Tag Archives: Boundaryless Information Flow

The Open Group Baltimore 2015 Highlights

By Loren K. Baynes, Director, Global Marketing Communications, The Open Group

The Open Group Baltimore 2015, Enabling Boundaryless Information Flow™, July 20-23, was held at the beautiful Hyatt Regency Inner Harbor. Over 300 attendees from 16 countries, including China, Japan, Netherlands and Brazil, attended this agenda-packed event.

The event kicked off on July 20th with a warm Open Group welcome by Allen Brown, President and CEO of The Open Group. The first plenary speaker was Bruce McConnell, Senior VP, East West Institute, whose presentation “Global Cooperation in Cyberspace”, gave a behind-the-scenes look at global cybersecurity issues. Bruce focused on US – China cyber cooperation, major threats and what the US is doing about them.

Allen then welcomed Christopher Davis, Professor of Information Systems, University of South Florida, to The Open Group Governing Board as an Elected Customer Member Representative. Chris also serves as Chair of The Open Group IT4IT™ Forum.

The plenary continued with a joint presentation “Can Cyber Insurance Be Linked to Assurance” by Larry Clinton, President & CEO, Internet Security Alliance and Dan Reddy, Adjunct Faculty, Quinsigamond Community College MA. The speakers emphasized that cybersecurity is not a simply an IT issue. They stated there are currently 15 billion mobile devices and there will be 50 billion within 5 years. Organizations and governments need to prepare for new vulnerabilities and the explosion of the Internet of Things (IoT).

The plenary culminated with a panel “US Government Initiatives for Securing the Global Supply Chain”. Panelists were Donald Davidson, Chief, Lifecycle Risk Management, DoD CIO for Cybersecurity, Angela Smith, Senior Technical Advisor, General Services Administration (GSA) and Matthew Scholl, Deputy Division Chief, NIST. The panel was moderated by Dave Lounsbury, CTO and VP, Services, The Open Group. They discussed the importance and benefits of ensuring product integrity of hardware, software and services being incorporated into government enterprise capabilities and critical infrastructure. Government and industry must look at supply chain, processes, best practices, standards and people.

All sessions concluded with Q&A moderated by Allen Brown and Jim Hietala, VP, Business Development and Security, The Open Group.

Afternoon tracks (11 presentations) consisted of various topics including Information & Data Architecture and EA & Business Transformation. The Risk, Dependability and Trusted Technology theme also continued. Jack Daniel, Strategist, Tenable Network Security shared “The Evolution of Vulnerability Management”. Michele Goetz, Principal Analyst at Forrester Research, presented “Harness the Composable Data Layer to Survive the Digital Tsunami”. This session was aimed at helping data professionals understand how Composable Data Layers set digital and the Internet of Things up for success.

The evening featured a Partner Pavilion and Networking Reception. The Open Group Forums and Partners hosted short presentations and demonstrations while guests also enjoyed the reception. Areas focused on were Enterprise Architecture, Healthcare, Security, Future Airborne Capability Environment (FACE™), IT4IT™ and Open Platform™.

Exhibitors in attendance were Esteral Technologies, Wind River, RTI and SimVentions.

By Loren K. Baynes, Director, Global Marketing CommunicationsPartner Pavilion – The Open Group Open Platform 3.0™

On July 21, Allen Brown began the plenary with the great news that Huawei has become a Platinum Member of The Open Group. Huawei joins our other Platinum Members Capgemini, HP, IBM, Philips and Oracle.

By Loren K Baynes, Director, Global Marketing CommunicationsAllen Brown, Trevor Cheung, Chris Forde

Trevor Cheung, VP Strategy & Architecture Practice, Huawei Global Services, will be joining The Open Group Governing Board. Trevor posed the question, “what can we do to combine The Open Group and IT aspects to make a customer experience transformation?” His presentation entitled “The Value of Industry Standardization in Promoting ICT Innovation”, addressed the “ROADS Experience”. ROADS is an acronym for Real Time, On-Demand, All Online, DIY, Social, which need to be defined across all industries. Trevor also discussed bridging the gap; the importance of combining Customer Experience (customer needs, strategy, business needs) and Enterprise Architecture (business outcome, strategies, systems, processes innovation). EA plays a key role in the digital transformation.

Allen then presented The Open Group Forum updates. He shared roadmaps which include schedules of snapshots, reviews, standards, and publications/white papers.

Allen also provided a sneak peek of results from our recent survey on TOGAF®, an Open Group standard. TOGAF® 9 is currently available in 15 different languages.

Next speaker was Jason Uppal, Chief Architecture and CEO, iCareQuality, on “Enterprise Architecture Practice Beyond Models”. Jason emphasized the goal is “Zero Patient Harm” and stressed the importance of Open CA Certification. He also stated that there are many roles of Enterprise Architects and they are always changing.

Joanne MacGregor, IT Trainer and Psychologist, Real IRM Solutions, gave a very interesting presentation entitled “You can Lead a Horse to Water… Managing the Human Aspects of Change in EA Implementations”. Joanne discussed managing, implementing, maintaining change and shared an in-depth analysis of the psychology of change.

“Outcome Driven Government and the Movement Towards Agility in Architecture” was presented by David Chesebrough, President, Association for Enterprise Information (AFEI). “IT Transformation reshapes business models, lean startups, web business challenges and even traditional organizations”, stated David.

Questions from attendees were addressed after each session.

In parallel with the plenary was the Healthcare Interoperability Day. Speakers from a wide range of Healthcare industry organizations, such as ONC, AMIA and Healthway shared their views and vision on how IT can improve the quality and efficiency of the Healthcare enterprise.

Before the plenary ended, Allen made another announcement. Allen is stepping down in April 2016 as President and CEO after more than 20 years with The Open Group, including the last 17 as CEO. After conducting a process to choose his successor, The Open Group Governing Board has selected Steve Nunn as his replacement who will assume the role with effect from November of this year. Steve is the current COO of The Open Group and CEO of the Association of Enterprise Architects. Please see press release here.By Loren K. Baynes, Director, Global Marketing Communications

Steve Nunn, Allen Brown

Afternoon track topics were comprised of EA Practice & Professional Development and Open Platform 3.0™.

