowing that we reach a wide audience, could you give a quick overview of what ArchiMate is for those who might not be familiar.

Josey: ArchiMate is a modeling language for enterprise architecture (EA) in general and specifically it’s a good fit for TOGAF. It’s a way of communicating and developing models for TOGAF EA. Originally it was developed by the Telematica Instituut and funded, I think, by the EU and a number of commercial companies in the Netherlands. It was actually brought into The Open Group in 2008 by the ArchiMate Foundation and is now managed by the ArchiMate Forum within The Open Group.

Gardner: Now we’re going to hear an update on TOGAF.

Josey: The latest version of TOGAF is TOGAF 9 for certification. As we mentioned earlier, there are two types of certification programs, skills and knowledge based. TOGAF falls into the knowledge based camp. We have two levels. TOGAF 9 Foundation, which is our level one, is for individuals to assess that they know the terminology and basic concepts of EA in TOGAF.

Level two, which is a superset of level one, in addition assesses analysis and comprehension. The idea is that some people who are interested in just getting familiar with TOGAF and those people who work around enterprise architects can go into TOGAF Foundation. And these enterprise architects themselves should initially start with the TOGAF Certified, the level two, and then perhaps move on later to Open CA. That will be helpful.

For TOGAF 9 Certification, we introduced that by midyear 2009. We launched TOGAF 9 in February, and it took a couple of months to just roll out all these certifications through all the exam channels. Since then, we’ve gone through 8,000 certifications (see June blog post). We’ve seen that two-thirds of those were at the higher level, level two, for EA practitioners and one-third of those are currently at the foundation level.

Gardner: And lastly, business architecture?

A new area

Philp: Business architecture is a new area that we’ve been working on. Let me just to go back to what we did on the branding, because it ties in with that. We launched The Open Group’s new website recently and we used that as the opportunity to re-brand ITAC as The Open Group Certified Architect (Open CA) program. The IT Specialist Certification (ITSC) has now become The Open Group Certified IT Specialist or Open CITS Program.

We did the rebranding at that time, because we wanted it to be associated with the word “open.” We wanted to give the skills and experience-based certification a closer linkage to The Open Group. That’s why we changed from ITAC to Open CA. But, we’ve not changed the actual program itself. Candidates still have to create a certification package and be interviewed by three board members, and there are still three levels of certification: Certified, Master, and Distinguished.

However, what we’re intending to do is have some core requirements that architects need to meet, and then add some specific specializations for different types of architects. The one that we’ve been working on the most recently is the Business Architecture Certification. This came about from an initiative about 18 months ago.

We formed something called the Business Forum with a number of Platinum Members who got involved with it – companies like IBM, HP, SAP, Oracle and Capgemini. We’ve been defining the conformance requirements for the business architecture certification. It’s going through the development process and hopefully will be launched sometime later this year or early next year.

Gardner: I’m interested in how this is making a difference in the field. There’s a lot of change going on this consolidation. There’s re-factoring of what’s core and what’s context in what IT department should focus on and, therefore, what their skill sets need to be. They’re adopting new technologies. I wonder if you have any examples of where we’ve seen certification come to play when an organization is looking to change its workforce. Any thoughts about some organizations and what the impact has been?

de Raeve: There’s a very good example of an organization that had exactly that problem, and they’ve done a presentation about this in one of our conferences. It’s Philips, and they used to have an IT workforce that was divided among the business units. The different businesses had their own IT function.

They changed that and went to a single IT function across the organization, providing services to the businesses. In doing so, they needed to rationalize things like grades, titles, job descriptions, and they were looking around for a framework within which they could do this and they evaluated a number of them.

They were working with a partner who was helping them do this. The partner was an Open Group member and suggested they look at The Open Group’s IT Specialist Certification, the CITS Certification Program, as it provides a set of definitions for the capabilities and skills required for IT professionals. They picked it up and used it, because it covered the areas they were interested in.

