Category Archives: Standards

Using Risk Management Standards: A Q&A with Ben Tomhave, Security Architect and Former Gartner Analyst

By The Open Group

IT Risk Management is currently in a state of flux with many organizations today unsure not only how to best assess risk but also how to place it within the context of their business. Ben Tomhave, a Security Architect and former Gartner analyst, will be speaking at The Open Group Baltimore on July 20 on “The Strengths and Limitations of Risk Management Standards.”

We recently caught up with Tomhave pre-conference to discuss the pros and cons of today’s Risk Management standards, the issues that organizations are facing when it comes to Risk Management and how they can better use existing standards to their advantage.

How would you describe the state of Risk Management and Risk Management standards today?

The topic of my talk is really on the state of standards for Security and Risk Management. There’s a handful of significant standards out there today, varying from some of the work at The Open Group to NIST and the ISO 27000 series, etc. The problem with most of those is that they don’t necessarily provide a prescriptive level of guidance for how to go about performing or structuring risk management within an organization. If you look at ISO 31000 for example, it provides a general guideline for how to structure an overall Risk Management approach or program but it’s not designed to be directly implementable. You can then look at something like ISO 27005 that provides a bit more detail, but for the most part these are fairly high-level guides on some of the key components; they don’t get to the point of how you should be doing Risk Management.

In contrast, one can look at something like the Open FAIR standard from The Open Group, and that gets a bit more prescriptive and directly implementable, but even then there’s a fair amount of scoping and education that needs to go on. So the short answer to the question is, there’s no shortage of documented guidance out there, but there are, however, still a lot of open-ended questions and a lot of misunderstanding about how to use these.

What are some of the limitations that are hindering risk standards then and what needs to be added?

I don’t think it’s necessarily a matter of needing to fix or change the standards themselves, I think where we’re at is that we’re still at a fairly prototypical stage where we have guidance as to how to get started and how to structure things but we don’t necessarily have really good understanding across the industry about how to best make use of it. Complicating things further is an open question about just how much we need to be doing, how much value can we get from these, do we need to adopt some of these practices? If you look at all of the organizations that have had major breaches over the past few years, all of them, presumably, were doing some form of risk management—probably qualitative Risk Management—and yet they still had all these breaches anyway. Inevitably, they were compliant with any number of security standards along the way, too, and yet bad things happen. We have a lot of issues with how organizations are using standards less than with the standards themselves.

Last fall The Open Group fielded an IT Risk Management survey that found that many organizations are struggling to understand and create business value for Risk Management. What you’re saying really echoes those results. How much of this has to do with problems within organizations themselves and not having a better understanding of Risk Management?

I think that’s definitely the case. A lot of organizations are making bad decisions in many areas right now, and they don’t know why or aren’t even aware and are making bad decisions up until the point it’s too late. As an industry we’ve got this compliance problem where you can do a lot of work and demonstrate completion or compliance with check lists and still be compromised, still have massive data breaches. I think there’s a significant cognitive dissonance that exists, and I think it’s because we’re still in a significant transitional period overall.

Security should really have never been a standalone industry or a standalone environment. Security should have just been one of those attributes of the operating system or operating environments from the outset. Unfortunately, because of the dynamic nature of IT (and we’re still going through what I refer to as this Digital Industrial Revolution that’s been going on for 40-50 years), everything’s changing everyday. That will be the case until we hit a stasis point that we can stabilize around and grow a generation that’s truly native with practices and approaches and with the tools and technologies underlying this stuff.

An analogy would be to look at Telecom. Look at Telecom in the 1800s when they were running telegraph poles and running lines along railroad tracks. You could just climb a pole, put a couple alligator clips on there and suddenly you could send and receive messages, too, using the same wires. Now we have buried lines, we have much greater integrity of those systems. We generally know when we’ve lost integrity on those systems for the most part. It took 100 years to get there. So we’re less than half that way with the Internet and things are a lot more complicated, and the ability of an attacker, one single person spending all their time to go after a resource or a target, that type of asymmetric threat is just something that we haven’t really thought about and engineered our environments for over time.

I think it’s definitely challenging. But ultimately Risk Management practices are about making better decisions. How do we put the right amount of time and energy into making these decisions and providing better information and better data around those decisions? That’s always going to be a hard question to answer. Thinking about where the standards really could stand to improve, it’s helping organizations, helping people, understand the answer to that core question—which is, how much time and energy do I have to put into this decision?

When I did my graduate work at George Washington University, a number of years ago, one of the courses we had to take went through decision management as a discipline. We would run through things like decision trees. I went back to the executives at the company that I was working at and asked them, ‘How often do you use decision trees to make your investment decisions?” And they just looked at me funny and said, ‘Gosh, we haven’t heard of or thought about decision trees since grad school.’ In many ways, a lot of the formal Risk Management stuff that we talk about and drill into—especially when you get into the quantitative risk discussions—a lot of that goes down the same route. It’s great academically, it’s great in theory, but it’s not the kind of thing where on a daily basis you need to pull it out and use it for every single decision or every single discussion. Which, by the way, is where the FAIR taxonomy within Open FAIR provides an interesting and very valuable breakdown point. There are many cases where just using the taxonomy to break down a problem and think about it a little bit is more than sufficient, and you don’t have to go the next step of populating it with the actual quantitative estimates and do the quantitative estimations for a FAIR risk analysis. You can use it qualitatively and improve the overall quality and defensibility of your decisions.

How mature are most organizations in their understanding of risk today, and what are some of the core reasons they’re having such a difficult time with Risk Management?

The answer to that question varies to a degree by industry. Industries like financial services just seem to deal with this stuff better for the most part, but then if you look at multibillion dollar write offs for JP Morgan Chase, you think maybe they don’t understand risk after all. I think for the most part most large enterprises have at least some people in the organization that have a nominal understanding of Risk Management and risk assessment and how that factors into making good decisions.

That doesn’t mean that everything’s perfect. Look at the large enterprises that had major breaches in 2014 and 2013 and clearly you can look at those and say ‘Gosh, you guys didn’t make very good decisions.’ Home Depot is a good example or even the NSA with the Snowden stuff. In both cases, they knew they had an exposure, they had done a reasonable job of risk management, they just didn’t move fast enough with their remediation. They just didn’t get stuff in place soon enough to make a meaningful difference.

For the most part, larger enterprises or organizations will have better facilities and capabilities around risk management, but they may have challenges with velocity in terms of being able to put to rest issues in a timely fashion. Now slip down to different sectors and you look at retail, they continue to have issues with cardholder data and that’s where the card brands are asserting themselves more aggressively. Look at healthcare. Healthcare organizations, for one thing, simply don’t have the budget or the control to make a lot of changes, and they’re well behind the curve in terms of protecting patient records and data. Then look at other spaces like SMBs, which make up more than 90 percent of U.S. employment firms or look at the education space where they simply will never have the kinds of resources to do everything that’s expected of them.

I think we have a significant challenge here – a lot of these organizations will never have the resources to have adequate Risk Management in-house, and they will always be tremendously resource-constrained, preventing them from doing all that they really need to do. The challenge for them is, how do we provide answers or tools or methods to them that they can then use that don’t require a lot of expertise but can guide them toward making better decisions overall even if the decision is ‘Why are we doing any of this IT stuff at all when we can simply be outsourcing this to a service that specializes in my industry or specializes in my SMB business size that can take on some of the risk for me that I wasn’t even aware of?’

It ends up being a very basic educational awareness problem in many regards, and many of these organizations don’t seem to be fully aware of the type of exposure and legal liability that they’re carrying at any given point in time.

One of the other IT Risk Management Survey findings was that where the Risk Management function sits in organizations is pretty inconsistent—sometimes IT, sometimes risk, sometimes security—is that part of the problem too?

Yes and no—it’s a hard question to answer directly because we have to drill in on what kind of Risk Management we’re talking about. Because there’s enterprise Risk Management reporting up to a CFO or CEO, and one could argue that the CEO is doing Risk Management.

One of the problems that we historically run into, especially from a bottom-up perspective, is a lot of IT Risk Management people or IT Risk Management professionals or folks from the audit world have mistakenly thought that everything should boil down to a single, myopic view of ‘What is risk?’ And yet it’s really not how executives run organizations. Your chief exec, your board, your CFO, they’re not looking at performance on a single number every day. They’re looking at a portfolio of risk and how different factors are balancing out against everything. So it’s really important for folks in Op Risk Management and IT Risk Management to really truly understand and make sure that they’re providing a portfolio view up the chain that adequately represents the state of the business, which typically will represent multiple lines of business, multiple systems, multiple environments, things like that.

I think one of the biggest challenges we run into is just in an ill-conceived desire to provide value that’s oversimplified. We end up hyper-aggregating results and data, and suddenly everything boils down to a stop light that IT today is either red, yellow or green. That’s not really particularly informative, and it doesn’t help you make better decisions. How can I make better investment decisions around IT systems if all I know is that today things are yellow? I think it comes back to the educational awareness topic. Maybe people aren’t always best placed within organizations but really it’s more about how they’re representing the data and whether they’re getting it into the right format that’s most accessible to that audience.

What should organizations look for in choosing risk standards?

I usually get a variety of questions and they’re all about risk assessment—‘Oh, we need to do risk assessment’ and ‘We hear about this quant risk assessment thing that sounds really cool, where do we get started?’ Inevitably, it comes down to, what’s your actual Risk Management process look like? Do you actually have a context for making decisions, understanding the business context, etc.? And the answer more often than not is no, there is no actual Risk Management process. I think really where people can leverage the standards is understanding what the overall risk management process looks like or can look like and in constructing that, making sure they identify the right stakeholders overall and then start to drill down to specifics around impact analysis, actual risk analysis around remediation and recovery. All of these are important components but they have to exist within the broader context and that broader context has to functionally plug into the organization in a meaningful, measurable manner. I think that’s really where a lot of the confusion ends up occurring. ‘Hey I went to this conference, I heard about this great thing, how do I make use of it?’ People may go through certification training but if they don’t know how to go back to their organization and put that into practice not just on a small-scale decision basis, but actually going in and plugging it into a larger Risk Management process, it will never really demonstrate a lot of value.

The other piece of the puzzle that goes along with this, too, is you can’t just take these standards and implement them verbatim; they’re not designed to do that. You have to spend some time understanding the organization, the culture of the organization and what will work best for that organization. You have to really get to know people and use these things to really drive conversations rather than hoping that one of these risk assessments results will have some meaningful impact at some point.

How can organizations get more value from Risk Management and risk standards?

Starting with latter first, the value of the Risk Management standards is that you don’t have to start from scratch, you don’t have to reinvent the wheel. There are, in fact, very consistent and well-conceived approaches to structuring risk management programs and conducting risk assessment and analysis. That’s where the power of the standards come from, from establishing a template or guideline for establishing things.

The challenge of course is you have to have it well-grounded within the organization. In order to get value from a Risk Management program, it has to be part of daily operations. You have to plug it into things like procurement cycles and other similar types of decision cycles so that people aren’t just making gut decisions based off whatever their existing biases are.

One of my favorite examples is password complexity requirements. If you look back at the ‘best practice’ standards requirements over the years, going all the way back to the Orange Book in the 80s or the Rainbow Series which came out of the federal government, they tell you ‘oh, you have to have 8-character passwords and they have to have upper case, lower, numbers, special characters, etc.’ The funny thing is that while that was probably true in 1985, that is probably less true today. When we actually do risk analysis to look at the problem, and understand what the actual scenario is that we’re trying to guard against, password complexity ends up causing more problems than it solves because what we’re really protecting against is a brute force attack against a log-in interface or guessability on a log-in interface. Or maybe we’re trying to protect against a password database being compromised and getting decrypted. Well, password complexity has nothing to do with solving how that data is protected in storage. So why would we look at something like password complexity requirements as some sort of control against compromise of a database that may or may not be encrypted?

This is where Risk Management practices come into play because you can use Risk Management and risk assessment techniques to look at a given scenario—whether it be technology decisions or security control decisions, administrative or technical controls—we can look at this and say what exactly are we trying to protect against, what problem are we trying to solve? And then based on our understanding of that scenario, let’s look at the options that we can apply to achieve an appropriate degree of protection for the organization.

That ultimately is what we should be trying to achieve with Risk Management. Unfortunately, that’s usually not what we see implemented. A lot of the time, what’s described as risk management is really just an extension of audit practices and issuing a bunch of surveys, questionnaires, asking a lot of questions but never really putting it into a proper business context. Then we see a lot of bad practices applied, and we start seeing a lot of math-magical practices come in where we take categorical data—high, medium, low, more or less, what’s the impact to the business? A lot, a little—we take these categorical labels and suddenly start assigning numerical values to them and doing arithmetic calculations on them, and this is a complete violation of statistical principles. You shouldn’t be doing that at all. By definition, you don’t do arithmetic on categorical data, and yet that’s what a lot of these alleged Risk Management and risk assessment programs are doing.

I think Risk Management gets a bad rap as a result of these poor practices. Conducting a survey, asking questions is not a risk assessment. A risk assessment is taking a scenario, looking at the business impact analysis for that scenario, looking at the risk tolerance, what the risk capacity is for that scenario, and then looking at what the potential threats and weaknesses are within that scenario that could negatively impact the business. That’s a risk assessment. Asking people a bunch of questions about ‘Do you have passwords? Do you use complex passwords? Have you hardened the server? Are there third party people involved?’ That’s interesting information but it’s not usually reflective of the risk state and ultimately we want to find out what the risk state is.

How do you best determine that risk state?