After a very informative and productive day of sessions, workshops and presentations, event guests were treated to a dinner aboard the USS Constellation just a few minutes walk from the hotel. The USS Constellation constructed in 1854, is a sloop-of-war, the second US Navy ship to carry the name and is designated a National Historic Landmark.

By Loren K. Baynes, Director, Global Marketing CommunicationsUSS Constellation

On Wednesday, July 22, tracks continued: TOGAF® 9 Case Studies and Standard, EA & Capability Training, Knowledge Architecture and IT4IT™ – Managing the Business of IT.

Thursday consisted of members-only meetings which are closed sessions.

A special “thank you” goes to our sponsors and exhibitors: Avolution, SNA Technologies, BiZZdesign, Van Haren Publishing, AFEI and AEA.

Check out all the Twitter conversation about the event – @theopengroup #ogBWI

Event proceedings for all members and event attendees can be found here.

Hope to see you at The Open Group Edinburgh 2015 October 19-22! Please register here.

By Loren K. Baynes, Director, Global Marketing CommunicationsLoren K. Baynes, Director, Global Marketing Communications, joined The Open Group in 2013 and spearheads corporate marketing initiatives, primarily the website, blog, media relations and social media. Loren has over 20 years experience in brand marketing and public relations and, prior to The Open Group, was with The Walt Disney Company for over 10 years. Loren holds a Bachelor of Business Administration from Texas A&M University. She is based in the US.

1 Comment

Filed under Accreditations, Boundaryless Information Flow™, Cybersecurity, Enterprise Architecture, Enterprise Transformation, Healthcare, Internet of Things, Interoperability, Open CA, Open Platform 3.0, Security, Security Architecture, The Open Group Baltimore 2015, TOGAF®

Managing Your Vulnerabilities: A Q&A with Jack Daniel

By The Open Group

With hacks and security breaches becoming more prevalent everyday, it’s incumbent on organizations to determine the areas where their systems may be vulnerable and take actions to better handle those vulnerabilities. Jack Daniel, a strategist with Tenable Network Security who has been active in securing networks and systems for more than 20 years, says that if companies start implementing vulnerability management on an incremental basis and use automation to help them, they can hopefully reach a point where they’re not constantly handling vulnerability crises.

Daniel will be speaking at The Open Group Baltimore event on July 20, presenting on “The Evolution of Vulnerability Management.” In advance of that event, we recently spoke to Daniel to get his perspective on hacker motivations, the state of vulnerability management in organizations today, the human problems that underlie security issues and why automation is key to better handling vulnerabilities.

How do you define vulnerability management?

Vulnerability detection is where this started. News would break years ago of some vulnerability, some weakness in a system—a fault in the configuration or software bug that allows bad things to happen. We used to really to do a hit-or-miss job of it, it didn’t have to be rushed at all. Depending on where you were or what you were doing, you might not be targeted—it would take months after something was released before bad people would start doing things with it. As criminals discovered there was money to be made in exploiting vulnerabilities, the attackers became more and more motivated by more than just notoriety. The early hacker scene that was disruptive or did criminal things was largely motivated by notoriety. As people realized they could make money, it became a problem, and that’s when we turned to management.

You have to manage finding vulnerabilities, detecting vulnerabilities and resolving them, which usually means patching but not always. There are a lot of ways to resolve or mitigate without actually patching, but the management aspect is discovering all the weaknesses in your environment—and that’s a really broad brush, depending on what you’re worried about. That could be you’re not compliant with PCI if you’re taking credit cards or it could be that bad guys can steal your database full of credit card numbers or intellectual property.

It’s finding all the weaknesses in your environment, the vulnerabilities, tracking them, resolving them and then continuing to track as new ones appear to make sure old ones don’t reappear. Or if they do reappear, what in your corporate process is allowing bad things to happen over and over again? It’s continuously doing this.

The pace of bad things has accelerated, the motivations of the actors have forked in a couple of directions, and to do a good job of vulnerability management really requires gathering data of different qualities and being able to make assessments about it and then applying what you know to what’s the most effective use of your resources—whether it’s time or money or employees to fix what you can.

What are the primary motivations you’re seeing with hacks today?

They fall into a couple big buckets, and there are a whole bunch of them. One common one is financial—these are the people that are stealing credit cards, stealing credentials so they can do bank wire fraud, or some other way to get at money. There are a variety of financial motivators.

There are also some others, depending on who you are. There’s the so-called ‘Hacktivist,’ which used to be a thing in the early days of hacking but has now become more widespread. These are folks like the Syrian Electronic Army or there’s various Turkish groups that through the years have done website defacements. These people are not trying to steal money, they’re trying to embarrass you, they’re trying to promote a message. It may be, as with the Syrian Electronic Army, they’re trying to support the ruler of whatever’s left of Syria. So there are political motivations. Anonymous did a lot of destructive things—or people calling themselves ‘Anonymous’—that’s a whole other conversation, but people do things under the banner of Anonymous as hacktivism that struck out at corporations they thought were unjust or unfair or they did political things.

Intellectual property theft would be the third big one, I think. Generally the finger is pointed at China, but it’s unfair to say they’re the only ones stealing trade secrets. People within your own country or your own market or region are stealing trade secrets continuously, too.

Those are the three big ones—money, hacktivism and intellectual property theft. It trickles down. One of the things that has come up more often over the past few years is people get attacked because of who they’re connected to. It’s a smaller portion of it and one that’s overlooked but is a message that people need to hear. For example, in the Target breach, it is claimed that the initial entry point was through the heating and air conditioning vendors’ computer systems and their access to the HVAC systems inside a Target facility, and, from there, they were able to get through. There are other stories about the companies where organizations have been targeted because of who they do business with. That’s usually a case of trying to attack somebody that’s well-secured and there’s not an easy way in, so you find out who does their heating and air-conditioning or who manages their remote data centers or something and you attack those people and then come in.

How is vulnerability management different from risk management?

