Category Archives: Certifications

The Open Trusted Technology Provider™ Standard (O-TTPS) – Approved as ISO/IEC 20243:2015 and the O-TTPS Certification Program

By The Open Group

The increase of cybersecurity threats, along with the global nature of Information and Communication Technology (ICT), results in a threat landscape ripe for the introduction of tainted (e.g., malware-enabled or malware-capable) and counterfeit components into ICT products. This poses significant risk to customers in the operation of their business enterprises and our critical infrastructures.

A compromised electronic component or piece of malware-enabled software that lies dormant and undetected within an organization could cause tremendous damage if activated remotely. Counterfeit products can also cause significant damage to customers and providers, resulting in rogue functionality, failed or inferior products, loss of revenue and brand equity, and critical damage.

As a result, customers now need assurances they are buying from trusted technology providers who follow best practices with their own in-house secure development and engineering practices and also in securing their out-sourced components and their supply chains.

Summary

The O-TTPS, an Open Group Standard, specifies a set of best practice requirements and recommendations that ICT providers should follow throughout the full life cycle of their products from design through disposal – including their supply chains – in order to mitigate the risk of tainted and counterfeit components. The Standard is the first with a Certification Program that specifies measurable conformance criteria for both product integrity and supply chain security in ICT.

The Standard provides requirements for the full product life cycle, categorizing them further into best practice requirements for Technology Development (product development and secure engineering methods) and Supply Chain Security.


The Open Group O-TTPS Certification Program offers certificates for conformance to both the O-TTPS and ISO/IEC 20243:2015, as the two standards are equivalent. The Program identifies the successful applicant on a public registry so customers and business partners can readily identify an Open Trusted Technology Provider™ who conforms to the Standard.

The Certification Program is available to all providers in the ICT product’s supply chain, including: Original Equipment Manufacturers (OEMs), hardware and software component suppliers, integrators, Value Add Resellers (VARS), and distributors. Thus, it offers a holistic program that not only allows customers to identify trusted business partners like integrators or OEMs who are listed on the registry, but it also allows OEMs and integrators to identify trusted business partners like hardware and software component suppliers, VARS, and distributors from the public registry.


Target Audience

As the O-TTPS Certification Program is open to all constituents involved in a product’s life cycle – from design through disposal – including those in the product’s supply chain, the Standard and the Certification Program should be of interest to all ICT providers as well as ICT customers.

The newly published guide: O-TTPS for ICT Product Integrity and Supply Chain Security – A Management Guide, available from The Open Group Bookstore at www.opengroup.org/bookstore/catalog/g169.htm, offers guidance to managers – business managers, procurement managers, or program managers – who are considering adopting the best practices or becoming certified as an Open Trusted Technology Provider™. It provides valuable information on:

  • The best practices in the Standard, with an Appendix that includes all of the requirements
  • The business rationale for why a company should consider implementing the Standard and becoming certified
  • What an organization should understand about the Certification Program and how they can best prepare for the process
  • The differences between the options (self-assessed or third-party assessed) that are currently available for the Certification Program
  • The process steps and the terms and conditions of the certification, with pointers to the relevant supporting documents, which are freely available

The Management Guide offers a practical introduction to executives, managers, those involved directly in implementing the best practices defined in the Standard, and those who would be involved in the assessments, whether self-assessment or third-party assessment.

Further Information

The Open Trusted Technology Provider™ Standard (O-TTPS), Version 1.1 is available free-of-charge from www.opengroup.org/bookstore/catalog/c147.htm.

The technically equivalent standard – ISO/IEC 20243:2015 – is available for a fee from iso.org.

For more information on the Open Trusted Technology Provider™ Standard (O-TTPS) and the O-TTPS Certification Program, visit www.opengroup.org/ottps.

@theopengroup #ogSFO


What is Open FAIR™?