If you look at any of the standards—and again this is where the standards do provide some value—if you look at what a Risk Management process is and the steps that are involved in it, take for example ISO 31000—step one is establishing context, which includes establishing potential business impact or business importance, business priority for applications and data, also what the risk tolerance, risk capacity is for a given scenario. That’s your first step. Then the risk assessment step is taking that data and doing additional analysis around that scenario.

In the technical context, that’s looking at how secure is this environment, what’s the exposure of the system, who has access to it, how is the data stored or protected? From that analysis, you can complete the assessment by saying ‘Given that this is a high value asset, there’s sensitive data in here, but maybe that data is strongly encrypted and access controls have multiple layers of defense, etc., the relative risk here of a compromise or attack being successful is fairly low.’ Or ‘We did this assessment, and we found in the application that we could retrieve data even though it was supposedly stored in an encrypted state, so we could end up with a high risk statement around the business impact, we’re looking at material loss,’ or something like that.

Pulling all of these pieces together is really key, and most importantly, you cannot skip over context setting. If you don’t ever do context setting, and establish the business importance, nothing else ends up mattering. Just because a system has a vulnerability doesn’t mean that it’s a material risk to the business. And you can’t even know that unless you establish the context.

In terms of getting started, leveraging the standards makes a lot of sense, but not from a perspective of this is a compliance check list that I’m going to use verbatim. You have to use it as a structured process, you have to get some training and get educated on how these things work and then what requirements you have to meet and then do what makes sense for the organizational role. At the end of the day, there’s no Easy Button for these things, you have to invest some time and energy and build something that makes sense and is functional for your organization.

To download the IT Risk Management survey summary, please click here.

By The Open GroupFormer Gartner analyst Ben Tomhave (MS, CISSP) is Security Architect for a leading online education organization where he is putting theories into practice. He holds a Master of Science in Engineering Management (Information Security Management concentration) from The George Washington University, and is a member and former co-chair of the American Bar Association Information Security Committee, senior member of ISSA, former board member of the Northern Virginia OWASP chapter, and member and former board member for the Society of Information Risk Analysts. He is a published author and an experienced public speaker, including recent speaking engagements with the RSA Conference, the ISSA International Conference, Secure360, RVAsec, RMISC, and several Gartner events.

Join the conversation! @theopengroup #ogchat #ogBWI

1 Comment

Filed under Cybersecurity, RISK Management, Security, Security Architecture, Standards, The Open Group Baltimore 2015, Uncategorized

The Open Group Madrid 2015 – Day One Highlights

By The Open Group

On Monday, April 20, Allen Brown, President & CEO of The Open Group, welcomed 150 attendees to the Enabling Boundaryless Information Flow™ summit held at the Madrid Eurobuilding Hotel.  Following are highlights from the plenary:

The Digital Transformation of the Public Administration of Spain – Domingo Javier Molina Moscoso

Domingo Molina, the first Spanish national CIO, said that governments must transform digitally to meet public expectations, stay nationally competitive, and control costs – the common theme in transformation of doing more with less. Their CORA commission studied what commercial businesses did, and saw the need for an ICT platform as part of the reform, along with coordination and centralization of ICT decision making across agencies.

Three Projects:

  • Telecom consolidation – €125M savings, reduction in infrastructure and vendors
  • Reduction in number of data centers
  • Standardizing and strengething security platform for central administration – only possible because of consolidation of telecom.

The Future: Increasing use of mobile, social networks, online commercial services such as banking – these are the expectations of young people. The administration must therefore be in the forefront of providing digital services to citizens. They have set a transformation target of having citizens being able to interact digitally with all government services by 2020.


  • Any use of formal methods for transformation such as EA? Looked at other countries – seen models such as outsourcing. They are taking a combined approach of reusing their experts and externalizing.
  • How difficult has it been to achieve savings in Europe given labor laws? Model is to re-assign people to higher-value tasks.
  • How do you measure progress: Each unit has own ERP for IT governance – no unified reporting. CIO requests and consolidates data. Working on common IT tool to do this.

An Enterprise Transformation Approach for Today’s Digital Business – Fernando García Velasco

Computing has moved from tabulating systems to the internet and moving into an era of “third platform” of Cloud, Analytics, Mobile and Social (CAMS) and cognitive computing. The creates a “perfect storm” for disruption of enterprise IT delivery.

  • 58% say SMAC will reduce barriers to entry
  • 69% say it will increase competition
  • 41% expect this competition to come from outside traditional market players

These trends are being collected and consolidated in The Open Group Open Platform 3.0™ standard.

He sees the transformation happening in three ways:

  1. Top-down – a transformation view
  2. Meet in the middle: Achieving innovation through EA
  3. Bottom-up: the normal drive for incremental improvement

Gartner: EA is the discipline for leading enterprise response to disruptive forces. IDC: EA is mandatory for managing transformation to third platform.

EA Challenges & Evolution – a Younger Perspective

Steve Nunn, COO of The Open Group and CEO of the Association of Enterprise Architects (AEA), noted the AEA is leading the development of EA as a profession, and is holding the session to recognize the younger voices joining the EA profession. He introduced the panelists: Juan Abal, Itziar Leguinazabal, Mario Gómez Velasco, Daniel Aguado Pérez, Ignacio Macias Jareño.

The panelists talked about their journey as EAs, noting that their training focused on development with little exposure to EA or Computer Science concepts. Schools aren’t currently very interested in teaching EA, so it is hard to get a start. Steve Nunn noted the question of how to enter EA as a profession is a worldwide concern. The panelists said they started looking at EA as a way of gaining a wider perspective of the development or administrative projects they were working on. Mentoring is important, and there is a challenge in learning about the business side when coming from a technical world. Juan Abal said such guidance and mentoring by senior architects is one of the benefits the AEA chapter offers.

Q: What advice would you give to someone entering into the EA career? A: If you are starting from a CS or engineering perspective, you need to start learning about the business. Gain a deep knowledge of your industry. Expect a lot of hard work, but it will have the reward of having more impact on decisions. Q: EA is really about business and strategy. Does the AEA have a strategy for making the market aware of this? A: The Spanish AEA chapter focuses on communicating that EA is a mix, and that EAs need to develop business skills. It is a concern that young architects are focused on IT aspects of EA, and how they can be shown the path to understand the business side.

Q: Should EA be part of the IT program or the CS program in schools? A: We have seen around the world a history of architects coming from IT and that only a few universities have specific IT programs. Some offer it at the postgraduate level. The EA is trying globally to raise awareness of the need for EA education. continuing education as part of a career development path is a good way to manage the breadth of skills a good EA needs; organizations should also be aware of the levels of The Open Group Open CA certifications.

Q: If EA is connected to business, should EAs be specialized to the vertical sector, or should EA be business agnostic? A: Core EA skills are industry-agnostic, and these need to be supplemented by industry-specific reference models. Methodology, Industry knowledge and interpersonal skills are all critical, and these are developed over time.

Q: Do you use EA tools in your job? A: Not really – the experience to use complex tools comes over time.

Q: Are telecom companies adopting EA? A: Telecom companies are adopting standard reference architectures. This sector has not made much progress in EA, though it is critical for transformation in the current market. Time pressure in a changing market is also a barrier.

Q: Is EA being grown in-house or outsourced? A: We are seeing increased uptake among end-user companies in using EA to achieve transformation – this is happening across sectors and is a big opportunity in Spain right now.

Join the conversation! @theopengroup #ogMAD

Comments Off on The Open Group Madrid 2015 – Day One Highlights

Filed under Uncategorized, Enterprise Architecture, Standards, Professional Development, Open Platform 3.0, Boundaryless Information Flow™, Internet of Things

The Open Group Madrid Summit 2015 – An Interview with Steve Nunn

By The Open Group

The Open Group will be hosting its Spring 2015 summit in Madrid from April 20-23. Focused on Enabling Boundaryless Information Flow™, the summit will explore the increasing digitalization of business today and how Enterprise Architecture will be a critical factor in helping organizations to adapt to the changes that digitalization and rapidly evolving technologies are bringing.

In advance of the summit, we spoke to Steve Nunn, Vice President and COO of The Open Group and CEO of the Association of Enterprise Architects (AEA) about two speaking tracks he will be participating in at the event—a panel on the challenges facing young Enterprise Architects today, and a session addressing the need for Enterprise Architects to consider their personal brand when it comes to their career path.

Tell us about the panel you’ll be moderating at the Madrid Summit on EA Challenges.

The idea for the panel really came from the last meeting we had in San Diego. We had a panel of experienced Enterprise Architects, including John Zachman, giving their perspectives on the state of Enterprise Architecture and answering questions from the audience. It gave us the idea that, we’ve heard from the experienced architects, what if we also heard from younger folks in the industry, maybe those newer to the profession than the previous panel? We decided to put together a panel of young architects, ideally local to Madrid, to get what we hope will be a different set of perspectives on what they have to deal with on a day-to-day basis and what they see as the challenges for the profession, what’s working well and what’s working less well. In conjunction with the local Madrid chapter of the AEA, we put the panel together. I believe it’s a panel of four young architects, plus a gentleman named Juan Abel, who is the chair of the local chapter in Madrid, who helped put it together, with me moderating. The Madrid chapter of the AEA has been very helpful in putting together the summit in Madrid and with details on the ground, and we thank them for all their help.

We’ll be putting some questions together ahead of time, and there will be questions from the audience. We hope it will be a different set of perspectives from folks entering the profession and in a different geography as well, so there may be some things that are particular to practicing Enterprise Architecture in Spain which come out as well. It’s a long panel—over an hour—so, hopefully, we’ll be able to not just hit things at a cursory level, but get into more detail.

What are some of the challenges that younger Enterprise Architects are facing these days?

We’re hoping to learn what the challenges are for those individuals, and we’re also hoping to hear what they think is attracting people to the profession. That’s a part that I’m particularly interested in. In terms of what I think going in to the panel session, the thing I hear about the most from young architects in the profession is about the career path. What is the career path for Enterprise Architects? How do I get in? How do I justify the practice of Enterprise Architecture in my organization if it doesn’t exist already? And if it does exist, how do I get to be part of it?

In the case of those individuals coming out of university—what are the relevant qualifications and certifications that they might be looking at to give themselves the best shot at a career in Enterprise Architecture. I expect it will be a lot of discussion about getting into Enterprise Architecture and how do you best position yourself and equip yourself to be an Enterprise Architect.

Were there things that came out of the San Diego session that will be relevant to the Madrid panel?

There were certainly some things discussed about frameworks and the use of frameworks in Enterprise Architecture. Being an Open Group event, obviously a lot of it was around TOGAF®, an Open Group standard, and with John Zachman as part of it, naturally the Zachman Framework too. There was some discussion about looking into how the two can play more naturally together. There was less discussion about the career development aspect, by and large because, when these people started out in their careers, they weren’t Enterprise Architects because it wasn’t called that. They got into it along the way, rather than starting out with a goal to be an Enterprise Architect, so there wasn’t as much about the career aspect, but I do think that will be a big part of what will come out in Madrid.

I think where there are overlaps is the area around the value proposition for Enterprise Architecture inside an organization. That’s something that experienced architects and less experienced architects will face on a day-to-day basis in an organization that hasn’t yet bought into an Enterprise Architecture approach. The common theme is, how do you justify taking Enterprise Architecture inside an organization in a way that delivers value quick enough for people to see that something is happening? So that it’s not just a multi-year project that will eventually produce something that’s nicely tied up in a bow that may or may not do what they wanted because, chances are, the business need has moved on in that time anyway. It’s being able to show that Enterprise Architecture can deliver things in the short term as well as the long term. I think that’s something that’s common to architects at all stages of their careers.

You’re also doing a session on creating a personal brand in Madrid. Why is branding important for Enterprise Architects these days?

I have to say, it’s a lot of fun doing that presentation. It really is. Why is it important? I think at a time, not just for Enterprise Architects but for any of us, when our identities are out there so much now in social media—whatever it may be, Facebook, LinkedIn, other social media profiles— people get a perception of you, many times never having met you. It is important to control that perception. If you don’t do it, someone else may get a perception that you may or may not want from it. It’s really the idea of taking charge of your own brand and image and how you are perceived, what values you have, what you want to be known for, the type of organization you want to work in, the types of projects that you want to be involved in. Not all of those things happen at once, they don’t all land on a plate, but by taking more control of it in a planned way, there’s more chance of you realizing some of those goals than if you don’t. That’s really the essence of it.

The timing and particular relevance to Enterprise Architects is that, more and more, as organizations do see value in Enterprise Architecture, Enterprise Architects are getting a seat at the top table. They’re being listened to by senior management, and are sometimes playing an active role in strategy and important decisions being made in organizations. So, now more than ever, how Enterprise Architects are being perceived is important. They need to be seen to be the people that can bring together the business people and IT, who have the soft skills, being able to talk to and understand enough about different aspects of the business to get their job done. They don’t have to be experts in everything, of course, but they have to have a good enough understanding to have meaningful discussions with the people with whom they’re working. That’s why it’s crucial at this time that those who are Enterprise Architects, as we build the profession, are perceived in a positive way, and the value of that is highlighted and consistently delivered.

A lot of technologists don’t always feel comfortable with overtly marketing themselves—how do you help them get over the perception that having a personal brand is just “marketing speak?”

That’s something that we go through in the presentation. There are 11 steps that we recommend following. This goes back to an old Tom Peters article that was written years ago titled ‘The Brand Called You’ . Many of us aren’t comfortable doing this and it’s hard, but it is important to force yourself to go through this so your name and your work and what you stand for are what you want them to be.