It’s a subset of risk management. Risk management, when done well, gives a scope of a very large picture and helps you drill down into the details, but it has to factor in things above and beyond the more technical details of what we more typically think of as vulnerability management. Certainly they work together—you have to find what’s vulnerable and then you have to make assessments as to how you’re going to address your vulnerabilities, and that ideally should be done in a risk-based manner. Because as much as all of the reports from Verizon Data Breach Report and others say you have to fix everything, the reality is that not only can we not fix everything, we can’t fix a lot immediately so you really have to prioritize things. You have to have information to prioritize things, and that’s a challenge for many organizations.

Your session at The Open Group Baltimore event is on the evolution of vulnerability management—where does vulnerability management stand today and where does it need to go?

One of my opening slides sums it up—it used to be easy, and it’s not anymore. It’s like a lot of other things in security, it’s sort of a buzz phrase that’s never really taken off like it needs to at the enterprise level, which is as part of the operationalization of security. Security needs to be a component of running your organization and needs to be factored into a number of things.

The information security industry has a challenge and history of being a department in the middle and being obstructionist, which is I think is well deserved. But the real challenge is to cooperate more. We have to get a lot more information, which means working well with the rest of the organization, particularly networking and systems administrators and having conversations with them as far as the data and the environment and sharing and what we discover as problems without being the judgmental know-it-all security people. That is our stereotype. The adversaries are often far more cooperative than we are. In a lot of criminal forums, people will be fairly supportive of other people in their community—they’ll go up to where they reach the trade-secret level and stop—but if somebody’s not cutting into their profits, rumor is these people are cooperating and collaborating.

Within an organization, you need to work cross-organizationally. Information sharing is a very real piece of it. That’s not necessarily vulnerability management, but when you step into risk analysis and how you manage your environment, knowing what vulnerabilities you have is one thing, but knowing what vulnerabilities people are actually going to do bad things to requires information sharing, and that’s an industry wide challenge. It’s a challenge within our organizations, and outside it’s a real challenge across the enterprise, across industry, across government.

Why has that happened in the Security industry?

One is the stereotype—a lot of teams are very siloed, a lot of teams have their fiefdoms—that’s just human nature.

Another problem that everyone in security and technology faces is that we talk to all sorts of people and have all sorts of great conversations, learn amazing things, see amazing things and a lot of it is under NDA, formal or informal NDAs. And if it weren’t for friend-of-a-friend contacts a lot of information sharing would be dramatically less. A lot of the sanitized information that comes out is too sanitized to be useful. The Verizon Data Breach Report pointed out that there are similarities in attacks but they don’t line up with industry verticals as you might expect them to, so we have that challenge.

Another serious challenge we have in security, especially in the research community, is that there’s total distrust of the government. The Snowden revelations have really severely damaged the technology and security community’s faith in the government and willingness to cooperate with them. Further damaging that are the discussions about criminalizing many security tools—because the people in Congress don’t understand these things. We have a president who claims to be technologically savvy, and he is more than any before him, but he still doesn’t get it and he’s got advisors that don’t get it. So we have a great distrust of the government, which has been earned, despite the fact that any one of us in the industry knows folks at various agencies—whether the FBI or intelligence agencies or military —who are fantastic people—brilliant, hardworking patriotic—but the entities themselves are political entities, and that causes a lot of distrust in information sharing.

And there are just a lot of people that have the idea that they want proprietary information. This is not unique to security. There are a couple of different types of managers—there are people in organizations who strive to make themselves irreplaceable. As a manager, you’ve got to get those people out of your environment because they’re just poisonous. There are other people who strive to make it so that they can walk away at any time and it will be a minor inconvenience for someone to pick up the notes and run. Those are the type of people you should hang onto for dear life because they share information, they build knowledge, they build relationships. That’s just human nature. In security I don’t think there are enough people who are about building those bridges, building those communications paths, sharing what they’ve learned and trying to advance the cause. I think there’s still too many who horde information as a tool or a weapon.

Security is fundamentally a human problem amplified by technology. If you don’t address the human factors in it, you can have technological controls, but it still has to be managed by people. Human nature is a big part of what we do.

You advocate for automation to help with vulnerability management. Can automation catch the threats when hackers are becoming increasingly sophisticated and use bots themselves? Will this become a war of bot vs. bot?

A couple of points about automation. Our adversaries are using automation against us. We need to use automation to fight them, and we need to use as much automation as we can rely on to improve our situation. But at some point, we need smart people working on hard problems, and that’s not unique to security at all. The more you automate, at some point in time you have to look at whether your automation processes are improving things or not. If you’ve ever seen a big retailer or grocery store that has a person working full-time to manage the self-checkout line, that’s failed automation. That’s just one example of failed automation. Or if there’s a power or network outage at a hospital where everything is regulated and medications are regulated and then nobody can get their medications because the network’s down. Then you have patients suffering until somebody does something. They have manual systems that they have to fall back on and eventually some poor nurse has to spend an entire shift doing data entry because the systems failed so badly.

Automation doesn’t solve the problems—you have to automate the right things in the right ways, and the goal is to do the menial tasks in an automated fashion so you have to spend less human cycles. As a system or network administrator, you run into the same repetitive tasks over and over and you write scripts to do it or buy a tool to automate it. They same applies here –you want to filter through as much of the data as you can because one of the things that modern vulnerability management requires is a lot of data. It requires a ton of data, and it’s very easy to fall into an information overload situation. Where the tools can help is by filtering it down and reducing the amount of stuff that gets put in front of people to make decisions about, and that’s challenging. It’s a balance that requires continuous tuning—you don’t want it to miss anything so you want it to tell you everything that’s questionable but it can’t throw too many things at you that aren’t actually problems or people give up and ignore the problems. That was allegedly part of a couple of the major breaches last year. Alerts were triggered but nobody paid attention because they get tens of thousands of alerts a day as opposed to one big alert. One alert is hard to ignore—40,000 alerts and you just turn it off.

What’s the state of automated solutions today?

It’s pretty good if you tune it, but it takes maintenance. There isn’t an Easy Button, to use the Staples tagline. There’s not an Easy Button, and anyone promising an Easy Button is probably not being honest with you. But if you understand your environment and tune the vulnerability management and patch management tools (and a lot of them are administrative tools), you can automate a lot of it and you can reduce the pain dramatically. It does require a couple of very hard first steps. The first step in all of it is knowing what’s in your environment and knowing what’s crucial in your environment and understanding what you have because if you don’t know what you’ve got, you won’t be able to defend it well. It is pretty good but it does take a fair amount of effort to get to where you can make the best of it. Some organizations are certainly there, and some are not.