This was sufficient and complete enough to be useful to them, and it was vendor-neutral, and an industry best practice. So they could pick this up and use it with confidence. And that has been very successful. They initially benchmarked their entire 900 strong IT workforce against The Open Group definition, so they could get to calibrate themselves, where their people were on their journey through development as professionals.

They’ve started to embrace the certification programs as a method of not only measuring their people, but also rewarding them. It’s had a very significant impact in terms of not only enabling them to get a handle upon their people, but also in terms of their employee engagement. In the engagement surveys that they do with their staff, some of the comments they got back after they started doing this process were, “For the first time we feel like management is paying attention to us.”

It was very positive feedback, and the net result is that they are well on their way to meeting their goal of no longer having automatically to bring in an external service provider whenever they were dealing with a new project or a new topic. They know that they’ve got people with sufficient expertise in-house on their own payroll now. They’ve been able to recognize that capability, and the use of it has had a very positive effect. So it’s a very strong good story.

I think that the slides will be available to our members in the conference’s proceedings from the London Conference in April. That will be worth looking at.

Gardner: Where would you go for more information, if you were a practitioner, a budding enterprise architect and you wanted to certify yourself and/or if you were in an organization trying to determine more precisely what certification would mean to you as you’re trying to reengineer, modernize and right-size your organization? Where do you go for more information?

Philp: If you go to The Open Group website, http://www.opengroup.org/certifications, all of the people-based certifications are there, along with the benefits for individuals, benefits for organizations and various links to the appropriate literature. There’s also a lot of other useful things, like self-assessment tests, previous webinars, sample packages, etc. That will give you more of an idea of what’s required for certification along with the conformance requirements and other program documentation. There’s a lot of useful information on the website.

Gardner: Very good. We’ve been discussing how the role and impact of IT Certification is growing and some of the reasons for that. We’ve also looked at how organizations like The Open Group are elevating the role of certification and providing means to attain it and measure it against a standard.

I’d like to thank our guests for delivering this sponsored podcast discussion in conjunction with The Open Group Conference in Austin, Texas, the week of July 18, 2011. We’ve been joined by our panel: Steve Philp, Marketing Director for Professional Certification at The Open Group. Thank you, Steve.

Philp: Thank you, Dana.

Gardner: And we have also been joined by Andrew Josey, Director of Standards at The Open Group. Thank you, Andrew.

Josey: Thank you, Dana.

Gardner: And lastly, James de Raeve, Vice President of Certification, once again at The Open Group. Thanks, James.

de Raeve: Thank you, Dana, and thanks to everyone who has listened.

Gardner: Right. This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks for listening and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com.

Copyright The Open Group 2011. All rights reserved.

Dana Gardner is the Principal Analyst at Interarbor Solutions, which identifies and interprets the trends in Services-Oriented Architecture (SOA) and enterprise software infrastructure markets. Interarbor Solutions creates in-depth Web content and distributes it via BriefingsDirect™ blogs, podcasts and video-podcasts to support conversational education about SOA, software infrastructure, Enterprise 2.0, and application development and deployment strategies.

Comments Off

Filed under Certifications, Enterprise Architecture

Innovation in the Cloud needs open standards

By Mark Skilton, Capgemini

This article is a continuation of a series on standards by Mark Skilton. Read his previous post on “Why standards in information technology are critical.”

The forces of innovation are seen in the power of broadband, mass computing power, dynamic new mobile devices and tablets, new social networking software and new advanced technologies in fields such as medical scanners, multimedia, education, robotics and electronics. These disruptions are step changes that can deliver large gains in quality of life across society. Yet every advance can also produce counterproductive and emergent issues that are detrimental to markets, and to personal liberty and safety. There is a continuing debate over standards and policies that may or may not prejudice the legitimate rights of the consumers, providers and governments that seek these benefits.