Some of the suggestions are to think of the things that you’re good at and what your strengths are, and to test those out with people that you know and trust. You can have some fun with it along the way. Think about what those strengths are, and think about what it is that you offer that differentiates you.

A big part of the personal brand concept is to help individuals differentiate themselves from everyone else in the workplace, and that’s a message that seems to resonate very well. How do you stand out from lots of other people that claim to have the same skills and similar experience to yourself? Think of what those strengths are, pick a few things that you want to be known for. Maybe it’s that you never miss a deadline, you’re great at summarizing meetings or you’re a great facilitator—I’m not suggesting you focus on one—but what combination of things do you want to be known for? Once you know what that is—one of the examples I use is, if you want to be known for being punctual, which is an important thing, make sure you are—set the alarm earlier, make sure you show up for meetings on time, then that’s one of the things you’re known for. All these things help build the personal brand, and when people think of you, they think of how they can rely on you, and think of the attributes and experience that they can get from working with you.

That’s really what it comes down to—as human beings, we all prefer to work with people we can trust. Ideally people that we like, but certainly people that we can trust and rely on. You’re far more likely to get the right doors opening for you and more widely if you’ve built a brand that you maintain, and people you work with know what you stand for and know they can rely on you. It’s going to work in your favor and help you get the opportunities that you hope for in your career.

But there’s a big fun aspect to the presentation, as well. I start the presentation looking at branding and the types of brands that people know what they stand for. I think it has scope for workshop-type sessions, as well, where people follow some of the steps and start developing their personal brands. Feedback on this presentation has been very positive because it stands out as a non-technical presentation, and people can see that they can use it privately to further their careers, or to use it with their teams within their organizations. People really seem to resonate with it.

As CEO of the Association of Enterprise Architects, what are you seeing in terms of career opportunities available for architects right now?

We are seeing a lot of demand for Enterprise Architects all over the place, not just in the U.S., but globally. One of the things we have on the AEA website is a job board and career center, and we’ve been trying to increase the number of jobs posted there and make it a useful place for our members to go when they’re considering another position, and a good place for recruiters to promote their openings. We are growing that and it’s being populated more and more. Generally, I hear that there is a lot of demand for Enterprise Architects, and the demand outweighs the supply at the moment. It’s a good time to get into the profession. It’s a good time to be making the most of the demand that’s out there in the market right now. To back that up, the latest Foote Report showed that the OpenCA and TOGAF certifications were among the most valuable certifications in the IT industry. I think there is demand for certified architects and what we’re doing in the AEA is building the professional body to the point, ultimately, where people not only want to be AEA members, but effectively need to be AEA members in order to be taken seriously in Enterprise Architecture.

We’re also seeing an increasing number of inquiries from organizations that are recruiting Enterprise Architects to check that the applicant is indeed an AEA member. So clearly that tells us that people are putting it down on their resumes as something that differentiates them. It’s good that we get these inquiries, because it shows that there is perceived value in membership.

What’s new with the AEA? What’s happening within the organization right now?

Other things we have going on are a couple of webinar series running in parallel. One is a series of 13 webinars led by Jason Uppal of QRS Systems. He’s giving one a month for 13 months—we’ve done seven or eight already. The other is a series of 10 webinars given by Chris Armstrong of the Armstrong Process Group. What they have in common is that they are tutorials, they’re educational webinars and learning opportunities, and we’re seeing the number of attendees for those increasing. It’s a value of being an AEA member to be able to participate in these webinars. Our focus is on giving more value to the members, and those are a couple of examples of how we’re doing that.

The other thing that we have introduced is a series of blogs on ‘What Enterprise Architects Need to Know About…’ We’ve covered a couple of topics like Internet of Things and Big Data—we have more planned in that series. That’s an attempt to get people thinking about the changing environment in which we’re all operating now and the technologies coming down the pike at us, and what it means for Enterprise Architects. It’s not that architects have to be an expert in everything, but they do need to know about them because they will eventually change how organizations put together their architectures.

By The Open GroupSteve Nunn is the VP and Chief Operating Officer of The Open Group. Steve’s primary responsibility for The Open Group is to ensure the legal protection of its assets, particularly its intellectual property. This involves the development, maintenance and policing of the trademark portfolio of The Open Group, including the registered trade marks behind the Open Brand and, therefore, the various Open Group certification programs, including TOGAF®, Open CA, Open CITS, and UNIX® system certification. The licensing, protection and promotion of TOGAF also falls within his remit.

In addition, Steve is CEO of the Association of Enterprise Architects (AEA) and is focused on creating and developing the definitive professional association for enterprise architects around the globe. To achieve this, Steve is dedicated to advancing professional excellence amongst AEA’s 20,000+ members, whilst raising the status of the profession as a whole.

Steve is a lawyer by training and has an L.L.B. (Hons) in Law with French and retains a current legal practising certificate.

Join the conversation @theopengroup #ogchat #ogMAD



Comments Off on The Open Group Madrid Summit 2015 – An Interview with Steve Nunn

Filed under Boundaryless Information Flow™, Brand Marketing, Enterprise Architecture, Internet of Things, Open CA, Standards, TOGAF, TOGAF®, Uncategorized

The Open Group Johannesburg 2015 – Conference Highlights

By Stuart Macgregor, CEO, The Open Group South Africa

A packed agenda drew over 125 delegates to  The Open Group Johannesburg Conference on 17 March 2015, the seventh to be hosted by The Open Group South Africa. The theme this year was “The State of Enterprise Architecture Globally” which explored the transformative benefits of EA and how to reach the ultimate state of “business-focused, sustainable EA” through a series of presentations, discussions and an exhibition.

Conference exhibitors Avolution, Troux and BIC Platform showcased their Enterprise Architecture tools at the event. Avolution gave delegates a preview of the new release of the flagship toolset ABACUS 4.4.

It’s not hard to see why Enterprise Architecture is capturing the attention of business and technology professionals. Keynote speaker and The Open Group President & CEO Allen Brown pointed out that vehicle manufacturer Nissan attributes more than $1-billion in savings to Enterprise Architecture over a 10 year period.

Brown drew attention to The Open Group vision of Boundaryless Information Flow™, which enables the breakdown of barriers to create a cross-functional organisation. He also noted that Enterprise Architecture is not a technologically-driven conversation; instead, it must be aligned with the customer journey. “The organisation needs to learn more about people so as not to segment, since people are not ‘one size fits all’; business architecture, as a component of Enterprise Architecture, helps with understanding the customer journey,” he said.

Brown noted growth in successful implementations of EA around the world, including the remarkable case of Nissan. The carmaker faced challenges familiar to many technology professionals in large enterprises: multiple demands to align IT with business, the necessity to document rapidly changing information, and standardise processes. Nissan applied EA to create a comprehensive, readily accessible view of its technology environment.

Closer to home, Brown said Sasol is a local case study which shows the capabilities which flow from an EA implementation. It’s not only corporations that benefit; skilled individuals are making their mark, too. “Enterprise Architects are in high demand around the world and it’s one of the highest paid skills,” he added.

In addition to Brown’s keynote address, presentations by Paul van der Merwe, Enterprise Architect, Nedbank and Vusi Mdlalose, head of Reference Architecture and Tooling for the Barclays Africa Group, provided direct insights into how South African companies are harnessing the power of EA – and the TOGAF® and ArchiMate® standards (both Open Group standards) – to achieve predictable outcomes from complex technology environments.

“The Enterprise Architecture team played an instrumental role in defining this transformational journey for the bank through their adoption of TOGAF as the EA method,” noted van der Merwe, “This journey was defined by applying a capability-based approach to understanding the business requirements and priorities, a layered model for organising technology solutions and a managed evolution rollout strategy.”

Vusi Mdlalose’s talk gave insight into how ArchiMate informed the building and implementation of their meta model, and how they then built their architecture reference models and underlying architectures.

And, taking delegates outside of technology to consider the psychology of change, Real IRM’s Joanne Macgregor, Specialist Consultant and Trainer, presented on the necessity for effective change management as an integral part of EA implementations. Her aptly named presentation title, “You can lead a horse to water…” explored how many EA implementations do not succeed in realising their full potential due to a failure in managing the “fuzzy” human aspects of organisational transformation.

James Thomas, Lead Enterprise Architect at the South African Reserve Bank, took a different approach in his presentation titled, “The state of Enterprise Architecture globally”.

Thomas noted that the EA discipline is growing globally, but that there are business and IT stakeholders with concerns, misconceptions and downright scepticism – and set about dispelling the unknown. Fortunately his final conclusion stated “Long live Enterprise Architects!”

Lunch was followed by three tracks which focused on EA Frameworks, Practical TOGAF® and Realising EA Value. The topics and speakers included:

  • Frameworks of the IBM Systems Journal by Adriaan Vorster, Industry Consultant, Gijima
  • Successfully doing TOGAF in a Scrum Project; Marvin Williams, Associate Director Architect, Cognizant Technology USA
  • Less is more: putting EA at the heart of top-level decision-making; Jerome Bugnet, Senior Solution Director, Troux Technologies UK
  • Enterprise Security Architecture at Eskom – TOGAF and SABSA; Maganathin Veeraragaloo, Chief Advisor Information Security, Eskom
  • Enterprise Architecture as a core capability in successful transformation programmes; Roar Engen, Partner and Chief Enterprise Architect, Primesource EA Norway

The afternoon plenary included a presentation by Louw Labuschagne, Managing Partner, CS Interactive, who gave an overview of the Skills Framework for the Information Age (SFIA) and showed how the adoption of this framework is impacting the definition of Enterprise Architecture (EA) skills.

The Open Group Johannesburg 2015 was declared a resounding success. “Not only have delegates enjoyed executive insights directly from The Open Group, they have also seen how leading South African companies are applying EA principles to take charge of complex technology environments. And, of course, an event like this also presents an unmatched opportunity for global networking in a specialist field which is growing rapidly.”

In the closing presentation, Brown urged the delegates to view and download the publications from The Open Group for further insight and knowledge and more importantly to talk to the people who are doing EA. (Whether it’s IT4IT™, TOGAF or ArchiMate)

“It’s the networking at events like these that are ten times more valuable than anything else,” concluded Brown.

By Stuart Macgregor, The Open GroupStuart Macgregor, CEO of The Open Group South Africa, is also the Chief Executive of the South African company, Real IRM Solutions. Through his personal achievements, he has gained the reputation of an Enterprise Architecture and IT Governance specialist, both in South Africa and internationally.

Macgregor participated in the development of the Microsoft Enterprise Computing Roadmap in Seattle. He was then invited by John Zachman to Scottsdale, Arizona to present a paper on using the Zachman framework to implement ERP systems. In addition, Macgregor was selected as a member of both the SAP AG Global Customer Council for Knowledge Management, and of the panel that developed COBIT 3rd Edition Management Guidelines. He has also assisted a global Life Sciences manufacturer to define their IT Governance framework, a major financial institution to define their global, regional and local IT organizational designs and strategy. He was also selected as a core member of the team that developed the South African Breweries (SABMiller) plc global IT strategy.

Stuart, as the lead researcher, assisted the IT Governance Institute map CobiT 4.0 to TOGAF® . This mapping document was published by ISACA and The Open Group.

Comments Off on The Open Group Johannesburg 2015 – Conference Highlights

Filed under Enterprise Architecture, Enterprise Transformation, Standards, TOGAF®, Uncategorized

Enabling the Boundaryless Organization the Goal of The Open Group Madrid Summit 2015

The Open Group, the global vendor-neutral IT consortium, is hosting its latest event in Madrid April 20 – 23 2015. The event is set to build on the success of previous events and focus on the challenge of building a Boundaryless Organization in the face of a range of new IT trends. As organizations look to take advantage of trends such as the Internet of Things and Open Platform 3.0™, the Madrid event will be an opportunity for peers to present and discuss and how the Boundaryless Organization can be achieved and what methods are best to do so.

Objectives of this year’s conference include:

  • Understanding what role Enterprise Architecture as currently practiced plays in Enterprise Transformation, especially transformations driven by merging and disruptive technologies.
  • Showing the need for Boundaryless Information Flow™, which would result in more interoperable, real-time business processes that span throughout all business ecosystems.
  • Understanding how to develop better interoperability and communication across organizational boundaries and pursue global standards for Enterprise Architecture that are highly relevant to all industries.
  • Showing how organizations can achieve their business objectives by adopting new technologies and processes as part of the Enterprise Transformation management principles – making the whole process more a matter of design than of chance.
  • Examining how the growth of “The Internet of Things” with online currencies and mobile enabled transactions has changed the face of financial services, and poses new threats and opportunities.

Key plenary and track speakers at the event include:

  • Allen Brown, President & CEO, The Open Group
  • Ron Tolido, SVP, Group CTO Office, , Global Insights and Data practice, Capgemini
  • Mariano Arnaiz, CIO, Grupo CESCE
  • Domingo Molina, Director of Information Technology and Communication Management, CNIS

Full details on the event agenda can be found here.

Registration for The Open Group Madrid is open now and available to members and non-members.  Please visit here.

Join the conversation! @theopengroup #ogMAD

1 Comment

Filed under big data, Boundaryless Information Flow™, Enterprise Architecture, Internet of Things, Interoperability, Open Platform 3.0, OTTF, Professional Development, RISK Management, Standards, Strategy, TOGAF

Cybersecurity Standards: The Open Group Explores Security and Ways to Assure Safer Supply Chains

Following is a transcript of part of the proceedings from The Open Group San Diego 2015 in February.