What do organizations need to consider when putting together a vulnerability management system?

One word: visibility. They need to understand that they need to be able to see and know what’s in the environment—everything that’s in their environment—and get good information on those systems. There needs to be visibility into a lot of systems that you don’t always have good visibility into. That means your mobile workforce with their laptops, that means mobile devices that are on the network, which are probably somewhere whether they belong there or not, that means understanding what’s on your network that’s not being managed actively, like Windows systems that might not be in active directory or RedHat systems that aren’t being managed by satellite or whatever systems you use to manage it.

Knowing everything that’s in the environment and its roles in the system—that’s a starting point. Then understanding what’s critical in the environment and how to prioritize that. The first step is really understanding your own environment and having visibility into the entire network—and that can extend to Cloud services if you’re using a lot of Cloud services. One of the conversations I’ve been having lately since the latest Akamai report was about IPv6. Most Americans are ignoring it even at the corporate level, and a lot of folks think you can ignore it still because we’re still routing most of our traffic over the IPv4 protocol. But IPv6 is active on just about every network out there. It’s just whether or not we actively measure and monitor it. The Akamai Report said something that a lot of folks have been saying for years and that’s that this is really a problem. Even though the adoption is pretty low, what you see if you start monitoring for it is people communicating in IPv6 whether intentionally or unintentionally. Often unintentionally because everythings’s enabled, so there’s often a whole swath of your network that people are ignoring. And you can’t have those huge blind spots in the environment, you just can’t. The vulnerability management program has to take into account that sort of overall view of the environment. Then once you’re there, you need a lot of help to solve the vulnerabilities, and that’s back to the human problem.

What should Enterprise Architects look for in an automated solution?

It really depends on the corporate need. They need to figure out whether or not the systems they’re looking at are going to find most or all of their network and discover all of the weakness, and then help them prioritize those. For example, can your systems do vulnerability analysis on newly discovered systems with little or no input? Can you automate detection? Can you automate confirmation of findings somehow? Can you interact with other systems? There’s a piece, too—what’s the rest of your environment look like? Are there ways into it? Does your vulnerability management system work with or understand all the things you’ve got? What if you have some unique network gear that your vulnerability management systems not going to tell you what the vulnerability’s in? There are German companies that like to use operating systems other than Windows and garden variety Linux distributions. Does it work in your environment and will it give you good coverage in your environment and can it take a lot of the mundane out of it?

How can companies maintain Boundaryless Information Flow™–particularly in an era of the Internet of Things–but still manage their vulnerabilities?

The challenge is a lot of people push back against high information flow because they can’t make sense of it; they can’t ingest the data, they can’t do anything with it. It’s the challenge of accepting and sharing a lot of information. It doesn’t matter whether vulnerability management or lot analysis or patch management or systems administration or back up or anything—the challenge is that networks have systems that share a lot of data but until you add context, it’s not really information. What we’re interested in in vulnerability management is different than what you’re automated backup is. The challenge is having systems that can share information outbound, share information inbound and then act rationally on only that which is relevant to them. That’s a real challenge because information overload is a problem that people have been complaining about for years, and it’s accelerating at a stunning rate.

You say Internet of Things, and I get a little frustrated when people treat that as a monolith because at one end an Internet enabled microwave or stove has one set of challenges, and they’re built on garbage commodity hardware with no maintenance ability at all. There are other things that people consider Internet of Things because they’re Internet enabled and they’re running Windows or a more mature Linux stack that has full management and somebody’s managing it. So there’s a huge gap between the managed IoT and the unmanaged, and the unmanaged is just adding low power machines in environments that will just amplify things like distributed denial of service (DoS). As it is, a lot of consumers have home routers that are being used to attack other people and do DoS attacks. A lot of the commercial stuff is being cleaned up, but a lot of the inexpensive home routers that people have are being used, and if those are used and misused or misconfigured or attacked with worms that can change the settings for things to have everything in the network participate in.

The thing with the evolution of vulnerability management is that we’re trying to drive people to a continuous monitoring situation. That’s where the federal government has gone, that’s where a lot of industries are, and it’s a challenge to go from infrequent or even frequent big scans to watching things continuously. The key is to take incremental steps, and the goal is, instead of having a big massive vulnerability project every quarter or every month, the goal is to get down to where it’s part of the routine, you’re taking small remediated measures on a daily or regular basis. There’s still going to be things when Microsoft or Oracle come out with a big patch that will require a bigger tool-up but you’re going to need to do this continuously and reach that point where you do small pieces of the task continuously rather than one big task. That’s the goal is to get to where you’re doing this continuously so you get to where you’re blowing out birthday candles rather than putting out forest fires.

Jack Daniel, a strategist at Tenable Network Security, has over 20 years experience in network and system administration and security, and has worked in a variety of practitioner and management positions. A technology community activist, he supports several information security and technology organizations. Jack is a co-founder of Security BSides, serves on the boards of three Security BSides non-profit corporations, and helps organize Security B-Sides events. Jack is a regular, featured speaker at ShmooCon, SOURCE Boston, DEF CON, RSA and other marque conferences. Jack is a CISSP, holds CCSK, and is a Microsoft MVP for Enterprise Security.

Join the conversation – @theopengroup #ogchat #ogBWI

1 Comment

Filed under Boundaryless Information Flow™, Internet of Things, RISK Management, Security, the open group, The Open Group Baltimore 2015

The Open Group Healthcare Forum Publishes First Whitepaper and Announces New Member

By The Open Group

The Open Group Healthcare Forum has published its first whitepaper, “Enhancing Health Information Exchange with the FHIM” which examines the Federal Health Information Model (FHIM) and its efforts to bring semantic interoperability to the Healthcare industry.

