Tag Archives: information management

#ogChat Summary – The Future of BYOD

By Patty Donovan, The Open Group

With over 400 tweets flying back and forth, last week’s BYOD Tweet Jam (#ogChat) saw a fast-paced, lively discussion on the future of the bring your own device (BYOD) trend and its implications in the enterprise. In case you missed the conversation, here’s a recap of last week’s #ogChat!

There were a total of 29 participants including:

Here is a high-level snapshot of yesterday’s #ogChat:

Q1 What are the quantifiable benefits of BYOD? What are the major risks of #BYOD, and do these risks outweigh the benefits? #ogChat

Participants generally agreed that the main risk of BYOD is data security and benefits include cost and convenience.

  • @MobileGalen Data policy is core because that’s where the real value is in business. Affects access and intrusion/hacking of course secondarily #ogChat
  • @technodad Q1 #BYOD transcends time/space boundaries – necessary for a global business. #ogChat
  • @AWildCSO Q1 Risks: Risk to integrity and availability of corporate IT systems – malware into enterprise from employee owned devices #ogChat

Q2 What are the current security issues with #BYOD, and how should organizations go about securing those devices? #ogChat

The most prominent issue discussed was who owns the responsibility of security. Many couldn’t agree on whether responsibility fell on the user or the organization.

  • @AWildCSO Q2: Main issue is the confidentiality of data. Not a new issue, has been around a while, especially since the advent of networking. #ogChat
  • @cebess .@MobileGalen Right — it’s about the data not the device. #ogChat
  • @AppsTechNews Q2 Not knowing who’s responsible? Recent ITIC/KnowBe4 survey: 37% say corporation responsible for #BYOD security; 39% say end user #ogChat
  • @802dotchris @MobileGalen there’s definitely a “golden ratio” of functionality to security and controls @IDGTechTalk #ogChat
  • @MobileGalen #ogChat Be careful about looking for mobile mgmt tools as your fix. Most are about disablement not enablement. Start w enable, then protect.

Q3 How can an organization manage corporate data on employee owned devices, while not interfering with data owned by an employee? #ogChat

Most participants agreed that securing corporate data is a priority but were stumped when it came to maintaining personal data privacy. Some suggested that organizations will have no choice but to interfere with personal data, but all agreed that no matter what the policy, it needs to be clearly communicated to employees.

  • @802dotchris @jim_hietala in our research, we’re seeing more companies demand app-by-app wipe or other selective methods as MDM table stakes #ogChat
  • @AppsTechNews Q3 Manage the device, manage & control apps running on it, and manage data within those apps – best #BYOD solutions address all 3 #ogChat
  • @JonMoger @theopengroup #security #ogChat #BYOD is a catalyst for a bigger trend driven by cultural shift that affects HR, legal, finance, LOB.
  • @bobegan I am a big believer in people, and i think most employees feel that they own a piece of corporate policy #ogChat
  • @mobilityofficer @theopengroup Q3: Sometimes you have no choice but to interfere with private data but you must communicate that to employees #ogChat

Q4 How does #BYOD contribute to the creation or use of #BigData in the enterprise? What role does #BYOD play in #BigData strategy? #ogChat

Participants exchanged opinions on the relationship between BYOD and Big Data, leaving much room for future discussion.

  • @technodad Q4 #bigdata created by mobile, geotagged, realtime apps is gold dust for business analytics & marketing. Smart orgs will embrace it. #ogChat
  • @cebess .@technodad Context is king. The device in the field has quite a bit of contextual info. #ogChat
  • @bobegan @cebess Right, a mobile strategy, including BYOD is really about information supply chain management. Must include many audiences #ogChat

Q5 What best practices can orgs implement to provide #BYOD flexibility and also maintain control and governance over corporate data? #ogChat

When discussing best practices, it became clear that no matter what, organizations must educate employees and be consistent with business priorities. Furthermore, if data is precious, treat it that way.

  • @AWildCSO Q5: Establish policies and processes for the classification, ownership and custodianship of information assets. #ogChat
  • @MobileGalen #ogChat: The more precious your info, the less avail it should be, BYOD or not. Use containered apps for sensitive, local access for secret
  • @JonMoger @theopengroup #BYOD #ogChat 1. Get the right team to own 2. Educate mgmt on risks & opps 3. Set business priorities 4. Define policies

Q6 How will organizations embrace or reject #BYOD moving forward? Will they have a choice or will employees dictate use? #ogChat

While understanding the security risks, most participants embraced BYOD as a big trend that will eventually become the standard moving forward.