The following presentations and panel discussion, which together examine the need and outlook for Cybersecurity standards amid supply chains, are provided by moderator Dave Lounsbury, Chief Technology Officer, The Open Group; Mary Ann Davidson, Chief Security Officer, Oracle; Dr. Ron Ross, Fellow of the National Institute of Standards and Technology (NIST), and Jim Hietala, Vice President of Security for The Open Group.

Here are some excerpts:

By The Open GroupDave Lounsbury: Mary Ann Davidson is responsible for Oracle Software Security Assurance and represents Oracle on the Board of Directors for the Information Technology Information Sharing and Analysis Center, and on the international Board of the ISSA.

Dr. Ron Ross leads the Federal Information Security Management Act Implementation Project. It sounds like a big job to fulfill, developing the security standards and guidelines for the federal government.

This session is going to look at the cybersecurity and supply chain landscape from a standards perspective. So Ron and Mary Ann, thank you very much.

By The Open GroupRon Ross: All of us are part of the technology explosion and revolution that we have been experiencing for the last couple of decades.

I would like to have you leave today with a couple of major points, at least from my presentation, things that we have observed in cybersecurity for the last 25 years: where we are today and where I think we might need to go in the future. There is no right or wrong answer to this problem of cybersecurity. It’s probably one of the most difficult and challenging sets of problems we could ever experience.

In our great country, we work on what I call the essential partnership. It’s a combination of government, industry, and academia all working together. We have the greatest technology producers, not just in this country, but around the world, who are producing some fantastic things to which we are all “addicted.” I think we have an addiction to the technology.

Some of the problems we’re going to experience going forward in cybersecurity aren’t just going to be technology problems. They’re going to be cultural problems and organizational problems. The key issue is how we organize ourselves, what our risk tolerance is, how we are going to be able to accomplish all of our critical missions and business operations that Dawn talked about this morning, and do so in a world that’s fairly dangerous. We have to protect ourselves.

Movie App

I think I can sum it up. I was at a movie. I don’t go to movies very often anymore, but about a month ago, I went to a movie. I was sitting there waiting for the main movie to start, and they were going through all the coming attractions. Then they came on the PA and they said that there is an app you can download. I’m not sure you have ever seen this before, but it tells you for that particular movie when is the optimal time to go to the restroom during the movie.

I bring this up because that’s a metaphor for where we are today. We are consumed. There are great companies out there, producing great technologies. We’re buying it up faster than you can shake a stick at it, and we are developing the most complicated IT infrastructure ever.

So when I look at this problem, I look at this from a scientist’s point of view, an engineering point of view. I’m saying to myself, knowing what I know about what it takes  to — I don’t even use the word “secure” anymore, because I don’t think we can ever get there with the current complexity — build the most secure systems we can and be able to manage risk in the world that we live in.

In the Army, we used to have a saying. You go to war with the army that you have, not the army that you want. We’ve heard about all the technology advances, and we’re going to be buying stuff, commercial stuff, and we’re going to have to put it together into systems. Whether it’s the Internet of Things (IoT) or cyber-physical convergence, it all goes back to some fairly simple things.

The IoT and all this stuff that we’re talking about today really gets back to computers. That’s the common denominator. They’re everywhere. This morning, we talked about your automobile having more compute power than Apollo 11. In your toaster, your refrigerator, your building, the control of the temperature, industrial control systems in power plants, manufacturing plants, financial institutions, the common denominator is the computer, driven by firmware and software.

When you look at the complexity of the things that we’re building today, we’ve gone past the time when we can actually understand what we have and how to secure it.

That’s one of the things that we’re going to do at NIST this year and beyond. We’ve been working in the FISMA world forever it seems, and we have a whole set of standards, and that’s the theme of today: how can standards help you build a more secure enterprise?

The answer is that we have tons of standards out there and we have lots of stuff, whether it’s on the federal side with 853 or the Risk Management Framework, or all the great things that are going on in the standards world, with The Open Group, or ISO, pick your favorite standard.

The real question is how we use those standards effectively to change the current outlook and what we are experiencing today because of this complexity? The adversary has a significant advantage in this world, because of complexity. They really can pick the time, the place, and the type of attack, because the attack surface is so large when you talk about not just the individual products.

We have many great companies just in this country and around the world that are doing a lot to make those products more secure. But then they get into the engineering process and put them together in a system, and that really is an unsolved problem. We call it a Composability Problem. I can have a trusted product here and one here, but what is the combination of those two when you put them together in the systems context? We haven’t solved that problem yet, and it’s getting more complicated everyday.

Continuous Monitoring

For the hard problems, we in the federal government do a lot of stuff in continuous monitoring. We’re going around counting our boxes and we are patching stuff and we are configuring our components. That’s loosely called cyber hygiene. It’s very important to be able to do all that and do it quickly and efficiently to make your systems as secure as they need to be.

But even the security controls in our control catalog, 853, when you get into the technical controls —  I’m talking about access control mechanisms, identification, authentication, encryption, and audit — those things are buried in the hardware, the software, the firmware, and the applications.

Most of our federal customers can’t even see those. So when I ask them if they have all their access controls in place, they can nod their head yes, but they can’t really prove that in a meaningful way.

So we have to rely on industry to make sure those mechanisms, those functions, are employed within the component products that we then will put together using some engineering process.

This is the below-the-waterline problem I talk about. We’re in some kind of digital denial today, because below the water line, most consumers are looking at their smartphones, their tablets, and all their apps — that’s why I used that movie example — and they’re not really thinking about those vulnerabilities, because they can’t see them, until it affects them personally.

I had to get three new credit cards last year. I shop at Home Depot and Target, and JPMorgan Chase is our federal credit card. That’s not a pain point for me because I’m indemnified. Even if there are fraudulent charges, I don’t get hit for those.

If your identity is stolen, that’s a personal pain point. We haven’t reached that national pain point yet. All of the security stuff that we do we talk about it a lot and we do a lot of it, but if you really want to effect change, you’re going to start to hear more at this conference about assurance, trustworthiness, and resiliency. That’s the world that we want to build and we are not there today.

That’s the essence of where I am hoping we are going to go. It’s these three areas: software assurance, systems security engineering, and supply-chain risk management.

My colleague Jon Boyens is here today and he is the author, along with a very talented team of coauthors, of the NIST 800-161 document. That’s the supply chain risk document.

It’s going to work hand-in-hand with another publication that we’re still working on, the 800-160 document. We are taking an IEEE and an ISO standard, 15288, and we’re trying to infuse into that standard. They are coming out with the update of that standard this year. We’re trying to infuse security into every step of the lifecycle.

Wrong Reasons

The reason why we are not having a lot of success on the cybersecurity front today is because security ends up appearing either too late or by the wrong people for the wrong reasons.

I’ll give you one example. In the federal government, we have a huge catalog of security controls, and they are allocated into different baselines: low, moderate, and high. So you will pick a baseline, you will tailor, and you’ll come to the system owner or the authorizing official and say, “These are all the controls that NIST says we have to do.” Well, the mission business owner was never involved in that discussion.

One of the things we are going to do with the new document is focus on the software and systems engineering process from the start of the stakeholders, all the way through requirements, analysis, definition, design, development, implementation, operation, and sustainment, all the way to disposal. Critical things are going to happen at every one of those places in the lifecycle

The beauty of that process is that you involve the stakeholders early. So when those security controls are actually selected they can be traced back to a specific security requirement, which is part of a larger set of requirements that support that mission or business operation, and now you have the stakeholders involved in the process.

Up to this point in time, security operates in its own vacuum. It’s in the little office down the hall, and we go down there whenever there’s a problem. But unless and until security gets integrated and we disappear as being our own discipline, we now are part of the Enterprise Architecture, whether it’s TOGAF® or whatever architecture construct you are following, or the systems engineering process. The system development lifecycle is the third one, and people ask what is acquisition and procurement.

Unless we have our stakeholders at those tables to influence, we are going to continue to deploy systems that are largely indefensible not against all cyber attacks but against the high-end attacks.

We have to do a better job getting at the C-Suite and I tried to capture the five essential areas that this discussion has to revolve around. The acronym is TACIT, and it just happens to be a happy coincidence that it fit into an acronym. But it’s basically looking at the threat, how you configure your assets, and how you categorize your assets with regard to criticality.

How complex is the system you’re building? Are you managing that complexity in trying to reduce it, integrating security across the entire set of business practices within the organization? Then, the last component, which really ties into The Open Group, and the things you’re doing here with all the projects that were described in the first session, that is the trustworthiness piece.

Are we building products and systems that are, number one, more penetration resistance to cyber attacks; and number two, since we know we can’t stop all attacks, because we can never reduce complexity to where we thought we could two or three decades ago. Are we building the essential resiliency into that system. Even when the adversary comes to the boundary and the malware starts to work, how far does it spread, and what can it do?

That’s the key question. You try to limit the time on target for the advisory, and that can be done very, very easily with good architectural and good engineering solutions. That’s my message for 2015 and beyond, at least from a lot of things at NIST. We’re going to start focusing on the architecture and the engineering, how to really affect things at the ground level?

Processes are Important

Now we always will have the people, the processes, the technologies kind of this whole ecosystem that we have to deal with, and you’re going to always have to worry about your sys admins that go bad and dump all the stuff that you don’t want dumped on the Internet. But that’s part of system process. Processes are very important because they give us structure, discipline, and the ability to communicate with our partners.

I was talking to Rob Martin from Mitre. He’s working on a lot of important projects there with the CWEs, CVEs. It gives you the ability to communicate a level of trustworthiness and assurance that other people can have that dialogue, because without that, we’re not going to be communicating with each other. We’re not going to trust each other, and that’s critical, having that common understanding. Frameworks provide that common dialogue of security controls in a common process, how we build things, and what is the level of risk that we are willing to accept in that whole process.

These slides, and they’ll be available, go very briefly into the five areas. Understanding the modern threat today is critical because, even if you don’t have access to classified threat data, there’s a lot of great data out there with Symantec and Verizon reports, and there’s open-source threat information available.

If you haven’t had a chance to do that, I know the folks who work on the high assurance stuff in The Open Group RT&ES. look at that stuff a lot, because they’re building a capability that is intended to stop some of those types of threats.

The other thing about assets is that we don’t do a very good job of criticality analysis. In other words, most of our systems are running, processing, storing, and transmitting data and we’re not segregating the critical data into its own domain where necessary.

I know that’s hard to do sometimes. People say, “I’ve got to have all this stuff ready to go 24×7,” but when you look at some of the really bad breaches that we have had over the last several years establishing a domain for critical data, where that domain can be less complex, which means you can better defend it, and then you can invest more resources into defending those things that are the most critical.

I used a very simple example of a safe deposit box. I can’t get all my stuff into the safe deposit box. So I have to make decisions. I put important papers in there, maybe a coin collection, whatever.  I have locks on my house on the front door, but they’re not strong enough to stop some of those bad guys out there. So I make those decisions. I put it in the bank, and it goes in a vault. It’s a pain in the butt to go down there and get the stuff out, but it gives me more assurance, greater trustworthiness. That’s an example of the things we have to be able to do.

Complexity is something that’s going to be very difficult to address because of our penchant for bringing in new technologies. Make no mistake about it, these are great technologies. They are compelling. They are making us more efficient. They are allowing us to do things we never imagined, like finding out the optimal time to go to the restroom during a movie, I mean who could have imagined we could do that a decade ago.

But as with every one of our customers out there, the kinds of things we’re talking about flies below their radar. When you download 100 apps on your smartphone, people in general, even the good folks in Cybersecurity, have no idea where those apps are coming from, where the pedigree is, have they been tested at all, have they been evaluated, are they running on a trusted operating system?

Ultimately, that’s what this business is all about, and that’s what 800-161 is all about. It’s about a lifecycle of the entire stack from applications, to middleware, to operating systems, to firmware, to integrated circuits, to include the supply chain.

The adversary is all over that stack. They now figure out how to compromise our firmware so we have to come up with firmware integrity controls in our control catalog, and that’s the world we live in today.

Managing Complexity

I was smiling this morning when I talked about the DNI, the Director of National Intelligence in building their cloud, if that’s going to go to the public cloud or not. I think Dawn is probably right, you probably won’t see that going to the public cloud anytime soon, but cloud computing gives us an opportunity to manage complexity. You can figure out what you want to send to the public cloud.

They do a good job through the FedRAMP program of deploying controls and they’ve got a business model that’s important to make sure they protect their customers’ assets. So that’s built into their business model and they do a lot of great things out there to try to protect that information.

Then, for whatever stays behind in your enterprise, you can start to employ some of the architectural constructs that you’ll see here at this conference, some of the security engineering constructs that we’re going to talk about in 800-160, and you can better defend what stays behind within your organization.

So cloud is a way to reduce that complexity. Enterprise Architecture, TOGAF®, an Open Group standard, all of those architectural things allow you to provide discipline and structure and thinking about what you’re building: how to protect it, how much it’s going to cost and is it worth it? That is the essence of good security. It’s not about running around with a barrel full of security controls or ISO 27000 saying, hey, you’ve got to do all this stuff, or this guy is going to fall, those days are over.

Integration we talked about. This is also hard. We are working with stovepipes today. Enterprise Architects typically don’t talk to security people. Acquisition folks, in most cases, don’t talk to security people.

I see it everyday. You see RFPs go out and there is a whole long list of requirements, and then, when it comes to security, they say the system or the product they are buying must be FISMA compliant. They know that’s a law and they know they have to do that, but they really don’t give the industry or the potential contractors any specificity as to what they need to do to bring that product or the system to the state where it needs to be.