The document was developed in response to a 2014 request to the Healthcare Forum made by the Federal Health Architecture program (FHA), an E-Government Line of Business initiative managed by ONC. The Forum was asked to evaluate the FHIM and to detail its potential usefulness to the wider Healthcare ecosystem. In response, The Healthcare Forum developed a whitepaper that highlights the strengths of the FHIM and the challenges it faces. Contributors came from organizations based across the globe including HP (US), Dividend Group (Canada), Sykehuspartner (Norway), and Philips Medical Systems (Germany).

The FHIM is a key component of a multimillion dollar effort to enable data sharing across the Healthcare enterprise. It has relevance worldwide as US federal agencies are among the leading markets for healthcare technology and processes. By identifying examples of FHIM adoption, understanding barriers to its adoption, and relating the FHIM to other major efforts to achieve Healthcare interoperability, the white paper reflects The Healthcare Forum’s support of Boundaryless Information Flow™, which continues to be engaged in this important work and expects to publish new insights in the second white paper in this series, planned for late 2015. The full whitepaper can be found here to download.

At the same time The Open Group Healthcare Forum has also announced that The Office of the National Coordinator for Health Information Technology (ONC – part of the U.S. Department of Health and Human Services) as its latest key member.

FHA Director Gail Kalbfleisch commented on the announcement, “We look forward to this membership opportunity with the Healthcare Forum, and becoming a part of the synergy that comes from collaborating with other members.”

Allen Brown, President & CEO of The Open Group also welcomed the news, “We are delighted to welcome the ONC to The Open Group Healthcare Forum following the evaluation of the FHIM by our members. The efficient and effective flow of secure healthcare information through healthcare systems is a critical goal of all who are engaged in that industry and is core to the vision of The Open Group which is Boundaryless Information Flow™, achieved through global interoperability in a secure, reliable and timely manner“.

Leave a comment

Filed under Boundaryless Information Flow™, Healthcare, whitepaper

Why We Like ArchiMate®

What Are Your Thoughts?

By Allen Brown, President & CEO of The Open Group

This year marks the 30th anniversary of my class graduation from the London Business School MBA program. It was 3 years of working full-time for Unilever and studying every minute possible, and tackling what seemed to be impossible case studies on every subject that you would have to deal with when managing a business.

One of the many core subjects was “Operations Management”: organizing people, materials and technology into an efficient unit. The first thing we were taught was that there are no rules, only pressures and opportunities. The next thing was that there are no boundaries to what can have an impact on the subject: from macro issues of structure and infrastructure to micro issues of marketing, capabilities, location, motivation and much more. It required a lot of analysis and a lot of thinking around realistic solutions of how to change the “now” state.

To support this, one of the techniques we were taught was modeling. There was one case study that I recall was about a small company of less than 150 personnel engaged in the manufacture and development of fast sea-based transport. As part of the analysis I modeled the physical flow system which covered all aspects of the operation from sales to customer feedback and from design to shipment – all in pencil and all on one page. An extract is shown here.

By Allen Brown, President & CEO, The Open Group

I don’t know if it’s just me but that looks very similar to some ArchiMate® models I have seen. OK there is not a specific box or symbol for the actors and their roles or for identifying processes but it is clear, who is responsible what, the function or process that they perform and the information or instructions they pass to or receive from their colleagues.

So it should not be surprising that I would like ArchiMate®, even before it became a standard of The Open Group and by the same token many people holding senior positions in organizations today, have also been through MBA programs in the past, or some form of executive training and as such would be familiar with the modeling that I and my classmates were taught and would therefore easily understand ArchiMate models.

Since graduating, I have used modeling on many occasions to assist with understanding of complex processes and to identify where problems, bottlenecks, delays and unnecessary costs arise. Almost everyone, wherever they are in the organization has not only understood them but also been able to improve them, with the possible exception of software developers, who still needed UML and BPMN.

An ArchiMate Focus Group

A few months ago I got together with some users of ArchiMate to try to understand its appeal to others. Some were in large financial services businesses, others were in healthcare and others were in consulting and training organizations.

The first challenge, of course, is that different people, in different situations, with different roles in different organizations in different countries and continents will always see things differently. In The Open Group there are more than 300,000 people from over 230 different countries; nearly one third of those people identify themselves as “architects”; and of those “architects” there are more than 3,400 job titles that contain the word architect. There are also more than 3,500 people who identify themselves as CEO, nearly 5,500 CIO’s etc.

So one size definitely will not fit all and neither will a single statement produced by a small number of people sat in a room for a day.

So what we did was to focus mostly on a senior executive in a major financial services company in the United States whose team is responsible for maintaining the business capability map for the company. After that we tested the results with others in the financial services industry, a representative from the healthcare industry and with an experienced consultant and trainer.

Ground Rules for Feedback

Now, what I would like to get feedback on is your views, which is the reason for writing this blog. As always there are some ground rules for feedback:

  • Please focus on the constructive
  • Please identify the target audience for the messages as closely as you can: e.g. job title / type; industry; geographic location etc

With those thoughts in mind, let me now share what we have so far.

The Value of ArchiMate

For the person that we initially focused on, he felt that The Open Group ArchiMate® Standard is the standard visual language for communicating and managing the impact of change. The reasons behind this are that it bridges between strategy, solutions and execution and it enables explicit communication.

The value of bridging between strategy, solutions and execution is recognized because it:

  • Accelerates value delivery
  • Integrates between disciplines
  • Describes strategic capabilities, milestones and outcomes

Enabling explicit communication is realized because it:

  • Improves understanding at all levels of the organization
  • Enables a short time to benefit
  • Is supported by leading tool vendors

A supporting comment from him was that ArchiMate enables different delivery approaches (e.g. waterfall, agile). From a modeling point of view the diagrams are still the same, but the iteration cycles and utilization of them become very different in the agile method. Interesting thought.

This is obviously different from why I like ArchiMate but also has some similarities (e.g. easily understood by anyone) and it is a perfect example of why we need to recognize the differences and similarities when communicating with different people.

So when we asked others in the financial services whether they agreed or not and to tell us why they like ArchiMate, they all provided great feedback and suggested improvements. They identified two groups

  • The CEO, CIO, Business Analyst and Business Architect; and
  • Areas of business support and IT and Solution Architects and System Analysts.