By Jim Hietala, VP, Business Development and Security, The Open Group

Risk Practitioners should be informed about the Open FAIR body of knowledge, and the role that The Open Group has played in creating a set of open and vendor-neutral standards and best practices in the area of Risk Analysis. For those not familiar with The Open Group, our Security Forum has created standards and best practices in the area of Security and Risk for 20+ years. The Open Group is a consensus-based and member-driven organization. Our interest in Risk Analysis dates back many years, as our membership saw a need to provide better methods to help organizations understand the level of risk present in their IT environments. The Open Group membership includes over 550 member organizations from both the buy-side and supply-side of the IT industry. The Security Forum currently has 80+ active member organizations contributing to our work.

A History of Open FAIR and The Open Group

In 2007, Security Forum Chairman Mike Jerbic brought the Factor Analysis of Information Risk (FAIR) to our attention, and suggested that it might be an interesting Risk Analysis taxonomy and method to consider as a possible open standard in this area. Originally created by Jack Jones and his then company Risk Management Insights (RMI), Jack and his partner Alex Hutton agreed to join The Open Group as members, and to contribute the FAIR IP as the basis for a possible open risk taxonomy standard.

Over a period of time, the Security Forum membership worked to create a standard comprising relevant aspects of FAIR (this initially meant the FAIR Risk Taxonomy). The result of this work was the eventual publication of the first version of the Risk Taxonomy Standard (O-RT), which was published in January 2009.  In 2012, the Security Forum decided to create a certification program of practitioners of the FAIR methodology, and undertook a couple of related efforts to update the Risk Taxonomy Standard, and to create a companion standard, the Risk Analysis Standard (O-RA). O-RA provides guidance on the process aspects of Risk Analysis that are lacking in O-RT, including things like risk measurement and calibration, the Risk Analysis process, and control considerations relating to Risk Analysis. The updated O-RT standard and the O-RA standard were published in late 2013, and the standards are available here:

C13G Risk Analysis (O-RA)

C13K Risk Taxonomy (O-RT), Version 2.0

We collectively refer to these two standards as the Open FAIR body of knowledge.  In late 2013, we also commenced operation of the Open FAIR Certification Program for Risk Analysts. In early 2014, we started development of an accreditation program for Open FAIR accredited training courses. The current list of accredited Open FAIR courses is found here. If you are with a training organization and want to explore accreditation, please feel free to contact us, and we can provide details. We have also created licensable Open FAIR courseware that can enable you to get started quickly with training on Open FAIR. Future articles will dive deeper into the Open FAIR certification program and the accredited training opportunity. It is worth noting at this point that we have also produced some hard copy Open FAIR guides that are helpful to candidates seeking to certify to Open FAIR. These are accessible via the links below, and are available at a nominal cost from our publishing partner Van Haren.

B140   Open FAIR Foundation Study Guide

G144  A Pocket Guide to the Open FAIR Body of Knowledge

Beyond the standards and certification program work, The Open Group has produced a number of other helpful publications relating to Risk, Security, and the use of Open FAIR. These include the following, all of which are available as free downloads:

W148  An Introduction to the Open FAIR Body of Knowledge

C103  FAIR – ISO/IEC 27005 Cookbook

G167  The Open FAIR™ – NIST Cybersecurity Framework Cookbook

G152  Integrating Risk and Security within a TOGAF® Enterprise Architecture

G081  Requirements for Risk Assessment Methodologies

W150  Modeling Enterprise Risk Management and Security with the ArchiMate® Language

Other Active Open FAIR Workgroups in the Security Forum

In addition to the standards and best practices described above, The Open Group has active workgroups developing the following related items.  Stay tuned for more details of these activities.   If any of the following projects are of interest to your organization, please feel free to reach out to learn more.

1) Open FAIR to STIX Mapping Whitepaper. This group is writing a whitepaper that maps the Open FAIR Risk Taxonomy Standard (O-RT) to STIX, a standard which originated at MITRE, and is being developed by OASIS.

2) Open FAIR Process Guide project – This group is writing a process guide for performing Open FAIR-based Risk Analysis. This guide fills a gap in our standards & best practices by providing a “how-to” process guide.