And so it’s all about expectations. I believe our industry, whether it’s here or overseas, wherever these great companies operate, the one thing we can be sure of is that they want to please their customers. So maybe what the message I’m going to send everyday is that we have to be more informed consumers. We have to ask for things that we know we need.

It’s like if you go back with the automobile. When I first started driving a long time ago,  40 years ago, cars just had seatbelts. There were no airbags and no steel-reinforced doors. Then, you could actually buy an airbag as an option at some point. When you fast-forward to today, every car has an airbag, seatbelt, steel-reinforced doors. It comes as part of the basic product. We don’t have to ask for it, but as consumers we know it’s there, and it’s important to us.

We have to start to look at the IT business in the same way, just like when we cross a bridge or fly in an airplane. All of you who flew here in airplanes and came across bridges had confidence in those structures. Why? Because they are built with good scientific and engineering practices.

So least functionality, least privilege, those are kind of foundational concepts in our world and cybersecurity. You really can’t look at a smartphone or a tablet and talk about least functionality anymore, at least if you are running that movie app, and you want to have all of that capability.

The last point about trustworthiness is that we have four decades of best practices in trusted systems development. It failed 30 years ago because we had the vision back then of trusted operating systems, but the technology and the development far outstripped our ability to actually achieve that.

Increasingly Difficult

We talked about a kernel-based operating system having 2,000, 3,000, 4,000, 5,000 lines of code and being highly trusted. Well, those concepts are still in place. It’s just that now the operating systems are 50 million lines of code, and so it becomes increasingly difficult.

And this is the key thing. As a society, we’re going to have to figure out, going forward, with all this great technology, what kind of world do we want to have for ourselves and our grandchildren? Because with all this technology, as good as it is, if we can’t provide a basis of security and privacy that customers can feel comfortable with, then at some point this party is going to stop.

I don’t know when that time is going to come, but I call it the national pain point in this digital denial. We will come to that steady state. We just haven’t had enough time yet to get to that balance point, but I’m sure we will.

I talked about the essential partnership, but I don’t think we can solve any problem without a collaborative approach, and that’s why I use the essential partnership: government, industry, and academia.

Certainly all of the innovation, or most of the innovation, comes from our great industry. Academia is critical, because the companies like Oracle or Microsoft want to hire students who have been educated in what I call the STEM disciplines: Science, Technology, Engineering — whether it’s “double e” or computer science — and Mathematics. They need those folks to be able to build the kind of products that have the capabilities, function-wise, and also are trusted.

And government plays some role — maybe some leadership, maybe a bully pulpit, cheerleading where we can — bringing things together. But the bottom line is that we have to work together, and I believe that we’ll do that. And when that happens I think all of us will be able to sit in that movie and fire up that app about the restroom and feel good that it’s secure.

By The Open GroupMary Ann Davidson: I guess I’m preaching to the converted, if I can use a religious example without offending somebody. One of the questions you asked is, why do we even have standards in this area? And of course some of them are for technical reasons. Crypto it turns out is easy for even very smart people to get wrong. Unfortunately, we have reason to find out.

So there is technical correctness. Another reason would be interoperability to get things to work better in a more secure manner. I’ve worked in this industry long enough to remember the first SSL implementation, woo-hoo, and then it turns out 40 bits wasn’t really 40, bits because it wasn’t random enough, shall we say.

Trustworthiness. ISO has a standard — The Common Criteria. It’s an ISO standard. We talk about what does it mean to have secure software, what type of threats does it address, how do you prove that it does what you say you do? There are standards for that, which helps. It helps everybody. It certainly helps buyers understand a little bit more about what they’re getting.

No Best Practices

And last, but not least, and the reason it’s in quotes, “best practices,” is because there actually are no best practices. Why do I say that — and I am seeing furrowed brows back there? First of all, lawyers don’t like them in contracts, because then if you are not doing the exact thing, you get sued.

There are good practices and there are worst practices. There typically isn’t one thing that everyone can do exactly the same way that’s going to be the best practice. So that’s why that’s in quotation marks.

Generally speaking, I do think standards, particularly in general, can be a force for good in the universe, particularly in cybersecurity, but they are not always a force for good, depending on other factors.

And what is the ecosystem? Well, we have a lot of people. We have standards makers, people who work on them. Some of them are people who review things. Like when NIST is very good, which I appreciate, about putting drafts out and taking comments, as opposed to saying, “Here it is, take it or leave it.” That’s actually a very constructive dialogue, which I believe a lot of people appreciate. I know that I do.

Sometimes there are mandators. You’ll get an RFP that says, “Verily, thou shall comply with this, less thee be an infidel in the security realm.” And that can be positive. It can  be a leading edge of getting people to do something good that, in many cases, they should do anyway.

Implementers, who have to take this and decipher and figure out why they are doing it. People who make sure that you actually did what you said you were going to do.

And last, but not least, there are weaponizers. What do I mean by that? We all know who they are. They are people who will try to develop a standard and then get it mandated. Actually, it isn’t a standard. It’s something they came up with, which might be very good, but it’s handing them regulatory capture.

And we need to be aware of those people. I like the Oracle database. I have to say that, right? There are a lot of other good databases out there. If I went in and said, purely objectively speaking, everybody should standardize on the Oracle database, because it’s the most secure. Well, nice work if I can get it.

Is that in everybody else’s interest? Probably not. You get better products in something that is not a monopoly market. Competition is good.

So I have an MBA, or had one in a prior life, and they used to talk in the marketing class about the three Ps of marketing. Don’t know what they are anymore; it’s been a while. So I thought I would come up with Four Ps of a Benevolent Standard, which are Problem Statement, Precise Language, Pragmatic Solutions, and Prescriptive Minimization.

Economic Analysis

And the reason I say this is one of the kind of discussions I have to have a lot of times, particularly sometimes with people in the government. I’m not saying this in any pejorative way. So please don’t take it that way. It’s the importance of economic analysis, because nobody can do everything.

So being able to say that I can’t boil the ocean, because you are going to boil everything else in it, but I can do these things. If I could do these things, it’s very clear what I am trying to do. It’s very clear what the benefit is. We’ve analyzed it, and it’s probably something everybody can do. Then, we can get to better.

Better is better than omnibus. Omnibus is something everybody gets thrown under if you make something too big. Sorry, I had to say that.

So Problem Statement: why is this important? You would think it’s obvious, Mary Ann, except that it isn’t, because so often the discussions I have with people, tell me what problem you are worried about? What are you trying to accomplish? If you don’t tell me that, then we’re going to be all over the map. You say potato and I say “potahto,” and the chorus of that song is, “let’s call the whole thing off.”

I use supply chain as an example, because this one is all over the map. Bad quality? Well, buying a crappy product is a risk of doing business. It’s not, per se, a supply chain risk. I’m not saying it’s not important, but it it’s certainly not a cyber-specific supply chain risk.

Bad security: well, that’s important, but again, that’s a business risk.

Backdoor bogeyman: this is the popular one. How do I know you didn’t put a backdoor in there? Well, you can’t actually, and that’s not a solvable problem.

Assurance, supply chain shutdown: yeah, I would like to know that a critical parts supplier isn’t going to go out of business. So these are all important, but they are all different problems.

So if you don’t say what you’re worried about, and it can’t be all the above. Almost every business has some supplier of some sort, even if it’s just healthcare. If you’re not careful how you define this, you will be trying to define a 100 percent of any entity’s business operations. And that’s not appropriate.

Use cases are really important, because you may have a Problem Statement. I’ll give you one, and this is not to ding NIST in any way, shape, or form, but I just read this. It’s the Cryptographic Key Management System draft. The only reason I cite this as an example is that I couldn’t actually find a use case in there.

So whatever the merits of that are saying, are you trying to develop a super secret key management system for government, very sensitive cryptographic things you are building from scratch, or you are trying to define a key management system that we have to use for things like TLS or any encryption that any commercial product does, because that’s way out of scope?

So without that, what are you worried about? And also what’s going to happen is somebody is going to cite this in an RFP and it’s going to be, are you compliant with bladdy-blah? And you have no idea whether that even should apply.

Problem Statement

So that Problem Statement is really important, because without that, you can’t have that dialogue in groups like this. Well, what are we trying to accomplish? What are we worried about? What are the worst problems to solve?

Precise Language is also very important. Why? Because it turns out everybody speaks a slightly different language, even if we all speak some dialect of geek, and that is, for example, a vulnerability.

If you say vulnerability to my vulnerability handling team, they think of that as a security vulnerability that’s caused by a defect in software.

But I’ve seen it used to include, well, you didn’t configure the product properly. I don’t know what that is, but it’s not a vulnerability, at least not to a vendor. You implemented a policy incorrectly. It might lead to vulnerability, but it isn’t one. So you are seeing where I am going with this. If you don’t have language to find very crisply the same thing, you read something and you go off and do it and you realize you solved the wrong problem.

I am very fortunate. One of my colleagues from Oracle, who works on our hardware, and I also saw a presentation by people in that group at the Cryptographic Conference in November. They talked about how much trouble we got into because if you say, “module” to a hardware person, it’s a very different thing from what it meant to somebody trying to certify it. This is a huge problem because again you say, potato, I say “potahto.” It’s not the same thing to everybody. So it needs to be very precisely defined.

Scope is also important. I don’t know why. I have to say this a lot and it does get kind of tiresome, I am sure to the recipients, COTS isn’t GOTS. Commercial software is not government software, and it’s actually globally developed. That’s the only way you get commercial software, the feature rich, reads frequently. We have access to global talent.

It’s not designed for all threat environments. It can certainly be better, and I think most people are moving towards better software, most likely because we’re getting beaten up by hackers and then our customers, and it’s good business. But there is no commercial market for high-assurance software or hardware, and that’s really important, because there is only so much that you can do to move the market.

So even a standards developer or big U.S. governments, is an important customer in the market for a lot of people, but they’re not big enough to move the marketplace on their own, and so you are limited by the business dynamic.

So that’s important, you can get to better. I tell people, “Okay, anybody here have a Volkswagen? Okay, is it an MRAP vehicle? No, it’s not, is it? You bought a Volkswagen and you got a Volkswagen. You can’t take a Volkswagen and drive it around streets and expect it to perform like an MRAP vehicle. Even a system integrator, a good one, cannot sprinkle pixie dust over that Volkswagen and turn it into an MRAP vehicle. Those are very different threat environments.

Why you think commercial software and hardware is different? It’s not different. It’s exactly the same thing. You might have a really good Volkswagen, and it’s great for commuting, but it is never going to perform in an IED environment. It wasn’t designed for that, and there is nothing you can do or make it designed to perform in that environment.


Pragmatism; I really wish anybody working on any standard would do some economic analysis, because economics rules the world. Even if it’s something really good, a really good idea, time, money, and people, particularly qualified security people, are constrained resourses.

So if you make people do something that looks good on paper, but it’s really time-consuming, it’s an opportunity, the cost is too high. That means what is the value of something you could do with those resources that would either cost less or deliver higher benefit. And if you don’t do that analysis, then you have people say, “Hey, that’s a great idea. Wow, that’s great too. I’d like that.” It’s like asking your kid, “Do you want candy. Do want new toys? Do want more footballs?” Instead of saying, “Hey, you have 50 bucks, what you are going to do with it?”

And then there are unintended consequences, because if you make this too complex, you just have fewer suppliers. People will never say, “I’m just not going to bid because it’s impossible.” I’m going to give you three examples and again I’m trying to be respectful here. This is not to dis anybody who worked on these. In some cases, these things have been subsequent revisions that have been modified, which I really appreciate. But there are examples of, when you think about it, what were you asking for in the first place.

I think this was an early version of NISTR 7622 and has since been excised. There was a requirement that the purchaser wanted to be notified of personnel changes involving maintenance. Okay, what does that mean?

I know what I think they wanted, which is, if you are outsourcing the human resources for the Defense Department and you move the whole thing to “Hackistan,” obviously they would want to be notified. I got that, but that’s not what it said.

So I look at that and say, we have 5,000 products, at least, at Oracle. We have billions and billions of lines of code everyday. Somebody checks out a transaction, getting some code, and they do some work on it and they didn’t write it in the first place.

So am I going to tweet all that to somebody. What’s that going to do for you? Plus you have things like the German Workers Council. We are going to tell the US Government that Jurgen worked on this line of code. Oh no, that’s not going to happen.

So what was it you were worried about, because that is not sustainable, tweeting people 10,000 times a day with code changes is just going to consume a lot of resource.

In another one, had this in an early version of something they were trying to do. They wanted to know, for each phase of development for each project, how many foreigners worked on it? What’s a foreigner? Is it a Green Card holder? Is it someone who has a dual passport? What is that going to do for you?

Now again if you had a super custom code for some intelligence, I can understand there might be cases in which that would matter. But general-purpose software is not one of them. As I said, I can give you that information. We’re a big company and we’ve got lots of resource. A smaller company probably can’t. Again, what will I do for you, because I am taking resources I could be using on something much more valuable and putting them on something really silly.

Last, but not least, and again, with respect, I think I know why this was in there. It might have been the secure engineering draft standard that you came up with that has many good parts to it.

Root Cause Analysis

I think vendors will probably understand this pretty quickly. Root Cause Analysis. If you have a vulnerability, one of the first things you should use is Root Cause Analysis. If you’re a vendor and you have a CVSS 10 Security vulnerability in a product that’s being exploited, what do you think the first thing you are going to do is?

Get a patch in your customers’ hands or work around? Yeah, probably, that’s probably the number one priority. Also, Root Cause Analysis, particularly for really nasty security bugs, is really important. CVSS 0, who cares? But for 9 or 10, you should be doing that common analysis.