All agreed that The Open Group ArchiMate® Standard is the standard visual language. Where they varied was in the next line. For the CEO, CIO, Business Analyst and Business Architect target audience the value of ArchiMate, was realized because:

  • It is for modeling the enterprise and managing its change
  • It can support strategic alignment and support impact analysis

Instead of “enabling explicit communication” others preferred the simpler, “clarifies complex systems” but the sub-bullets remained the same. One supporting statement was, “I can show a diagram that most people can understand even without technical knowledge”. Another statement, this time in support of the bridging capability was, “It helps me in unifying the languages of business and IT”.

The value of strategic alignment support was realized through ArchiMate because it:

  • Allows an integrated view
  • Depicts links between drivers and the specific requirements that address them
  • Links between motivation and business models

Its support of impact analysis and decision taking recognizes the bridging capability:

  • Integrates between disciplines: links between cause and effect
  • Describes and allows to identify, strategic capabilities
  • Bridges between strategy, solutions and execution

When the target audience changed to areas of business support and IT or to Solution Architects and System Analysts, the next line became:

  • It is for communicating and managing change that leverages TOGAF® standard usage
  • It can support the development of conceptual representations for the applications and IT platforms and their alignment with business goals

For these audiences the value was still in the ability to clarify complex systems and to bridge between strategy, solutions and execution but the sub-bullets changed significantly:

  • Clarifies complex systems
    • Improves understanding at all levels of the organization
    • Allows integration between domains
    • Provides a standard way to represent inputs and outputs between domains
    • Supports having a standard model repository to create views
  • Bridges between strategy, solutions and execution
    • Allows views segmentation efficiently
    • Allow a consolidated organizational landscape definition business aligned
    • Supports solutions design definition

Unlike my business school models, ArchiMate models are also understandable to software developers.

The feedback from the healthcare organization was strikingly similar. To give an example format for feedback, I will represent it in a way that would be very helpful if you could use for your comments.

Country: USA

Industry: Healthcare

Target Audience: VP of IT

Positioning statement:

The Open Group ArchiMate® Standard is the standard visual language for communicating and managing change and making the enterprise architecture practice more effective.

It achieves this because it:

  • Clarifies complex systems
    • Improves understanding at all levels of the organization
    • Short time to benefit
    • Supported by leading tool vendors
    • Supports a more effective EA delivery
  • Bridges between strategy, solutions and execution
    • Accelerates value delivery
    • Integrates between disciplines
    • Describes strategic capabilities, milestones and outcomes

Feedback from an experienced consultant and trainer was:

Country / Region: Latin America

Industry:

Target Audience: Director of Business Architecture, Chief EA, Application Architects

Positioning statement:

The Open Group ArchiMate® Standard is the standard visual language for modeling the organization, leveraging communication with stakeholders and managing change

It achieves this because it:

  • Clarifies complex systems and leverage change
    • Improves understanding at all levels of the organization
    • Supported by leading tool vendors
    • Support change impact analysis into the organization and it is a helping tool portfolio management and analysis
    • Supports complex system structures presentation to different stakeholders using a simplified notation
  • Bridges between strategy, solutions and execution
    • Accelerates value delivery
    • Integrates between disciplines
    • Describes strategic capabilities, milestones and outcomes
    • Allow a consolidated organizational landscape definition

Your Feedback

All of this gives us some insight into why a few of us like ArchiMate. I would like to know what you like about ArchiMate or how you talk about it to your colleagues and acquaintances.

So please do not hesitate to let me know. Do you agree with the statements that have been made so far? What improvements would you suggest? How do they resonate in your country, your industry, your organization? What different audiences should be addressed and what messages should we use for them?

Please email your feedback to ArchiMateFeedback@opengroup.org.

By The Open GroupAllen Brown is President and CEO of The Open Group – a global consortium that enables the achievement of business objectives through IT standards.  He is also President of the Association of Enterprise Architects (AEA).

Allen was appointed President & CEO in 1998.  Prior to joining The Open Group, he held a range of senior financial and general management roles both within his own consulting firm, which he founded in 1987, and other multi-national organizations.

Allen is TOGAF® 9 certified, an MBA alumnus of the London Business School and a Fellow of the Association of Chartered Certified Accountants.

1 Comment

Filed under Allen Brown, ArchiMate®, Business Architecture, Enterprise Transformation, the open group

The Open Group Madrid 2015 – Day Two Highlights

By The Open Group

On Tuesday, April 21, Allen Brown, President & CEO of The Open Group, began the plenary presenting highlights of the work going on in The Open Group Forums. The Open Group is approaching 500 memberships in 40 countries.

Big Data & Open Platform 3.0™ – a Big Deal for Open Standards

Ron Tolido, Senior Vice President of Capgemini’s group CTO network and Open Group Board Member, discussed the digital platform as the “fuel” of enterprise transformation today, citing a study published in the book “Leading Digital.” The DNA of companies that successfully achieve transform has the following factors:

  • There is no escaping from mastering the digital technology – this is an essential part of leading transformation. CEO leadership is a success factor.
  • You need a sustainable technology platform embraced by both the business and technical functions

Mastering digital transformation shows a payoff in financial results, both from the standpoint of efficient revenue generation and maintaining and growing market share. The building blocks of digital capability are:

  • Customer Experience
  • Operations
  • New business models

Security technology must move from being a constraint or “passion killer” to being a driver for digital transformation. Data handling must change it’s model – the old structured and siloed approach to managing data no longer works, resulting in business units bypassing or ignoring the “single souce” data repository. He recommended the “Business Data Lake” approach as a approach to overcoming this, and suggested it should be considered as an open standard as part of the work of the Open Platform 3.0 Forum.

In the Q&A session, Ron suggested establishing hands-on labs to help people embrace digital transformation, and presented the analogy of DatOps as an analogy to DevOps for business data.