Standards evolve as a means of description and commonality as well as of differentiation. Common utility services in the gas, electricity and water industries are examples that trade and provide services to mass markets. Likewise, in consumer electronics markets and network standards, we see interest in common interface and connector standards that enable consumers and providers to access and use the product and service marketplaces. Without standards in the areas that enable trade exchange, markets would be fragmented, limiting potential growth and the evolution of new opportunities.

But equally, standards can create barriers to trade and adoption. Protection of intellectual property, closed technology platforms, and protectionist and legislative control policies are consequences that can be seen as building competitive advantage, but they can equally limit access and competition in existing and new markets.

This is a concern for everyone from large multinational corporations to the plethora of SMBs, and to the individual. It can also be seen as a wider economic, societal and environmental issue, where disproportionate activities and resource consumption can affect green sustainability and the intergovernmental and marketplace balance of power and growth.


2 Comments

Filed under Cloud, Standards

PODCAST: Standards effort points to automation via common markup language for improved IT compliance, security

By Dana Gardner, Interarbor Solutions

Listen to this recorded podcast here: BriefingsDirect-O-ACEML Standard Effort Points to Broad Automation for Improved IT Compliance and Security Across Systems

The following is the transcript of a sponsored podcast panel discussion on the new Open Automated Compliance Expert Markup Language (O-ACEML) standard, in conjunction with the The Open Group Conference, Austin 2011.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect. Today, we present a sponsored podcast discussion in conjunction with The Open Group Conference in Austin, Texas, the week of July 18, 2011. We’re going to examine the Open Automated Compliance Expert Markup Language (O-ACEML), a new standard creation and effort that helps enterprises automate security compliance across their systems in a consistent and cost-saving manner.

O-ACEML helps to achieve compliance with applicable regulations but also achieves major cost savings. From the compliance audit viewpoint, auditors can carry out similarly consistent and more capable audits in less time. Here to help us understand O-ACEML and managing automated security compliance issues and how the standard is evolving are our guests. We’re here with Jim Hietala, Vice President of Security at The Open Group. Welcome back, Jim.

Jim Hietala: Thanks, Dana. Glad to be with you.

Gardner: We’re also here with Shawn Mullen. He’s a Power Software Security Architect at IBM. Welcome to the show, Shawn.

Shawn Mullen: Thank you.

Gardner: Let’s start by looking at why this is an issue. Why do O-ACEML at all? I assume that security being such a hot topic, as well as ways in which organizations grapple with the regulations, and compliance issues are also very hot, this has now become an issue that needs some standardization. Let me throw this out to both of you. Why are we doing this at all and what are the problems that we need to solve with O-ACEML?

Hietala: One of the things you’ve seen in the last 10 or 12 years, since the compliance regulations have really come to the fore, is that the more regulation there is, the more specific requirements are put down, and the more challenging it is for organizations to manage. Their IT infrastructure needs to be in compliance with whatever regulations impact them, and the cost of doing so becomes a significant thing. So, anything that could be done to help automate, to drive out cost, and maybe make organizations more effective in complying with the regulations that affect them — whether it’s PCI, HIPAA, or whatever — there’s a lot of benefit to large IT organizations in doing that. That’s really what drove us to look at adopting a standard in this area.

Gardner: Jim, just for those folks who are coming in as fresh, are we talking about IT security equipment and the compliance around that, or is it about the process of how you do security, or both? What are the boundaries around this effort and what it focuses on?

Manual process

Hietala: It’s both. It’s enabling the compliance of IT devices, specifically around security constraints and the security configuration settings, and to some extent, the process. If you look at how people did compliance or managed to compliance without a standard like this, without automation, it tended to be a manual process of setting configuration settings and auditors manually checking on settings. O-ACEML goes to the heart of trying to automate that process and drive some cost out of the equation.

Gardner: Shawn Mullen, how do you see this in terms of the need? What are the trends or environment that necessitate in this?