I’ve got a better one. We have a technology we have called Java. Maybe you’ve heard of it. We put a lot of work into fixing Java. One of the things we did is not only Root Cause Analysis, for CVSS 9 and higher. They have to go in front of my boss. Every Java developer had to sit through that briefing. How did this happen?

Last but not least, looking for other similar instances, not just root cause, how did that get in there and how do we avoid it. Where else does this problem exist. I am not saying this to make us look good; I ‘m saying for the analytics. What are you really trying to solve here. Root Cause Analysis is important, but it’s important in context. If I have to do it for everything, it’s probably not the best use of a scarce resource.

My last point is to minimize prescriptiveness within limits. For example, probably some people in here don’t know how to bake or maybe you made a pie. There is no one right way to bake a cherry pie. Some people go down to Ralphs and they get a frozen Marie Callendar’s out of the freezer, they stick it in the oven, and they’ve got a pretty good cherry pie.

Some people make everything from scratch. Some people use a prepared pie crust and they do something special with the cherries they picked off their tree, but there is no one way to do that that is going to work for everybody.

Best practice for something. For example, I can say truthfully that a best development practice would not be just start coding, number one; and number two, it compiles without too many errors on the base platform, and ship it. That is not good development practice.

If you mandate too much, it will stifle innovation and it won’t work for people. Plus, as I mentioned, you will have an opportunity cost. If I’m doing something that somebody says I have to do, but there is a more innovative way of doing that.

We don’t have a single development methodology in Oracle, mostly because of acquisitions. We buy a great company, we don’t tell them, “You know, that agile thing you are doing, it’s the last year. You have to do waterfall.” That’s not going to work very well, but there are good practices even within those different methodologies.

Allowing for different hows is really important. Static analysis is one of them. I think static analysis is kind of industry practice now, and people should be doing it. Third party is really bad. I have been opining about this, this morning.

Third-party Analysis

Let just say, I have a large customer, I won’t name who used a third-party static analysis service. They broke their license agreement with us. They’re getting a lot of it from us. Worse, they give us a report that included vulnerabilities from one of our competitors. I don’t want to know about those, right? I can’t fix some. I did tell my competitor, “You should know this report exist, because I’m sure you want to analyze this.”

Here’s the worst part. How many of those vulnerabilities the third-party found you think had any merit? Run tool is nothing; analyzing results is everything. That customer and the vendor wasted the time of one of our best security leads, trying to make sure there was no there there, and there wasn’t.

So again, and last but not least, government can use their purchasing power in lot of very good ways, but realize that regulatory things are probably going to lag actual practice. You could be specifying buggy whip standards and the reality is that nobody uses buggy whips anymore. It’s not always about the standard, particularly if you are using resources in a less than optimal way.

One of the things I like about The Open Group is that here we have actual practitioners. This is one of the best forums I have seen, because there are people who have actual subject matter expertise to bring to the table, which is so important in saying what is going to work and can be effective.

The last thing I am going to say is a nice thank you to the people in The Open Group Trusted Technology Forum (OTTF), because I appreciate the caliber of my colleagues, and also Sally Long. They talk about this type of an effort as herding cats, and at least for me, it’s probably like herding a snarly cat. I can be very snarly. I’m sure you can pick up on that.

So I truly appreciate the professionalism and the focus and the targeting. Targeting a good slice of making a supply-chain problem better, not boiling the ocean, but very focused and targeted and with very high-caliber participation. So thank you to my colleagues and particularly thank you to Sally, and that’s it, I will turn it over to others.

By The Open GroupJim Hietala: We do, we have a few questions from the audience. So the first one and both here could feel free to chime in on this. Something you brought up Dr. Ross, building security in looking at software and systems engineering processes. How do you bring industry along in terms of commercial off-the-shelf products and services especially when you look at things like IoT, where we have got IP interfaces grafted on to all sorts of devices?

Ross: As Mary Ann was saying before, the strength of any standard is really its implementability out there. When we talk about, in particular, the engineering standard, the 15288 extension, if we do that correctly every organization out there who’s already using — let’s say a security development lifecycle like the 27034, you can pick your favorite standard — we should be able to reflect those activities in the different lanes of the 15288 processes.

This is a very important point that I got from Mary Ann’s discussion. We have to win the hearts and minds and be able to reflect things in a disciplined and structured process that doesn’t take people off their current game. If they’re doing good work, we should be able to reflect that good work and say, “I’m doing these activities whether it’s SDL, and this is how it would map to those activities that we are trying to find in the 15288.”

And that can apply to the IoT. Again, it goes back to the computer, whether it’s Oracle database or a Microsoft operating system. It’s all about the code and the discipline and structure of building that software and integrating it into a system. This is where we can really bring together industry, academia, and government and actually do something that we all agree on.

Different Take

Davidson: I would have a slightly different take on this. I know this is not a voice crying in the wilderness. My concern about the IoT goes back to things I learned in business school in financial market theory, which unfortunately has been borne out in 2008.

There are certain types of risks you can mitigate. If I cross a busy street, I’m worried about getting hit by a car. I can look both ways. I can mitigate that. You can’t mitigate systemic risk. It means that you created a fragile system. That is the problem with the IoT, and that is a problem that no jury of engineering will solve.

If it’s not a problem, why aren’t we giving nuclear weapons’ IP addresses? Okay, I am not making this up. The Air Force thought about that at one point. You’re laughing. Okay, Armageddon, there is an app for that.

That’s the problem. I know this is going to happen anyway. whether or not I approve of it, but I really wish that people could look at this, not just in terms of how many of these devices and what a great opportunity, but what is a systemic risk that we are creating by doing this.

My house is not connected to the Internet directly and I do not want somebody to shut my appliances off or shut down my refrigerator or lock it so that I can’t get into it or use that for launching an attack, those are the discussions we should be having — at least as much as how we make sure that people designing these things have a clue.

Hietala: The next question is, how do customers and practitioners value the cost of security, and then a kind of related question on what can global companies due to get C-Suite attention and investment on cybersecurity, that whole ROI value discussion?

Davidson: I know they value it because nobody calls me up and says, “I am bored this week. Don’t you have more security patches for me to apply?” That’s actually true. We know what it costs us to produce a lot of these patches, and it’s important for the amount of resources we spend on that I would much rather be putting them on building something new and innovative, where we could charge money for it and provide more value to customers.

So it’s cost avoidance, number one; number two more people have an IT backbone. They understand the value of having it be reliable. Probably one of the reasons people are moving to clouds is that it’s hard to maintain all these and hard to find the right people to maintain them. But also I do have more customers asking us now about our security practices, which is be careful what you wish for

I said this 10 years ago. People should be demanding. They know what we’re doing and now I am going to spend a lot of time answering RFPs, but that’s good. These people are aware of this. They’re running their business on our stuff and they want to know what kind of care we’re taking to make sure we’re protecting their data and their mission-critical applications as if it were ours.

Difficult Question

Ross: The ROI question is very difficult with regard to security. I think this goes back to what I said earlier. The sooner we get security out of its stovepipe and integrated as just part of the best practices that we do everyday, whether it’s in the development work at a company or whether it’s in our enterprises as part of our mainstream organizational management things like the SDLC, or if we are doing any engineering work within the organization, or if we have the Enterprise Architecture group involved. That integration makes security less of  “hey, I am special” and more of just a part of the way we do business.

So customers are looking for reliability and dependability. They rely on this great bed of IT product systems and services and they’re not always focused on the security aspects. They just want to make sure it works and that if there is an attack and the malware goes creeping through their system, they can be as protected as they need to be, and sometimes that flies way below their radar.

So it’s got to be a systemic process and an organizational transformation. I think we have to go through it, and we are not quite there just yet.

Davidson: Yeah, and you really do have to bake it in. I have a team of — I’ve got three more headcount, hoo-hoo — 45 people, but we have about 1,600 people in development whose jobs are to be security points of contact and security leads. They’re the boots on the ground who implement our program, because I don’t want to have an organization that peers over everybody’s shoulder to make sure they are writing good code. It’s not cost-effective, not a good way to do it. It’s cultural.

One of the ways that you do that is seeding those people in the organization, so they become the boots on the ground and they have authority to do things, because you’re not going to succeed otherwise.

Going back to Java, that was the first discussion I had with one of the executives that this is a cultural thing. Everybody needs to feel that he or she is personally responsible for security, not those 10-20 whatever those people are, whoever the security weenie is. It’s got to be everybody and when you can do that, you really have to see change and how things happen. Everybody is not going to be a security expert, but everybody has some responsibility for security.

Transcript available here.

Transcript of part of the proceedings from The Open Group San Diego 2015 in February. Copyright The Open Group and Interarbor Solutions, LLC, 2005-2015. All rights reserved.

Join the conversation! @theopengroup #ogchat

You may also be interested in:


Comments Off on Cybersecurity Standards: The Open Group Explores Security and Ways to Assure Safer Supply Chains

Filed under Uncategorized, Enterprise Architecture, Cybersecurity, Cloud/SOA, TOGAF®, Information security, Standards, Cloud, Conference, OTTF, RISK Management, Internet of Things, Security, IT

The Open Group San Diego Panel Explores Synergy Among Major Frameworks in Enterprise Architecture

Following is a transcript of part of the proceedings from The Open Group San Diego event in February – a panel discussion on The Synergy of Enterprise Architecture frameworks.

The following panel, which examines the synergy among the major Enterprise Architecture frameworks, consists of moderator Allen Brown, President and Chief Executive Officer, The Open Group; Iver Bank, an Enterprise Architect at Cambia Health Solutions; Dr. Beryl Bellman, Academic Director, FEAC Institute; John Zachman, Chairman and CEO of Zachman International, and originator of the Zachman Framework; and Chris Forde, General Manager, Asia and Pacific Region and Vice President, Enterprise Architecture, The Open Group.

Here are some excerpts:

By The Open GroupIver Band: As an Enterprise Architect at Cambia Health Solutions, I have been working with the ArchiMate® Language for over four years now, both working with and on it in the ArchiMate® Forum. As soon as I discovered it in late 2010, I could immediately see, as an Enterprise Architect, how it filled an important gap.

It’s very interesting to see the perspective of John Zachman. I will briefly present how the ArchiMate Language allows you to fully support enterprise architecture using The Zachman Framework. So I am going to very briefly talk about enterprise architecture with the ArchiMate Language and The Zachman Framework.

What is the ArchiMate Language? Well, it’s a language we use for building understanding across disciplines in an organization and communicating and managing change.  It’s a graphical notation with formal semantics. It’s a language.

It’s a framework that describes and relates the business, application, and technology layers of an enterprise, and it has extensions for modelling motivation, which includes business strategy, external factors affecting the organization, requirements for putting them altogether and for showing them from different stakeholder perspectives.

You can show conflicting stakeholder perspectives, and even politics. I’ve used it to model organizational politics that were preventing a project from going forward.

It has a rich set of techniques in its viewpoint mechanism for visualizing and analyzing what’s going on in your enterprise. Those viewpoints are tailored to different stakeholders.  And, of course, ArchiMate®, like TOGAF®, is an open standard managed by The Open Group.

Taste of Archimate

This is just a taste of ArchiMate for people who haven’t seen it before. This is actually excerpted from the presentation my colleague Chris McCurdy and I are doing at this conference on Guiding Agile Solution Delivery with the ArchiMate Language.

What this shows is the Business and Application Layers of ArchiMate. It shows a business process at the top. Each process is represented by a symbol. It shows a data model of business objects, then, at the next layer, in yellow.

Below that, it shows a data model actually realized by the application, the actual data that’s being processed.

Below that, it shows an application collaboration, a set of applications working together, that reads and writes that data and realizes the business data model that our business processes use.

All in all, it presents a vision of an integrated project management toolset for a particular SDLC that uses the phases that you see across the top.

We are going to dissect this model, how you would build it, and how you would develop it in an agile environment in our presentation tomorrow.

I have done some analysis of The Zachman Framework, comparing it to the ArchiMate Language. What’s really clear is that ArchiMate supports enterprise architecture with The Zachman Framework. You see a rendering of The Zachman Framework and then you see a rendering of the components of the ArchiMate Language. You see the Business Layer, the Application Layer, the Technology Layer, its ability to express information, behavior, and structure, and then the Motivation and Implementation and Migration extensions.

So how does it support it? Well, there are two key things here. The first is that ArchiMate models answer the questions that are posed by The Zachman Framework columns.

For what: for Inventory. We are basically talking about what is in the organization. There are Business and Data Objects, Products, Contracts, Value, and Meaning.

For how: for process. We can model Business Processes and Functions. We can model Flow and Triggering Relationships between them.

Where: for the Distribution of our assets. We can model Locations, we can model Devices, and we can model Networks, depending on how you define Location within a network or within a geography.

For who: We can model Responsibility, with Business Actors, Collaborations, and Roles.

When: for Timing. We have Business Events, Plateaus of System Evolution, relatively stable systems states, and we have Triggering Relationships.

Why: We have a rich Motivation extension, Stakeholders, Drivers, Assessments, Principles, Goals, Requirements, etc., and we show how those different components influence and realize each other.

Zachman perspectives

Finally, ArchiMate models express The Zachman Row Perspectives. For the contextual or boundary perspective, where Scope Lists are required, we can make catalogs of ArchiMate Concepts. ArchiMate has broad tool support, and in a repository-based tool, while ArchiMate is a graphical language, you can very easily take list of concepts, as I do regularly, and put them in catalog or metrics form. So it’s easy to come up with those Scope Lists.