Challengers in the Digital Era

Mariano Arnaiz, Chief Information Officer in the CESCE Group, presented the experiences of CESCE in facing challenges of:

  • Changing regulation
  • Changing consumer expectations
  • Changing technology
  • Changing competition and market entrants based on new technology

The digital era represents a new language for many businesses, which CESCE faced during the financial crisis of 2008. They chose the “path less traveled” of becoming a data-driven company, using data and analytics to improve business insight, predict behavior and act on it. CESCE receives over 8000 risk analysis requests per day; using analytics, over 85% are answered in real time, when it used to take more than 20 days. Using analytics has given them unique competitive products such as variable pricing and targeted credit risk coverage while reducing loss ratio.

To drive transformation, the CIO must move beyond IT service supporting the business to helping drive business process improvement. Aligning IT to business is no longer enough for EA – EA must also help align business to transformational technology.

In the Q&A, Mariano said that the approach of using analytics and simulation for financial risk modeling could be applied to some cybersecurity risk analysis cases.

Architecting the Internet of Things

Kary Främling,  CEO of the Finnish company ControlThings and Professor of Practice in Building Information Modeling (BIM) at Aalto University, Finland, gave a history of the Internet of Things (IoT), the standards landscape, issues on security in IoT, and real-world examples.

IoT today is characterized by an increasing number of sensors and devices each pushing large amounts of data to their own silos, with communication limited to their own network. Gaining benefit from IoT requires standards to take a systems view of IoT providing horizontal integration among IoT devices and sensors with data collected as and when needed, and two-way data flows between trusted entities within a vision of Closed-Loop Lifecycle Management. These standards are being developed in The Open Group Open Platform 3.0 Forum’s IoT work stream; published standards such as Open Messaging interface (O-MI) and Open Data Format (O-DF) that allow discovery and interoperability of sensors using open protocols, similar to the way http and html enable interoperability on the Web.

Kary addressed the issues of security and privacy in IoT, noting this is an opportunity for The Open Group to use our EA and Security work to to assess these issues at the scale IoT will bring.By The Open Group

Kary Främling

Comments Off on The Open Group Madrid 2015 – Day Two Highlights

Filed under big data, Boundaryless Information Flow™, Cybersecurity, Enterprise Architecture, Internet of Things

The Open Group Summit Amsterdam 2014 – Day Two Highlights

By Loren K. Baynes, Director, Global Marketing Communications, The Open Group

On Tuesday, May 13, day two of The Open Group Summit Amsterdam, the morning plenary began with a welcome from The Open Group President and CEO Allen Brown. He presented an overview of the Forums and the corresponding Roadmaps. He described the process of standardization, from the initial work to a preliminary standard, including review documents, whitepapers and snapshots, culminating in the final publication of an open standard. Brown also announced that Capgemini is again a Platinum member of The Open Group and contributes to the realization of the organization’s objectives in various ways.

Charles Betz, Chief Architect, Signature Client Group, AT&T and Karel van Zeeland, Lead IT4IT Architect, Shell IT International, presented the second keynote of the morning, ‘A Reference Architecture For the Business of IT’.  When the IT Value Chain and IT4IT Reference Architecture is articulated, instituted and automated, the business can experience huge cost savings in IT and significantly improved response times for IT service delivery, as well as increasing customer satisfaction.

AmsterdamPlenaryKarel van Zeeland, Charles Betz and Allen Brown

In 1998, Shell Information Technology started to restructure the IT Management and the chaos was complete. There were too many tools, too many vendors, a lack of integration, no common data model, a variety of user interfaces and no standards to support rapid implementation. With more than 28 different solutions for incident management and more than 160 repositories of configuration data, the complexity was immense. An unclear relationship with Enterprise Architecture and other architectural issues made the case even worse.

Restructuring the IT Management turned out to be a long journey for the Shell managers. How to manage 1,700 locations in 90 countries, 8,000 applications, 25,000 servers, dozens of global and regional datacenters,125,000 PCs and laptops, when at the same time you are confronted with trends like BYOD, mobility, cloud computing, security, big data and the Internet of Things (IoT).  According to Betz and van Zeeland, IT4IT is a promising platform for evolution of the IT profession. IT4IT however has the potential to become a full open standard for managing the business of IT.

Jeroen Tas, CEO of Healthcare Informatics Solutions and Services within Philips Healthcare, explained in his keynote speech, “Philips is becoming a software company”. Digital solutions connect and streamline workflow across the continuum of care to improve patient outcomes. Today, big data is supporting adaptive therapies. Smart algorithms are used for early warning and active monitoring of patients in remote locations. Tas has a dream, he wants to make a valuable contribution to a connected healthcare world for everyone.

In January 2014, Royal Philips announced the formation of Healthcare Informatics Solutions and Services, a new business group within Philips’ Healthcare sector that offers hospitals and health systems the customized clinical programs, advanced data analytics and interoperable, cloud-based platforms necessary to implement new models of care. Tas, who previously served as the Chief Information Officer of Philips, leads the group.

In January of this year, The Open Group launched The Open Group Healthcare Forum whichfocuses on bringing Boundaryless Information Flow™ to the healthcare industry enabling data to flow more easily throughout the complete healthcare ecosystem.

Ed Reynolds, HP Fellow and responsible for the HP Enterprise Security Services in the US, described the role of information risk in a new technology landscape. How do C-level executives think about risk? This is a relevant and urgent question because it can take more than 243 days before a data breach is detected. Last year, the average cost associated with a data breach increased 78% to 11.9 million dollars. Critical data assets may be of strategic national importance, have massive corporate value or have huge significance to an employee or citizen, be it the secret recipe of Coca Cola or the medical records of a patient. “Protect your crown jewels” is the motto.

Bart Seghers, Cyber Security Manager, Thales Security and Henk Jonkers, Senior Research Consultant of BiZZdesign, visualized the Business Impact of Technical Cyber Risks. Attacks on information systems are becoming increasingly sophisticated. Organizations are increasingly networked and thus more complex. Attacks use digital, physical and social engineering and the departments responsible for each of these domains within an organization operate in silos. Current risk management methods cannot handle the resulting complexity. Therefore they are using ArchiMate® as a risk and security architecture. ArchiMate is a widely accepted open standard for modeling Enterprise Architecture. There is also a good fit with other EA and security frameworks, such as TOGAF®. A pentest-based Business Impact Assessment (BIA) is a powerful management dashboard that increases the return on investment for your Enterprise Architecture effort, they concluded.