3) Open Source Open FAIR Risk Analysis tool – A basic Open FAIR Risk Analysis tool is being developed for students and industry.

5) Academic Program – A program is being established at The Open Group to support active student intern participation in risk activities within the Security Forum. The mission is to promote the development of the next generation of security practitioner and experience within a standards body.

6) Integration of Security and Risk into TOGAF®, an Open Group standard. This project is working to ensure that future versions of the TOGAF standard will comprehensively address security and risk.

How We Do What We Do

The Open Group Security Forum is a member-led group that aims to help members meet their business objectives through the development of standards and best practices. For the past several years, the focus of our work has been in the areas of Risk Management, Security Architecture, and Information Security Management standards and best practices. ‘Member-led’ means that members drive the work program, proposing projects that help them to meet their objectives as CISO’s, Security Architects, Risk Managers, or operational information security staff. All of our standards and best practices guidance are developed using our open, consensus-based standards process.

The standards development process at The Open Group allows members to collaborate effectively to develop standards and best practices that address real business issues. In the area of Risk Management, most of the publications noted above were created because members saw a need to determine how to apply Open FAIR in the context of other standards or frameworks, and then leveraged the entire Security Forum membership to produce useful guidance.

It is also worth noting that we do a lot of collaborating with other parts of The Open Group, including with the Architecture Forum on the integration of Risk and Security with TOGAF®, with the ArchiMate™ Forum on the use of ArchiMate, an Open Group standard, to model Risk and Security, with the Open Platform 3.0™ Forum, and with other Forums. We also have a number of external organizations that we work with, including SIRA, ISACA, and of course the FAIR Institute in the Risk Management area.

The Path Forward for Open FAIR

Our future work in the area of Risk Analysis will likely include other cookbook guides, showing how to use Open FAIR with other standards and frameworks. We are committed to meeting the needs of the industry, and all of our work comes from members describing a need in a given area. So in the area of Risk Management, we’d love to hear from you as to what your needs are, and even more, to have you contributing to the development of new materials.

For more information, please feel free to contact me directly via email or Linkedin:

 

@theopengroup

Jim Hietala, Open FAIR, CISSP, GSEC, is Vice President, Business Development and Security for The Open Group, where he manages the business team, as well as Security and Risk Management programs and standards activities. He has participated in the development of several industry standards including O-ISM3, O-ESA, O-RT (Risk Taxonomy Standard), O-RA (Risk Analysis Standard), and O-ACEML. He also led the development of compliance and audit guidance for the Cloud Security Alliance v2 publication.

Jim is a frequent speaker at industry conferences. He has participated in the SANS Analyst/Expert program, having written several research white papers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including CSO, The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

An IT security industry veteran, he has held leadership roles at several IT security vendors.

Jim holds a B.S. in Marketing from Southern Illinois University.


TOGAF® User Group Meetings

By The Open Group

Since its inception more than two decades ago, TOGAF®, an Open Group standard, has grown to become the de facto global framework for creating Enterprise Architectures.

Thousands of companies worldwide have adopted and adapted TOGAF to transform their businesses. Facts about TOGAF include:

  • 80% of the Fortune Top 50 companies use TOGAF
  • Over 60,000 individuals hold certifications in TOGAF 9
  • TOGAF users are based in 120 countries
  • Greater than 60 accredited training courses available globally

The Open Group wants to ensure that TOGAF maintains its momentum worldwide and realizes that doing so cannot be done without capturing the voices beyond The Open Group members. Additionally, there is an increase in the number of licensed TOGAF professionals who want to follow up their training with a forum for discussion and sharing. Thus, there is an opportunity to enable TOGAF Users to easily Share, get Enlightenment, and Express their needs (‘SEE’ TOGAF).

The starting point for The Open Group was to begin hosting TOGAF User Group Meetings, which move in a direction where users get more involved in their structure. With these meetings, The Open Group gets an opportunity to Harvest ideas on use, Educate users, and have Access to a larger user base and a broader set of Requirements (‘HEAR’ about TOGAF use).