Secondly, for the Conceptual area, the Business Model, we have a rich set of Business Layer Viewpoints. Like the top of the — that focus on the top of the diagram that I showed you; Business Processes, Actors, Collaborations, Interfaces, Business Services that are brought to market.

Then at the Logical Layer we have System. We have a rich set of Application Layer Viewpoints and Viewpoints that show how Applications use Infrastructure.

For Physical, we have an Infrastructure Layer, which can be used to model any type of Infrastructure: Hosting, Network, Storage, Virtualization, Distribution, and Failover. All those types of things can be modeled.

And for Configuration and Instantiation, the Application and Technology Layer Viewpoints are available, particularly more detailed ones, but are also important is the Mappings to standard design languages such as BPMN, UML and ERD. Those are straightforward for experienced modelers. We also have a white paper on using the ArchiMate language with UML. Thank you.

By The Open GroupDr. Beryl Bellman: I have been doing enterprise architecture for quite a long time, for what you call pre-enterprise architecture work, probably about 30 years, and I first met John Zachman well over 20 years ago.

In addition to being an enterprise architect I am also a University Professor at California State University, Los Angeles. My focus there is on Organizational Communications. While being a professor, I always have been involved in doing contract consulting for companies like Digital Equipment Corporation, ASK, AT&T, NCR, then Ptech.

About 15 years ago, a colleague of mine and I founded the FEAC Institute. The initial name for that was the Federal Enterprise Architecture Certification Institute, and then we changed it to Federated. It actually goes by both names.

The business driver of that was the Clinger–Cohen Bill in 1996 when it was mandated by government that all federal agencies must have an enterprise architecture.

And then around 2000, they began to enforce that regulation. My business partner at that time, Felix Rausch, and I felt that we need some certification in how to go about doing and meeting those requirements, both for the federal agencies and the Department of Defense. And so that’s when we created the FEAC Institute.

Beginning of FEAC

In our first course, we had the Executive Office of the President, US Department of Fed, which I believe was the first Department of the Federal Government that was hit by OMB which held up their budget for not having an enterprise architecture on file. So they were pretty desperate, and that began the first of the beginning of the FEAC.

Since that time, a lot of people have come in from the commercial world and from international areas. And the idea of FEAC was that you start off with learning how to do enterprise architecture. In a lot of programs, including TOGAF, you sort of have to already know a little bit about enterprise architecture, the hermeneutical circle. You have to know what it is to know.

In FEAC we had a position that you want to provide training and educating in how to do enterprise architecture that will get you from a beginning state to be able to take full responsibility for work doing enterprise architecture in a matter of three months. It’s associated with the California State University System, and you can get, if you so desire, 12 graduate academic units in Engineering Management that can be applied toward a degree or you can get continuing education units.

So that’s how we began that. Then, a couple of years ago, my business partner decided he wanted to retire, and fortunately there was this guy named John Zachman, who will never retire. He’s a lot younger than all of us in this room, right? So he purchased the FEAC Institute.

I still maintain a relationship with it as Academic Director, in which primarily my responsibilities are as a liaison to the universities. My colleague, Cort Coghill, is sort of the Academic Coordinator of the FEAC Institute.

FEAC is an organization that also incorporates a lot of the training and education programs of Zachman International, which includes managing the FEAC TOGAF courses, as well as the Zachman certified courses, which we will tell you more about.

‘m just a little bit surprised by this idea, the panel, the way we are constructed here, because I didn’t have a presentation. I’m doing it off the top, as you can see. I was told we are supposed to have a panel discussion about the synergies of enterprise architecture. So I prepared in my mind the synergies between the different enterprise architectures that are out there.

For that, I just wanted to make a strong point. I wanted to talk about synergy like a bifurcation between on the one hand, “TOGAF and Zachman” as being standing on one side, whereas the statement has been made earlier this morning and throughout the meeting is “TOGAF and.”

Likewise, we have Zachman, and it’s not “Zachman or, but it’s ‘Zachman and.” Zachman provides that ontology, as John talks about it in his periodic table of basic elements of primitives through which we can constitute any enterprise architecture. To attempt to build an architecture out of composites and then venting composites and just modeling  you’re just getting a snapshot in time and you’re really not having an enterprise architecture that is able to adapt and change. You might be able to have a picture of it, but that’s all you really have.

That’s the power of The Zachman Framework. Hopefully, most of you will attend our demonstration this afternoon and a workshop where we are actually going to have people work with building primitives and looking at the relationship of primitives, the composites with a case study.

Getting lost

On the other side of that, Schekkerman wrote something about the forest of architectural frameworks and getting lost in that. There are a lot of enterprise architectural frameworks out there.

I’m not counting TOGAF, because TOGAF has its own architectural content metamodel, with its own artifacts, but those does not require one to use the artifacts in the architectural content metamodel. They suggest that you can use DoDAF. You can use MODAF. You can use commercial ones like NCR’s GITP. You can use any one.

Those are basically the competing models. Some of them are commercial-based, where organizations have their own proprietary stamps and the names of the artifacts, and the wrong names for it, and others want to give it its own take.

I’m more familiar nowadays with the governmental sectors. For example, FEAF, Federal Enterprise Architecture Framework Version 2. Are you familiar with that? Just go on the Internet, type in FEAF v2. Since Scott Bernard has been the head, he is the Chief Architect for the US Government at the OMB, he has developed a model of enterprise architecture, what he calls the Architecture Cube Model, which is an iteration off of John’s, but he is pursuing a cube form rather than a triangle form.

Also, for him the FEAF-II, as enterprise architecture, fits into his FEAF-II, because at the top level he has the strategic plans of an organization.

It goes down to different layers, but then, at one point, it drops off and becomes not only a solution, but it gets into the manufacturing of the solution. He has these whole series of artifacts that pertain to these different layers, but at the lower levels, you have a computer wiring closet diagram model, which is a little bit more detailed than what we would consider to be at a level of enterprise architecture.

Then you have the MODAF, the DoDAF, and all of these other ones, where a lot of those compete with each other more on the basis of political choices.

With the MODAF, the British obviously don’t want to use DoDAF, they have their own, but they are very similar to each other. One view, the acquisition view, differs from the project view, but they do the same things. You can define them in terms of each other.

Then there is the Canadian, NAF, and all that, and they are very similar. Now, we’re trying to develop the unified MODAF, DoDAF, and NAF architecture, UPDM, which is still in its planning stages. So we are moving toward a more integrated system.

BrownAllen Brown: Let’s move on to some of the questions that folks are interested in. Moving away from what the frameworks are, there is a question here. How does enterprise architecture take advantage of the impact of new emerging technologies like social, mobile, analytics, cloud, and so on?

Bidirectional change

John A Zachman: The change can take place in the enterprise either from the top, where we change the context of the enterprise, or from the bottom, where we change the technologies.

So technology is expressed in the context of the enterprise, what I would call Rule 4, and that’s the physical domain. And it’s the same way in any other — the building architecture, the airplane architecture, or anything. You can implement the logic, the as-designed logic, in different technologies.

Whatever the technology is, I made an observation that you want to engineer for flexibility. You separate the independent variables. So you separate the logic at Rule 3 from the physics of Rule 4, and then you can change Rule 4 without changing Rule 3. Basically that’s the idea, so you can accommodate whatever the emerging technologies are.

Bellman: I would just continue with that. I agree with John. Thinking about the synergy between the different architectures, basically every enterprise architecture contains, or should contain, considerations of those primitives. Then, it’s a matter of which a customer wants, which a customer feels comfortable with? Basically as long as you have those primitives defined, then you essentially can use any architecture. That constitute the synergy between the architectures.

Band: I agree with what’s been said. It’s also true that I think that one of the jobs of an enterprise architect is to establish a view of the organization that can be used to promote understanding and communicate and manage change. With cloud-based systems, they are generally based on metadata, and the major platforms, like as an example. They publish their data models and their APIs.

So I think that there’s going to be a new generation of systems that provide a continuously synchronized, real-time view of what’s going on in the enterprise. So the architectural model will model this in the future, where things need to go, and they will do analyses, but we will be using cloud, big data, and even sensor technologies to understand the state of the enterprise.

Bellman: In the DoDaF 2.0, when that initially came out, I think it was six years ago or so, they have services architecture, a services view, and a systems view. And one of the points they make within the context, not as a footnote, is that they expect the systems view to sort of disappear and there will be a cloud view that will take its place. So I think you are right on that.

Chris Forde: The way I interpreted the question was, how does EA or architecture approach the things help you manage disruptive things? And if you accept the idea that enterprise architecture actually is a management discipline, it’s going to help you ask the right questions to understand what you are dealing with, where it should be positioned, what the risks and value proposition is around those particular things, whether that’s the Internet of Things, cloud computing, or all of these types of activities.

So going back to the core of what Terry’s presentation was about is a decision making framework with informed questions to help you understand what you should be doing to either mitigate the risk, take advantage of the innovation, and deploy the particular thing in a way that’s useful to your business. That’s the way I read the question.

Impact of sensors

Band: Just to reinforce what Chris says, as an enterprise architect in healthcare, one of the things that I am looking at very closely is the evaluation of the impact of health sensor technology. Gartner Group says that by 2020, the average lifespan in a developed country will be increased by six months due to mobile health monitoring.

And so there are vast changes in the whole healthcare delivery system, of which my company is at the center as a major healthcare payer and investor in all sorts of healthcare companies. I use enterprise architecture techniques to begin to understand the impact of that and show the opportunities to our health insurance business.

Brown: If you think about social and mobile and you look at the entire enterprise architecture, now you are starting to expand that beyond the limits of the organization, aren’t you? You’re starting to look at, not just the organization and the ecosystem, your business partners, but you are also looking at the impact of bringing mobile devices into the organization, of managers doing things on their own with cloud that wasn’t part of the architecture. You have got the relationship with consumers out there that are using social and mobile. How do you capture all of that in enterprise architecture?

Forde: Allen, if I had the answer to that question I would form my own business and I would go sell it.

Back in the day, when I was working in large organizations, we were talking about the extended enterprise, that kind of ecosystem view of things. And at that time the issue was more problematic. We knew we were in an extended ecosystem, but we didn’t really have the technologies that effectively supported it.

The types of technologies that are available today, the ones that The Open Group has white papers about — cloud computing, the Internet of Things, this sort of stuff — architectures can help you classify those things. And the technologies that are being deployed can help you track them, and they can help you track them not as documents of the instance, but of the thing in real time that is talking to you about what its state is, and what its future state will be, and then you have to manage that information in vast quantities.

So an architecture can help you within your enterprise understand those things and it can help you connect to other enterprises or other information sources to allow you to make sense of all those things. But again, it’s a question of scoping, filtering, making sense, and abstracting — that key phrase that John pointed out earlier, of abstracting this stuff up to a level that is comprehensible and not overwhelming.

Brown: So Iver, at Cambia Health, you must have this kind of problem now, mustn’t you?

Provide value

Band: That’s exactly what I am doing. I am figuring out what will be the impact of certain technologies and how our businesses can use them to differentiate and provide value.

In fact, I was just on a call this morning with JeffSTAT, because the whole ecosystem is changing, and we know that healthcare is really changing. The current model is not financially sustainable, and there is also tremendous amount of waste in our healthcare system today. The executives of our company say that about a third of the $2.7 trillion and rising spent on healthcare in the US doesn’t do anyone any good.

There’s a tremendous amount of IT investment in that, and that requires architecture to tie it altogether. It has to do with all the things ranging from the logic with which we edit claims, to the follow-up we provide people with particularly dangerous and consequently expensive diseases. So there is just a tremendous amount going through an enterprise architecture. It’s necessary to have a coherent narrative of what the organization needs to do.

Bellman: One thing we all need to keep in mind is even more dynamic than that, if you believe even a little bit of Kurzweil’s possibilities is that — are people familiar with Ray Kurzweil’s ‘The Singularity Is Near’ — 2037 will be around the singularly between computers and human beings.

So I think that the wrap where he argues that the amount of change is not linear but exponential, and so in a sense you will never catch up, but you need an architecture to manage that.

By The Open GroupZachman: The way we deal with complexity is through classification. I suggest that there is more than one way to classify things. One is one-dimensional classification, taxonomy, or hierarchy, in effect, decompositions, one-dimensional classification, and that’s really helpful for manufacturing. From an engineering standpoint of a two-dimensional classification, where we have classified things so that they are normalized, one effect in one place.

Then if you have the problems identified, you can postulate several technology changes or several changes and simulate the various implications of it.

The whole reason why I do architecture has to do with change. You deal with extreme complexity and then you have to accommodate extreme change. There is no other way to deal with it. Humanity, for thousands of years, has not been able to figure out a better way to deal with complexity and change other than architecture.

Forde: Maybe we shouldn’t apply architecture to some things.

For example, maybe the technologies or the opportunity is so new, we need to have the decision-making framework that says, you know what, let’s not try and figure out all this, just to self-control their stuff in advance, okay? Let’s let it run and see what happens, and then when it’s at the appropriate point for architecture, let’s apply it, this is a more organic view of the way nature and life works than the enterprise view of it.

So what I am saying is that architecture is not irrelevant in that context. It’s actually there is a part of the decision-making framework to not architect something at this point in time because it’s inappropriate to do so.

Funding and budgeting

Band: Yeah, I agree that wholeheartedly. If it can’t be health solutions, we are a completely agile shop. All the technology development is on the same sprint cycle, and we have three-week sprints, but we also have certain things that are still annual and wonderful like funding and budgeting.