Mullen: I agree with Jim. This has been going on a while, and we’re seeing it in both classes of customers. On the high end, we would go from customer to customer and they would have their own hardening scripts, their own view of what should be hardened. It may conflict with what the compliance organization wanted as far as the settings. This was a standard way of taking what the compliance organization wanted, and also it has an easy way to author it, to change it.

If your own corporate security requirements are more stringent, you can easily change the O-ACEML configuration so that it satisfies your more stringent corporate compliance or security policy, as well as satisfying the regulatory compliance organization, in an easy way to monitor it, to report, and see it.

In addition, on the low end, the small businesses don’t have the expertise to know how to configure their systems. Quite frankly, they don’t want to be security experts. Here is an easy way to print an XML file to harden their systems as it needs to be hardened to meet compliance or just the regular good security practices.

Gardner: One of the things that’s jumped out at me as I’ve looked into this, is the rapid improvement in terms of a cost or return on investment (ROI), almost to the league of a no- brainer category. Help me understand why is it so expensive and inefficient now, when it comes to security equipment audits and regulatory compliance. What might this then therefore bring in terms of improvement?

Mullen: One of the things that we’re seeing in the industry is server consolidation. If you have these hundreds, or in large organizations, thousands of systems and you have to manually configure them, it becomes a very daunting task. Because of that, it’s a one-time shot at doing this, and then the monitoring is even more difficult. With O-ACEML, it’s a way of authoring your security policy as it meets compliance or for your own security policy in pushing that out. This allows you to have a single XML and push it onto heterogeneous platforms. Everything is configured securely and consistently and it gives you a very easy way to get the tooling to monitor those systems, so they are configured correctly today. You’re checking them weekly or daily to ensure that they remain in that desired state.

Gardner: So it’s important not only to automate, but to be inclusive and comprehensive in the way you do that, or you are back to a manual process at least for a significant portion, but that might then not be at your compliance issues. Is that how it works?

Mullen: We had a very interesting presentation here at The Open Group Conference yesterday. I’ll let Jim provide some of the details on that, but customers are finding the best way they can lower their compliance or their cost of meeting compliance is through automation. If you can automate any part of that compliance process, that’s going to save you time and money. If you can get rid of the manual effort with automation, it greatly reduces your cost.

Gardner: Shawn, do we have any sense in the market what the current costs are, even for something that was as well-known as Sarbanes-Oxley? How impressive, or unfortunately intimidating, are some of these costs?

Cost of compliance

Mullen: There was a very good study yesterday. The average cost of an organization to be compliant is $3 million. That’s annual cost. What was also interesting was that the cost of being non-compliant, as they called it, was $9 million.

Hietala: The figures that Shawn was referencing come out of the study by the Ponemon Institute. Larry Ponemon does lots of studies around security risk compliance cost. He authors an annual data breach study that’s pretty widely quoted in the security industry that gets to the cost of data breaches on average for companies.

In the numbers that were presented yesterday, he recently studied 46 very large companies, looking at their cost to be in compliance with the relevant regulations. It’s like $3.5 million a year, and over $9 million for companies that weren’t compliant, which suggests that companies that are actually actively managing towards compliance are probably a little more efficient than those that aren’t. What O-ACEML has the opportunity to do for those companies that are in compliance is help drive that $3.5 million down to something much less than that by automating and taking manual labor out of the process.

Gardner: So it’s a seemingly very worthwhile effort. How do we get to where we are now, Jim, with the standard and where do we need to go? What’s the level of maturity with this?

Hietala: It’s relatively new. It was just published 60 days ago by The Open Group. The actual specification is on The Open Group website. It’s downloadable, and we would encourage both system vendors and platform vendors, as well as folks in the security management space or maybe the IT-GRC space, to check it out, take a look at it, and think about adopting it as a way to exchange compliance configuration information with platforms.

We want to encourage adoption by as broad a set of vendors as we can, and we think that having more adoption by the industry will help make this more available so that end-users can take advantage of it.

Gardner: Back to you Shawn. Now that we’ve determined that we’re in the process of creating this, perhaps, you could set the stage for how it works. What takes place with ACEML? People are familiar with markup languages, but how does this now come to bear on this problem around compliance, automation, and security?

