How EA is leading enterprise transformation in France

By Eric Boulay, The Open Group France

Earlier this week, in Paris, The Open Group France held the latest in a series of one-day conferences focused on Enterprise Architecture. As usual, the event delivered high-value content in the form of an excellent keynote presentation and case studies. These covered the retail, gambling, and financial industries — including two from CIOs of major French corporations:

Filed under Enterprise Architecture, TOGAF®

Are Business Process Management and Business Architecture a perfect match?

by Serge Thorn, Architecting the Enterprise

Whenever I suggest collaboration between these two worlds, I always observe some sort of astonishment from my interlocutors. Many Enterprise Architects or Business Architects do not realise there may be synergies. Business Process Management (BPM) teams have not understood what Enterprise Architecture is all about, and the other way around… There is no single definition of Business Process Management; often it means different things to different people. To keep it very generic, BPM relates to any activities an organization does to support its process efforts.

There are many activities which can be included in such efforts:

  • The use of industry Business Reference Model (or Business Process Reference Model), a reference for the operational activities of an organization, a framework facilitating a functional Lines of Business, such as
      • The Federal Enterprise Architecture Business Reference Model of the US Federal Government
      • The DoD Business Reference Model
      • The Open Group Exploration and Mining Business Reference Model
      • Frameworx (eTOM) for Telco companies
      • The Supply Chain Operations Reference (SCOR®) model
      • The SAP R/3 Reference Model
      • The Oracle Business Models: Oracle Industry Reference Model for Banking (IRM), Oracle Retail Reference Model
      • And others…
  • The use of organization specific Business Reference models
  • The use of Business process improvement methodologies
      • Lean, a quantitative data driven methodology based on statistics, process understanding and process control
      • Six Sigma, a methodology that mainly focuses on eliminating bad products or services to clients by using statistical evaluation
  • Business Process Reengineering, which in reality is a facet of BPM
  • The understanding of Business Change Management, the process that empowers staff to accept changes that will improve performance and productivity
  • The understanding of Business Transformation, the continuous process, essential to any organization in implementing its business strategy and achieving its vision
  • The use of Business Rules Management which enables organizations to manage business rules for decision automation
  • The understanding of Business Process Outsourcing (BPO) services to reduce costs and increase efficiency
  • The support of Business Process modeling and design, which is an illustrated description of business processes, usually created with flow diagrams. The model contains the relationship between activities, processes, sub-processes and information, as well as roles, the organization and resources. This can be done with many notations such as flow chart, functional flow block diagram, control flow diagram, Gantt chart, PERT diagram, IDEF, and nowadays with the de facto standard notations such as UML and BPMN
  • The support of BPM tools and suites implementation. With the right, process models can be simulated, to drive workflow or BPMS systems, and can be used as the basis for an automated process monitoring system (BAM)
  • The support of Business Activity Monitoring (BAM), the ability to have end-to-end visibility and control over all parts of a process or transaction that spans multiple applications and people in one or even more companies

To combine Business Process Management and Enterprise Architecture for better business outcomes is definitely the way forward, where BPM provides the business context, understanding, and metrics, and Enterprise Architecture provides the discipline to translate business vision and strategy into architectural changes. Both are needed for sustainable continuous improvement. When referring to Enterprise Architecture, we would mainly refer to Business Architecture. Business Architecture involves more than just the structure of business processes. It also entails the organization of departments, roles, documents, assets, and all other process-related information.

Business Architects may be defining and implementing the Business Process framework and, in parallel, influencing the strategic direction for Business Process Management and improvement methodologies (e.g. Lean, Six Sigma). The business process owners and Business Analysts are working within their guidelines at multiple levels throughout the organizations’ business process. They have roles and responsibilities to manage, monitor and control their processes.

An important tool in developing Business Architecture is a Business Reference Model. These types of models are enormously beneficial. They can be developed in the organization to build and extend the information architecture. The shared vocabulary (verbal and visual) that emerges from these efforts promotes clear and effective communication.

To illustrate the touch points between Enterprise Architecture and Business Process Management, I have illustrated in the table below the synergies between the two approaches using TOGAF® 9.

In this table, we observe that there is a perfect match between Business Process Management and the use of an Enterprise Architecture framework such as TOGAF. BPM is often project based and the Business Architect (or Enterprise Architect) may be responsible for identifying cross-project and cross-process capabilities. It can be considered as being the backbone of an Enterprise Architecture program. We can also add to this that Service Oriented Architecture is the core operational or transactional capability while BPM does the coordination and integration into business processes.

When using BPM tools and suites, you should also consider the following functionalities: workflow, enterprise application integration, content management and business activity monitoring. These four components are traditionally provided by vendors as separate applications which are merged through BPM into a single application with high levels of integration. The implementation of a BPM solution should theoretically eliminate the maintenance and support cost of these four applications resulting in reducing the total cost of ownership.

Business Architecture provides the governance, alignment and transformational context for BPM across business units and silos. Enterprise Architects, Business Architects and Business Analysts should work together with BPM teams when approaching the topic of Business Process Management. BPM efforts need structures and appropriate methodologies. They need a structure to guide efforts at different levels of abstraction (separating “the what” (the hierarchical structure of business functions) from “the how” (how the desired results are achieved)), a documented approach and structure to navigate among the business processes of the organization, i.e. a Business Architecture. They also need a methodology such as an Enterprise Architecture framework to retain and leverage what they have learned about managing and conducting BPM projects.

Editor’s note: The Open Group Architecture Forum and the TM Forum have published a technical report exploring the synergies and identifying integration points between TOGAF and Frameworx. Download it here

This article has previously appeared in Serge Thorn’s personal blog and appears here with his permission.

Serge Thorn is CIO of Architecting the Enterprise. He has worked in the IT Industry for over 25 years, in a variety of roles, which include: Development and Systems Design, Project Management, Business Analysis, IT Operations, IT Management, IT Strategy, Research and Innovation, IT Governance, Architecture and Service Management (ITIL). He has more than 20 years of experience in Banking and Finance and 5 years of experience in the Pharmaceuticals industry. Among various roles, he has been responsible for the Architecture team in an international bank, where he gained wide experience in the deployment and management of information systems in Private Banking, Wealth Management, and also in IT architecture domains such as the Internet, dealing rooms, inter-banking networks, and Middle and Back-office. He then took charge of IT Research and Innovation (a function which consisted of motivating, encouraging creativity, and innovation in the IT Units), with a mission to help to deploy a TOGAF based Enterprise Architecture, taking into account the company IT Governance Framework. He also chaired the Enterprise Architecture Governance worldwide program, integrating the IT Innovation initiative in order to identify new business capabilities that were creating and sustaining competitive advantage for his organization. Serge has been a regular speaker at various conferences, including those by The Open Group. His topics have included “IT Service Management and Enterprise Architecture”, “IT Governance”, “SOA and Service Management”, and “Innovation”. Serge has also written several articles and whitepapers for different magazines (Pharma Asia, Open Source Magazine). He is the Chairman of the itSMF (IT Service Management forum) Swiss chapter and is based in Geneva, Switzerland.

Filed under Enterprise Architecture, TOGAF®

New Cloud Computing book from The Open Group helps organizations develop the case for key Cloud operating metrics and ROI

By Mark Skilton, Capgemini

Cloud Computing is more than just a utility cost reduction exercise of your IT storage and computing assets through subscribing or purchasing to an on-demand, pay-as-you-go model. Cloud Computing is evolving into an ecosystem of services from storage, computing and network infrastructure to impacting the integration and application software to transform the business processes and market service models. The many public discussions on search engines, edge networks and the myriad of mobile and tablet device technologies and operating systems are some of the many visible indicators of the high profile Cloud Computing has achieved today.

From an international perspective, The Open Group is well placed to see these large-scale effects on architecture in IT sourcing and delivery of on-demand, “always on” services. Major public Clouds provide significant social networking, computing and productivity services reaching across all industries.

A key challenge for companies is to understand key business and IT metrics that Cloud Computing can help achieve in operating cost efficiency savings, and how it can drive revenue and growth potential. This applies across the industry from private to public federal sectors.

Key challenges include:

  • How to identify the key model definitions for Cloud Computing?
  • Why is Cloud creating new business opportunities for large and small companies?
  • How to define key metrics for both the risk and value of Cloud Computing?
  • What are the successful case studies for a strong and sustainable business case for Cloud Computing?

The Open Group recently published a new book, Cloud Computing for Business: The Open Group Guide, to address these issues through specific guidance on business drivers for Cloud; defining the Cloud vision and buying requirements criteria; assessing risk; and building the return on investment metrics and case for Cloud Computing. The book gives managers reliable and independent guidance that will help to support decisions and actions in this key operational area.

Download the book now (Open Group members only)
Buy a hard copy
Read the press announcement
Read an excerpt of the book
Read the blog post announcing the book, or Mark’s previous blog post on the book

Mark Skilton, Director, Capgemini, is the Co-Chair of The Open Group Cloud Computing Work Group. He has been involved in advising clients and in the development of strategic portfolio services in Cloud Computing and business transformation. His recent contributions include the publication of widely syndicated Return on Investment models on Cloud Computing that achieved 50,000 hits on CIO.com and in the British Computer Society 2010 Annual Review. His current activities include development of new Cloud Computing Model standards and best practices on the subject of Cloud Computing impact on Outsourcing and Off-shoring models, and he contributed to the second edition of the Handbook of Global Outsourcing and Off-shoring, published through his involvement with Warwick Business School UK Specialist Masters Degree Program in Information Systems Management.

Filed under Cloud

Adoption of Cloud Computing raises key challenges for the industry

By Mark Skilton, Capgemini

Recently, The Open Group published the book, Cloud Computing for Business: The Open Group Guide, to help businesses navigate the complexities of the value and ROI that can be gained from Cloud Computing. While there are aspirations and evidence that Cloud Computing is now a mainstream business and IT strategic paradigm for operations and services, for most organizations there still remains the challenge of making the right selection and choice of Cloud services, and the question of what savings and potential benefits may be achieved from making this shift as a customer or provider.

Many large and small companies are seeking similar benefits from Cloud Computing, but with a different emphasis on coordination and control. Core services such as risk and security management, service level management, and demand and supply availability have weighed heavily on all companies in assessing options in committing key operations to private or public Cloud services. Specific software and platform workloads also need to be identified and matched to real company needs. The alignment, coordination and transition to new business on-demand models can also take effect in the back office IT function as well as with front-end users consuming the services, particularly in larger corporations made up of many departments and disparate business units.

Yet the Cloud phenomenon is not just corporate enterprise; it is also now part of mobility and social networking and network media. Companies are seeing new supply and customer channels being created through online social networks and web portals that can fundamentally alter provisioning strategies, restructuring operations and competitive advantage positions for customers and providers alike.  This “ecosystem” effect is the long-tail — sourcing and utility computing turning full circle as companies and customer expectations become catalog and on-demand oriented.

Key challenges include:

  • What are the growth markets and opportunities for Cloud Computing?
  • How is Cloud Computing changing the business and IT services landscape?
  • How do I define a robust Cloud risk assessment method for transitioning to Cloud Computing?
  • What are the cost, time and performance metrics that matter for Cloud Computing?

Cloud Computing for Business: The Open Group Guide offers specific guidance that addresses many of Cloud Computing’s key challenges, which include choosing the appropriate Cloud solution, buying requirements and measuring return on investment. The book also gives managers reliable and independent guidance that will help to support decisions and actions in this key operational area.

Download the book now
Buy a hard copy
Read the press announcement
Read an excerpt of the book
Read the previous blog post announcing the book

Filed under Cloud

Introducing our new book: Cloud Computing For Business

By Stuart Boardman, Getronics

Today was a dream day for cloud spotters. In the course of a 90-minute drive I could have ticked off at least 10 of the distinct cloud types documented in my “Cloud Collector’s Handbook” (No, I’m not a cloud nerd – it was given to me as a joke). It doesn’t do to stretch a metaphor too far but it’s quite interesting how what I saw could reflect the variety of situations with which a consumer (or even provider) of Cloud services might be confronted: well-defined shapes with a clearly substantial content; fine-grained but still well-defined little packages; vast, vague shapes that require great expertise to understand what they promise; thin, wispy layers linking other things together; but also every type mixed through and layered on each other. At the end I experienced (thanks to an immense downpour) what it’s like to be right inside a cloud – you can’t see a damn thing – including the other folks you’re sharing the service with – but they’re there and one way or another they might have an effect on you.

What I really want to talk about is The Open Group’s new book, Cloud Computing For Business, which you can download from The Open Group online bookstore or buy in hardback from van Haren Publishing. There’s no shortage of books about Cloud, so you might reasonably ask what could make this one so interesting. Well, that’s partly down to what it is and partly to what it isn’t. The title ought to give a clue. It’s not a Cloud collector’s handbook. It’s not interested in tying down the fine-grained differences between different types of Cloud service. It’s not concerned with marginal decisions about exactly what is and is not a Cloud service.

It IS concerned with helping you understand what you might be able to get out of a Cloud service, and how to ensure that it really delivers what you expect.

This book is concerned with value, as you might expect from a book with the word “Business” in the title. The sub-title is “The Open Group Guide”. That word Guide is also important. The book’s goal is to be a guide that will help you make your own decisions. It doesn’t offer potted solutions. It looks at the different kinds of value you could obtain from the Cloud and how to develop a strategy for Cloud that is correct for your own organization’s specific situation and goals. The main sections are about understanding what your organization might gain from using Cloud services (and why), how to select the right service (and provider), how to identify and manage risk and how to go about setting, measuring and assuring ROI expectations. There is, of course, an introduction explaining the key features of Cloud. The basis for this is the NIST definition. The Open Group promotes standards, so it’s natural that it makes the maximum use of standards developed elsewhere. In this case that’s the NIST definition – the models and characteristics. What the book adds to this is an exploration of what the different elements of the definition actually mean to Cloud users – why you should care, and also where you should not care.

What makes this book special, though, is the fact that it pulls together the knowledge and experience of a broad group of people from provider and consumer organizations, from business, government and education and from multiple geographies. It’s a product of The Open Group Cloud Computing Work Group and has therefore been the subject of discussion, review and improvement even before it appeared in the book. The Work Group is a focus for exchange of experiences and insights, for collaborative development of practical material and a forum for good, honest debate in a non-partisan environment. Its various projects have produced a series of white papers and reference documents, which in turn have contributed to the development of the book.

The book itself was actively reviewed by an even broader group. So what you get is something that reflects the experiences and opinions of a considerable number of people, who have nothing to gain from these activities apart from what they learn from each other in the process. There aren’t many books of which that can be said and certainly not your typical technical book.

And what I also admire is the refreshing lack of fluff. So many technical books seem to suffer from a need to be priced by weight. The result is that you might as well start reading at page 100, because you won’t have missed anything. This book gets straight down to business.

If you’ll bear with me stretching my metaphor a bit further, in the end there is perhaps a similarity to the Cloud Collector’s Handbook (really a rather admirable and amusing little book, by the way) because both will help you to read the Cloud landscape and know what to expect – and that’s what really matters, isn’t it?

Download the book now
Buy a hard copy
Read the press announcement
Read an excerpt of the book

Stuart Boardman is a Senior Business Consultant with Getronics Consulting where he co-leads the Enterprise Architecture practice as well as the Cloud Computing solutions group. He is co-lead of The Open Group Cloud Computing Work Group’s Security for the Cloud and SOA project and a founding member of both The Open Group Cloud Computing Work Group and The Open Group SOA Work Group. Stuart is the author of publications by the Information Security Platform (PvIB) in The Netherlands and of his previous employer, CGI. He is a frequent speaker at conferences on the topics of Cloud, SOA, and Identity. 

Filed under Cloud

Finding the value in SOA

by Stephen Bennett, Oracle

Republished with permission from CIO Update from an article published on behalf of The Open Group.

Confronted with the age old problems of agility and complexity, today’s CIOs are under more pressure than ever to improve the strategic value of IT to the business. At best, these challenges have increased costs, limited innovation and increased risk. At worst, they have reduced IT’s ability to respond to changing business needs in a timely fashion.

Yet, changes for business and IT are continuing to occur at an ever-increasing pace. To keep up, enterprises need to adopt an agile, flexible architecture style with a proven strategic approach to delivering IT to the business.

Over the last year, I have seen a resurgence of CIOs using Enterprise Architecture (EA) as a key tool to address these challenges. In the past, EA has experienced difficulties within the enterprise. It has been unfairly seen as primarily a documentation exercise and, when applied incorrectly, EA can — ironically — become a silo in and of itself. To make sure that EA has better success this time, CIOs must make their EA efforts more actionable.

Step back: SOA

Service oriented architecture (SOA) has been positioned as an architectural style specifically intended to reduce costs, increase agility and, most importantly, simplify the business and the interoperation of different parts of that business.

A key principle of SOA is the structuring of business capabilities into meaningful, granular services as opposed to opaque and siloed business functions. This makes it possible to quickly identify and reuse any existing realized functional capabilities, thus avoiding the duplication of similar capabilities across the organization. By standardizing the behavior and interoperation of these services, it’s possible to limit the impacts of change and to forecast the likely chain of impacts.

Despite its popularity, relatively few enterprises have been able to measure and demonstrate the value of SOA. This is due primarily to the approach that enterprises have taken when adopting and applying SOA. In most cases, enterprises interpret SOA as simply another solution development approach. As a result, SOA has been relegated or wrongly positioned as a purely integration technology, rather than the strategic enabler that it can be.

Because of this, SOA must not be seen as a solution development approach that starts and ends once a solution is delivered. It must be seen as an on-going process that, when coupled with a strategic framework, can change and evolve with the business over time. Unfortunately, many enterprises adopt SOA without utilizing a strategic framework, causing a host of challenges for their business.

Just a few of the challenges I have seen include:

  • More complexity and moving parts
  • Increased costs
  • Projects taking longer than before
  • Solutions more fragile than ever
  • Little or no agility
  • Difficulty identifying and discovering services
  • Exponentially growing governance challenges
  • Limited service re-use
  • Duplication of effort leading to service sprawl
  • Multiple siloed technology focused SOAs
  • Funding for service oriented projects being cut

It’s no wonder that SOA has a bad reputation.

To address these challenges, enterprises utilizing or considering adopting SOA must align it with an EA framework that elevates the importance of the needs of the enterprise rather than only considering the requirements of individual projects.

Step forward: TOGAF® 9

Now used by 80 percent of the Fortune Global 50, TOGAF®, an Open Group standard, is an architecture framework that contains a detailed method and set of supporting resources for developing an EA. As a comprehensive, open method for EA, TOGAF 9 complements and can be used in conjunction with other frameworks that are more focused on specific aspects of architecture, such as MDA and ITIL.

The Open Group’s new guide, Using TOGAF to Define and Govern Service-Oriented Architectures, aims to facilitate common understanding of the development of SOA while offering a phased approach to maximizing its business impact based on the popular TOGAF methodology. Let’s take a look at the main takeaways from the guide:

Organization readiness - An enterprise first needs to adopt the principle of service-orientation. However, successful SOA depends on the readiness of the enterprise to become service-oriented. To get started with SOA, the guide recommends conducting a maturity assessment. Such an assessment is available from The Open Group and enables a practitioner to assess an organization’s SOA maturity level and define a roadmap for incremental adoption to maximize business benefits at each stage along the way.

Scope - The size and complexity of an enterprise affects the way its architecture develops. Where there are many different organizational and business models, it is not practical to integrate them within a single architecture. It is therefore generally not appropriate to develop a single, integrated SOA for a large and complex enterprise.

TOGAF defines enterprise as any collection of organizations that has a common set of goals. For example, an enterprise could be a government agency, a whole corporation, a division of a corporation, a single department, or a chain of geographically distant organizations linked together by common ownership.

The guide highlights an approach for enterprise architects to identify the business areas where SOA will be of greatest benefit and make a significant impact so that they can be prioritized. This approach will help organizations avoid using SOA in the wrong situations, maximizing their investment and overall business impact.

Communication, communication, communication - Aspects of TOGAF 9 were extended and enhanced to cover specific service-oriented concepts and terminology such as service contracts. Service contracts formalize the functional and non-functional characteristics of a business service and how it interacts with other business services. This enables a business vocabulary to be derived that allows IT to converse with the business in terms of business process and business services and abstracting away the complexity of the underlying technical services.

Governance - The identification of service and service portfolios is a key task for SOA. The questions of what service and service portfolios the enterprise will have, and how they will be managed, must be considered with an enterprise-level view.

Just because you have identified a number of services does not automatically mean they will add value to the enterprise and that they should be realized (at least not initially). Governance plays a key role here and the guide recommends the establishment of SOA governance and the creation of a linkage to both IT and EA governance in the enterprise.

The Open Group has a wealth of information available in this area, specifically an SOA governance framework that provides context and definitions that enable organizations to understand, customize, and deploy SOA governance.

The relationship between EA and SOA is a powerful and synergistic one. They are key enablers for one another, making EA actionable while making the wider business benefits of SOA obtainable.

SOA is certainly not the only architectural approach that your enterprise will require. But it can smooth the alignment and adoption of other architecture styles (e.g., business process management, event-driven architecture) into an EA framework. So rather than reinvent the wheel, organizations should consider using a well-established framework such as TOGAF to elevate and extend the value of SOA.

The Open Group’s new guide is a must-read for any enterprise architect currently using TOGAF, but remember that it needs to be customized and extended to your enterprise’s unique situation. Now, if only The Open Group had a guide on using TOGAF to define and govern Cloud Computing!

Stephen Bennett is a senior enterprise architect at Oracle, an author, and a 25-year technologist focused on providing thought leadership, best practices, and architecture guidance around SOA and Cloud Computing. He has co-chaired a number of Work Groups within The Open Group around SOA Governance and TOGAF/SOA.

Filed under Service Oriented Architecture

PODCAST: Exploring business-IT alignment: A 20-year struggle culminating in the role and impact of Business Architecture

Listen to this recorded podcast here: Exploring Business-IT Alignment: A 20-Year Struggle Culminating in the Role and Impact of Business Architecture

The following is the transcript of a sponsored podcast panel discussion on defining the role and scope of the Business Architect, in conjunction with The Open Group Conference, Austin 2011.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect. Today, we present a sponsored podcast discussion in conjunction with The Open Group Conference in Austin, Texas, the week of July 18, 2011. We’ve assembled a distinguished panel to delve into the role and opportunity for business architecture. We’ll examine how the definition of business architect has matured and we’ll see why it’s so important for this new role to flourish in today’s dynamic business and IT landscapes. We’ll also see how certification and training are helping to shape the business architecture leaders of tomorrow.

Here to help better understand the essential impact of business architecture on business success, is Harry Hendrickx, the Chief Technology Officer, CME Industry Unit, HP Enterprise Services and a Certified Global Enterprise Architect. Welcome, Harry.

Harry Hendrickx: Thank you, Dana.

Gardner: We’re also here with Dave van Gelder, Global Architect in the Financial Services Strategic Business Unit at Capgemini. Welcome, Dave.

Dave van Gelder: Thank you, Dana.

Gardner: And we’re also here with Mieke Mahakena. She is the Label Leader for Architecture in the Training Portfolio at Capgemini Academy and also a Certified Architect. Welcome, Mieke.

Mieke Mahakena: Thank you.

Gardner: Also, Peter Haviland, head of Architecture Services in the Americas for Ernst & Young. Hello, Peter.

Peter Haviland: Morning, Dana.

Gardner: And last, Kevin Daley, Chief Architect in the Technology and Innovation Group at IBM Global Business Services. Hello, Kevin.

Kevin Daley: Hello, Dana.

Gardner: Let me start by addressing both Harry and Kevin. There’s been a new paper that you are working on refining the definition of business architecture, but I’m interested why this is so important now. We see that CEOs around the world really are seeking fundamental change. They recognize that we’re at an inflection point. Why is that the case? Why is the role of business architect so important now? Let’s start with Harry, please.

Business-IT alignment

Hendrickx: Thank you very much, Dana. Yes, it is a very important question, of course. Why are we putting so much effort in getting business architecture on the scene? Over the past one or two decades, business-IT alignment has been number one on the CIO agenda, and apparently the organizations have increasing difficulty getting business-IT alignment resolved.

There are quite a few people pioneering in business-IT alignment, but apparently there was no urgency yet to recognize this role more specifically. HP, in the past two years, interviewed CIOs worldwide, and they all indicated that they face quite large and complex transformation processes. They also recognize that business-IT alignment is one of the key issues. We think that the business architect really can provide some resolution to get those processes in better shape and more successful.

Gardner: Kevin, your thoughts. Why is it so important right now?

Daley: At IBM, we have a CEO study and a CIO study that come out in alternating years. One of the things that started coming out loud and clear in 2010 was that managing complexity and building operating dexterity required a better understanding across the entire company.

We’ve started seeing a trend to move not just from business IT alignment, but to business and IT convergence. There’s an understanding more and more that information technology, and technology in general, is a core part of the business model now. There’s an understanding that now we have a situation where business and IT aren’t so much aligned, because of the fact that IT is part of business.

Where we did interviews and surveys and then compiled them for thousands of CEOs, we came up with three key elements. Amongst those was managing and taking advantage of complexity while building operating dexterity. That’s the key theme.

One of the problems that we’re seeing from the CEOs is having for decades separated IT as if it was its own business unit, instead of part of the true sense of the business. It’s been an interpretive science. To manage that complexity they needed a means by which to start with the design of where they’re going and have a business strategy.

How do they take that strategy and transform it into technology and into information management? They needed an ability to have a framework in which to have that substantive discussion between the people who were responsible, such as the CIO who is responsible for technology and the operations and the COOs, who are really about the execution of the overall picture.

What we’ve seen from our CEOs is a need to start being more integrated. There have been market pressures that they are having to respond to. The big economic downturn was a big change for everyone, and they are trying to address it.

They’re looking at means that they can start integrating more globally. They can start to increase their cost variability and start becoming more agile in how they operate their business. To do that they need a means by which they can more effectively communicate.

Driving understanding

So far, we’ve been seeing that business architecture is a perfect way to start driving an understanding. It’s a place where both people who are used to seeing standard business models like revenue and capability are able to associate that to the different types of architectures and designs that we see coming out of the technology group.

It’s giving them a common place to meet and jointly move forward with what they’re trying to do in terms of managing the complexity, so they can be more agile and dexterous.

Gardner: Dave van Gelder, it sounds as if what we’re trying to do here is at a very high level in the organization. Does a business architect and architecture have to be at a high level to be successful? Where in the org chart do we typically see this role? Is it near the top? Does it matter?

van Gelder: It depends on the maturity of an organization. Within Capgemini nowadays, we talk about business technology. As Kevin said, business and technology are not separate. Technology is part of the total business.

When we started the Business Architecture Working Group in 2006, there was a lot of discussion about two words, business and architecture, and nobody knew exactly what we were talking about. Everybody had a different understanding of those words. In the last years what you have seen is that business architecture is looked at in a different way. Currently in the Business Architecture Working Group, we see business architecture as something that brings the balance between all the other architectures in the company — that’s IT architecture, financial architecture, money, people architecture, and a lot of other architectures.

If business architecture is bringing the balance between the different aspects of a company, then business architecture is something that should be handled in the top of the organization, because balance should be created between all the different aspects in the organization.

Gardner: Based on what Dave said, it sounds, Mieke, as if we’re talking about a federation of architectures. What then is the fundamental problem that the business architect needs to solve? Is this getting into the actual mechanisms or is it about organizing the people around some sort of a vision or strategy?

Mahakena: It’s more like making sure that, whatever transformation you’re going to implement, you align all those different aspects. As Dave told us, there are a number of aspects in an organization that might need to change, and you can have all those different architectures for those aspects. But, if every aspect goes its own way in changing, then they will never be aligned. Business architecture is meant to align all of those aspects to make sure that you have a balanced, consistent, and coherent set of operations at the end.

Gardner: It sounds as if we’re in agreement that this is a high level function, but what is it that people might stumble upon, if they direct this in a wrong direction? What is business architecture not good at? Peter, what should we avoid? What’s a misstep in terms of either the level in the organization or the target of the activity?

Many things at once

Haviland: Business architecture is similar to other forms of architecture, in that it tends to try to do many things all at once. The idea of enterprise alignment is definitely the right outcome, but there is enough complexity there to blow steam out of your head for many, many years to come.

Certainly in our experience of implementing these types of functions in organizations, functions that constrain scope very well also tend to communicate very well around what their status is, what their progress is against milestones, and what outcomes they’ve achieved, and they tend to articulate those outcomes in terms of real business value. What business architecture is not very good at are broad-reaching types of goals that don’t have measurable outcomes.

Gardner: So, it’s not just let’s have a designated business architect and a laurels-wearing individual, but move more towards something that’s very practical and that shows results. That leads to a question about how to professionalize this role.

Anyone could stand up and call themselves a business architect, but what is The Open Group, in particular, doing about actually certifying and moving towards a standardization of some sort? Does anybody have any thoughts about how to make this more rigorous?

Hendrickx: The first question we get asked is, what’s the difference between a business consultant and a business architect or a business analyst and a business architect? We also have enterprise architects and technology architects. Is there a reason for being for the business architect?

This is something we did a lot of research on at HP and we delineated the role of the business architect quite clearly from the business consulting and the business analyst aspect. The business architect’s role is distinct, because he combines the organizational strategy with the operations. He identifies the implications of this strategy, as well as that of the technology for the business operations. This is opposed to the business consultant, who is more outwardly looking to the commercial aspects of the organization and what that means for the structure. The business analyst is looking more at not the structure of the operation, but at the solution level.

When we look at the enterprise architect and the solution architect, the business architect focuses more on the complete implications of the strategy and technology trends on the operations, whereas the enterprise architect is more interested in the IT and the implications for the IT strategy and how IT should be deployed. The business architect is much more focused on the complete performance of the business operations.

So, the bottom line of these delineations of the past one-and-a-half years is that there is a reason for being for a business architect. It is a distinct role and it has a real solution for a problem.

Gardner: Thank you, Harry. Anyone else with some thoughts about how to make the certification and standardization of this stick?

Defining the profession

Mahakena: What we’ve been doing in the Business Forum, after we decided that business architecture has its own reason for existence, we described the business architecture profession – what’s the scope and what should be the outcome of business architecture. Now, we’re working on the practice of business architecture by defining a framework, looking at methods, and defining approaches you can use to do business architecture.

Parallel to that, if you know what the profession is and what the practice is, you’re able to create the business architecture certification, because those things help you define the required skills and experience a business architect needs. So, we are working on that in the Business Forum.

Daley: Let’s look at business architecture from the concept that has existed, combining the thoughts of what Mieke and Harry have already talked about. When we work with clients, for those of us that are in consultancies, we see that there is normally something that’s similar to business architecture, but it’s either a shadow organization inside a purely business unit that isn’t technology focused, or it is things like the enterprise architects who are having to learn the business concepts around business architect anecdotally, so that they can be successful in their roles.

I’d suggest that we’re seeing a need to make it more refined and more explicit, so that we’re able to identify the people that fit for this. They have specific things, instead of having general things that we have today. For me, the certification helps provide that certainty as a hiring manager or as somebody who is looking to staff an organization.

It provides that kind of clarity of what they should be doing, giving them specific activities, specific things they do that create value for the company. It takes out of the behind the scenes action and pulls something that’s critical to success into the front with people who are specifically aligned and educated to do that.

Gardner: Thank you, Kevin. Let’s speak a little bit about why the strategic and top-level aspects of this certified individual or office is so important. It seems to me that, on one hand, we have more need for different technology competencies in an organization, but at the same time, we’re starting to see consolidation, particularly at the data center level, fewer data centers, more powerful and vast data centers and consolidation across different regions. How does globalization fit into this? Do we need to think about the fact that if we have fewer data centers but more technology requirements, doesn’t the role of somebody or some group need to come together so that there is a pan organizational or even global type of effect?

Let’s start with you Peter. How does the globalization impact the importance of this role?

Haviland: Globalization is creating more and more complexity in the business models that organizations are trying to operate. Over the last couple of decades, with the science and the engineering of IT, there has been enormous investment by companies to actually operate, maintain, and improve their IT in their current world.

In many cases this IT work has outpaced the comparable business efforts inside those organizations when they think about their business, their business models, and their business operating principles. What we’re actually seeing now is that the rigor, the engineering, and the effort that’s put into technical architecture and IT architecture is now being proposed on the business side, with many businesses managing process improvement activities. These tend to be at quite a low level, however, when you compare them to business architecture initiatives at the enterprise level.

What we’re actually seeing now is that the rigor, the engineering, and the effort that’s put into technical architecture and IT architecture is now being proposed on the business side and many businesses have process improvement activities. Many of them seem to be at the process level. Those processes are defined at quite a low level, when you compare it to some architecture initiatives that are enterprise wide.

Scope and challenge

If those architecture initiatives are at the high levels that are needed, you start to consider the scope and challenges that come into play, when you start talking about globalization. So, with the increase in scope and the global way that people are operating across cultures, geographies, and languages, that requires this discipline, which does operate at that high level to start to organize the other areas, but perhaps at a lower level.

Gardner: Harry Hendrickx, thoughts about this issue of increased complexity and yet more consolidation in terms of where IT is housed, managed, and governed?

Hendrickx: There are two aspects that need to be paid more attention to with globalization and more complexity. First, the business architect is, or should be, equipped to look at the organization, not only within the boundaries of an organization, but also the ecosystem of organizations that will mold together and have to be connected to produce the value.

Since these are more formalized contracts or relationship with different organizations connected to each other, there is a dynamic that is hardly seen anymore, that is not transparent anymore. There clearly needs to be some more detailed insights and transparency for each organization, so that people understand what the impact of certain developments or events will be. This can’t be done just by logic or just by watching carefully. This really needs some in-depth analysis for which the business architecture is built.

The second part of it is that, due to the complexity, the decision making process has become more complex and there will be more stakeholders involved in the different areas of decision making. The business architect has a clear task and challenge as well. By absorbing the strategy, technology trends, and the different developments and focusing on the applications for operations, he has the opportunity to discuss with the different stakeholders. He has the opportunity to get those stakeholders either mobilized or focused on specific decisions: the deliverables you will provide.

Gardner: We certainly see a lot of important characteristics in this role: global, strategic high level, encompassing business understanding, as well as technology. Dave van Gelder, where do you go to find these kinds of people? Who tends to make a good business architect or is there no real pattern yet established as to who steps up to the plate to be able to manage this type of a job?

van Gelder: To all the complexity already mentioned, I’d want to add something else that we found in the Business Architecture Working Group, which is more research in the whole field. That’s the problem of communication. How do people communicate with each other?

If you look in the IT world, most people come from an engineering background. It’s hard enough to talk to each other and to be clear to each other about what’s possible and how you should go or what you should go for. If you start talking to all those other areas in the business, then suddenly people have a completely other way of thinking. Sometimes they use the same words and don’t understand each other.

It’s not easy to have these kinds of people that need very good communication skills next to all the complexity that you have to handle. On the other hand, you need an architect when it’s complex. You don’t need an architect when it’s simple, because everybody can do it. But an architect is just a person. I say if I am a simple person, I can only handle simple things. What you need are people who can structure. I can only work with things when I can structure it, when the complexity is fairly well-structured. I then have overview of all those complexities, and then I can start communicating with all the parties I have to communicate with.

No real training

At the moment, I don’t see any real training or development of these kinds of people that you need. Most of them come with a lot of experience in a lot of fields, and because of that, they have the possibility to talk to all kinds of people and to bring the message.

Gardner: Mieke, at Capgemini Academy, you’ve obviously encouraged and encountered folks moving towards a business architect role. What are your thoughts on what it takes and where they tend to come from?

Mahakena: Let’s have a look where they can come from. What you see is that this role of business architect can be a next step in one’s career. For example, a business analyst, who has been creating a lot of experience in all kinds of fields, and he could evolve towards a business architect. This person needs to get away from the detail and move towards the strategy and a more holistic view.

Another example could be an enterprise architect who already has analytics skills and communication skills. But, enterprise architects are more or less focusing on IT, so they should move more towards the business part and towards strategy and operations.

One could be the business consultant who is now focusing on strategy, also should have those communication skills, and will be able to communicate with stakeholders in high positions in companies. Business consultants have a lot of industry knowledge. So they should need more knowledge about technology and perhaps improve their analytics skills and learn more to how to structure operations.

So, there are a number of existing roles that already have a lot of skills required for business architecture. They just have to enhance skills and get new skills to do this new role.

Gardner: We talked about how this is important because of the internal organizational shifts and the need for transformation. We’ve seen how globalization makes this more important, but I’d like to also look a little bit at some of the trends and technology.

We’ve seen a great deal of emphasis on cloud computing, hybrid computing, the role of mobile devices, wirelessly connected devices, sensors, and fabric of information which, of course, leads to massive data, and they need to then analyze that data.

This is just a handful of some of the major technology trends. Kevin Daley, it seems to me that managing these trends and these new capabilities for organizations also undergirds and supports this need. So how do you see the technology impetus for encouraging the role of business architect?

Daley: I’m seeing from my work in the field that we’ve got all these things that are converging. Certainly, you’ve got all these enabling technologies and things that are emerging that are making it easier to do technology types of things and speeding them up. So, as they start maturing and as organizations start consuming them, what we’re seeing is that there’s a lack of alignment.

Business relevancy

What this trend is really doing is making sure that you have something that is your controlling device that says what is the business relevancy? Are we measuring these peer-to-peer — measuring something such as massive data and information fabrics compared to something like cloud computing, where you are dispersing the ability to access that more readily. It creates a problem in that you have to make sure that people are aligned on what they’re trying to accomplish.

We’re seeing that the technologies that are emerging are actually enabling business architecture in a fashion. It provides that unified vision, that holism, that you can start looking at combinations of these technologies, instead of having to look at them as we’ve had to in the past of siloed elements of technologies that have their own implications.

We’re using business architecture as a means to provide the information back to the business analyst who is going to look and help. You can provide the business implications, but then you have to analyze what that implication means and make decisions for how much of that you’re willing to accept within your organization.

In the notions around how I investigate risk, how I look at what is going to improve market, and what is the capacity of what I can do, there’s a disconnect for which business architecture is helping provide the filler, to get to the people that are doing these corporate strategies and corporate analysis at a level. That allows them to virtualize the concept of the technology, consume what it means and what that relates to for a business or in terms of its operation and strategy and the technology itself.

We’re seeing this become the means by which you can have that universal understanding that these are the implications, and that those implications can now be layered, so that you can look at them in combination instead of having to deal with each technology trend as if it’s a standalone piece.

We’re seeing this as a means by which to provide some clarity around what any adoption would be. When you adopt technology, it obviously has a level of maturity it has to reach, but it also has a level of complexity. It’s being able to start taking advantage of more than just one technology trend at the same time and being able to realistically deliver that into their business model.

What I have been seeing is that the technologies are driving the need for business architecture, because they need that framework to make sure that they are talking apples to apples and that they are meaning the same thing, so that we get out of the interpretation that we have had in the past and get into something that’s very tactical and very tactile, and that you can structure and align in the same way, so you understand what the full ramifications are.

Gardner: Peter Haviland, we have these multiple technology developments overlapping. They can be opportunities for businesses, but they can also perhaps be problems, if you don’t manage them.

What are the stakes here for business architecture and for organizations that can master this? It seems to me that they would have a significant advantage. For those that don’t, it could mean a significant cratering of their business potentially. So are we talking about an existential level importance for business architecture? How important is this now?

Haviland: It’s extremely important. What I see is that this is a discipline that’s just crying out for more people and more maturity. You almost need it to become pervasive throughout organizations now.

Feeding technology

The most common story I encounter is simply that organizations spent a lot of time in the past creating their processes and then they spent a lot of time feeding technology solutions to those processes. In recent times, the pace of technology change has moved faster than that previous paradigm.

What you’re looking at is at people saying, well, I am the business, there are all of these technology options out there. I cannot find a way forward and so how do I exploit those? That is where the business architecture profession is really being pushed to the front.

That said, there is a slight risk here that it may be considered too much in isolation. I mean, it is an architecture profession, it is a part of architecture, and the value of architecture is to provide that aligned view across the various domains that are important in terms of business, technology, information, security, and those types of elements.

When it comes back to what’s at stake for businesses that are investing in this particular area and for businesses that are trying to reconsider the way that they can operate themselves to support technology, they are moving ahead and they have competitive advantage. Businesses that aren’t doing that tend to be left behind, because the pace of change of technology is going to get faster.

Gardner: We’re here at The Open Group Conference. I wonder if any of you could fill us in on what The Open Group is now doing to advance this definition, mature the role, promulgate certification, and hasten the effect and benefits of business architecture in the field. Who can update us briefly on where we stand with The Open Group’s movement on certification and definition?

Mahakena: All those subjects you mentioned are part of the work of the Business Forum. The Business Forum is working in parallel on all those things. For example, it’s defining the profession and defining business architecture, working on methods and frameworks and approaches, and working on certification.

We need to do that in parallel, because all those aspects have to be aligned. We also need alignment in our own work to make sure that the certification, for example, are just the skills you actually need to do the business architecture and to create the outcomes we have defined in the profession and practice part.

We’re on our way as a Business Forum and we have done a huge amount of work, but we’re not ready yet. There are still a number of subjects we need to discuss, and we need to align everything we have now to make sure that we have a consistent package of deliverables that can be used by the members of The Open Group and anyone outside as well.

That’s where we are at this moment, and we are hoping to deliver a set of documents that will be accepted by The Open Group, by the members, and then they can be shared.

Hendrickx: I want to extend a little bit on where we are, because there has been some investigation in the 28 frameworks, which are very close or are meant to be frameworks for business architects. From this it resulted that none of these really had a complete holistic approach, as the role is identified currently, or at least how the needs have been identified in the marketplace.

Some have gaps

Some are quite close, but quite a few have gaps in one of the areas that should be touched, like strategy, operations, processes, or technology. We currently try to identify and fill that gap. That’s one point.

The other one is that most of the techniques used by the business architect are very well-embedded in academic research and are often and sometimes already used by different roles as well.

I’m thinking of things like the systems approach, and the systems thinkers have quite a few techniques. There are also techniques developed by IBM, HP, and Capgemini on the business architecture, which are well-versed and well-embedded in academic research of the past 20, 30 years. So, it’s not just a set of techniques that are built together. These are really based on insights which we have gained over several decades.

Gardner: Very good. I understand that many of these resources and the ability to take part in some of these working groups are all available on the newly redesigned Open Group website. That would be opengroup.org online and easily found from search.

I want to close up by thanking our guests. We’ve been discussing the burgeoning role of, and the opportunity for, business architecture and its practitioners in a dynamic global business environment.

This podcast is coming to you as a sponsored activity in conjunction with The Open Group Conference in Austin, Texas, the week of July 18, 2011.

So thanks to our guests. We’ve been joined by Harry Hendrickx, Chief Technology Officer, CME Industry Unit in HP’s Enterprise Services, and also a Certified Global Enterprise Architect. Thank you, Harry.

Hendrickx: Thank you, Dana.

Gardner: And also Dave van Gelder, Global Architect in the Financial Services Strategic Business unit at Capgemini. Thank you, Dave.

van Gelder: Thank you, Dana.

Gardner: We’re also here with Mieke Mahakena. She is the Label Leader for Architecture in the Training Portfolio at Capgemini Academy, and also a Certified Architect. Thank you, Mieke.

Mahakena: You are welcome, Dana.

Gardner: Peter Haviland, Head of the Architecture Services for Americas at Ernst & Young has also joined us. Thank you, Peter.

Haviland: Thanks, Dana. Thanks everyone.

Gardner: And lastly, Kevin Daley, Chief Architect in the Technology and Innovation Group at IBM Global Business Services. Thanks so much, Kevin.

Daley: Thank you, Dana. Again, thanks to everyone else also.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com.

Copyright The Open Group 2011. All rights reserved.

Dana Gardner is the Principal Analyst at Interarbor Solutions, which identifies and interprets the trends in Services-Oriented Architecture (SOA) and enterprise software infrastructure markets. Interarbor Solutions creates in-depth Web content and distributes it via BriefingsDirect™ blogs, podcasts and video-podcasts to support conversational education about SOA, software infrastructure, Enterprise 2.0, and application development and deployment strategies.

Monet revisited (or: non-traditional approaches to developing TOGAF® Next)

By Stuart Boardman, Getronics

Right now work is starting on the next major release of TOGAF®, which for now is known as TOGAF® Next. That makes it a very good time to look at what else is going on in the world and what kind of contribution that might make.

A lot of the best ideas come from unexpected directions. Enterprise architects (fortunately) often have passions that don’t have much directly to do with that discipline. Let’s be honest, the best ones almost always do. Peter Bakker recently drew our attention to a current debate in the world of photography and photo journalism. People are using apps like Hipstamatic to make deliberately grungy images – to make the results less “realistic” and more “impressionistic” (same thing Claude Monet and his pals came up with in the late 19th century except they didn’t have apps back then). Apart from the intrinsic interest of the topic, Peter suggested this might be applicable in EA. That made me think. We’ve invested vast amounts of time and effort (and therefore money) in being able to specify things in enormous detail according to increasingly tightly defined models. In fact, people used to complain that those tight models were what TOGAF® lacked. Hmmm. Sometimes the result is not seeing the wood for the trees. Or assuming that detail equals fact. Or getting realism muddled up with reality. Or information with knowledge (never mind wisdom). The Impressionists wanted people to be able to get a feeling of what it was like to be there — not precisely what it looked like at a specific moment in time. So while I’m sure they weren’t thinking about quantum mechanics (that would have been quite an achievement!), they were certainly leaving things open for probabilistic interpretations. Could we do the same in EA – without just producing vagueness? Why not – at least down to a certain level? If you use the Business Model Canvas, for example, you can build up a very meaningful picture of an enterprise’s business model without vast amounts of detail. It provides a lot of knowledge and even some wisdom on the basis of an optimal amount of information. And that has the great benefit of allowing you to fill in the detail where it’s actually going to be useful to you. 
So why wouldn’t we do something similar in general in EA?

Ross Button is developing an idea he calls Scatter Architecture. You could visualize it as a lot of puzzle pieces that you scatter on a board and see what kind of a picture you can make out of them. They might turn out to fit together in more than one way. That’s actually a good thing, as it probably makes you more adaptable and less exposed to change. Some of the pieces will duplicate each other wholly or partly. Viewed from a TOGAF® perspective we can say that these duplicates occur both on the Enterprise Continuum and on the Solution Continuum. Duplicates are allowed in this architecture. I don’t suppose you’d find them in the Enterprise Strategy or in the Architecture Strategy but you might well find partial duplicates among your propositions, activities, resources and partners – particularly the latter. After all, you probably don’t really want to be dependent on one supplier but that doesn’t mean they’re all exactly alike. So your architecture strategy might even codify that, which means your architecture models will need to take account of it. On the solution side of things it’s just as likely. Ross has explicitly pointed to Cloud as an example of this. Just as in the “real” world, if you can avoid being locked into just one supplier (without the cost implications being too high), you have much more room to manoeuvre. The Amazon crash a couple of months ago provided some good positive and negative examples. Moreover, just as in the “real” world, these partners might become part of your value creation process as opposed to just cost elements. So this introduces my second theme, multiplicity.

Louisa Leontiades has just launched a social media integrated business. It’s a great example of how enterprises are changing and why we need to understand them in non-traditional ways. What can we say about her business? Well, it’s an Internet company but it’s not selling technology. It sells real people skills but everything lives in the blogosphere. You can buy her stuff via the site but it’s not an eShop. It’s Louisa’s company but in some ways it’s a virtual enterprise. What does that mean? Well, there will be multiple contributors generating and selling content and the quality and commercial success of the content will shape how the company develops. Or to put it another way, the contributors are not merely suppliers but actually investors, who benefit from the success of the company. Oh and it has its own website but the marketing happens via separate blog sites, via Twitter, Facebook, Google+, LinkedIn – you name it. It’s easy to see then how capturing the architecture of such an enterprise is about capturing the essence and not getting distracted by detail that can change at any moment – exactly due to the multiplicity of contributors and propositions. It’s a daring concept – jumping into the unknown – and of course we won’t see this model in the large enterprise world for quite some time but in the non-profit world or perhaps even in education one could imagine a more rapid adoption. In fact you might reasonably expect to see it adopted in education. It was after all educational and research organizations that gave us the Web in the first place. And back then the web was all about collaboration and sharing – co-creation.

Tom Graves has been looking at extending the Business Model Canvas into Enterprise Architecture as a whole. One part of this is extending it upwards (or outwards – depends how you look at it) to reflect the extended enterprise context in which most organizations “live” today. This involves taking concepts which we already apply to the single enterprise and applying them to a world we don’t control, where multiplicity is the rule and in which our objective is to be an equal partner. This gives rise to relationships, which are both complex and shifting. I would argue that one consequence is that we need to put the emphasis on capturing the entirety of the situation, so we can understand its dynamics and reach (breadth), and we need to avoid the distraction of those details, which we know can and will change without our being consulted (anyone see a similarity to Cloud here?). Another part of what Tom is doing is a mapping with Archimate. I don’t know whether Tom sees it exactly the way I do, but I think one of the advantages is that it combines the impressionist approach with a standardized modeling technique and allows us to provide detail where it’s meaningful and useful. And what it also does is provide a semi-formalized way of using techniques coming from a different discipline within (or along with) familiar EA frameworks. Well, I say “does” but I should say “will do”. It’s work in progress, just like Scatter. Just like TOGAF® Next. You can contribute to these things, influence them or adapt them to your own purposes. You can read and leave them aside but at least you’ll have thought about it. And that in and of itself will enrich your practice.

Stuart Boardman is a Senior Business Consultant with Getronics Consulting where he co-leads the Enterprise Architecture practice as well as the Cloud Computing solutions group. He is co-lead of The Open Group Cloud Computing Work Group’s Security for the Cloud and SOA project and a founding member of both The Open Group Cloud Computing Work Group and The Open Group SOA Work Group. Stuart is the author of publications by the Information Security Platform (PvIB) in The Netherlands and of his previous employer, CGI. He is a frequent speaker at conferences on the topics of Cloud, SOA, and Identity. 


PODCAST: Why data and information management remain elusive after decades of deployments; and how to fix it

By Dana Gardner, Interarbor Solutions

Listen to this recorded podcast here: BriefingsDirect-Effective Data Management Remains Elusive Even After Decades of Deployments

The following is the transcript of a sponsored podcast panel discussion on the state of data and information management strategies, in conjunction with The Open Group Conference, Austin 2011.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect. Today, we present a sponsored podcast discussion in conjunction with the latest Open Group Conference in Austin, Texas, the week of July 18, 2011. We’ve assembled a distinguished panel to update us on the state of data and information management strategies. We’ll examine how it remains difficult for businesses to get the information they want in the way they can use, and why this has been a persistent problem. We’ll uncover the latest in the framework approach to information and data and look at how an information architect can make a big difference.

Here to help us better understand the role and impact of the information architect and also how to implement a successful data and information strategy is our panel. We’re here with Robert Weisman. He is CEO of Build The Vision Incorporated. Welcome to BriefingsDirect, Robert.

Robert Weisman: Thank you.

Gardner: We’re also here with Eugene Imbamba. He is Information Management Architect in IBM’s Software Group. Welcome, Eugene.

Eugene Imbamba: Thank you very much.

Gardner: And we’re here also with Mei Selvage. She is the Lead in the IBM Community of Information Architects. Welcome to the show, Mei.

Mei Selvage: Thank you for having us.

Gardner: Tell me, Robert, why it is that it’s so hard for IT to deliver information access in the way that businesses really want.

Weisman: It’s the general insensitivity to information management concerns within the industry itself, which is very much becoming much more technology and tool-driven with the actual information not being taken into consideration. As a consequence, a lot of the solutions might work, but they don’t last, and they don’t, generally speaking, get the right information to the right person at the right time. Within The Open Group, we recognized this split about four years ago and that’s one reason that in TOGAF® 9 we redefined that information technology as “The lifecycle management of information and related technology within an organization.” We didn’t want to see an IM/IT split in organizations. We wanted to make sure that the architecture addressed the needs of the entire community, especially those requiring information and knowledge.

Gardner: Eugene, do you think if we focus more on the lifecycle management of information and the architecture frameworks like TOGAF, that we’ll get more to this requirement that business has that single view of reality?

Imbamba: Definitely, focusing on reference architecture methodologies is a good way to get going in the right direction. I don’t think it’s the end of all means to getting there. But, in terms of leveraging what’s been done, some of the architectures that have been developed, whether it’s TOGAF or some of the other artifacts out there, would help organizations, instead of spinning their wheels and reinventing the wheel, start building some of the foundational capabilities needed to have an enterprise information architecture.

Getting to the finish line

As a result, we’re seeing that each year with information management, projects starting up and projects collapsing for various reasons, whether it’s cost or just the process or people in place. Leveraging some of these artifacts, methods, and reference architectures is a way to help get started, and of course employing other areas of the information management disciplines to help get to the finish line.

Gardner: Mei, when it comes to learning from those that have done this well, what do we know about what works when it comes to data and information management? What can we point to and say, “Without question, moving in this direction is allowing us to be inclusive, move beyond just the data and databases, and get that view that the business is really looking for?”

Selvage: Eugene and I had a long debate over how we know that we’ve delivered a successful information architecture. Our conclusion comes out three plus one. The first piece is just like any strategy roadmap. You need to have a vision and strategy. To have a successful information architecture vision you really have to understand your business problem and your business vision. Then, you use applicable, proven reference architecture and methodology to support that.

Once you have vision, then you come to the execution. How do you leverage your existing IT environments, integrate with them, keep good communication, and use the best practices? Finally, you have to get implemented on time and on schedule within the budget — and the end-user is satisfied.

Those are three parts. Then, the plus part is data governance, not just one-time project delivery. You’ll have to make sure that data governance is getting consistently implemented across the projects.

Gardner: How about in the direction of this organizational definition of what works and what doesn’t work? How important is it rather for an information architect role to emerge? Let’s start with you, Robert. Then, I’d like to take this to all of you. What is it about the information architect role that can play an important element here?

Weisman: The information architect will soon be called the knowledge architect to start realizing some of the promise that was seen in the 1980s and in the 1990s. The information architect’s role is essentially to harmonize all manner of information and make sure it’s properly managed and accessible to the people who are authorized to see it. It’s not just the information architect. He has to be a team player, working closely with technology, because more and more information will be not just machine-readable, but machine-processable and interpretable. So he has to work with the people not only in technology, but with those developing applications, and especially those dealing with security because we’re creating more homogenous enterprise information-sharing environments with consolidated information holdings.

The paradigm is going to be changing. It’s going to be much more information-centric. The object-oriented paradigm, from a technical perspective, meant the encapsulation of the information. It’s happened, but at the process level.

When you have a thousand processes in the organization, you’ve got problems. Whereas, now we’d be looking at encapsulation of the information much more at the enterprise level so that information can be reused throughout the organization. It will be put in once and used many times.

Quality of information

The quality of the information will also be addressed through governance, particularly incorporating something called data stewardship, where people would be accountable, not only for the structure of the information but for the actual quality of the informational holdings.

Gardner: Thank you. Eugene, how do you see the role of the information architect as important in solidifying people’s thinking about this at that higher level, and as Robert said, being an advocate for the information across these other disciplines?

Imbamba: It’s inevitable that this role will definitely emerge and is going to take a higher-level position within organizations. Back to my earlier comment about information really becoming an issue, we have lots of information. We have variety of information and varied velocity of information requirements.

We don’t have enough folks today who are really involved in this discipline and some of the projections we have are within the next 20 years, we’re going to have a lot more information that needs to be managed. We need folks who are engaged in this space, folks who understand the space and really can think outside the box, but also understand what the business users want, what they are trying to drive to, and be able to provide solutions that really not only look at the business problem at hand but also what is the organization trying to do.

The role is definitely emerging, and within the next couple of years, as Robert said, the term might change from information architects to knowledge architects, based on where information is and what information provides to business.

Gardner: Mei, how far along are we actually on this definition and even professionalization of the information architect role?

Selvage: I’d like to share a little bit of what IBM is doing internally. We have a major change to our professional programs and certification programs. We’ve removed IT out of architect as title. We just call architect. Under architect we have business architecture, IT architecture, and enterprise architecture. Information architecture falls under IT architecture. Even though we were categorized one of the sub components of IT architecture.

Information architect, in my opinion, is more business-friendly than any other professionals. I’m not trying to put others down, but a lot of new folks come from data modeling backgrounds. They really have to understand business language, business process, and their roles.

When we have this advantage, we need to leverage those and not just keep thinking about how I create database structures and how I make my database perform better. Rather, my tasks today contribute to my business. I want to be doing the right thing, rather than doing the wrong things sooner.

IBM reflects an industry shift. The architect is a profession and we all need to change our mindsets to be even broader.

Delivering business value

Weisman: I’d like to add to that. I fully agree, as I said, that The Open Group has created TOGAF 9 as a capability-based planning paradigm for the business planning. IM and IT are just two dimensions of that overall capability, and everything is pushed toward the delivery of business value.

You don’t have to align IM/IT with the business. IM and IT become an integral part of the business. This came out of the defense world in many cases and it has proven very successful.

IM, IT, and all of the architecture domains are going to have to really understand the business for that. It’ll be an interesting time in the next couple of years in the organizations that really want to derive competitive advantage from their information holdings, which is certainly becoming a key differentiator amongst large companies.

Gardner: Robert, perhaps while you’re talking about The Open Group, you could update us a bit on what took place at the Austin Conference, particularly vis-à-vis the workgroups. What was the gist of the development and perhaps any maturation that you can point to?

Weisman: We had some super presentations, in particular the one that Eugene and Mei gave that addressed information architecture and various associated processes and different types of sub-architectures/frameworks as well.

The Information Architecture Working Group, which is winding down after two years, has created a series of whitepapers. The first one addressed the concerns of the data management architecture and maps the data management body of knowledge processes to The Open Group Architecture Framework. That whitepaper went through final review in the Information Architecture Working Group in Austin.

We have an Information Architecture Vision paper, which is an overall rethinking of how information within an organization is going to be addressed in a holistic manner, incorporating what we’d like to think as all of the modern trends, all types of information, and figure out some sort of holistic way that we can represent that in an architecture. The vision paper is right now in the final review. Following that, we’re preparing a consolidated request for change to the TOGAF 9 specification. The whitepapers should be ready and available within the next three months for public consultation. This work should address many significant concerns in the domain of information architecture and management. I’m really confident the work that working group has done has been very productive.

Gardner: Now, you mentioned that Mei and Eugene delivered a presentation. I wonder if we can get an overview, a quick summary of the main points. Mei, would you care to go first?

Selvage: We’ve already talked a lot about what we have described in our presentation. Essentially, we need to understand what it means to have a successful solution information architecture. We need to leverage all those best practices, which come in a form of either a proven reference architecture or methodology, and use that to achieve alignment within the business. Eugene, do you have anything you want to specifically point out in our presentation?

Three keys

Imbamba: No, just to add to what you said. The three keys that we brought were the alignment of business and IT, using and leveraging reference architectures to successfully implement information architectures, and last was the adoption of proven methodology.

In our presentation, we defined these constructs, or topics, based on our understanding and to make sure that the audience had a common understanding of what these components meant. Then, we gave examples and actually gave some use cases of where we’ve seen this actually happen in organizations, and where there has been some success in developing successful projects through the implementation of these methods. That’s some of what we touched on.

Weisman: Just as a postscript from The Open Group, we’re coming with an Information Architecture and Planning Model. We have a comprehensive definition of data and information and knowledge; we’ve come up with a good generic lifecycle that can be used by all organizations. And, we addressed all the issues associated with them in a holistic way with respect to the information management functions of governance, planning, operations, decision support and business intelligence, records and archiving, and accessibility and privacy.

One of the main contributions that these whitepapers are going to provide is a good planning basis for the holistic management of all manner of information in the form of a complete model.

Gardner: We’ve heard about how the amount of data is going to be growing exponentially, perhaps 44 times in less than 10 years, and we’ve also heard that knowledge, information, and your ability to exploit it could be a huge differentiator in how successful you are in business. I even expect that many businesses will make knowledge and information of data part of their business, part of their major revenue capabilities — a product in itself.

Let’s look into the future. Why will the data and information management professionalization, this role of the information architect be more important based on some of the trends that we expect? Let’s start with you, Robert. What’s going to happen in the next few years that’s going to make it even more important to have the holistic framework, strategic view of data information?

Weisman: Right now, it’s competitive advantage upon which companies may rise and fall. Harvard Business School Press, Davenport in particular, has produced some excellent books on competitive analytics and the like, with good case studies. For example, a factory halfway through construction is stopped because they didn’t have timely access to their information indicating the factory didn’t even need to be constructed. This speaks of information quality.

In the new service-based rather than industry-based economic paradigm, information will become absolutely key. With respect to the projected increase of information available, I actually see a decrease in information holdings within the enterprise itself.

This will be achieved through a) information management techniques, you will actually get rid of information; b) you will consolidate information; and c) with paradigms such as cloud, you don’t necessarily have to have information within the organization itself.

More with less

So you will be dealing with information holdings, that are accessible by the enterprise, and not necessarily just those that are held by the enterprise. There will also be further issues such as knowledge representation and the like, that will become absolutely key, especially with demographics as it stands now. We have to do more with less.

The training and professionalization of information architecture, or knowledge architecture, I anticipate will become key. However, knowledge architects cannot be educated totally in a silo, they also have to have a good understanding of the other architecture domains. A successful enterprise architect must understand all the other architecture domains.

Gardner: Eugene, how about you, in terms of future trends that impact the increased importance of this role in this perspective on information?

Imbamba: From an IBM perspective, we’ve seen over the last 20 years organizations focusing on what I call an “application agenda,” really trying to implement enterprise resource planning (ERP) systems, supply chain management systems, and these systems have been very valuable for various reasons, reducing cost, bringing efficiencies within the business.

But, as you know, over the last 20 years, a lot of companies now have these systems in place, so the competitive advantage has been lost. So what we’re seeing right now is companies focusing on an information agenda, and the reason is that each organization has information about its customers, its products, its accounts like no other business would have.

So, what we’re seeing today is leveraging that information for competitive advantage, trying to optimize your business, gleaning the information that you have so that you can understand the relationships between your customers, between your partners, your suppliers, and optimize that to deliver the kinds of services and needs, the business wants and the customer’s needs. It’s a focus from application agenda to an information agenda to try and push what’s going on in that space.

Gardner: Mei, last word to you, future trends and why would they increase the need for the information architecture role?

Selvage: I like to see that from two perspectives. One is from the vendor perspective, just taking IBM as an example. The information management brand is the one that has the largest software products, which reflects market needs and the market demands. So there are needs to have information architects who are able to look over all those different software offerings in IBM and other major vendors too.

From the customer perspective, where I see a lot of trends is that many outsource basic database administration, kind of a commodity or activity out to a third-party where they keep the information architects in-house. That’s where we can add in the value. We can talk to the business. We can talk to the other components of IT, and really bring things together. That’s a trend I see more organizations are adopting.

Gardner: Very good. We’ve been discussing the role and impact of an information architect and perhaps how to begin to implement a more successful data and information strategy.

This comes to you as a sponsored podcast in conjunction with The Open Group Conference in Austin, Texas in the week of July 18, 2011. I’d like to thank our guests. We’ve been joined by Robert Weisman, CEO of Build The Vision Incorporated. Thanks so much, Robert.

Weisman: You’re very welcome. Thank you for inviting.

Gardner: And we’ve been here with Eugene Imbamba. He is Information Management Architect in IBM Software Group. Thank you, Eugene.

Imbamba: Thank you for having me.

Gardner: And Mei Selvage, she is Lead of the IBM Community of Information Architects. Thanks to you as well.

Selvage: You’re welcome. Thank you too.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks to our viewers and listeners as well, and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com.

Copyright The Open Group 2011. All rights reserved.

Dana Gardner is the Principal Analyst at Interarbor Solutions, which identifies and interprets the trends in Services-Oriented Architecture (SOA) and enterprise software infrastructure markets. Interarbor Solutions creates in-depth Web content and distributes it via BriefingsDirect™ blogs, podcasts and video-podcasts to support conversational education about SOA, software infrastructure, Enterprise 2.0, and application development and deployment strategies.


The future – ecosystems and standards

By Mark Skilton, Capgemini

This article is a continuation of a series on standards by Mark Skilton. Read his previous posts on “Why standards in information technology are critical” and “Innovation in the Cloud needs open standards.”

The evolution of standards has become a big domain issue. The world has moved from the individual languages of resources and transactions into architectural standards that seek to describe how different sets of resources, interfaces and interactions can be designed to work together. But this concept has now gone further in networked societies.

In this new “universe” of online and physical services, new channels, portals, devices and services are emerging that create new integration and compositions of services. New business models are emerging as a result, which are impacting existing markets and incumbents as well as creating new rules and standards.  Old standards and policies such as digital privacy and cross-border intellectual property are being challenged by these new realities. Ignoring these is not an option, as companies and whole countries are realizing the need to keep up-to-date and aware of these developments that impact their own locations and economies.

This means the barriers and accelerators to individual markets and new markets are evolving and in constant dynamic change. Standards and interoperability are at the center of these issues and affect the very levers of change in markets.

Cloud Computing is one such phenomenon rewriting the rules on information exchange and business models for provisioning and delivery of products and services. The impact of Cloud Computing on competitive advantage is significant in the way it has lowered barriers to access of markets and collaboration. It has increased speed of provisioning and potential for market growth and expansion through the distributed power of the Internet. The connectivity and extensions of business models brought about by these trends is changing previously held beliefs and competitive advantages of ownership and relationships.

The following diagram was presented at The Open Group Conference, Amsterdam in the fall of 2010.

The Internet of Things (IOT) is an example of this trend that is seen in the area of Radio Frequency Identification (RFID) tags of materials and products for automatic tracking. But this is just one example of interoperability emerging across industries. Large-scale telecommunications networks now have the ability to reach and integrate large areas of the marketplace through fixed and now wireless mobile communications networks.

This vision can create new possibilities beyond just tagging and integration of supply chains; it hints towards a possibility of social networks, business networks and value chains being able to create new experiences and services through interconnectedness.

Mark Skilton, Director, Capgemini, is the Co-Chair of The Open Group Cloud Computing Work Group. He has been involved in advising clients and developing strategic portfolio services in Cloud Computing and business transformation. His recent contributions include the publication of Return on Investment models on Cloud Computing, widely syndicated, that achieved 50,000 hits on CIO.com and in the British Computer Society 2010 Annual Review. His current activities include development of new Cloud Computing Model standards and best practices on the subject of Cloud Computing impact on Outsourcing and Off-shoring models, and he contributed to the second edition of the Handbook of Global Outsourcing and Off-shoring, published through his involvement with Warwick Business School UK Specialist Masters Degree Program in Information Systems Management.


PODCAST: How the role of certification impacts professionalization of IT and skills management

By Dana Gardner, Interarbor Solutions

Listen to this recorded podcast here: Architect Certification Increasingly Impacts Professionalization of IT in Cloud Era

The following is the transcript of a sponsored podcast panel discussion on certification and its impact on the professionalization of IT and skills management, in conjunction with The Open Group Conference, Austin 2011.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect. Today, we present a sponsored podcast discussion in conjunction with The Open Group Conference in Austin, Texas, the week of July 18, 2011. We’ve assembled a panel to update us on the impact and role of certifications for IT professionals. We’ll examine how certification for enterprise architects, business architects, and such industry initiatives as ArchiMate® are proving instrumental as IT organizations seek to reinvent themselves.

There are now a lot of shifts in skills and a lot of movement about how organizations should properly staff themselves. There have been cost pressures and certification issues for regulation and the adoption of new technologies. We’re going to look at how all these are impacting the role of certification out in the field. Here to help us better understand how an organization like The Open Group is alleviating the impact and importance of IT skills and role certification amid this churning change in the IT organizations is Steve Philp. He is the Marketing Director for Professional Certification at The Open Group. Welcome, Steve.

Steve Philp: Thank you.

Gardner: We are also here with Andrew Josey. He is Director of Standards at The Open Group. Welcome, Andrew.

Andrew Josey: Thank you, Dana.

Gardner: And we’re here with James de Raeve. He is Vice President of Certification at The Open Group. Hello, James.

James de Raeve: Thanks, Dana.

Gardner: Let’s start with you. As I said, we’re seeing a lot of change about many things in IT, but certainly how to properly staff, especially as you start to consider outsourcing options and Cloud and software-as-a-service (SaaS) types of options. Organizations are also looking at consolidation around their applications and infrastructure. So there’s quite a bit of change. Naturally, the people in the “people, processes, and technology” spectrum need to be addressed. From your perspective, why is there the need for more professionalization, or what are the trends that are driving the need to reexamine your staff and how to properly certify your IT leadership?

de Raeve: The primary driver here that we’re hearing from members and customers is that they need to get more out of the investments that they’re making — their payroll for their IT staff. They need to get more productivity. And that has a number of consequences.

Realizing talent

They want to ensure that the people they are employing and that they’re staffing their teams with are effective. They want to be sure that they’re not bringing in external experts when they don’t need to. So there is a need to realize the talent that they’ve actually got in their internal IT community and to develop that talent, nurture it, and exploit it for the benefit of the organization.

And professionalism, professionalization, and profession frameworks are all tools that can be used in identifying, measuring, and developing the talents and capabilities of your people. That seems to be the major driver.

Gardner: Steve, any further thoughts on the trends that are driving certification and professionalization issues?

Philp: Something I have noticed since joining The Open Group is that we’ve got some skills and experience-based certifications. They seem to be the things that people are particularly interested in, because it’s not just a test of your knowledge about a particular vendor or product, but how you have applied your skills and experience out there in the marketplace. They have proven to be very successful in helping people assess where they are and in working towards developing a career path. That’s one of the areas of certification that things are going to move more towards — more skills and experience-based certification programs in organizations.

Gardner: Where are we seeing this most in demand? Are there particular types of technology certification or professional role certification that are in the most demand? Where is this the most hot or impactful right now?

Philp: Looking at certification in general, you still have areas like Microsoft MCSE, Microsoft technical specialist, application development, and project management that are in demand, and things like CCNA from Cisco. But I’ve also noticed a lot more in the security field. CISSP and CCSA seem to be the ones that are always getting a lot of attention. In terms of security, the trends in mobile computing, cloud computing, means that security certification is a big growth area.

We’re just about to put a security track into our Certified IT Specialist Program at The Open Group, so there will be a skills and experience-based track for security practitioners soon.

Gardner: James, of course we should point out for our listeners that we’re not just talking about certification from vendors and suppliers about the specific products and/or platforms, but we’re really looking at a skill- and roles-based approach. Maybe you could help us distinguish between the two and why it’s important to do so?

de Raeve: The difference, as Steve alluded to, is that there is a whole world out there of technology and product-related certifications that are fulfilling a very important function in helping people establish and demonstrate their knowledge of those particular products and technologies.

But there is a need for people too in the building of teams and in the delivering of results to nurture and grow their people to be team players and team participants and to be able to work with them to function within the organization as, for want of a better term, “t-shaped people,” where there are a number of soft and people-related skills and potentially architecture related skills for the IT specialists, and skills and capabilities enable people to be rounded professionals within an organization.

T-shaped people

It’s that aspect that differentiates the professionalization and the profession-oriented certification programs that we’re operating here at The Open Group — The Open Certified Architect, The Open Certified IT Specialist. Those are t-shaped people and we think that makes a huge difference. It’s what’s going to enable organizations to be more effective by developing their people to have that more rounded t-shaped capability.

Gardner: Andrew, with the emphasis on standards and your role there, how does the impact of certification on the ability to adhere to and exploit standards come together? What’s the relationship between making sure you have standardization around your people and their skill sets, but also being able to exploit standardization and even more automation across your organization?

Josey: We see the certification as being the ultimate drive in the uptake of the standards, and so we’re able to go from not just having a standard on the shelf to actually seeing it being deployed in the field and used. We’ve actually got some people certification programs, such as TOGAF®, and we’ve got some over 20,000 practitioners now.

We’ve gone through the certification program and we’ve been using and evangelizing, TOGAF as a standard in the field and then feeding that back to our members and, through the association, the feedback improvements to the standards. So it’s very much part of the end-to-end ecosystem — developing a standard for deploying it, and getting people on it, and then getting the feedback in the right way.

Gardner: I suppose that as organizations want to create a level playing field, we’re starting to see calls for this type of certification in requests for proposal (RFPs) around projects. For folks on the buy side who are seeking either people or the suppliers themselves, a supply chain and ecosystem of providers, how much is certification playing a role and how they can pick and choose among each other with some sense of trust and reliability?

Philp: It’s very much an important part of the process now. TOGAF and IT Architect Certification (ITAC) have appeared in a number of RFPs for government and for major manufacturing organizations. So it’s important that the suppliers and the buyers recognize these programs.

Similarly with recruitment, you find that things like TOGAF will appear in most recruitment ads for architects. Certainly, people want knowledge of it, but more and more you’ll see TOGAF certification is required as well.

ITAC, which is now Open CA, has also appeared in a number of recruitment ads for members like Logica, Capgemini, Shell. More recently, organizations like the CBS, EADS, ADGA Group, Direct Energy have requested it. And the list goes on. It’s a measure of how important the awareness is for these certifications and that’s something we will continue to drive at The Open Group.

Gardner: All right, Steve, thanks for that. As you mentioned, there have been some changes in terms of the branding around some of these. Let’s take a quick review if we could around what’s been happening at the Austin Conference, but also what’s new and what’s been going on with the branding. Let’s look at the TOGAF, ArchiMate®, and business architecture certifications. What’s new and interesting there?

In development

Josey: I am speaking up on what we are doing in ArchiMate first, before I talk about TOGAF, and then Steve will tell us what the Business Forum is up to.

ArchiMate certification is something new that we’re developing right now. We haven’t deployed a certification program as yet. The previous certification program was under the ArchiMate Foundation, which was the body that developed ArchiMate, before it transferred into The Open Group.

We’re currently working on the new program which will be similar to some aspects of our TOGAF program, and it’ll be knowledge base certification with an assessment by exam and a practical assessment in which the candidate can actually do modeling. So this will be people certification and there will also be accredited training course certification.

And then also what we’re going to do there is actually to provide certification for tools. There will be certifications there.

That’s pretty much what we’re doing in ArchiMate, so we don’t have a firm timeline. So it will not be available it looks like, probably towards the end of the year would be the earliest, but possibly early next year.

Gardner: Knowing that we reach a wide audience, could you give a quick overview of what ArchiMate is for those who might not be familiar.

Josey: ArchiMate is a modeling language for enterprise architecture (EA) in general and specifically it’s a good fit for TOGAF. It’s a way of communicating and developing models for TOGAF EA. Originally it was developed by the Telematica Instituut and funded, I think, by the EU and a number of commercial companies in the Netherlands. It was actually brought into The Open Group in 2008 by the ArchiMate Foundation and is now managed by the ArchiMate Forum within The Open Group.

Gardner: Now we’re going to hear an update on TOGAF.

Josey: The latest version of TOGAF is TOGAF 9 for certification. As we mentioned earlier, there are two types of certification programs, skills and knowledge based. TOGAF falls into the knowledge based camp. We have two levels. TOGAF 9 Foundation, which is our level one, is for individuals to assess that they know the terminology and basic concepts of EA in TOGAF.

Level two, which is a superset of level one, in addition assesses analysis and comprehension. The idea is that some people who are interested in just getting familiar with TOGAF and those people who work around enterprise architects can go into TOGAF Foundation. And these enterprise architects themselves should initially start with the TOGAF Certified, the level two, and then perhaps move on later to Open CA. That will be helpful.

For TOGAF 9 Certification, we introduced that by midyear 2009. We launched TOGAF 9 in February, and it took a couple of months to just roll out all these certifications through all the exam channels. Since then, we’ve gone through 8,000 certifications (see June blog post). We’ve seen that two-thirds of those were at the higher level, level two, for EA practitioners and one-third of those are currently at the foundation level.

Gardner: And lastly, business architecture?

A new area

Philp: Business architecture is a new area that we’ve been working on. Let me just go back to what we did on the branding, because it ties in with that. We launched The Open Group’s new website recently and we used that as the opportunity to re-brand ITAC as The Open Group Certified Architect (Open CA) program. The IT Specialist Certification (ITSC) has now become The Open Group Certified IT Specialist or Open CITS Program.

We did the rebranding at that time, because we wanted it to be associated with the word “open.” We wanted to give the skills and experience-based certification a closer linkage to The Open Group. That’s why we changed from ITAC to Open CA. But, we’ve not changed the actual program itself. Candidates still have to create a certification package and be interviewed by three board members, and there are still three levels of certification: Certified, Master, and Distinguished.

However, what we’re intending to do is have some core requirements that architects need to meet, and then add some specific specializations for different types of architects. The one that we’ve been working on the most recently is the Business Architecture Certification. This came about from an initiative about 18 months ago.

We formed something called the Business Forum with a number of Platinum Members who got involved with it – companies like IBM, HP, SAP, Oracle and Capgemini. We’ve been defining the conformance requirements for the business architecture certification. It’s going through the development process and hopefully will be launched sometime later this year or early next year.

Gardner: I’m interested in how this is making a difference in the field. There’s a lot of change going on this consolidation. There’s re-factoring of what’s core and what’s context in what IT department should focus on and, therefore, what their skill sets need to be. They’re adopting new technologies. I wonder if you have any examples of where we’ve seen certification come to play when an organization is looking to change its workforce. Any thoughts about some organizations and what the impact has been?

de Raeve: There’s a very good example of an organization that had exactly that problem, and they’ve done a presentation about this in one of our conferences. It’s Philips, and they used to have an IT workforce that was divided among the business units. The different businesses had their own IT function.

They changed that and went to a single IT function across the organization, providing services to the businesses. In doing so, they needed to rationalize things like grades, titles, job descriptions, and they were looking around for a framework within which they could do this and they evaluated a number of them.

They were working with a partner who was helping them do this. The partner was an Open Group member and suggested they look at The Open Group’s IT Specialist Certification, the CITS Certification Program, as it provides a set of definitions for the capabilities and skills required for IT professionals. They picked it up and used it, because it covered the areas they were interested in.

This was sufficient and complete enough to be useful to them, and it was vendor-neutral, and an industry best practice. So they could pick this up and use it with confidence. And that has been very successful. They initially benchmarked their entire 900 strong IT workforce against The Open Group definition, so they could get to calibrate themselves, where their people were on their journey through development as professionals.

They’ve started to embrace the certification programs as a method of not only measuring their people, but also rewarding them. It’s had a very significant impact in terms of not only enabling them to get a handle upon their people, but also in terms of their employee engagement. In the engagement surveys that they do with their staff, some of the comments they got back after they started doing this process were, “For the first time we feel like management is paying attention to us.”

It was very positive feedback, and the net result is that they are well on their way to meeting their goal of no longer having automatically to bring in an external service provider whenever they were dealing with a new project or a new topic. They know that they’ve got people with sufficient expertise in-house on their own payroll now. They’ve been able to recognize that capability, and the use of it has had a very positive effect. So it’s a very strong good story.

I think that the slides will be available to our members in the conference’s proceedings from the London Conference in April. That will be worth something to look at.

Gardner: Where would you go for more information, if you were a practitioner, a budding enterprise architect and you wanted to certify yourself and/or if you were in an organization trying to determine more precisely what certification would mean to you as you’re trying to reengineer, modernize and right-size your organization? Where do you go for more information?

Philp: If you go to The Open Group website, www.opengroup.org/certifications, all of the people-based certifications are there, along with the benefits for individuals, benefits for organizations and various links to the appropriate literature. There’s also a lot of other useful things, like self-assessment tests, previous webinars, sample packages, etc. That will give you more of an idea of what’s required for certification along with the conformance requirements and other program documentation. There’s a lot of useful information on the website.

Gardner: Very good. We’ve been discussing how the role and impact of IT Certification is growing and some of the reasons for that. We’ve also looked at how organizations like The Open Group are elevating the role of certification and providing means to attain it and measure it the standard.

I’d like to thank our guests for delivering this sponsored podcast discussion in conjunction with The Open Group Conference in Austin, Texas, the week of July 18, 2011. We’ve been joined by our panel, Steve Philp, he is the Marketing Director for Professional Certification at the Open Group. Thank you, Steve.

Philp: Thank you, Dana.

Gardner: And we have also been joined by Andrew Josey, Director of Standards at The Open Group. Thank you, Andrew.

Josey: Thank you, Dana.

Gardner: And lastly, James de Raeve, he is the Vice President of Certification, once again at The Open Group. Thanks James.

de Raeve: Thank you, Dana, and thanks to everyone who has listened.

Gardner: Right. This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks for listening and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com.

Copyright The Open Group 2011. All rights reserved.

Dana Gardner is the Principal Analyst at Interarbor Solutions, which identifies and interprets the trends in Services-Oriented Architecture (SOA) and enterprise software infrastructure markets. Interarbor Solutions creates in-depth Web content and distributes it via BriefingsDirect™ blogs, podcasts and video-podcasts to support conversational education about SOA, software infrastructure, Enterprise 2.0, and application development and deployment strategies.

Filed under Certifications, Enterprise Architecture

Innovation in the Cloud needs open standards

By Mark Skilton, Capgemini

This article is a continuation of a series on standards by Mark Skilton. Read his previous post on “Why standards in information technology are critical.”

The forces of innovation are seen in the power of broadband, mass computing power, dynamic new mobile cell devices and tablets, new social networking software and new advanced technologies in fields such as medical scanners, multi-media, education, robotics and electronics. These disruptions are jumps that can make huge leaps in societal quality of life and benefit for all. And with every advance there can be counterproductive and emergent issues that result which may be detrimental to markets, and to personal liberty and safety. There is a continuing debate over standards and policies that may or may not prejudice the legitimate rights of consumers, providers and governments that seek these benefits.

Standards evolve as a means for description and commonality as well as differentiation. Common utility services in the gas, electricity, and water amenities industry are examples that trade and provide services to mass markets. Likewise, in consumer electronics markets and network standards, we see interests in common interface and connector standards to enable consumer and providers to access and gain use of the products and services marketplaces. Without standards in areas that enable trade exchange, markets would be fragmented, limiting potential growth and evolution of new opportunities.

But equally, standards can create challenges and barriers to trade and adoption. Protection of intellectual property, closed technology platforms and protectionist and legislative control policies are consequences that can be seen as building competitive advantages, but they can equally limit access and competition in existing and new markets.

This is a concern from large multi-national corporations to the plethora of SMBs, and to the individual. It can also be seen as a wider economic, societal and environmental issue, where disproportionate activities and resource consumption can affect green sustainability and intergovernmental and marketplace balance of power and growth.

Mark Skilton, Director, Capgemini, is the Co-Chair of The Open Group Cloud Computing Work Group. He has been involved in advising clients and developing strategic portfolio services in Cloud Computing and business transformation. His recent contributions include the publication of Return on Investment models on Cloud Computing, widely syndicated, that achieved 50,000 hits on CIO.com and in the British Computer Society 2010 Annual Review. His current activities include development of a new Cloud Computing Model standards and best practices on the subject of Cloud Computing impact on Outsourcing and Off-shoring models, and he contributed to the second edition of the Handbook of Global Outsourcing and Off-shoring, published through his involvement with Warwick Business School UK Specialist Masters Degree Program in Information Systems Management.

Filed under Cloud, Standards

PODCAST: Standards effort points to automation via common markup language for improved IT compliance, security

By Dana Gardner, Interarbor Solutions

Listen to this recorded podcast here: BriefingsDirect-O-ACEML Standard Effort Points to Broad Automation for Improved IT Compliance and Security Across Systems

The following is the transcript of a sponsored podcast panel discussion on the new Open Automated Compliance Expert Markup Language (O-ACEML) standard, in conjunction with The Open Group Conference, Austin 2011.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect. Today, we present a sponsored podcast discussion in conjunction with The Open Group Conference in Austin, Texas, the week of July 18, 2011. We’re going to examine the Open Automated Compliance Expert Markup Language (O-ACEML), a new standard creation and effort that helps enterprises automate security compliance across their systems in a consistent and cost-saving manner.

O-ACEML helps to achieve compliance with applicable regulations but also achieves major cost savings. From the compliance audit viewpoint, auditors can carry out similarly consistent and more capable audits in less time. Here to help us understand O-ACEML and managing automated security compliance issues and how the standard is evolving are our guests. We’re here with Jim Hietala, Vice President of Security at The Open Group. Welcome back, Jim.

Jim Hietala: Thanks, Dana. Glad to be with you.

Gardner: We’re also here with Shawn Mullen. He’s a Power Software Security Architect at IBM. Welcome to the show, Shawn.

Shawn Mullen: Thank you.

Gardner: Let’s start by looking at why this is an issue. Why do O-ACEML at all? I assume that security being such a hot topic, as well as ways in which organizations grapple with the regulations, and compliance issues are also very hot, this has now become an issue that needs some standardization. Let me throw this out to both of you. Why are we doing this at all and what are the problems that we need to solve with O-ACEML?

Hietala: One of the things you’ve seen in last 10 or 12 years, since the compliance regulations have really come to the fore, is that the more regulation there is, more specific requirements are put down, and the more challenging it is for organizations to manage. Their IT infrastructure needs to be in compliance with whatever regulations impact them, and the cost of doing so becomes a significant thing. So, anything that could be done to help automate, to drive out cost, and maybe make organizations more effective in complying with the regulations that affect them — whether it’s PCI, HIPAA, or whatever — there’s lot of benefit to large IT organizations in doing that. That’s really what drove us to look at adopting a standard in this area.

Gardner: Jim, just for those folks who are coming in as fresh, are we talking about IT security equipment and the compliance around that, or is it about the process of how you do security, or both? What are the boundaries around this effort and what it focuses on?

Manual process

Hietala: It’s both. It’s enabling the compliance of IT devices specifically around security constraints and the security configuration settings and to some extent, the process. If you look at how people did compliance or managed to compliance without a standard like this, without automation, it tended to be a manual process of setting configuration settings and auditors manually checking on settings. O-ACEML goes to the heart of trying to automate that process and drive some cost out of an equation.

Gardner: Shawn Mullen, how do you see this in terms of the need? What are the trends or environment that necessitate in this?

Mullen: I agree with Jim. This has been going on a while, and we’re seeing it on both classes of customers. On the high-end, we would go from customer-to-customer and they would have their own hardening scripts, their own view of what should be hardened. It may conflict with what compliance organization wanted as far as the settings. This was a standard way of taking what the compliance organization wanted, and also it has an easy way to author it, to change it.

If your own corporate security requirements are more stringent, you can easily change the O-ACEML configuration, so that it satisfies your more stringent corporate compliance or security policy, as well as satisfying the regulatory compliance organization in an easy way to monitor it, to report, and see it.

In addition, on the low end, the small businesses don’t have the expertise to know how to configure their systems. Quite frankly, they don’t want to be security experts. Here is an easy way to print an XML file to harden their systems as it needs to be hardened to meet compliance or just the regular good security practices.

Gardner: One of the things that’s jumped out at me as I’ve looked into this, is the rapid improvement in terms of a cost or return on investment (ROI), almost to the league of a no-brainer category. Help me understand why is it so expensive and inefficient now, when it comes to security equipment audits and regulatory compliance. What might this then therefore bring in terms of improvement?

Mullen: One of the things that we’re seeing in the industry is server consolidation. If you have these hundreds, or in large organizations, thousands of systems and you have to manually configure them, it becomes a very daunting task. Because of that, it’s a one-time shot at doing this, and then the monitoring is even more difficult. With O-ACEML, it’s a way of authoring your security policy as it meets compliance or for your own security policy in pushing that out. This allows you to have a single XML and push it onto heterogeneous platforms. Everything is configured securely and consistently and it gives you a very easy way to get the tooling to monitor those systems, so they are configured correctly today. You’re checking them weekly or daily to ensure that they remain in that desired state.

Gardner: So it’s important not only to automate, but be inclusive and comprehensive in the way you do that or you are back to manual process at least for a significant portion, but that might then not be at your compliance issues. Is that how it works?

Mullen: We had a very interesting presentation here at The Open Group Conference yesterday. I’ll let Jim provide some of the details on that, but customers are finding the best way they can lower their compliance or their cost of meeting compliance is through automation. If you can automate any part of that compliance process, that’s going to save you time and money. If you can get rid of the manual effort with automation, it greatly reduces your cost.

Gardner: Shawn, do we have any sense in the market what the current costs are, even for something that was as well-known as Sarbanes-Oxley? How impressive, or unfortunately intimidating, are some of these costs?

Cost of compliance

Mullen: There was a very good study yesterday. The average cost of an organization to be compliant is $3 million. That’s annual cost. What was also interesting was that the cost of being non-compliant, as they called it, was $9 million.

Hietala: The figures that Shawn was referencing come out of the study by the Ponemon Institute. Larry Ponemon does lots of studies around security risk compliance cost. He authors an annual data breach study that’s pretty widely quoted in the security industry that gets to the cost of data breaches on average for companies.

In the numbers that were presented yesterday, he recently studied 46 very large companies, looking at their cost to be in compliance with the relevant regulations. It’s like $3.5 million a year, and over $9 million for companies that weren’t compliant, which suggests that companies that are actually actively managing towards compliance are probably little more efficient than those that aren’t. What O-ACEML has the opportunity to do for those companies that are in compliance is help drive that $3.5 million down to something much less than that by automating and taking manual labor out of process.

Gardner: So it’s a seemingly very worthwhile effort. How do we get to where we are now, Jim, with the standard and where do we need to go? What’s the level of maturity with this?

Hietala: It’s relatively new. It was just published 60 days ago by The Open Group. The actual specification is on The Open Group website. It’s downloadable, and we would encourage both system vendors and platform vendors, as well as folks in the security management space or maybe the IT-GRC space, to check it out, take a look at it, and think about adopting it as a way to exchange compliance configuration information with platforms.

We want to encourage adoption by as broad a set of vendors as we can, and we think that having more adoption by the industry, will help make this more available so that end-users can take advantage of it.

Gardner: Back to you Shawn. Now that we’ve determined that we’re in the process of creating this, perhaps, you could set the stage for how it works. What takes place with ACEML? People are familiar with markup languages, but how does this now come to bear on this problem around compliance, automation, and security?

Mullen: Let’s take a single rule, and we’ll use a simple case like the minimum password length. In PCI the minimum password length, for example, is seven. Sarbanes-Oxley, which relies on COBiT password length would be eight.

But with an O-ACEML XML, it’s very easy to author a rule, and there are three segments to it. The first segment is, it’s very human understandable, where you would put something like “password length equals seven.” You can add a descriptive text with it, and that’s all you have to author.

Actionable command

When that is pushed down on to the platform or the system that’s O-ACEML aware, it’s able to take that simple ACEML word or directive and map that into an actionable command relevant to that system. When it finds the map into the actionable command, it writes it back into the XML. So that’s completing the second phase of the rule. It executes that command either to implement the setting or to check the setting.

The result of the command is then written back into the XML. So now the XML for particular rule has the first part, the authored high-level directive as a compliance organization, how that particular system mapped into a command, and the result of executing that command either in a setting or checking format.

Now we have all of the artifacts we need to ensure that the system is configured correctly, and to generate audit reports. So when the auditor comes in we can say, “This is exactly how any particular system is configured and we know it to be consistent, because we can point to any particular system, get the O-ACEML XML and see all the artifacts and generate reports from that.”

Gardner: Maybe to give a sense of how this works, we can also look at a before-and-after scenario. Maybe you could describe how things are done now, the before or current status approach or standard operating procedure, and then what would be the case after someone would implement and mature O-ACEML implementation.

Mullen: There are similar tools to this, but they don’t all operate exactly the same way. I’ll use an example of BigFix. If I had a particular system, they would offer a way for you to write your own scripts. You would basically be doing what you would do at the end point, but you would be doing it at the BigFix central console. You would write scripts to do the checking. You would be doing all of this work for each of your different platforms, because everyone is a little bit different.

Then you could use BigFix to push the scripts down. They would run, and hopefully you wrote your scripts correctly. You would get results back. What we want to do with ACEML is when you just put the high-level directive down to the system, it understands ACEML and it knows the proper way to do the checking.

What’s interesting about ACEML, and this is one of our differences from, for example, the security content automation protocol (SCAP), is that instead of the vendor saying, “This is how we do it. It has a repository of how the checking goes and everything like that,” you let the end point make the determination. The end point is aware of what OS it is and it’s aware of what version it is.

For example, with IBM UNIX, which is AIX, you would say “password check at this different level.” We’ve increased our password strength, we’ve done a lot of security enhancements around that. If you push the ACEML to a newer level of AIX, it would do the checking slightly differently. So, it really relies on the platform, the device itself, to understand ACEML and understand how best to do its checking.

We see with small businesses and even some of the larger corporations that they’re maintaining their own scripts. They’re doing everything manually. They’re logging on to a system and running some of those scripts. Or, they’re not running scripts at all, but are manually making all of these settings.

It’s an extremely long and burdensome process, when you start considering that there are hundreds of thousands of these systems. There are different OSs. You have to find experts for your Linux systems or your HP-UX or AIX. You have to have all those different talents and skills in these different areas, and again the process is quite lengthy.

Gardner: Jim Hietala, it sounds like we are focusing on servers to begin with, but I imagine that this could be extended to network devices, other endpoints, other infrastructure. What’s the potential universe of applicability here?

Different classes

Hietala: The way to think about it is the universe of IT devices that are in scope for these various compliance regulations. If you think about PCI DSS, it defines pretty tightly what your cardholder data environment consists of. In terms of O-ACEML, it could be networking devices, servers, storage equipment, or any sort of IT device. Broadly speaking, it could apply to lots of different classes of computing devices.

Gardner: Back to you, Shawn. You mentioned the AIX environment. Could you explain a beginning approach that you’ve had with IBM Compliance Expert, or ICE, that might give us a clue as to how well this could work, when applied even more broadly? How does that heritage in ICE develop, and what would that tell us about what we could expect with O-ACEML?

Mullen: We’ve had ICE and this AIX Compliance Expert, using the XML, for a number of years now. It’s been broadly used by a lot of our customers, not only to secure AIX but to secure the virtualization environment, in particular a virtual I/O server. So we use it for that.

One of the things that ACEML brings is that it has some of the lessons we learned from doing our own proprietary XML. It also brings some lessons we learned when looking at other XML for compliance like XCCDF. One of the things we put in there was a remediation element.

For example, the PCI says that your password length should be seven. COBiT says your password length should be eight. It has the XML, so you can blend multiple compliance requirements with a single policy, choosing the more secure setting, so that both compliance organizations, or other three compliance organizations, gets set properly to meet all of those, and apply it to a singular system.

One of the things that we’re hoping vendors will gravitate toward is the ability to have a central console controlling their IT environment or configuring and monitoring their IT environment. It just has to push out a single XML file. It doesn’t have to push out a special XML for Linux versus AIX versus a network device. It can push out that ACEML file to all of the devices. It’s a singular descriptive XML, and each device, in turn, knows how to map it to its own particular platform in security configuring.

Gardner: Jim Hietala, it sounds as if the low-hanging fruit here would be the compliance and automation benefit, but it also sounds as if this is comprehensive. It’s targeted at a very large set of the devices and equipment in the IT infrastructure. This could become a way of propagating new security policies, protocols, approaches, even standards, down the line. Is that part of the vision here — to be able to offer a means by which an automated propagation of future security changes could easily take place?

Hietala: Absolutely, and it goes beyond just the compliance regulations that are inflicted on us or put on us by government organizations to defining a best practice instead of security policies in the organization. Then, using this as a mechanism to push those out to your environment and to ensure that they are being followed and implemented on all the devices in their IT environment.

So, it definitely goes beyond just managing compliance to these external regulations, but to doing a better job of implementing the ideal security configuration settings across your environment.

Gardner: And because this is being done in an open environment like The Open Group, and because it’s inclusive of any folks or vendors or suppliers who want to take part, it sounds as if this could also cross the chasm between an enterprise, IT set, and a consumer or mobile or external third-party provider set.

Is it also a possibility that we’re going beyond heterogeneity, when it comes to different platforms, but perhaps crossing boundaries into different segments of IT and what we’re seeing with the “consumerization” of IT now? I’ll ask this to either of you or both of you.

Moving to the Cloud

Hietala: I’ll make a quick comment and then turn it over to Shawn. Definitely, if you think about how this sort of a standard might apply towards services that are built in somebody’s Cloud, you could see using this as a way to both set configuration settings and check on the status of configuration settings and instances of machines that are running in a Cloud environment. Shawn, maybe you want to expand on that?

Mullen: It’s interesting that you brought this up, because this is the exact conversation we had earlier today in one of the plenary sessions. They were talking about moving your IT out into the Cloud. One of the issues, aside from just the security, was how do you prove that you are meeting these compliance requirements?

O-ACEML is a way to reach into the Cloud to find your particular system and bring back a report that you can present to your auditor. Even though you don’t own the system — it’s not in the data center here in the next office, it’s off in the cloud somewhere — you can bring back all the artifacts necessary to prove to the auditor that you are meeting the regulatory requirements.

Gardner: Jim, how do folks take further steps to either gather more information? Obviously, this would probably be of interest to enterprises as well as the suppliers, vendors for professional services organizations. What are the next steps? Where can they go to get some information? What should they do to become involved?

Hietala: The standard specification is up on our website. You can go to the “Publications” tab on our website, and do a search for O-ACEML, and you should find the actual technical standard document. Then, you can get involved directly in the Security Forum by joining The Open Group. As the standard evolves, and as we do more with it, we certainly want more members involved in helping to guide the progress of it over time.

Gardner: Thoughts from you, Shawn, on that same getting involved question?

Mullen: That’s a perfect way to start. We do want to invite different compliance organizations, everybody from the electrical power grid — they have their own view of security — to ISO, to payment card industry. For the electrical power grid standard, for example — and ISO is the same way — what ACEML helps them with is they don’t need to understand how Linux does it, how AIX does it. They don’t need to have that deep understanding.

In fact, the way ISO describes it in their PDF around password settings, it basically says, use good password settings, and it doesn’t go into any depth beyond that. The way we architected and designed O-ACEML is that you can just say, “I want good password settings,” and it will default to what we decided. What we focused in on collectively as an international standard in The Open Group was, that good password hygiene means you change your password every six months. It should at least carry this many characters, there should be a non-alpha/numeric.

It removes the burden of these different compliance groups from being security experts and it lets them just use ACEML and the default settings that The Open Group came up with. We want to reach out to those groups and show them the benefits of publishing some of their security standards in O-ACEML. Beyond that, we’ll work with them to have that standard up, and hopefully they can publish it on their website, or maybe we can publish it on The Open Group website.

Next milestones

Gardner: Well, great. We’ve been learning more about the Open Automated Compliance Expert Markup Language, more commonly known as O-ACEML. And we’ve been seeing how it can help assure compliance along with some applicable regulations across different types of equipment, but has the opportunity to perhaps provide more security across different domains, be that cloud or on-premises or even partner networks, while also achieving major cost savings. We’ve been learning how to get started on this and what the maturity timeline is.

Jim Hietala, what would be the next milestone? What should people expect next in terms of how this is being rolled out?

Hietala: You’ll see more from us in terms of adoption of the standard. We’re looking already at case studies and so forth to really describe in terms that everyone can understand what benefits organizations are seeing from using O-ACEML. Given the environment we’re in today, we’re seeing about security breaches and hacktivism and so forth every day in the newspapers.

I think we can expect to see more regulation and more frequent revisions of regulations and standards affecting IT organizations and their security, which really makes it imperative for engineers in IT environment in such a way that you can accommodate those changes, as they are brought to your organization, do so in an effective way, and at the least cost. Those are really the kinds of things that O-ACEML has targeted, and I think there is a lot of benefit to organizations to using it.

Gardner: Shawn, one more question to you as a follow-up to what Jim said, not only that should we expect more regulations, but we’ll see them coming from different governments, different strata of governments, so state, local, federal perhaps. For a multinational organization, this could be a very complex undertaking, so I’m curious as to whether O-ACEML could also help when it comes to managing multiple regulations across multiple jurisdictions for larger organizations.

Mullen: That was the goal when we came up with O-ACEML. Anybody could author it, and again, if a single system fell under the purview of multiple compliance requirements, we could plan that together and that system would be a multiple one. It’s an international standard, we want it to be used by multiple compliance organizations. And compliance is a good thing. It’s just good IT governance. It will save companies money in the long run, as we saw with these statistics. The goal is to lower the cost of being compliant, so you get good IT governance, just with a lower cost.

Gardner: Thanks. This sponsored podcast is coming to you in conjunction with The Open Group Conference in Austin, Texas, in the week of July 18, 2011. Thanks to both our guests. Jim Hietala, the Vice President of Security at The Open Group. Thank you, Jim.

Hietala: Thank you, Dana.

Gardner: And also Shawn Mullen, Power Software Security Architect at IBM. Thank you, Shawn.

Mullen: Thank you, Dana.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks again for listening, and come back next time.

Copyright The Open Group 2011. All rights reserved.

Dana Gardner is the Principal Analyst at Interarbor Solutions, which identifies and interprets the trends in Services-Oriented Architecture (SOA) and enterprise software infrastructure markets. Interarbor Solutions creates in-depth Web content and distributes it via BriefingsDirect™ blogs, podcasts and video-podcasts to support conversational education about SOA, software infrastructure, Enterprise 2.0, and application development and deployment strategies.

How strategic planning relates to Enterprise Architecture

By Serge Thorn, Architecting the Enterprise

TOGAF® often refers to Strategic Planning without specifying the details of what it consists of. This document explains why there is a perfect fit between the two.

Strategic Planning means different things to different people. The one constant is its reference to Business Planning which usually occurs annually in most companies. One of the activities of this exercise is the consideration of the portfolio of projects for the following financial year, also referred to as Project Portfolio Management (PPM). This activity may also be triggered when a company modifies its strategy or the priority of its current developments.

Drivers for Strategic Planning may be:

  • New products or services
  • A need for greater business flexibility and agility
  • Merger & acquisition
  • Company reorganization
  • Consolidation of manufacturing plants, lines of business, partners, information systems
  • Cost reduction
  • Risk mitigation
  • Business process management initiatives
  • Business process outsourcing
  • Facilities outsourcing or insourcing
  • Off-shoring

Strategic Planning as a process may include activities such as:

1. The definition of the mission and objectives of the enterprise

Most companies have a mission statement depicting the business vision, the purpose and value of the company and the visionary goals to address future opportunities. With that business vision, the board of the company defines the strategic (e.g. reputation, market share) and financial objectives (e.g. earnings growth, sales targets).

2. Environmental analysis

The environmental analysis may include the following activities:

  • Internal analysis of the enterprise
  • Analysis of the enterprise’s industry
  • A PEST Analysis (Political, Economic, Social, and Technological factors). It is very important that an organization considers its environment before beginning the marketing process. In fact, environmental analysis should be continuous and feed all aspects of planning, identifying the strengths and weaknesses, the opportunities and threats (SWOT).

3. Strategy definition

Based on the previous activities, the enterprise matches its strengths to opportunities, addresses its weaknesses and external threats, and elaborates a strategic plan. This plan may then be refined at different levels in the enterprise. Below is a diagram explaining the various levels of plans.

To build that strategy, an Enterprise Strategy Model may be used to represent the Enterprise situation accurately and realistically for both past and future views. This can be based on Business Motivation Modeling (BMM), which allows developing, communicating and managing a Strategic Plan. Another possibility is the use of the Business Model Canvas, which allows the company to develop and sketch out new or existing business models (refer to the work of Alexander Osterwalder).

The model’s analyses should consider important strategic variables such as customers’ demand expectations, pricing and elasticity, competitor behavior, emissions regulations, future input, and labor costs.

These variables are then mapped to the most important business processes (capacity, business capabilities, constraints) and to economic performance to determine the best decision for each scenario. The strategic model can be based on business processes such as customer, operation or background processes. Scenarios can then be segmented and analyzed by customer, product portfolio, network redesign, long-term recruiting and capacity, and mergers and acquisitions to describe Segment Business Plans.

4. Strategy Implementation

The selected strategy is implemented by means of programs, projects, budgets, processes and procedures. The way in which the strategy is implemented can have a significant impact on whether it will be successful, and this is where Enterprise Architecture may have a significant role to play. Often, the people formulating the strategy are different from those implementing it. The way the strategy is communicated is a key element of the success and should be clearly explained to the different layers of management including the Enterprise Architecture team.

To support that strategy, different levels of architecture can be considered, such as strategic, segment or capability architectures.

The diagram below illustrates different examples of new business capabilities linked to a Strategic Architecture.

It also illustrates how Strategic Architecture supports the enterprise’s vision and the strategic plan communicated to an Enterprise Architecture team.

Going to the next level allows the various deliverables and the associated new business capabilities to be described in better detail. The segment architecture maps perfectly to the Segment Business Plan.

5. Evaluation and monitoring

The implementation of the strategy must be monitored and adjustments made as required.

Evaluation and monitoring consists of the following steps:

  • Definition of KPIs, measurement and metrics
  • Definition of target values for these KPIs
  • Perform measurements
  • Compare measured results to the pre-defined standard
  • Make necessary changes

Strategic Planning and Enterprise Architecture should ensure that information systems do not operate in a vacuum. At its core, TOGAF® 9 supports a strong set of guidelines that were promoted in the previous version, and surrounds them with guidance on how to adopt and apply TOGAF® to the enterprise for Strategic Planning initiatives. The ADM diagram below clearly indicates the integration between the two processes.

The company’s mission and vision must be communicated to the Enterprise Architecture team, which then maps Business Capabilities to the different Business Plan levels.

Many Enterprise Architecture projects are focused at low levels but should be aligned with Strategic Corporate Planning. Enterprise Architecture is a critical discipline and one of the Strategic Planning mechanisms for structuring an enterprise. TOGAF® 9 is without doubt an effective framework for working with stakeholders through Strategic Planning and architecture work, especially for organizations that are actively transforming themselves.

This article has previously appeared in Serge Thorn’s personal blog and appears here with his permission.

Serge Thorn is CIO of Architecting the Enterprise. He has worked in the IT Industry for over 25 years, in a variety of roles, which include Development and Systems Design, Project Management, Business Analysis, IT Operations, IT Management, IT Strategy, Research and Innovation, IT Governance, Architecture and Service Management (ITIL). He has more than 20 years of experience in Banking and Finance and 5 years of experience in the Pharmaceuticals industry. Among various roles, he has been responsible for the Architecture team in an international bank, where he gained wide experience in the deployment and management of information systems in Private Banking, Wealth Management, and also in IT architecture domains such as the Internet, dealing rooms, inter-banking networks, and Middle and Back-office. He then took charge of IT Research and Innovation (a function which consisted of motivating, encouraging creativity, and innovation in the IT Units), with a mission to help to deploy a TOGAF based Enterprise Architecture, taking into account the company IT Governance Framework. He also chaired the Enterprise Architecture Governance worldwide program, integrating the IT Innovation initiative in order to identify new business capabilities that were creating and sustaining competitive advantage for his organization. Serge has been a regular speaker at various conferences, including those by The Open Group. His topics have included, “IT Service Management and Enterprise Architecture”, “IT Governance”, “SOA and Service Management”, and “Innovation”. Serge has also written several articles and whitepapers for different magazines (Pharma Asia, Open Source Magazine). He is the Chairman of the itSMF (IT Service Management forum) Swiss chapter and is based in Geneva, Switzerland.

PODCAST: Industry moves to fill gap for building trusted supply chain technology accreditation

By Dana Gardner, Interarbor Solutions

Listen to this recorded podcast here: BriefingsDirect-IT Industry Looks to Open Trusted Technology Forum to Help Secure Supply Chains That Support Technology Products

The following is the transcript of a sponsored podcast panel discussion on how the OTTF is developing an accreditation process for trusted technology, in conjunction with The Open Group Conference, Austin 2011.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect. Today, we present a sponsored podcast discussion in conjunction with The Open Group Conference in Austin, Texas, the week of July 18, 2011.

We’ve assembled a distinguished panel to update us on The Open Group Trusted Technology Forum, also known as the OTTF, and an accreditation process to help technology acquirers and buyers safely conduct global procurement and supply chain commerce. We’ll examine how the security risk for many companies and organizations has only grown, even as these companies form essential partnerships and integral supplier relationships. So, how can all the players in a technology ecosystem gain assurances that the other participants are adhering to best practices and taking the proper precautions?

Here to help us better understand how established standard best practices and an associated accreditation approach can help make supply chains stronger and safer is our panel. We’re here with Dave Lounsbury, the Chief Technical Officer at The Open Group. Welcome back, Dave.

Dave Lounsbury: Hello Dana. How are you?

Gardner: Great. We are also here with Steve Lipner, Senior Director of Security Engineering Strategy in the Trustworthy Computing Security at Microsoft. Welcome back, Steve.

Steve Lipner: Hi, Dana. Glad to be here.

Gardner: We’re here also with Joshua Brickman, Director of the Federal Certification Program Office at CA Technologies. Welcome, Joshua.

Joshua Brickman: Thanks for having me.

Gardner: And, we’re here too with Andras Szakal. He’s the Vice President and CTO of IBM’s Federal Software Group. Welcome back, Andras.

Andras Szakal: Thank you very much, Dana. I appreciate it.

Gardner: Dave, let’s start with you. We’ve heard so much lately about “hacktivism,” break-ins, and people being compromised. These are some very prominent big companies, both public and private. How important is it that we start to engage more with things like the OTTF?

No backup plan

Lounsbury: Dana, a great quote coming out of this week’s conference was that we have moved the entire world’s economy to being dependent on the Internet, without a backup plan. Anyone who looks at the world economy will see, not only are we dependent on it for exchange of value in many cases, but even information about how our daily lives are run, traffic, health information, and things like that. It’s becoming increasingly vitally important that we understand all the aspects of what it means to have trust in the chain of components that deliver that connectivity to us, not just as technologists, but as people who live in the world.

Gardner: Steve Lipner, your thoughts on how this problem seems to be only getting worse?

Lipner: Well, the attackers are becoming more determined and more visible across the Internet ecosystem. Vendors have stepped up to improve the security of their product offerings, but customers are concerned. A lot of what we’re doing in The Open Group and in the OTTF is about trying to give them additional confidence of what vendors are doing, as well as inform vendors what they should be doing.

Gardner: Joshua Brickman, this is obviously a big topic and a very large and complex area. From your perspective, what is it that the OTTF is good at? What is it focused on? What should we be looking to it for in terms of benefit in this overall security issue?

Brickman: One of the things that I really like about this group is that you have all of the leaders, everybody who is important in this space, working together with one common goal. Today, we had a discussion where one of the things we were thinking about is, whether there’s a 100 percent fail-safe solution to cyber? And there really isn’t. There is just a bar that you can set, and the question is how much do you want to make the attackers spend, before they can get over that bar? What we’re going to try to do is establish that level, and working together, I feel very encouraged that we are getting there, so far.

Gardner: Andras, we are not just trying to set the bar, but we’re also trying to enforce, or at least have clarity into, what other players in an ecosystem are doing. So that accreditation process seems to be essential.

Szakal: We’re going to develop a standard, or are in the process of developing a specification and ultimately an accreditation program, that will validate suppliers and providers against that standard. It’s focused on building trust into a technology provider organization through this accreditation program, facilitated through either one of several different delivery mechanisms that we are working on. We’re looking for this to become a global program, with global partners, as we move forward.

Gardner: It seems as if almost anyone is a potential target, and when someone decides to target you, you do seem to suffer. We’ve seen things with Booz Allen, RSA, and consumer organizations like Sony. Is this something that almost everyone needs to be more focused on? Are we at the point now where there is no such thing as turning back, Dave Lounsbury?

Global effort

Lounsbury: I think there is, and we have talked about this before. Any electronic or information system now is really built on components and software that are delivered from all around the globe. We have software that’s developed in one continent, hardware that’s developed in another, integrated in a third, and used globally. So, we really do need to have the kinds of global standards and engagement that Andras has referred to, so that there is that one bar for all to clear in order to be considered as a provider of trusted components.

Gardner: As we’ve seen, there is a weak link in any chain, and the hackers or the cyber criminals or the state sponsored organizations will look for those weak links. That’s really where we need to focus.

Lounsbury: I would agree with that. In fact, some of the other outcomes of this week’s conference have been the change in these attacks, from just nuisance attacks, to ones that are focused on monetization of cyber crimes and exfiltration of data. So the spectrum of threats is increasing a lot. More sophisticated attackers are looking for narrower and narrower attack vectors each time. So we really do need to look across the spectrum of how this IT technology gets produced in order to address it.

Gardner: Steve Lipner, it certainly seems that the technology supply chain is essential. If there is weakness there, then it’s difficult for the people who deploy those technologies to cover their bases. It seems that focusing on the technology providers, the ecosystems that support them, is a really necessary first step to taking this to a larger, either public or private, buyer side value.

Lipner: The tagline we have used for The Open Group TTF is “Build with Integrity, Buy with Confidence.” We certainly understand that customers want to have confidence in the hardware and software of the IT products that they buy. We believe that it’s up to the suppliers, working together with other members of the IT community, to identify best practices and then articulate them, so that organizations up and down the supply chain will know what they ought to be doing to ensure that customer confidence.

Gardner: Let’s take a step back and get a little bit of a sense of where this process that you are all involved with is. I know you’re all on working groups and in other ways involved in moving this forward, but it’s been about six months now since The OTTF was developed initially, and there was a white paper to explain that. Perhaps, one of you will volunteer to give us sort of a state of affairs where things are. Then, we’d also like to hear an update about what’s been going on here in Austin. Anyone?

Szakal: Well, as the chair, I have the responsibility of keeping track of our milestones, so I’ll take that one. A, we completed the white paper earlier this year, in the first quarter. The white paper was visionary in nature, and it was obviously designed to help our constituents understand the goals of the OTTF. However, in order to actually make this a normative specification and design a program, around which you would have conformance and be able to measure suppliers’ conformity to that specification, we have to develop a specification with normative language.

First draft

We’re finishing that up as we speak and we are going to have a first draft here within the next month. We’re looking to have that entire specification go through company review in the fourth quarter of this year.

Simultaneously, we’ll be working on the accreditation policy and conformance criteria and evidence requirements necessary to actually have an accreditation program, while continuing to liaise with other evaluation schemes that are interested in partnering with us. In a global international environment, that’s very important, because there exist more than one of these regimes that we will have to exist, coexist, and partner with. Over the next year, we’ll have completed the accreditation program and have begun testing of the process, probably having to make some adjustments along the way. We’re looking at sometime within the first half of 2012 for having a completed program to begin ramping up.

Gardner: Is there an update on the public sector’s, or in the U.S., the federal government’s, role in this? Are they active? Are they leading? How would you characterize the public role or where you would like to see that go?

Szakal: The Forum itself continues to liaise with the government and all of our constituents. As you know, we have several government members that are part of the TTF and they are just as important as any of the other members. We continue to provide updates to many of the governments that we are working with globally to ensure they understand the goals of the OTTF and how they can provide value synergistically with what we are doing, as we would to them.

Gardner: I’ll throw this back out to the panel. How about the activities this week at the conference? What have been the progress or insights that you can point to from that?

Brickman: We’ve been meeting for the first couple of days and we have made tremendous progress on wrapping up our framework and getting it ready for the first review. We’ve also been meeting with several government officials. I can’t say who they are, but what’s been good about it is that they’re very positive on the work that we’re doing, they support what we are doing and want to continue this discussion. It’s very much a partnership, and we do feel like it’s not just an industry-led project, where we have participation from folks who could very much be the consumers of this initiative.

Gardner: Clearly, there are a lot of stakeholders around the world, across both the public and private domains. Dave Lounsbury, what’s possible? What would we gain if this is done correctly? How would we tangibly look to improvements? I know that’s hard with security. It’s hard to point out what doesn’t happen, which is usually the result of proper planning, but how would you characterize the value of doing this all correctly say a year or two from now?

Awareness of security

Lounsbury: One of the trends we’ll see is that people are increasingly going to be making decisions about what technology to produce and who to partner with, based on more awareness of security.

A very clear possible outcome is that there will be a set of simple guidelines and ones that can be implemented by a broad spectrum of vendors, where a consumer can look and say, “These folks have followed good practices. They have baked secure engineering, secure design, and secure supply chain processes into their thing, and therefore I am more comfortable in dealing with them as a partner.”

Of course, what that means is that, not only do you end up with more confidence in your supply chain and the components for getting to that supply chain, but also it takes a little bit of work off your plate. You don’t have to invest as much in evaluating your vendors, because you can use commonly available and widely understood sort of best practices.

From the vendor perspective, it’s helpful because we’re already seeing places where a company, like a financial services company, will go to a vendor and say, “We need to evaluate you. Here’s our checklist.” Of course, the vendor would have to deal with many different checklists in order to close the business, and this will give them some common starting point.

Of course, everybody is going to customize and build on top of what that minimum bar is, depending on what kind of business they’re in. But at least it gives everybody a common starting point, a common reference point, some common vocabulary for how they are going to talk about how they do those assessments and make those purchasing decisions.

Gardner: Steve Lipner, do you think that this is going to find its way into a lot of RFPs, beginning a sales process, looking to have a major checkbox around these issues? Is that sort of how you see this unfolding?

Lipner: If we achieve the sort of success that we are aiming for and anticipating, you’ll see requirements for the OTTF, not only in RFPs, but also potentially in government policy documents around the world, basically aiming to increase the trust of broad collections of products that countries and companies use.

Gardner: Joshua Brickman, I have to imagine that this is a living type of an activity that you never really finish. There’s always something new to be done, a type of threat that’s evolving that needs to be reacted to. Would the TTF over time take on a larger role? Do you see it expanding into larger set of requirements, even as it adjusts to the contemporary landscape?

Brickman: That’s possible. I think that we are going to try to get something achievable out there in a timeframe that’s useful and see what sticks. One of the things that will happen is that as companies start to go out and test this, as with any other standard, the 1.0 standard will evolve to something that will become more germane, and as Steve said, will hopefully be adopted worldwide.

Agile and useful

It’s absolutely possible. It could grow. I don’t think anybody wants it to become a behemoth. We want it to be agile, useful, and certainly something readable and achievable for companies that are not multinational billion dollar companies, but also companies that are just out there trying to sell their piece of the pie into the space. That’s ultimately the goal of all of us, to make sure that this is a reasonable achievement.

Lounsbury: Dana, I’d like to expand on what Joshua just said. This is another thing that has come out of our meetings this week. We’ve heard a number of times that governments, of course, feel the need to protect their infrastructure and their economies, but also have a realization that because of the rapid evolution of technology and the rapid evolution of security threats that it’s hard for them to keep up. It’s not really the right vehicle.

There really is a strong preference. The U.S. strategy on this is to let industry take the lead. One of the reasons for that is the fact that industry can evolve, in fact must evolve, at the pace of the commercial marketplace. Otherwise, they wouldn’t be in business.

So, we really do want to get that first stake in the ground and get this working, as Joshua said. But there is some expectation that, over time, the industry will drive the evolution of security practices and security policies, like the ones OTTF is developing at the pace of commercial market, so that governments won’t have to do that kind of regulation which may not keep up.

Gardner: Andras, any thoughts from your perspective on this ability to keep up in terms of market forces? How do you see the dynamic nature of this being able to be proactive instead of reactive?

Szakal: One of our goals is to ensure that the viability of the specification itself, the best practices, are updated periodically. We’re talking about potentially yearly. And to include new techniques and the application of potentially new technologies to ensure that providers are implementing the best practices for development engineering, secure engineering, and supply chain integrity. It’s going to be very important for us to continue to evolve these best practices over a period of time and not allow them to fall into a state of static disrepair.

I’m very enthusiastic, because many of the members are very much in agreement that this is something that needs to be happening in order to actually raise the bar on the industry, as we move forward, and help the entire industry adopt the practices and then move forward in our journey to secure our critical infrastructure.

Gardner: Given that this has the potential of being a fairly rapidly evolving standard that may start really appearing in RFPs and be impactful for real world business success, how should enterprises get involved from the buy side? How should suppliers get involved from the sell side, given that this is seemingly a market driven, private enterprise driven activity?

I’ll throw this out to the crowd. What’s the responsibility from the buyers and the sellers to keep this active and to keep themselves up-to-date?

Lounsbury: Let me take the first stab at this. The reason we’ve been able to make the progress we have is that we’ve got the expertise in security from all of these major corporations and government agencies participating in the TTF. The best way to maintain that currency and maintain that drive is for people who have a problem, if you’re on the buy side or expertise from either side, to come in and participate.

Hands-on awareness

You have got the hands-on awareness of the market, and bringing that in and adding that knowledge of what is needed to the specification and helping move its evolution along is absolutely the best thing to do.

That’s our steady state, and of course the way to get started on that is to go and look at the materials. The white paper is out there. I expect we will be doing snapshots of early versions of this that would be available, so people can take a look at those. Or, come to an Open Group Conference and learn about what we are doing.

Gardner: Anyone else have a reaction to that? I’m curious. Given that we are looking to the private sector and market forces to be the drivers of this, will they also be the drivers in terms of enforcement? Is this voluntary? One would hope that market forces reward those who seek accreditation and demonstrate adhesion to the standard, and that those who don’t would suffer. Or is there a potential for more teeth and more enforcement? Again, I’ll throw this out to the panel at large.

Szakal: As vendors, we’d like to see minimal regulation and that’s simply the nature of the beast. In order for us to conduct our business and lower the cost of market entry, I think that’s important.

I think it’s important that we provide leadership within the industry to ensure that we’re following the best practices to ensure the integrity of the products that we provide. It’s through that industry leadership that we will avoid potential damaging regulations across different regional environments.

We certainly wouldn’t want to see different regulations pop-up in different places globally. It makes for very messy technology insertion opportunity for us. We’re hoping that by actually getting engaged and providing some self-regulation, we won’t see additional government or international regulation.

Lipner: One of the things that my experience has taught me is that customers are very aware these days of security, product integrity, and the importance of suppliers paying attention to those issues. Having a robust program like the TTF and the certifications that it envisions will give customers confidence, and they will pay attention to that. That will change their behavior in the market even without formal regulations.

Gardner: Joshua Brickman, any thoughts on the self-regulation benefits? If that doesn’t work, is it self-correcting? Is there a natural approach that if this doesn’t work at first, that a couple of highly publicized incidents and corporations that suffer for not regulating themselves properly, would right that ship, so to speak?

Brickman: First of all, industry setting the standard is an idea that has been thrown around a while, and I think that it’s great to see us finally doing it in this area, because we know our stuff the best.

But as far as an incident indicating that it’s not working, I don’t think so. We’re going to try to set up a standard, whereby we’re providing public information about what our products do and what we do as far as best practices. At the end of the day the acquiring agency, or whatever, is going to have to make decisions, and they’re going to make intelligent decisions, based upon looking at folks that choose to go through this and folks that choose not to go through it.

It will continue

The bad news that continues to come out is going to continue to happen. The only thing that they’ll be able to do is to look to the companies that are the experts in this to try to help them with that, and they are going to get some of that with the companies that go through these evaluations. There’s no question about it.

At the end of the day, this accreditation program is going to shake out the products and companies that really do follow best practices for secure engineering and supply chain best practices.

Gardner: What should we expect next? As we heard, there has been a lot of activity here in Austin at the conference. We’ve got that white paper. We’re working towards more mature definitions and approaching certification and accreditation types of activities. What’s next? What milestone should we look to? Andras, this is for you.

Szakal: Around November, we’re going to be going through company review of the specification and we’ll be publishing that in the fourth quarter.

We’ll also be liaising with our government and international partners during that time and we’ll also be looking forward to several upcoming conferences within The Open Group where we conduct those activities. We’re going to solicit some of our partners to be speaking during those events on our behalf.

As we move into 2012, we’ll be working on the accreditation program, specifically the conformance criteria and the accreditation policy, and liaising again with some of our international partners on this particular issue. Hopefully we will, if all things go well and according to plan, come out of 2012 with a viable program.

Gardner: Dave Lounsbury, any further thoughts about next steps, what people should be looking for, or even where they should go for more information?

Lounsbury: Andras has covered it well. Of course, you can always learn more by going to www.opengroup.org and looking on our website for information about the OTTF. You can find drafts of all the documents that have been made public so far, and there will be our white paper and, of course, more information about how to become involved.

Gardner: Very good. We’ve been getting an update about The Open Group Trusted Technology Forum, OTTF, and seeing how this can have a major impact from a private sector perspective and perhaps head off issues about lack of trust and lack of clarity in a complex evolving technology ecosystem environment.

I’d like to thank our guests. We’ve been joined by Dave Lounsbury, Chief Technical Officer at The Open Group. Thank you, sir.

Lounsbury: Thank you, Dana.

Gardner: Steve Lipner, the Senior Director of Security Engineering Strategy in the Trustworthy Computing Security Group at Microsoft. Thank you, Steve.

Lipner: Thanks, Dana.

Gardner: Joshua Brickman, who is the Director of the Federal Certification Program Office in CA Technologies, has also joined us. Thank you.

Brickman: I enjoyed it very much.

Gardner: And Andras Szakal, Vice President and CTO of IBM’s Federal Software Group. Thank you, sir.

Szakal: It’s my pleasure. Thank you very much, Dana.

Gardner: This discussion has come to you as a sponsored podcast in conjunction with The Open Group Conference in Austin, Texas. We are here the week of July 18, 2011. I want to thank our listeners as well. This is Dana Gardner, Principal Analyst at Interarbor Solutions. Don’t forget to come back next time.

Copyright The Open Group 2011. All rights reserved.

Dana Gardner is the Principal Analyst at Interarbor Solutions, which identifies and interprets the trends in Services-Oriented Architecture (SOA) and enterprise software infrastructure markets. Interarbor Solutions creates in-depth Web content and distributes it via BriefingsDirect™ blogs, podcasts and video-podcasts to support conversational education about SOA, software infrastructure, Enterprise 2.0, and application development and deployment strategies.

Filed under Cybersecurity, Supply chain risk

Google+, spiral galaxies and Louisa’s bright idea

By Stuart Boardman, Getronics

Even a social media lightweight like me could hardly avoid getting caught up in the Google+ hype. It got me thinking about the rate and unpredictability of change in the web world, and the effect on large enterprises of phenomena originating in the consumer and small business market.

The concept of the enterprise is experiencing a change – maybe a radical one. The role of technology is also changing (not for the first time).  New business models are developing which, whilst not technological in nature, would never have been thought of without the technology developments of the last few years. Other business models, around for a bit longer and not technological in nature are pushing technology in a different direction. Business models themselves are subject to increasingly frequent and not always predictable change. What does this mean for the practice of enterprise architecture?

Back to Google+. A few years ago, when Web 2.0 was the buzzword and everyone conveniently forgot that the web actually started out as a vehicle for user-generated content and collaboration (sorry, had to get that off my chest), there was quite a battery of social media providers all with their own specializations: Facebook, MySpace, LinkedIn, Plaxo, Flickr and a whole bunch of sites for gamers and metal fans, etc. In Holland, where I live, we had our own, very successful variant on Facebook. Had. In the period since then there’s been increasing consolidation with Facebook developing an astonishing hegemony. I’ll admit that I assumed that’s how it would stay until a new Zuckerberg came up with a totally new game changer. But now here comes Google with a new spin on a familiar story and they look set to chew a big chunk out of the market. Perhaps even the enterprise market.

What’s this have to do with enterprises? Well, the fact is that everyone in the enterprise is out there exchanging ideas via Twitter and LinkedIn and Facebook and Google+ (and whatever specialized sites they might use) and they’re even using those media to tell the rest of the enterprise that they published something internally – because otherwise no one will notice. And then there’s co-creation, which is becoming increasingly common – even in large enterprises. So like it or not, the enterprise is being irreversibly extended out into the blogosphere. And that means that the enterprise is far more exposed to the trends and rapid shifts in the world outside its own boundaries than it has ever been before.

In the meantime, a lot of other stuff has been changing for the enterprise. Extended Enterprise, the idea that an enterprise’s business processes (some of them) are performed by third parties, who themselves are part of a broad value network, is pretty much established fact for many large and medium-sized organizations. And there are unexpected new business models emerging. Think about app stores. I can’t see inside Steve Jobs’ head but I suspect the app store was developed to support the iPhone – not the other way around. Just like iTunes was developed to support the iPod. But now everyone has app stores (even if Apple doesn’t want them to use the name). The end result of all this has been to create a whole new market, where new entrepreneurs can develop low-cost software and sell it in bulk across multiple platforms and where those platforms could hardly exist without the app developers. I’m even using an iPhone app (also available on Android) to drive my domestic hi-fi system (from a very respectable English high end designer – not some uber-nerd). The app strengthens the business case for the equipment and makes money for the developer. The app didn’t come with the equipment; I bought it at the app store. App stores themselves are new value propositions for their owners (Apple, etc). In some ways we could regard this as a commercial instantiation of the old Virtual Enterprise idea – an “enterprise” consisting of a loosely coupled, shifting alliance of unrelated legal entities. I like this recent quote from Verna Allee (@vernaallee): “Business models often assume the world revolves around our organization when we really revolve in spiral galaxy ecosystems”. Louisa Leontiades (@MoneyDecisions) is launching a web based, social media driven consultancy, which provides a sort of app store where independent experts can sell tools and frameworks (and yes, get consultancy deals too). Brilliant. 
And of course all this represents a very scattered field of players, business models and solutions.

How are these developments reflected in Enterprise Architecture? In particular what is the effect on architecture vision and the idea of a target state? I came across another interesting discussion recently. Robert Phipps (@robert_phipps) suggested in a discussion with Tom Graves (@tetradian) that an enterprise consists of many vectors, each with its own direction and velocity and each potentially colliding with and therefore affecting the direction and velocity of the others. Sounds pretty abstract but if you accept the metaphor you can see that the target state is going to be different depending on how the various collisions work out. In a “traditional” enterprise, the power relationships between the various vectors are pretty stable and the influence of external factors limited to macro-economic effects. The metaphor is still valid but the scale of the problem much smaller (less entropy). If what I wrote above is correct, there aren’t too many “traditional” enterprises these days.

Tom took the metaphor a bit further and made reference to Quantum theory. That’s also interesting, because it focuses on a probabilistic situation. Architecting for uncertainty. Welcome to the real world. That doesn’t mean there is no value in a target. You have to have some idea what you want to achieve based on what you know now. It just doesn’t need to be too prescriptive. Or put another way, it needs not to be too sensitive to unpredictability. Everything (not just the technology) is likely to have changed before you get there. It certainly increases the relative importance of the first steps on the road to that target. The fewer particle/vector collisions take place within one step, the more chance of achieving something useful. After each step we re-evaluate both target and roadmap. Iterate. Agile EA.

And guess what? This is what we’re supposed to do anyway – design for change, constant delivery of value. No “wait a year and we’ll have something for you”. So if we’ve not been doing that, we’ve not been doing what the enterprise needed from us. All that’s changed is that we will become increasingly irrelevant, if we don’t do it.

Stuart Boardman is a Senior Business Consultant with Getronics Consulting where he co-leads the Enterprise Architecture practice as well as the Cloud Computing solutions group. He is co-lead of The Open Group Cloud Computing Work Group’s Security for the Cloud and SOA project and a founding member of both The Open Group Cloud Computing Work Group and The Open Group SOA Work Group. Stuart is the author of publications by the Information Security Platform (PvIB) in The Netherlands and of his previous employer, CGI. He is a frequent speaker at conferences on the topics of Cloud, SOA, and Identity.

Filed under Enterprise Architecture

Twtpoll results from The Open Group Conference, Austin

The Open Group set up two informal Twitter polls this week during The Open Group Conference, Austin. If you wondered about the results, or just want to see what our Twitter followers think about some topline issues in the industry in very simple terms, see our twtpoll.com results below.

On Day One of the Conference, when the focus of the discussions was on Enterprise Architecture, we polled our Twitter followers about the profession of EA: Do you think we will see a shortage of enterprise architects within the next decade? Why or why not?

The results were split right down the middle.  A sampling of responses:

  • “Yes, if you mean good enterprise architects. No, if you are just referring to those who take the training but have no clue.”
  • “Yes, retirement of Boomers; not enough professionalization.”
  • “Yes, we probably will. EA is becoming more and more important because of fast-changing economies which request fast company change.”
  • “No: budgets, not a priority.”
  • “No. Over just one year, I can see the significant increase of the number of people who are talking EA and realizing the benefits of EA practices.”
  • “No, a majority of companies will still be focusing on short-term improvement because of ongoing current economic status, etc. EA is not a priority.”

On Day Two, while we focused on security, we queried our Twitter followers about data security protection: What type of data security do you think provides the most comprehensive protection of PII? Again, the results were split evenly into thirds:

What do you think of our informal poll results? Do you agree? Disagree? And why?

And let us know if you have thoughts on this one: Do you think SOA is essential for Cloud implementation?

Want some survey results you can really sink your teeth into? View the results of The Open Group’s State of the Industry Cloud Survey. Download the slide deck from The Open Group Bookstore, or read a previous blog post about it.

The Open Group Conference, Austin is now in member meetings. Join us in Taipei or San Francisco for our next Conferences! Hear best practices and case studies on Enterprise Architecture, Cloud, Security and more, presented by preeminent thought leaders in the industry.

Filed under Cloud/SOA, Cybersecurity, Enterprise Architecture

Improve Data Quality and Enable Semantic Interoperability by Adopting the UDEF

By Ron Schuldt, UDEF-IT, LLC

For many years I have been promoting UDEF as an enabler for semantic interoperability. The problem with being an early adopter of UDEF where the benefit is semantic interoperability is that multiple systems need to adopt UDEF before you can begin to realize the benefits. The semantic interoperability benefit is realized by leveraging the UDEF ID that is language and application independent.

Within the last seven or eight months, I realized that UDEF provides an immediate benefit – specifically, when you follow the six basic steps of mapping your data to the UDEF, you improve the clarity of the name associated with the data. The UDEF name adds substantial clarity when compared to the typically cryptic names assigned to fields within an application. The garbage-in, garbage-out problem is likely heavily affected by poor names assigned to the fields. UDEF is a means for correcting the poor names issue which gives the early adopters of UDEF an immediate benefit while enabling the system for interoperability.

Semantic interoperability is one of the topics being discussed at The Open Group Conference, Austin, currently underway this week.

Ron Schuldt is a Senior Partner of UDEF-IT, LLC. He has more than twenty years of experience with national and international data standards covering the gamut from Electronic Data Interchange (EDI) to the National Information Exchange Model (NIEM). He is Chairman of The Open Group UDEF Project.

Filed under Semantic Interoperability

The Open Group releases O-ACEML standard, automates compliance configuration

By Jim Hietala, The Open Group

The Open Group recently published the Open Automated Compliance Expert Markup Language (O-ACEML) standard. This new technical standard addresses needs to automate the process of configuring IT environments to meet compliance requirements. O-ACEML will also enable customer organizations and their auditors to streamline data gathering and reporting on compliance postures.

O-ACEML is aimed at helping organizations to reduce the cost of compliance by easing manual compliance processes. The standard is an open, simple, and well defined XML schema that allows compliance requirements to be described in machine understandable XML, as opposed to requiring humans to interpret text from documents. The standard also allows for a remediation element, which enables multiple requirements (from different compliance regulations) to be blended into a single policy. An example of where this is needed would be in password length and complexity requirements, which may differ between different regulations. O-ACEML allows for the most secure setting to be selected and applied, enabling all of the regulations to be met or exceeded.

O-ACEML is intended to allow platform vendors and compliance management and IT-GRC providers to utilize a common language for exchanging compliance information. The existence of a single common standard will benefit platform vendors and compliance management tool vendors, by reducing development costs and providing a single data interchange format. Customer organizations will benefit by reducing costs for managing compliance in complex IT environments, and by increasing effectiveness. Where previously organizations might have just polled a small but representative sample of their environment to assess compliance, the existence of a standard allowing automated compliance checking makes it feasible to survey the entire environment rather than just a small sample. Organizations publishing government compliance regulations, as well as the de facto standard compliance organizations that have emerged in many industries will benefit by enabling more cost effective adoption and simpler compliance with their regulations and standards.

In terms of how O-ACEML relates to other compliance-related standards and content frameworks, it has similarities to and differences from NIST’s Security Content Automation Protocol (SCAP) and the Unified Compliance Framework (UCF). One of the main differences is that O-ACEML was architected such that a Compliance Organization could author its IT security requirements in a high-level language, without the need to understand the specific configuration commands and settings an OS or device will use to implement the requirement. A distinguishing capability of O-ACEML is that it gathers artifacts as it moves from the Compliance Organization directive, through implementation on a particular device, to the result of the configuration command. The final step of this automation not only produces a computer system configured to meet or exceed the compliance requirements, it also produces an XML document from which compliance reporting can be simplified. The Open Group plans to work with NIST and the creators of the UCF to ensure interoperability and integration between O-ACEML and SCAP and UCF.
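The blending rule described above (apply the most secure value when regulations disagree, then report the result as XML) can be sketched as follows. This is an added example, not part of the original post, and it does not use the O-ACEML schema: the XML element names, the regulation names, and the device settings are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample requirement documents. Element and attribute names are
# hypothetical and are NOT the O-ACEML schema.
REGULATION_A = """
<requirements source="Regulation-A">
  <requirement setting="password.min_length" value="8"/>
  <requirement setting="password.max_age_days" value="90"/>
  <requirement setting="login.lockout_threshold" value="5"/>
</requirements>
"""
REGULATION_B = """
<requirements source="Regulation-B">
  <requirement setting="password.min_length" value="12"/>
  <requirement setting="password.max_age_days" value="180"/>
</requirements>
"""
# Constructed device state: note that the lockout threshold is not configured.
DEVICE = {"password.min_length": 10, "password.max_age_days": 60}

# Which direction is "more secure" for each setting. A blender cannot guess
# this, so a setting without a rule is rejected instead of silently merged.
STRICTER = {
    "password.min_length": max,      # a longer minimum is stricter
    "password.max_age_days": min,    # a shorter lifetime is stricter
    "login.lockout_threshold": min,  # fewer allowed failures is stricter
}


def parse_requirements(xml_text):
    """Return (source, {setting: int_value}) for one requirements document."""
    root = ET.fromstring(xml_text)
    source = root.get("source")
    reqs = {}
    for node in root.findall("requirement"):
        setting = node.get("setting")
        if setting not in STRICTER:
            raise ValueError(f"{source}: no strictness rule for {setting!r}")
        reqs[setting] = int(node.get("value"))
    return source, reqs


def blend(documents):
    """Merge documents into one policy: strictest value per setting, plus a
    record of what each regulation asked for (the audit trail)."""
    policy = {}
    for xml_text in documents:
        source, reqs = parse_requirements(xml_text)
        for setting, value in reqs.items():
            entry = policy.setdefault(setting, {"value": value, "asked": {}})
            entry["asked"][source] = value
            entry["value"] = STRICTER[setting](entry["value"], value)
    return policy


def at_least_as_strict(setting, actual, required):
    """True if the device value meets or exceeds the required value."""
    return actual is not None and STRICTER[setting](actual, required) == actual


def audit(policy, device_config):
    """Check a device against the blended policy and name, per setting, the
    regulations it fails. An unset value fails every regulation that asks."""
    report = []
    for setting in sorted(policy):
        entry = policy[setting]
        actual = device_config.get(setting)
        fails = sorted(src for src, wanted in entry["asked"].items()
                       if not at_least_as_strict(setting, actual, wanted))
        report.append({"setting": setting, "required": entry["value"],
                       "actual": actual, "compliant": not fails,
                       "fails": fails})
    return report


def report_xml(report):
    """Serialize the audit result as a (hypothetical) XML report."""
    root = ET.Element("compliance-report")
    for rec in report:
        actual = "unset" if rec["actual"] is None else str(rec["actual"])
        node = ET.SubElement(root, "result", setting=rec["setting"],
                             required=str(rec["required"]), actual=actual,
                             compliant=str(rec["compliant"]).lower())
        for src in rec["fails"]:
            ET.SubElement(node, "unmet", source=src)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    blended = blend([REGULATION_A, REGULATION_B])
    print(report_xml(audit(blended, DEVICE)))
```

A 10-character minimum satisfies Regulation-A but not the blended policy, which is why the report names the unmet regulation per setting rather than giving a single pass/fail.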

If you have responsibility for managing compliance in your organization, or if you are a vendor whose software product involves compliance or security configuration management, we invite you to learn more about O-ACEML.

An IT security industry veteran, Jim Hietala is Vice President of Security at The Open Group, where he is responsible for security programs and standards activities. He holds the CISSP and GSEC certifications. Jim is based in the U.S.

Filed under Cybersecurity, Standards

What’s in a name? A change of name for our ITAC and ITSC professional certifications

By Steve Philp, The Open Group

With the launch of the new Open Group website this week, we have taken the opportunity to rebrand our two skills- and experience-based certification programs. The IT Architect Certification (ITAC) program has now become The Open Group Certified Architect (Open CA) program. The IT Specialist Certification (ITSC) program has now become The Open Group Certified IT Specialist (Open CITS) program.

The new website (and our new logo for that matter) places much more emphasis on the word “Open”. This is one of the reasons for us changing the names away from something that is not readily associated with The Open Group (i.e. ITAC) to something that is more recognizable as an Open Group certification, i.e. Open CA. However, besides the name change, there haven’t been any changes made to the way in which either program operates. For example, the Open CA program still requires candidates to submit a comprehensive certification package detailing their skills and experience gained on working on architecture-related projects, followed by a rigorous peer review process.

The Open CA program still currently focuses on IT-related work. However, the architecture profession is constantly evolving and to reflect this, The Open Group will incorporate dedicated Business Architecture and Enterprise Architecture streams into the Open CA program at some point in the near future. Our members are working on defining the core skills that an architect needs to have and the specific competencies one needs for each of these three specialist areas. Therefore, going forward, applicants will be able to become an Open CA in:

  • IT Architecture
  • Business Architecture
  • Enterprise Architecture

There are approximately 3,200 individuals who are certified in our Open CA program, and by broadening the scope of the program we hope to certify many more architects. There are more than 2,300 certified IT Specialists in the Open CITS program, and many organizations around the world have identified this type of skills- and experience-based program as a necessary part of the process to develop their own internal IT profession frameworks.

Open CA and Open CITS can be used in the recruitment process and help to guarantee a consistent and quality assured service on project proposals, procurements and on service level agreements. They can also help in the assessment of individuals in specific IT domains and provide a roadmap for their future career development. You can find out more about our programs by visiting the professional certification area of our website.

Steve Philp is the Marketing Director for the Open CA and Open CITS certification programs at The Open Group. Over the past 20 years, Steve has worked predominantly in sales, marketing and general management roles within the IT training industry. Based in Reading, UK, he joined the Open Group in 2008 to promote and develop the organization’s skills and experience-based IT certifications.

Filed under Certifications