The User Group Meetings are open to all interested people and are free to attend.

So there is a win-win for TOGAF Users to meet. This part of the story is yet to be written!

For the upcoming TOGAF® User Group Meeting in San Francisco, CA on January 30, 2017, please visit here.


How Architects Can Survive and Thrive in the Digital Era: A Conversation with Peter Beijer

By The Open Group

Peter Beijer believes your job as an Enterprise Architect may be in jeopardy.

According to Beijer, Chief Technologist for the Office of the CTO for HP Enterprise and leader of the company’s architecture capabilities in EMEA, architects are being forced to change and evolve their role due to the digital revolution that all industries are currently facing.

Beijer believes that for Enterprise Architects to survive, they must do three things. First, they must learn to adapt and engage with the changes being brought by the digital shift and new development environments. Second, they must reach out and engage with today’s new business leaders to better understand the problems and opportunities that businesses and customers are facing. Finally, they must better develop their own personal brands in order to showcase their experience and credentials and show their worth to their organizations.

We spoke with Beijer in advance of The Open Group Paris 2016 event (October 24 – 27) to learn more about how he sees the state of the Enterprise Architecture profession today and what Enterprise Architects can do to remain relevant in the midst of a rapidly changing IT and business climate.

How are the current changes in IT affecting Enterprise Architects?

There is a digital shift going on—the whole world is going digital, and digital means a  business transformation for a lot of companies because they may get involved with human-centric customer engagement models that have very different dynamics than what they’re used to, so the skills of the Architecture profession are changing a lot. You have to be much more empathetic to be able to understand what the customers’ customer is doing and there is a whole new range of possibilities and platforms with technologies—it’s becoming very, very diverse.

That asks for more insight from architects to be able to do things. IT as such is changing—there are many forces driving that change. Everything is getting smaller, we are living on top of a mountain of data (which is self-propelling) and there’s also the societal impact of IT and the amount of information available to people. This whole change from the industrial way of doing computing, which was meant to help us do things, has transformed into an information society driven not by scarcity but by abundance. There’s an abundance of information, technology and platforms, and they have become very easily accessible to all of us. For example, where once we needed highly skilled specialists we can now do things ourselves on a smartphone everywhere.

Within an enterprise, there has been a classic division between the business and IT, and we have always preached the paradigm, ‘We should align IT with the business.’ But in fact business has become IT. However, the business people now have easy access to these new digital platforms so the IT department is lagging behind fixing legacy systems. Traditionally the role of the architect was always meant to collaborate with the business people to see how technology can advance the business.

But since IT has become so readily available—you can install mobile platforms, Cloud, or a business app by the press of a finger on an iPhone—what happens is business people are doing these things themselves more and more. Of course that is the very extreme end of the spectrum, but the net effect to the IT department is that business users want solutions more rapidly, more easily—they are not waiting for cumbersome projects.

For the architect, it’s ‘Welcome to the new world of IT.’ And you can question whether the architect is still needed when the click of a button allows you to engage with Amazon Web Services or Microsoft Azure or any other platform. So as the Architect, you’ve always done your projects, you’ve always carefully facilitated the discussions and guided decisions when defining solutions, and now you find yourself in a rapidly changing world where business people are building solutions themselves. You find yourself increasingly useless and no longer relevant.

On the other hand, if you pick up a role that articulates the value of these new technologies in the new business contexts that are emerging, you really have to change your job a lot to become meaningful. The fundamental value of architecting has not changed, but the spectrum of choices, the moving parts, the building blocks have greatly increased and it is against a background where everybody wants things very quick and very cheap. We are now living in a world where everybody says ‘Let’s fail fast and try many ideas.’ The architect by nature is more ‘Slow down. Are we making the right decision? Are we making the right choices?’ This is a bit counter or averse to the natural DNA of an architect. And that’s why the profession needs a wake up call.

How then can Architects remain relevant and meaningful within organizations? Why has it been so difficult for Enterprise Architects to show their value in companies?