Risk Management was also a hot topic during several sessions in the afternoon. Moderator Jim Hietala, Vice President, Security at The Open Group, hosted a panel discussion on Risk Management.

In the afternoon several international speakers covered topics including Enterprise Architecture & Business Value, Business & Data Architecture and Open Platform 3.0™. In relation to social networks, Andy Jones, Technical Director, EMEA, SOA Software, UK, presented “What Facebook, Twitter and Netflix Didn’t Tell You”.

The Open Group veteran Dr. Chris Harding, Director for Interoperability at The Open Group, and panelists discussed and emphasized the importance of The Open Group Open Platform 3.0™. The session also featured a live Q&A via Twitter #ogchat, #ogop3.

The podcast is now live. Here are the links:

Briefings Direct Podcast Home Page: http://www.briefingsdirect.com/

PODCAST STREAM: http://traffic.libsyn.com/interarbor/BriefingsDirect-The_Open_Group_Amsterdam_Conference_Panel_Delves_into_How_to_Best_Gain_Business_Value_From_Platform_3.mp3

PODCAST SUMMARY: http://briefingsdirect.com/the-open-group-amsterdam-panel-delves-into-how-to-best-gain-business-value-from-platform-30

In the evening, The Open Group hosted a tour and dinner experience at the world-famous Heineken Brewery.

For those of you who attended the summit, please give us your feedback! https://www.surveymonkey.com/s/AMST2014

Comments Off on The Open Group Summit Amsterdam 2014 – Day Two Highlights

Filed under ArchiMate®, Boundaryless Information Flow™, Certifications, Enterprise Architecture, Enterprise Transformation, Healthcare, Open Platform 3.0, RISK Management, Standards, TOGAF®, Uncategorized

The Open Group Summit Amsterdam 2014 – Day One Highlights

By Loren K. Baynes, Director, Global Marketing Communications, The Open Group

The Open Group Summit Amsterdam, held at the historic Hotel Krasnapolsky, began on Monday, May 12 by highlighting how the industry is moving further towards Boundaryless Information Flow™. After the successful introduction of The Open Group Healthcare Forum in San Francisco, the Governing Board is now considering other vertical Forums such as the airline industry and utilities sector.

The morning plenary began with a welcome from Steve Nunn, COO of The Open Group and CEO of the Association of Enterprise Architects (AEA). He mentioned that Amsterdam has a special place in his heart because of the remembrance of the 2001 event also held in Amsterdam, just one month after the 9/11 attacks which shocked the world. Today, with almost 300 registrations and people from 29 different countries, The Open Group is still appealing to a wide range of nationalities.

Allen Brown, President and CEO of The Open Group, took the audience on a journey as he described the transformation process that The Open Group has been on over the last thirty years from its inception in 1984. After a radically financial reorganization and raising new working capital, The Open Group is flourishing more than ever and is in good financial health.

It is amazing that 40 percent of the staff of 1984 is still working for The Open Group. What is the secret? You should have the right people in the boat with shared values and commitment. “In 2014, The Open Group runs a business, but stays a not-for-profit organization, a consortium”, Brown emphasized. “Enterprise Architecture is not a commercial vehicle or a ‘trendy’ topic. The Open Group always has a positive attitude and will never criticize other organizations. Our certification programs are a differentiator compared to other organizations. We collaborate with other consortia and standard bodies like ISO and ITIL”, Brown said.

Now the world is much more complex. Technology risk is increasing. A common language based on common standards is needed more than ever. TOGAF®, an Open Group standard, was in its infancy in 1998 and now it is the common standard for Enterprise Architects all over the world. In 1984, the UNIX® platform was the first platform of The Open Group. The Open Group Open Platform 3.0™, launched last year, focuses on new and emerging technology trends like mobility, big data, cloud computing and the Internet of Things converging with each other and leading to new business models and system designs. “The Open Group is all about building relationships and networking”, Brown concluded.

Leonardo Ramirez, CEO of ARCA SG and Chair of AEA Colombia, talked about the role of interoperability and Enterprise Architecture in Latin America. Colombia is now a safe country and has the strongest economy in the region. In 2011 Colombia promoted the electronic government and TOGAF was selected as the best choice for Enterprise Architecture. Ramirez is determined to stimulate social economic development projects in Latin America with the help of Enterprise Architecture. There is a law in Colombia (Regulation Law 1712, 2014) that says that every citizen has the right to access all the public information without boundaries.

Dr. Jonas Ridderstråle, Chairman, Mgruppen and Visiting Professor, Ashridge (UK) and IE Business Schools (Spain), said in his keynote speech, “Womenomics rules, the big winners of the personal freedom movement will be women. Women are far more risk averse. What would have happened with Lehman Brothers if it was managed by women? ‘Lehman Sisters’ probably had the potential to survive. Now women can spend 80 percent of their time on other things than just raising kids.” Ridderstråle continued to discuss life-changing and game-changing events throughout his presentation. He noted that The Open Group Open Platform 3.0 for instance is a good example of a successful reinvention.

“Towards a European Interoperability Architecture” was the title of one of the afternoon sessions led by Mr. R. Abril Jimenez. Analysis during the first phase of the European Interoperability Strategy (EIS) found that, at conceptual level, architecture guidelines were missing or inadequate. In particular, there are no architectural guidelines for cross-border interoperability of building blocks. Concrete, reusable interoperability guidelines and rules and principles on standards and architecture are also lacking. Based on the results achieved and direction set in the previous phases of the action, the EIA project has moved into a more practical phase that consists of two main parts: Conceptual Reference Architecture and Cartography.

Other tracks featured Healthcare, Professional Development and Dependability through Assuredness™.

The evening concluded with a lively networking reception in the hotel’s Winter Garden ballroom.

For those of you who attended the summit, please give us your feedback!  https://www.surveymonkey.com/s/AMST2014

Comments Off on The Open Group Summit Amsterdam 2014 – Day One Highlights

Filed under Boundaryless Information Flow™, Conference, Dependability through Assuredness™, Enterprise Architecture, Enterprise Transformation, Healthcare, Open Platform 3.0, Professional Development, Standards, TOGAF®, Uncategorized