Mullen: Let’s take a single rule, and we’ll use a simple case like the minimum password length. In PCI the minimum password length, for example, is seven. Under Sarbanes-Oxley, which relies on COBiT, the password length would be eight.

But with an O-ACEML XML, it’s very easy to author a rule, and there are three segments to it. The first segment is, it’s very human understandable, where you would put something like “password length equals seven.” You can add a descriptive text with it, and that’s all you have to author.

Actionable command

When that is pushed down onto the platform or the system that’s O-ACEML aware, it’s able to take that simple ACEML word or directive and map that into an actionable command relevant to that system. When it finds the map into the actionable command, it writes it back into the XML. So that’s completing the second phase of the rule. It executes that command either to implement the setting or to check the setting.

The result of the command is then written back into the XML. So now the XML for a particular rule has the first part, the authored high-level directive as a compliance organization, how that particular system mapped into a command, and the result of executing that command either in a setting or checking format.

Now we have all of the artifacts we need to ensure that the system is configured correctly, and to generate audit reports. So when the auditor comes in we can say, “This is exactly how any particular system is configured and we know it to be consistent, because we can point to any particular system, get the O-ACEML XML and see all the artifacts and generate reports from that.”

Gardner: Maybe to give a sense of how this works, we can also look at a before-and-after scenario. Maybe you could describe how things are done now, the before or current status approach or standard operating procedure, and then what would be the case after someone would implement and mature O-ACEML implementation.

Mullen: There are similar tools to this, but they don’t all operate exactly the same way. I’ll use an example of BigFix. If I had a particular system, they would offer a way for you to write your own scripts. You would basically be doing what you would do at the end point, but you would be doing it at the BigFix central console. You would write scripts to do the checking. You would be doing all of this work for each of your different platforms, because everyone is a little bit different.

Then you could use BigFix to push the scripts down. They would run, and hopefully you wrote your scripts correctly. You would get results back. What we want to do with ACEML is when you just put the high-level directive down to the system, it understands ACEML and it knows the proper way to do the checking.

What’s interesting about ACEML, and this is one of our differences from, for example, the security content automation protocol (SCAP), is that instead of the vendor saying, “This is how we do it. It has a repository of how the checking goes and everything like that,” you let the end point make the determination. The end point is aware of what OS it is and it’s aware of what version it is.

For example, with IBM UNIX, which is AIX, you would say “password check at this different level.” We’ve increased our password strength, we’ve done a lot of security enhancements around that. If you push the ACEML to a newer level of AIX, it would do the checking slightly differently. So, it really relies on the platform, the device itself, to understand ACEML and understand how best to do its checking.

We see with small businesses and even some of the larger corporations that they’re maintaining their own scripts. They’re doing everything manually. They’re logging on to a system and running some of those scripts. Or, they’re not running scripts at all, but are manually making all of these settings.

It’s an extremely long and burdensome process, when you start considering that there are hundreds of thousands of these systems. There are different OSs. You have to find experts for your Linux systems or your HP-UX or AIX. You have to have all those different talents and skills in these different areas, and again the process is quite lengthy.

Gardner: Jim Hietala, it sounds like we are focusing on servers to begin with, but I imagine that this could be extended to network devices, other endpoints, other infrastructure. What’s the potential universe of applicability here?

Different classes

Hietala: The way to think about it is the universe of IT devices that are in scope for these various compliance regulations. If you think about PCI DSS, it defines pretty tightly what your cardholder data environment consists of. In terms of O-ACEML, it could be networking devices, servers, storage equipment, or any sort of IT device. Broadly speaking, it could apply to lots of different classes of computing devices.

Gardner: Back to you, Shawn. You mentioned the AIX environment. Could you explain a beginning approach that you’ve had with IBM Compliance Expert, or ICE, that might give us a clue as to how well this could work, when applied even more broadly? How does that heritage in ICE develop, and what would that tell us about what we could expect with O-ACEML?