That has always been a problem to show your business value as an Enterprise Architect. It has to do with making yourself relevant and being recognized by the organization. The question is, how do you do that?

First of all, the architect should actually be the first person to call on the business leader. Over the years, the discipline has been degraded a bit. Traditionally, we were the people that were engaging with the business, but the IT world has become very technical and in many organizations the architect has been degraded into a technical role while the original role of the architect was a liaison between business stakeholders and technical stakeholders. What the architect must do is to engage again with the business and build trust and confidence that they can make a difference in solving a problem, that they understand business language and that they can become empathetic.

That is one of the key skills that an architect must learn—to become empathetic and to understand what others do. They also need to understand the risks in building a system because things are going faster. They’re less cumbersome than in the early days but would a business really bet its success on not using an architect and run into risk on a project? You really need an architect to understand this whole playing field and the forces within the projects, the business opportunity, the key stakeholders, the customers’ customers and what technology can mean for them. Architects must understand the business language and build a level of trust where the business can have a dialogue where together they can explore the possibilities and see how they can make things happen. These are a couple of skills that architects need to develop.

How can Architects work on developing empathy as a skill?

That’s not an easy thing. That is because they must be much more business focused, learn much more business acumen, see how major trends in the industry affect the strategic intent of the company they’re working for. What is the whole value chain, or better, what is the value network? With the connectedness of today’s businesses we think in terms of networks rather than of chains. Diving in and understanding these concepts and problems from a business perspective is one of the key skills they have to learn.

How do you then develop empathy? You have to work with these [business] people, you have to facilitate and guide dialogues so you can learn about those things and interact with the business. You have to actually think beyond the technology. It’s much more about understanding the usage of technology—the human/technology meta-narrative, so to speak. In the early days, people adapted to technologies. Nowadays, the technology must adapt to people and as an architect you have to understand that. The dialogues of that are on a much higher level of abstraction, so it is essential for architects to facilitate that dialogue but you also have to rapidly tie that down to technology possibilities. For example, how does a choice for a certain technology affect the value network that your organization is relying and expending on? Will it create a business blockage for the future?

What can Architects do to better showcase their skills and show their value to their organizations?

How can you step forward and say, ‘I have these skills’? This is where The Open Group Certified Architect program steps in because we provide a certification where we really evaluate the architect’s experience in doing these types of things.

As an architect, if you want to become relevant, you must adopt a skillset, and with that skillset you can qualify as an Open Certified Architect (Open CA). It’s about the skillset, the portfolio of experience you have built up as a professional. Can you prove that you have done that? Using those skills and experiences is a guide for an organization where they can have a resource pool of architects. In my organization, we are pretty serious about certification—we use it as a tool for career progression.

A profession framework gives organizations a consistent approach to industry recognized standards, the roles, the way people work, the methods they use, but also to develop training and education to get people there. It’s a quality assurance for professionals because that evaluation is done in a peer-based way where the certification of architects is evaluated by other architects. With certification, we have clearly defined standards—what is the industry consensus on a good approach for how people should work, the level of interaction needed with the business. The evaluation is probing whether you’re doing that, whether you’re capable of defining projects, delivering projects with a large degree of success. One of the key components is the conformance requirements for the Open Certified Architect—it basically tells you what skills and experience are necessary to seriously call yourself an “Architect.” 

If an organization wants to develop the career progression of architects and the standards for the way they work, a profession framework is a necessary instrument to develop and maintain the profession within an organization. Using a framework based on industry consensus, as with The Open Group, provides a good reference.  It is a very prestigious certification!

Within the Open CA program in The Open Group, we have 37 architecture methods that are recognized by the Specification Authority based on industry consensus. The methods help you establish architectural decisions, validate architectures to manage stakeholder requirements, basically define the transition from old to new or how to architect a solution for a business problem. Working according to an architecture method gives you a large degree of predictability for success instead of shooting from the hip and praying for the best. If organizations adopt a profession framework, they create an environment that enables people to practice and mature their profession. You create much more consistency with role definitions. A lot of organizations struggle with defining roles for their job families, so adopting a profession framework where the skills are clearly articulated and defined and can be evaluated by the means of a certification program can really increase the effectiveness of your workforce. And in developing standards, you can provide employees a roadmap for their career progression.