A big thank you to all the participants who made this such a great discussion!

Patricia Donovan is Vice President, Membership & Events, at The Open Group and a member of its executive management team. In this role she is involved in determining the company’s strategic direction and policy as well as the overall management of that business area. Patricia joined The Open Group in 1988 and has played a key role in the organization’s evolution, development and growth since then. She also oversees the company’s marketing, conferences and member meetings. She is based in the U.S.


Optimizing ISO/IEC 27001 Using O-ISM3

By Jim Hietala, The Open Group and Vicente Aceituno, Sistemas Informáticos Abiertos

The Open Group has just published a guide titled “Optimizing ISO/IEC 27001 using O-ISM3” that will be of interest to organizations using ISO27001/27002 as their Information Security Management System (ISMS).

By way of background, The Open Group published our Open Information Security Management Maturity Model last year, O-ISM3. O-ISM3 brings continuous improvement to information security management, and it provides a framework for security decision-making that is top down in nature, where security controls, security objectives and spending decisions are driven by (and aligned with) business objectives.

We have for some time now heard from information security managers that they would like a resource aimed at showing how the O-ISM3 standard could be used to manage information security alongside ISO27001/27002. This new guide provides specific guidance on this topic.

We view this as an important resource, for the following reasons:

  • O-ISM3 complements ISO27001/2 by adding the “how” dimension to information security management
  • O-ISM3 uses a process-oriented approach, defining inputs and outputs, and allowing for evaluation by process-specific metrics
  • O-ISM3 provides a framework for continuous improvement of information security processes

This resource:

  • Maps O-ISM3 and ISO27001 security objectives
  • Maps ISO27001/27002 controls and documents to O-ISM3 security processes, documents, and outputs
  • Provides a critical linkage between the controls-based approach found in ISO27001 and the process-based approach found in O-ISM3

If you have interest in information security management, we encourage you to have a look at Optimizing ISO/IEC 27001 using O-ISM3. The guide may be downloaded (at no cost, minimal registration required) here.

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

Vicente Aceituno, CISA, has 20 years experience in the field of IT and Information Security. During his career in Spain and the UK, he has worked for companies like Coopers & Lybrand, BBC News, Everis, and SIA Group. He is the main author of the Information Security Management Method ISM3, author of the information security book “Seguridad de la Información,” Director of the ISM3 Consortium (www.ism3.com) and President of the Spanish chapter of the ISSA.


PODCAST: Why data and information management remain elusive after decades of deployments; and how to fix it

By Dana Gardner, Interarbor Solutions

Listen to this recorded podcast here: BriefingsDirect-Effective Data Management Remains Elusive Even After Decades of Deployments

The following is the transcript of a sponsored podcast panel discussion on the state of data and information management strategies, in conjunction with The Open Group Conference, Austin 2011.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect. Today, we present a sponsored podcast discussion in conjunction with the latest Open Group Conference in Austin, Texas, the week of July 18, 2011. We’ve assembled a distinguished panel to update us on the state of data and information management strategies. We’ll examine how it remains difficult for businesses to get the information they want in the way they can use, and why this has been a persistent problem. We’ll uncover the latest in the framework approach to information and data and look at how an information architect can make a big difference.

Here to help us better understand the role and impact of the information architect and also how to implement a successful data and information strategy is our panel. We’re here with Robert Weisman. He is CEO of Build The Vision Incorporated. Welcome to BriefingsDirect, Robert.

Robert Weisman: Thank you.

Gardner: We’re also here with Eugene Imbamba. He is Information Management Architect in IBM’s Software Group. Welcome, Eugene.

Eugene Imbamba: Thank you very much.

Gardner: And we’re here also with Mei Selvage. She is the Lead in the IBM Community of Information Architects. Welcome to the show, Mei.

Mei Selvage: Thank you for having us.

Gardner: Tell me, Robert, why it is that it’s so hard for IT to deliver information access in the way that businesses really want.