We live in a tension. People say, well, what are you going to do, what budget do you need, but at the same time, I haven’t figured everything out. So I am constantly living in that gap of what do I need to meet a certain milestone to get my project funded, and what do I need to do to go forward? Obviously, in a fully agile organization, all those things would be fluid. But then there’s financial reporting, and we would also have to be fluid too. So there are barriers to that.

For instance, the Scaled Agile Framework, which I think is a fascinating thing, has a very clear place for enterprise architecture. As Chris said, you don’t want to do too much of it in advance.  I am constantly getting the gap between how can I visualize what’s going to happen a year out and how can I give the development teams what they need for the sprint. So I am always living in that paradox.

Bellman: The Gartner Group, not too long ago, came up with the concept of emerging enterprise architecture and what we are dealing with. Enterprises don’t exist like buildings. A building is an object, but an enterprise is a group of human beings communicating with one another.

As a very famous organizational psychologist Karl Weick once pointed out, “The effective organization is garrulous, clumsy, superstitious, hypocritical, mostrous, octopoid, wandering, and grouchy.” Why? Because an organization is continually adapting, continually changing, and continually adapting to the changing business and technological landscape.

To expect anything other than that is not having a realistic view of the enterprise. It is emerging and it is a continually emerging phenomena. So in a sense, having an architecture concept I would not contest, but architecting is always worthwhile. It’s like it’s an organic phenomena, and that in order to deal with that what we can also understand and have an architecture for organic phenomena that change and rapidly adapt.

Brown: Chris, where you were going follows the lines of what great companies do, right?

There is a great book published about 30 years ago called ‘In Search of Excellence.’ If you haven’t read it, I suggest that people do. Written by Peters and Waterman, and Tom Peters has tried for ever since to try and recreate something with that magic, but one of the lessons learned was what great companies do, is something that goes simultaneous loose-tight properties. So you let somethings be very tightly controlled, and other things as are suggesting, let them flourish and see where they go before I actually box them in. So that’s a good thought.

So what do we think, as a panel, about evolving TOGAF to become an engineering methodology as well as a manufacturing methodology?

Zachman: I really think it’s a good idea.

Brown: Chris, do you have any thoughts on that?

Interesting proposal

Forde: I think it’s an interesting proposal and I think we need to look at it fairly seriously. The Open Group approach to things is, don’t lock people into a specific way of thinking, but we also advocate disciplined approach to doing things. So I would susspect that we are going to be exploring John’s proposal pretty seriously.

Brown: You mentioned in your talk that decision-making process is a precondition, the decision-making process to govern IT investments, and the question that comes in is how about other types of investments including facilities, inventory and acquisitions?

By The Open GroupForde: The wording of the presentation was very specific. Most organizations have a process or decision-making framework on an annual basis or quarterly whatever the cycles are for allocation of funding to do X, Y or Z. So the implication wasn’t that IT was the only space that it would be applied.

However, the question is how effective is that decision-making framework? In many organizations, or in a lot of organizations, the IT function is essentially an enterprise-wide activity that’s supporting the financial activities, the plant activities, these sorts of things. So you have the P&Ls from those things flowing in some way into the funding that comes to the IT organization.

The question is, when there are multiple complexities in an organization, multiple departments with independent P&Ls, they are funding IT activities in a way that may not be optimized, may or may not be optimized. For the architects, in my view, one of the avenues for success is in inserting yourself into that planning cycle and influencing,  because normally the architecture team does not have direct control over the spend, but influencing how that spend goes.

Over time gradually improving the enterprise’s ability to optimize and make effective the funding it applies for IT to support the rest of the business.

Zachman: Yeah, I was just wondering, you’ve got to make observation.

Band: I agree, I think that the battle to control shadow IT has been permanently lost. We are in a technology obsessed society. Every department wants to control some technology and even develop it to their needs. There are some controls that you do have, and we do have some, but we have core health insurance businesses that are nearly a 100 years old.

Cambia is constantly investing and acquiring new companies that are transforming healthcare. Cambia has over a 100 million customers all across the country even though our original business was a set of regional health plans.

Build relationships

You can’t possibly rationalize all of everything I want you to pay for on that thing. It is incumbent upon the architects, especially the senior ones, to build relationships with the people in these organizations and make sure everything is synergetic.

Many years ago, there was a senior architect. I asked him what he did, and he said, “Well, I’m just the glue. I go to a lot of meetings.” There are deliverables and deadlines too, but there is a part of consistently building the relationships and noticing things, so that when there is time to make a decision or someone needs something, it gets done right.

Zachman: I was in London when Bank of America got bought by NationsBank, and it was touted as the biggest banking merger in the history of the banking industry.

Actually it wasn’t a merger, it was an acquisition NationsBank acquired Bank of America and then changed the name to Bank of America. There was a London paper that was  observing that the headline you always see is, “The biggest merger in the history of the industry.” The headline you never see is, “This merger didn’t work.”

The cost of integrating the two enterprises exceeded the value of the acquisition. Therefore, we’re going to have to break this thing up in pieces and sell off the pieces as surreptitiously as possible, so nobody will notice that we buried any accounting notes someplace or other. You never see that article. You’ll only see the one about the biggest merger.

If I was the CEO and my strategy was to grow by acquisition, I would get really interested in enterprise architecture. Because you have to be able to anticipate the integration of the cost, if you want to merge two enterprises. In fact, you’re changing the scope of the enterprise. I have talked a little bit about the role on models, but you are changing the scope. As soon as you change a scope, you’re now going to be faced with an integration issue.

Therefore you have to make a choice, scrap and rework. There is no way, after the fact, to integrate parts that don’t fit together. So you’re gong to be faced a decision whether you want to scrap and rework or not. I would get really interested in enterprise architecture, because that’s what you really want to know before you make the expenditure. You acquire and obviously you’ve already blown out all the money. So now you’ve got a problem.

Once again, if I was the CEO and I want to grow by acquisition or merger acquisition, I would get really interested in enterprise architecture.

Cultural issues

Beryl Bellman: One of the big problems we are addressing here is also the cultural and political problems of organizations or enterprises. You could have the best design type of system, and if people and politics don’t agree, there are going to be these kind of conflicts.

I was involved in my favorite projects at consulting. I was involved in consulting with NCR, who was dealing with Hyundai and Samsung and trying to get them together at a conjoint project. They kept fighting with each other in terms of knowledge management, technology transfer, and knowledge transfer. My role of it was to do an architecture of that whole process.

It was called RIAC Research Institute in Computer Technology. On one side of the table, you had Hyundai and Samsung. On the other side of the table, you had NCR. They were throwing PowerPoint slides back and forth at each other. I brought up that the software we used at that time was METIS, and METIS modeled all the processes, everything that was involved.

Samsung said you just hit it with a 2×4. I used to be demonstrating it, rather than tossing out slides, here are the relationships, and be able to show that it really works. To me that was a real demonstration that I can even overcome some of the politics and cultural differences within enterprises.

Brown: I want to give one more question. I think this is more of a concern that we have raised in some people’s minds today, which is, we are talking about all these different frameworks and ontologies, and so there is a first question.

The second one is probably the key one that we are looking at, but it asks what does each of the frameworks lack, what are the key elements that are missing, because that leads on to the second question that says, isn’t needing to understand old enterprise architecture frameworks is not a complex exercise for a practitioner?

Band: My job is not about understanding frameworks. I have been doing enterprises solution architecture in HP at a standard and diversified financial services company and now at health insurance and health solutions company out for quite a while, and it’s really about communicating and understanding in a way that’s useful to your stakeholders.

The frameworks about creating shared understanding of what we have and where are we going to go, and the frameworks are just a set of tools that you have in your toolbox that most people don’t understand.

So the idea is not to understand everything but to get a set of tools, just like a mechanic would, that you carry around that you use all the time. For instance, there are certain types of ArchiMate views that I use when I am in a group. I will draw an ArchiMate business process view with application service use of the same. What are the business processes you need to be and what are the exposed application behaviors that they need to consume?

I had that discussion with people on the business who are in IT, and we drove those diagrams. That’s a useful tool, it works for me, it works for the people around me, it works in my culture, but there is no understanding over frameworks unless that’s your field of study. They are all missing the exact thing you need for a particular interaction, but most likely there is something in there that you can base the next critical interaction on.

Six questions

Zachman: I spent most of my life thinking about my frameworks. There are six questions you have to answer to have a complete description of whatever it is, what I will describe, what, how, where, who, and why. So that’s complete.

The philosophers have established six transformations interestingly enough, the transfer of idea into an instantiation, so that’s a complete set, and I did not invent either one of these, so the six interrogatives. They have the six stages of transformation and that framework has to, by definition, accommodate any factor that’s relevant to the existence of the object of the enterprise.  Therefore any fact has to be classifiable in that structure.

My framework is complete in that regard. For many years, I would have been reluctant to make a categorical statement, but we exercised this, and there is no anomaly. I can’t find an anomaly. Therefore I have a high level of confidence that you can classify any fact in that context.

There is one periodic table. There are n different compound manufacturing processes. You can manufacture anything out of the periodic table. That metaphor is really helpful. There’s one enterprise architecture framework ontology. I happened to stumble across, by accident, the ontology for classifying all of the facts relevant to an enterprise.

I wish I could tell you that I was so smart and understood all of these things at the beginning, but I knew nothing about this, I just happened to stumble across it. The framework fell on my desk one day and I saw the pattern. All I did was I put enterprise names on the same pattern for descriptive representation of anything. You’ve heard me tell quite a bit of the story this afternoon. In terms of completeness I think my framework is complete. I can find no anomalies and you can classify anything relative to that framework.

And I agree with Iver, that there are n different tools you might want to use. You don’t have to know everything about every framework. One thing is, whatever the tool is that you need to deal with and out of the context of the periodic table metaphor, the ontological construct of The Zachman Framework, you can accommodate whatever artifacts the tool creates.

You don’t have to analyze every tool, whatever tool is necessary, if you want to do with business architecture, you can create whatever the business architecture manifestation is. If you want to know what DoDAF is, you can create the DoDAF artifacts. You can create any composite, and you can create any compound from the periodic table. It’s the same idea.

I wouldn’t spend my life trying to understand all these frameworks. You have to operate the enterprise, you have to manage the enterprise and whatever the tool is, it’s required to do whatever it is that you need to do and there is something good about everything and nothing necessarily does everything.

So use the tool that’s appropriate and then you can create whatever the composite constructs are required by that tool out of the primitive components of the framework. I wouldn’t try to understand all the frameworks.

What’s missing

Forde: On a daily basis there is a line of people at these conferences coming to tell me what’s missing from TOGAF. Recently we conducted a survey through the Association of Enterprise Architects about what people needed to see. Basically the stuff came back pretty much, please give us more guidance that’s specific to my situation, a recipe for how to solve world hunger, or something like that. We are not in the role of providing that level of prescriptive detail.

The value side of the equation is the flexibility of the framework to a certain degree to allow many different industries and many different practitioners drive value for their business out of using that particular tool.

So some people will find value in the content metamodel in the TOGAF Framework and the other components of it, but if you are not happy with that, if it doesn’t meet your need, flip over to The Zachman Framework or vice versa.

John made it very clear earlier that the value in the framework that he has built throughout his career and has been used repeatedly around the world is its rigor, it’s comprehensiveness, but he made very clear, it’s not a method. There is nothing in there to tell you how to go do it.

So you could criticize The Zachman Framework for a lack of method or you could spend your time talking about the value of it as a very useful tool to get X, Y, and Z done.

From a practitioner’s standpoint, what one practitioner does is interesting in a value, but if you have a practice between 200 and 400 architects, you don’t want everybody running around like a loose cannon doing it their way, in my opinion. As a practice manager or leader you need something that makes those resources very, very effective. And when you are in a practice of that size, you probably have a handful of people trying to figure out how the frameworks come together, but most of the practitioners are tasked with taking what the organization says is their best practice and executing on it.

We are looking at improving the level of guidance provided by the TOGAF material, the standard and guidance about how to do specific scenarios.

For example, how to jumpstart an architecture practice, how to build a secure architecture, how to do business architecture well? Those are the kinds of things that we have had feedback on and we are working on around that particular specification.

Brown: So if you are employed by the US Department of Defense you would be required to use DoDAF, if you are an enterprise architect, because of the views it provides. But people like Terri Blevins that did work in the DoD many years, used TOGAF to populate DoDAF. It’s a method, and the method is the great strength.

If you want to have more information on that, there are a number of white papers on our website about using TOGAF with DoDAF, TOGAF with COBIT, TOGAF with Zachman, TOGAF with everything else.

Forde: TOGAF with frameworks, TOGAF with buy in, the thing to look at is the ecosystem of information around these frameworks is where the value proposition really is. If you are trying to bootstrap your standards practice inside, the framework is of interest, but applied use, driving to the value proposition for your business function is the critical area to focus on.

The panel, which examined the synergy among the major EA frameworks, consists of moderator Allen Brown, President and Chief Executive Officer, The Open Group; Iver Bank, an Enterprise Architect, Cambia Health Solutions; Dr. Beryl Bellman, Academic Director, FEAC Institute; John Zachman, Chairman and CEO of Zachman International, and originator of the Zachman Framework; and Chris Forde, General Manager, Asia and Pacific Region and Vice President, Enterprise Architecture, The Open Group.

Transcript available here.

Join the conversation @theopengroup #ogchat

You may also be interested in:



Filed under ArchiMate®, big data, Business Architecture, Cloud, Data management, Enterprise Architecture, Enterprise Transformation, Standards, TOGAF®, Uncategorized