What steps can Enterprise Architects take to grow their careers over the next 5-10 years and continue to show value as the industry is changing?

The obvious answer for me is of course to get your Open Certified Architect certification. Once you have it, there is a three-year recertification that is not as cumbersome as the original certification. The initial certification is a significant step for an architect. If you are an Open Certified Architect, you are a “Real Architect.” But it does require you to re-certify every three years, and that is a very short document that proves you are still architecting and maintaining your profession. Compare it to peer-reviewed professions such as lawyers and medical doctors.

One of the things we evaluate in that recertification is: Do you follow the industry? Are you following industry conferences? Are you following webinars? Are you maintaining your skills as an architect? Are you following the state of the art of the new disciplines related to architecture? The other thing we really encourage, because it’s a peer-driven evaluation, is that we encourage people to sit on boards to evaluate other architects going through the certification process.

So you keep your profession up to date, you understand what’s going on, you have to engage with your clients and give some evidence that you are still doing Architecture related work. You have to maintain your knowledge and experiences. As the industry is evolving toward a digital shift, of course everyone has to take webinars and keep up on industry trends, but to keep the Open Certified Architect certification, we ask you to do that otherwise you are no longer conforming to the conformance requirements.

@theopengroup #ogPARIS

Dr. Peter Beijer is Chief Technologist in Hewlett Packard Enterprise, leading the Architecture Capability for Enterprise Services in Europe, Middle East and Africa (EMEA). Recognized pioneer in HPE’s Solution Architecture Blueprinting methodology and core contributor to the development of the architecture profession. He is Chair of the Open CA Specification Authority. Dr. Beijer received a doctorate (Ph.D) from the University of Amsterdam.


The Enviable Pedigree of UNIX® and POSIX®

By Andrew Josey, VP, Standards and Certification, The Open Group

Technology can be a fickle thing. Spurred by perpetual innovation, the one constant in the tech industry is change. As such, we can expect that whatever is the hottest thing in the industry today—Cloud, Big Data, Mobile, Social, what have you—will be yesterday’s news within a few years’ time. That is how the industry moves and sustains itself, with constant development and creativity—all of which is only getting faster and faster.

But today’s breakthroughs would be nowhere and would not have been possible without what came before them—a fact we sometimes forget. Mainframes led to personal computers, which gave way to laptops, then tablets and smartphones, and now the Internet of Things. Today much of the interoperability we enjoy between our devices and systems—whether at home, the office or across the globe—owes itself to efforts in the 1980s and 1990s to make an interoperable operating system (OS) that could be used across diverse computing environments—the UNIX operating system.

Created at AT&T Bell Laboratories in the early 1970s, the UNIX operating system was developed as a self-contained system that could be easily adapted and run on commodity hardware. By the 1980s, UNIX workstations were widely used in academia and commercially, with a large number of system suppliers, such as HP, IBM, and Sun Microsystems (now Oracle), developing their own flavors of the OS.

At the same time, a number of organizations began standardization efforts around the system. By the late 1980s, three separate organizations were publishing different standards for the UNIX operating system, including IEEE, ISO/IEC JTC1 and X/Open (which eventually became The Open Group).

As part of its standardization efforts, IEEE developed a small set of application programming interfaces (APIs). This effort was known as POSIX, or Portable Operating System Interface. Published in 1988, the POSIX.1 standard was the first attempt outside the work at AT&T and BSD (the UNIX derivative developed at the University of California at Berkeley) to create common APIs for UNIX systems. In parallel, X/Open (an industry consortium consisting at that time of over twenty UNIX suppliers) began developing a set of standards aligned with POSIX that consisted of a superset of the POSIX APIs. The X/Open standard was known as the X/Open Portability Guide and had an emphasis on usability. ISO also got involved in the efforts, by taking the POSIX standard and internationalizing it.