Weisman: It’s the general insensitivity to information management concerns within the industry itself, which is very much becoming much more technology and tool-driven with the actual information not being taken into consideration. As a consequence, a lot of the solutions might work, but they don’t last, and they don’t, generally speaking, get the right information to the right person at the right time. Within The Open Group, we recognized this split about four years ago and that’s one reason that in TOGAF® 9 we redefined that information technology as “The lifecycle management of information and related technology within an organization.” We didn’t want to see an IM/IT split in organizations. We wanted to make sure that the architecture addressed the needs of the entire community, especially those requiring information and knowledge.

Gardner: Eugene, do you think if we focus more on the lifecycle management of information and the architecture frameworks like TOGAF, that we’ll get more to this requirement that business has that single view of reality?

Imbamba: Definitely, focusing on reference architecture methodologies is a good way to get going in the right direction. I don’t think it’s the end of all means to getting there. But, in terms of leveraging what’s been done, some of the architectures that have been developed, whether it’s TOGAF or some of the other artifacts out there, would help organizations, instead of spinning their wheels and reinventing the wheel, start building some of the foundational capabilities needed to have an enterprise information architecture.

Getting to the finish line

As a result, we’re seeing that each year with information management, projects starting up and projects collapsing for various reasons, whether it’s cost or just the process or people in place. Leveraging some of these artifacts, methods, and reference architectures is a way to help get started, and of course employing other areas of the information management disciplines to help get to the finish line.

Gardner: Mei, when it comes to learning from those that have done this well, what do we know about what works when it comes to data and information management? What can we point to and say, “Without question, moving in this direction is allowing us to be inclusive, move beyond just the data and databases, and get that view that the business is really looking for?”

Selvage: Eugene and I had a long debate over how we know that we’ve delivered a successful information architecture. Our conclusion comes out three plus one. The first piece is just like any strategy roadmap. You need to have a vision and strategy. To have a successful information architecture vision you really have to understand your business problem and your business vision. Then, you use applicable, proven referenced architecture and methodology to support that.

Once you have vision, then you come to the execution. How do you leverage your existing IT environments, integrate with them, keep good communication, and use the best practices? Finally, you have to get implemented on time and on schedule within the budget — and the end-user is satisfied.

Those are three parts. Then, the plus part is data governance, not just one-time project delivery. You’ll have to make sure that data governance is getting consistently implemented across the projects.

Gardner: How about in the direction of this organizational definition of what works and what doesn’t work? How important is it rather for an information architect role to emerge? Let’s start with you, Robert. Then, I’d like to take this to all of you. What is it about the information architect role that can play an important element here?

Weisman: The information architect will soon be called the knowledge architect to start realizing some of the promise that was seen in the 1980s and in the 1990s. The information architect’s role is essentially to harmonize all manner of information and make sure it’s properly managed and accessible to the people who are authorized to see it. It’s not just the information architect. He has to be a team player, working closely with technology, because more and more information will be not just machine-readable, but machine-processable and interpretable. So he has to work with the people not only in technology, but with those developing applications, and especially those dealing with security because we’re creating more homogenous enterprise information-sharing environments with consolidated information holdings.

The paradigm is going to be changing. It’s going to be much more information-centric. The object-oriented paradigm, from a technical perspective, meant the encapsulation of the information. It’s happened, but at the process level.

When you have a thousand processes in the organization, you’ve got problems. Whereas, now we’d be looking at encapsulation of the information much more at the enterprise level so that information can be reused throughout the organization. It will be put in once and used many times.

Quality of information

The quality of the information will also be addressed through governance, particularly incorporating something called data stewardship, where people would be accountable, not only for the structure of the information but for the actual quality of the informational holdings.

Gardner: Thank you. Eugene, how do you see the role of the information architect as important in solidifying people’s thinking about this at that higher level, and as Robert said, being an advocate for the information across these other disciplines?

Imbamba: It’s inevitable that this role will definitely emerge and is going to take a higher-level position within organizations. Back to my earlier comment about information really becoming an issue, we have lots of information. We have variety of information and varied velocity of information requirements.

We don’t have enough folks today who are really involved in this discipline and some of the projections we have are within the next 20 years, we’re going to have a lot more information that needs to be managed. We need folks who are engaged in this space, folks who understand the space and really can think outside the box, but also understand what the business users want, what they are trying to drive to, and be able to provide solutions that really not only look at the business problem at hand but also what is the organization trying to do.

The role is definitely emerging, and within the next couple of years, as Robert said, the term might change from information architects to knowledge architects, based on where information is and what information provides to business.