Mullen: We’ve had ICE and this AIX Compliance Expert, using the XML, for a number of years now. It’s been broadly used by a lot of our customers, not only to secure AIX but to secure the virtualization environment, in particular a virtual I/O server. So we use it for that.

One of the things that ACEML brings is that it has some of the lessons we learned from doing our own proprietary XML. It also brings some lessons we learned when looking at other XML for compliance like XCCDF. One of the things we put in there was a remediation element.

For example, the PCI says that your password length should be seven. COBiT says your password length should be eight. It has the XML, so you can blend multiple compliance requirements with a single policy, choosing the more secure setting, so that both compliance organizations, or three other compliance organizations, get set properly to meet all of those, and apply it to a singular system.

One of the things that we’re hoping vendors will gravitate toward is the ability to have a central console controlling their IT environment or configuring and monitoring their IT environment. It just has to push out a single XML file. It doesn’t have to push out a special XML for Linux versus AIX versus a network device. It can push out that ACEML file to all of the devices. It’s a singular descriptive XML, and each device, in turn, knows how to map it to its own particular platform in security configuring.

Gardner: Jim Hietala, it sounds as if the low-hanging fruit here would be the compliance and automation benefit, but it also sounds as if this is comprehensive. It’s targeted at a very large set of the devices and equipment in the IT infrastructure. This could become a way of propagating new security policies, protocols, approaches, even standards, down the line. Is that part of the vision here — to be able to offer a means by which an automated propagation of future security changes could easily take place?

Hietala: Absolutely, and it goes beyond just the compliance regulations that are inflicted on us or put on us by government organizations to defining a best practice instead of security policies in the organization. Then, using this as a mechanism to push those out to your environment and to ensure that they are being followed and implemented on all the devices in their IT environment.

So, it definitely goes beyond just managing compliance to these external regulations, but to doing a better job of implementing the ideal security configuration settings across your environment.

Gardner: And because this is being done in an open environment like The Open Group, and because it’s inclusive of any folks or vendors or suppliers who want to take part, it sounds as if this could also cross the chasm between an enterprise, IT set, and a consumer or mobile or external third-party provider set.

Is it also a possibility that we’re going beyond heterogeneity, when it comes to different platforms, but perhaps crossing boundaries into different segments of IT and what we’re seeing with the “consumerization” of IT now? I’ll ask this to either of you or both of you.

Moving to the Cloud

Hietala: I’ll make a quick comment and then turn it over to Shawn. Definitely, if you think about how this sort of a standard might apply towards services that are built in somebody’s Cloud, you could see using this as a way to both set configuration settings and check on the status of configuration settings and instances of machines that are running in a Cloud environment. Shawn, maybe you want to expand on that?

Mullen: It’s interesting that you brought this up, because this is the exact conversation we had earlier today in one of the plenary sessions. They were talking about moving your IT out into the Cloud. One of the issues, aside from just the security, was how do you prove that you are meeting these compliance requirements?

O-ACEML is a way to reach into the Cloud to find your particular system and bring back a report that you can present to your auditor. Even though you don’t own the system – it’s not in the data center here in the next office, it’s off in the cloud somewhere – you can bring back all the artifacts necessary to prove to the auditor that you are meeting the regulatory requirements.

Gardner: Jim, how do folks take further steps to either gather more information? Obviously, this would probably be of interest to enterprises as well as the suppliers, vendors for professional services organizations. What are the next steps? Where can they go to get some information? What should they do to become involved?

Hietala: The standard specification is up on our website. You can go to the “Publications” tab on our website, and do a search for O-ACEML, and you should find the actual technical standard document. Then, you can get involved directly in the Security Forum by joining The Open Group. As the standard evolves, and as we do more with it, we certainly want more members involved in helping to guide the progress of it over time.

Gardner: Thoughts from you, Shawn, on that same getting involved question?