In 1995, the Single UNIX Specification was created to represent the core of the UNIX brand. Born of a superset of POSIX APIs, the specification provided a richer set of requirements than POSIX for functionality, scalability, reliability and portability for multiuser computing systems. At the same time, the UNIX trademark was transferred to X/Open (now The Open Group). Today, The Open Group holds the trademark in trust for the industry, and suppliers that develop UNIX systems undergo certification, which includes over 40,000 tests, to assure their compatibility and conformance to the standard.

These tri-furcated efforts by separate standards organizations continued through most of the 1990s, with the people involved in developing the standards constantly bouncing between organizations and separate meetings. In late 1997, a number of vendors became tired of having three separate parallel efforts to keep track of and they suggested all three organizations come together to work on one standard.

In 1998, The Open Group, which had formed through the merger of X/Open and the Open Software Foundation, met with the ISO/IEC JTC 1 and IEEE technical experts for an inaugural meeting at IBM’s offices in Austin, Texas. At this meeting, it was agreed that they would work together on a single set of standards that each organization could approve and publish. Since then the approach to specification development has been “write once, adopt everywhere,” with the deliverables being a set of specifications that carry the IEEE POSIX designation, The Open Group Technical Standard designation, and the ISO/IEC designation. Known as the Austin Group, the three bodies still work together today to progress the joint standard. The new standard not only streamlined the documentation needed to work with the APIs but simplified what was available to the market under one common standard.

A constant evolution

As an operating system that forms the foundational underpinnings of many prominent computing systems, the UNIX OS has always had a number of advantages over other operating systems. One of the advantages is that those APIs have made it possible to write code that conforms to the standard that can run on multiple systems made by different vendors. If you write your code to the UNIX standard, it will run on systems made by IBM, HP, Oracle and Apple, since they all follow the UNIX standard and have submitted their operating systems for formal certification. Free OSs such as Linux and BSD also support the majority of the UNIX and POSIX APIs, so those systems are also compatible with all the others. That level of portability is key for the industry and users, enabling application portability across a wide range of systems.

In addition, UNIX is known for its stability and reliability—even at great scale. Apple claims over 80 million Mac OS X systems in use today, all of them UNIX certified. In addition, the UNIX OS forms the basis for many “big iron” systems. The operating system’s high throughput and processing power have made it an ideal OS for everything from supercomputing to systems used by the government and financial sectors—all of which require high reliability, scale and fast data processing.

The standard has also been developed such that it allows users to “slice and dice” portions of it for use even when they don’t require the full functionality of the system, since one size does not fit all. Known as “profiles,” these subsets of the standard API sets can be used for any number of applications or devices. So although not full UNIX systems, we see a lot of devices out there with the standard APIs inside them, notably set top boxes, home routers, in-flight entertainment systems and many smart phones.

Although the UNIX and POSIX standards tend to be hidden, deeply embedded in the technologies and devices they enable today, they have been responsible for a great many advances across industries from science to entertainment. Consider the following:

  • Apple’s Mac OS X, the second most widely used desktop system today, is a certified UNIX system
  • The first Internet server for the World Wide Web, developed by Tim Berners-Lee, was developed on a UNIX system
  • The establishment of the World Wide Web was driven by the availability of connected UNIX systems
  • IBM’s Deep Blue supercomputer, a UNIX system, was the first computer to beat World Chess Champion Garry Kasparov in 1997
  • Both DNA and RNA were sequenced using a UNIX system
  • For eight consecutive years (1995-2002), each film nominated for an Academy Award for Distinguished Achievement in Visual Effects was created on Silicon Graphics computers running the UNIX OS.

Despite what one might think, both the UNIX and POSIX standards are still under continual development today. The community for each is very active—meeting more than 40 times a year to continue developing the specifications.

Things are always changing, so there are new areas of functionality to standardize. The standard is also large so there is a lot of maintenance and ways to improve clarity and portability across systems.