Gardner: Mei, how far along are we actually on this definition and even professionalization of the information architect role?

Selvage: I’d like to share a little bit of what IBM is doing internally. We have a major change to our professional programs and certification programs. We’ve removed IT out of architect as title. We just call architect. Under architect we have business architecture, IT architecture, and enterprise architecture. Information architecture falls under IT architecture. Even though we were categorized one of the sub components of IT architecture.

Information architect, in my opinion, is more business-friendly than any other professionals. I’m not trying to put others down, but a lot of new folks come from data modeling backgrounds. They really have to understand business language, business process, and their roles.

When we have this advantage, we need to leverage those and not just keep thinking about how I create database structures and how I make my database perform better. Rather, my tasks today contribute to my business. I want to be doing the right thing, rather than doing the wrong things sooner.

IBM reflects an industry shift. The architect is a profession and we all need to change our mindsets to be even broader.

Delivering business value

Weisman: I’d like to add to that. I fully agree, as I said, that The Open Group has created TOGAF 9 as a capability-based planning paradigm for the business planning. IM and IT are just two dimensions of that overall capability, and everything is pushed toward the delivery of business value.

You don’t have to align IM/IT with the business. IM and IT become an integral part of the business. This came out of the defense world in many cases and it has proven very successful.

IM, IT, and all of the architecture domains are going to have to really understand the business for that. It’ll be an interesting time in the next couple of years in the organizations that really want to derive competitive advantage from their information holdings, which is certainly becoming a key differentiator amongst large companies.

Gardner: Robert, perhaps while you’re talking about The Open Group, you could update us a bit on what took place at the Austin Conference, particularly vis-à-vis the workgroups. What was the gist of the development and perhaps any maturation that you can point to?

Weisman: We had some super presentations, in particular the one that Eugene and Mei gave that addressed information architecture and various associated processes and different types of sub-architectures/frameworks as well.

The Information Architecture Working Group, which is winding down after two years, has created a series of whitepapers. The first one addressed the concerns of the data management architecture and maps the data management body of knowledge processes to The Open Group Architecture Framework. That whitepaper went through final review in the Information Architecture Working Group in Austin.

We have an Information Architecture Vision paper, which is an overall rethinking of how information within an organization is going to be addressed in a holistic manner, incorporating what we’d like to think as all of the modern trends, all types of information, and figure out some sort of holistic way that we can represent that in an architecture. The vision paper is right now in the final review. Following that, we’re preparing a consolidated request for change to the TOGAF 9 specification. The whitepapers should be ready and available within the next three months for public consultation. This work should address many significant concerns in the domain of information architecture and management. I’m really confident the work that working group has done has been very productive.

Gardner: Now, you mentioned that Mei and Eugene delivered a presentation. I wonder if we can get an overview, a quick summary of the main points. Mei, would you care to go first?

Selvage: We’ve already talked a lot about what we have described in our presentation. Essentially, we need to understand what it means to have a successful solution information architecture. We need to leverage all those best practices, which come in a form of either a proven reference architecture or methodology, and use that to achieve alignment within the business. Eugene, do you have anything you want to specifically point out in our presentation?

Three keys

Imbamba: No, just to add to what you said. The three keys that we brought were the alignment of business and IT, using and leveraging reference architectures to successfully implement information architectures, and last was the adoption of proven methodology.

In our presentation, we defined these constructs, or topics, based on our understanding and to make sure that the audience had a common understanding of what these components meant. Then, we gave examples and actually gave some use cases of where we’ve seen this actually happen in organizations, and where there has been some success in developing successful projects through the implementation of these methods. That’s some of what we touched on.

Weisman: Just as a postscript from The Open Group, we’re coming with an Information Architecture and Planning Model. We have a comprehensive definition of data and information and knowledge; we’ve come up with a good generic lifecycle that can be used by all organizations. And, we addressed all the issues associated with them in a holistic way with respect to the information management functions of governance, planning, operations, decision support and business intelligence, records and archiving, and accessibility and privacy.

This is one of the main contributions that these whitepapers are going to provide is a good planning basis for the holistic management of all manner of information in the form of a complete model.

Gardner: We’ve heard about how the amount of data is going to be growing exponentially, perhaps 44 times in less than 10 years, and we’ve also heard that knowledge, information, and your ability to exploit it could be a huge differentiator in how successful you are in business. I even expect that many businesses will make knowledge and information of data part of their business, part of their major revenue capabilities — a product in itself.