Mullen: That’s a perfect way to start. We do want to invite different compliance organizations, everybody from the electrical power grid — they have their own view of security — to ISO, to the payment card industry. For the electrical power grid standard, for example — and ISO is the same way — what ACEML helps them with is they don’t need to understand how Linux does it, how AIX does it. They don’t need to have that deep understanding.

In fact, the way ISO describes it in their PDF around password settings, it basically says, use good password settings, and it doesn’t go into any depth beyond that. The way we architected and designed O-ACEML is that you can just say, “I want good password settings,” and it will default to what we decided. What we focused in on collectively as an international standard in The Open Group was that good password hygiene means you change your password every six months. It should at least carry this many characters, and there should be a non-alphanumeric character.

It removes the burden on these different compliance groups of being security experts and it lets them just use ACEML and the default settings that The Open Group came up with. We want to reach out to those groups and show them the benefits of publishing some of their security standards in O-ACEML. Beyond that, we’ll work with them to have that standard up, and hopefully they can publish it on their website, or maybe we can publish it on The Open Group website.

Next milestones

Gardner: Well, great. We’ve been learning more about the Open Automated Compliance Expert Markup Language, more commonly known as O-ACEML. And we’ve been seeing how it can help assure compliance along with some applicable regulations across different types of equipment, but has the opportunity to perhaps provide more security across different domains, be that cloud or on-premises or even partner networks, while also achieving major cost savings. We’ve been learning how to get started on this and what the maturity timeline is.

Jim Hietala, what would be the next milestone? What should people expect next in terms of how this is being rolled out?

Hietala: You’ll see more from us in terms of adoption of the standard. We’re looking already at case studies and so forth to really describe in terms that everyone can understand what benefits organizations are seeing from using O-ACEML. Given the environment we’re in today, we’re seeing security breaches and hacktivism and so forth every day in the newspapers.

I think we can expect to see more regulation and more frequent revisions of regulations and standards affecting IT organizations and their security, which really makes it imperative to engineer your IT environment in such a way that you can accommodate those changes, as they are brought to your organization, do so in an effective way, and at the least cost. Those are really the kinds of things that O-ACEML has targeted, and I think there is a lot of benefit to organizations in using it.

Gardner: Shawn, one more question to you as a follow-up to what Jim said. Not only should we expect more regulations, but we’ll see them coming from different governments, different strata of governments, so state, local, federal perhaps. For a multinational organization, this could be a very complex undertaking, so I’m curious as to whether O-ACEML could also help when it comes to managing multiple regulations across multiple jurisdictions for larger organizations.

Mullen: That was the goal when we came up with O-ACEML. Anybody could author it, and again, if a single system fell under the purview of multiple compliance requirements, we could plan that together and that system would be a multiple one. It’s an international standard, we want it to be used by multiple compliance organizations. And compliance is a good thing. It’s just good IT governance. It will save companies money in the long run, as we saw with these statistics. The goal is to lower the cost of being compliant, so you get good IT governance, just with a lower cost.

Gardner: Thanks. This sponsored podcast is coming to you in conjunction with The Open Group Conference in Austin, Texas, in the week of July 18, 2011. Thanks to both our guests. Jim Hietala, the Vice President of Security at The Open Group. Thank you, Jim.

Hietala: Thank you, Dana.

Gardner: And also Shawn Mullen, Power Software Security Architect at IBM. Thank you, Shawn.

Mullen: Thank you, Dana.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com.

Copyright The Open Group 2011. All rights reserved.

Dana Gardner is the Principal Analyst at Interarbor Solutions, which identifies and interprets the trends in Services-Oriented Architecture (SOA) and enterprise software infrastructure markets. Interarbor Solutions creates in-depth Web content and distributes it via BriefingsDirect™ blogs, podcasts and video-podcasts to support conversational education about SOA, software infrastructure, Enterprise 2.0, and application development and deployment strategies.

Filed under Cybersecurity