Let’s look into the future. Why will the data and information management professionalization, this role of the information architect be more important based on some of the trends that we expect? Let’s start with you, Robert. What’s going to happen in the next few years that’s going to make it even more important to have the holistic framework, strategic view of data information?

Weisman: Right now, it’s competitive advantage upon which companies may rise and fall. Harvard Business School Press, Davenport in particular, has produced some excellent books on competitive analytics and the like, with good case studies. For example, a factory halfway through construction is stopped because they didn’t have timely access to their information indicating the factory didn’t even need to be constructed. This speaks of information quality.

In the new service-based rather than industry-based economic paradigm, information will become absolutely key. With respect to the projected increase of information available, I actually see a decrease in information holdings within the enterprise itself.

This will be achieved through a) information management techniques, you will actually get rid of information; b) you will consolidate information; and c) with paradigms such as cloud, you don’t necessarily have to have information within the organization itself.

More with less

So you will be dealing with information holdings, that are accessible by the enterprise, and not necessarily just those that are held by the enterprise. There will also be further issues such as knowledge representation and the like, that will become absolutely key, especially with demographics as it stands now. We have to do more with less.

The training and professionalization of information architecture, or knowledge architecture, I anticipate will become key. However, knowledge architects cannot be educated totally in a silo, they also have to have a good understanding of the other architecture domains. A successful enterprise architect must understand all the other architecture domains.

Gardner: Eugene, how about you, in terms of future trends that impact the increased importance of this role in this perspective on information?

Imbamba: From an IBM perspective, we’ve seen over the last 20 years organizations focusing on what I call an “application agenda,” really trying to implement enterprise resource planning (ERP) systems, supply chain management systems, and these systems have been very valuable for various reasons, reducing cost, bringing efficiencies within the business.

But, as you know, over the last 20 years, a lot of companies now have these systems in place, so the competitive advantage has been lost. So what we’re seeing right now is companies focusing on an information agenda, and the reason is that each organization has information about its customers, its products, its accounts like no other business would have.

So, what we’re seeing today is leveraging that information for competitive advantage, trying to optimize your business, gleaning the information that you have so that you can understand the relationships between your customers, between your partners, your suppliers, and optimize that to deliver the kinds of services and needs, the business wants and the customer’s needs. It’s a focus from application agenda to an information agenda to try and push what’s going on in that space.

Gardner: Mei, last word to you, future trends and why would they increase the need for the information architecture role?

Selvage: I like to see that from two perspectives. One is from the vendor perspective, just taking IBM as an example. The information management brand is the one that has the largest software products, which reflects market needs and the market demands. So there are needs to have information architects who are able to look over all those different software offerings in IBM and other major vendors too.

From the customer perspective, where I see a lot of trends is that many outsource basic database administration, kind of a commodity or activity out to a third-party where they keep the information architects in-house. That’s where we can add in the value. We can talk to the business. We can talk to the other components of IT, and really brings things together. That’s a trend I see more organizations are adopting.

Gardner: Very good. We’ve been discussing the role and impact of an information architect and perhaps how to begin to implement a more successful data and information strategy.

This comes to you as a sponsored podcast in conjunction with The Open Group Conference in Austin, Texas in the week of July 18, 2011. I’d like to thank our guests. We’ve been joined by Robert Weisman, CEO of Build The Vision Incorporated. Thanks so much, Robert.

Weisman: You’re very welcome. Thank you for inviting.

Gardner: And we’ve been here with Eugene Imbamba. He is Information Management Architect in IBM Software Group. Thank you, Eugene.

Imbamba: Thank you for having me.

Gardner: And Mei Selvage, she is Lead of the IBM Community of Information Architects. Thanks to you as well.

Selvage: You’re welcome. Thank you too.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks to our viewers and listeners as well, and come back next time.


Copyright The Open Group 2011. All rights reserved.

Dana Gardner is the Principal Analyst at Interarbor Solutions, which identifies and interprets the trends in Services-Oriented Architecture (SOA) and enterprise software infrastructure markets. Interarbor Solutions creates in-depth Web content and distributes it via BriefingsDirect™ blogs, podcasts and video-podcasts to support conversational education about SOA, software infrastructure, Enterprise 2.0, and application development and deployment strategies.