Although it might seem that once a technology becomes standardized it becomes static, standardization usually has the opposite effect—once there is a standard, the market tends to grow even more because organizations know that the technology is trusted and stable enough to build upon. Once the platform is there, you can add things to it and run things above it. We have about 2,000 application interfaces in UNIX today.

And as Internet-worked devices continue to proliferate in today’s connected world, chances are many of these systems that need big processing power, high reliability and huge scale are going to have a piece of the UNIX standard behind them—even if it’s deep beneath the covers.

Andrew Josey is VP, Standards and Certification at The Open Group, overseeing all certification and testing programs. He also manages the standards process for The Open Group.

Since joining the company in 1996, Andrew has been closely involved with the standards development, certification and testing activities of The Open Group. He has led many standards development projects including specification and certification development for the ArchiMate®, TOGAF®, POSIX® and UNIX® programs.

He is a member of the IEEE, USENIX, UKUUG, and the Association of Enterprise Architects (AEA).  He holds an MSc in Computer Science from University College London.


Using Apprenticeships to Develop Your IT Workforce: A Conversation with Andy Ruth

By The Open Group

It’s no secret that the IT workforce is suffering from a skills gap. Not only are there not enough workers available to fill tech positions at many companies, but even the workers available may not possess the skills that companies need today to deal with the rapid changes being brought about by digital transformation.

Andy Ruth, Managing Director of Sustainable Evolution, spoke at The Open Group Austin 2016 in July about one way companies can tackle the skills gap—apprenticeship programs. We spoke with Andy about the state of the IT workforce, why apprenticeship works and how it can help bring a new and more diverse population of workers into the IT workforce.

What are some of the things currently stymieing the IT work force?

There are a couple different things that are really a challenge. We have an older workforce that is being replaced in large part by a younger workforce. That younger workforce is smaller and many don’t have fundamental knowledge of what’s going on under the covers because they grew up learning in a world with higher levels of abstraction. For instance, if someone learns Python or Rails, they may not have the deeper understanding and stronger foundations that they might if they were to start with C or C++. I was coaching a kid that’s going to MIT, and he asked ‘What do I need to do while I’m there?’ I suggested he build an operating system for one of the new IoT processors and learn the C language. He countered with ‘Well, C’s not in use anymore and nobody builds operating systems,’ to which I said, ‘Perhaps, but that builds deep understanding and good fundamentals. You’ll know how things work and you can think deeply about it. That’s what you need is that foundation, just like you need to be able to do simple math before algebra, trig and physics.’ So, I think part of it is the shift in what and how the workforce learns.

We also are in a time of such tremendous change in IT. IT is about people, process and technology. In the past we have had big shifts in technology, then we change process and people to match. Right now we have change in all three, each having an impact on the other two. Technology change is the easiest to adopt since we are geeks and naturally track it. Process change is a bit more challenging and not as interesting, so a bit harder. People are the hardest to change because they like working the way they like to work. They don’t like to be told what to do or how to do it, and really don’t feel they need someone to tell them they need to change. Having change in people, process and technology at the same time is disruptive to people.

The change is especially hard for architects since we typically have a number of years in the industry and everything is completely different from what we grew up with. We are responsible for planning the changes needed to people, process and technology, and if we haven’t experienced it we don’t know how to get started. Also, a lot of us want to stick with the old ways or haven’t needed to change yet. We used to ask ourselves if we should still code as an architect, now if we are not coding we are not relevant.

We’ve also changed the way we develop software and the way that IT works altogether. We shifted from waterfall to agile approaches, and now DevOps is the latest approach. With architecture, we no longer have the luxury of doing heavy design and evaluation. Rather, we get started and learn as we go. If we take the wrong path, we start over. I think that it’s a challenge across the board. Worst of all, many of us haven’t worked in modern IT environments so we’re not able to teach the younger folks how to be successful in the new paradigm. Unless people have been in a start-up environment, they probably haven’t worked in the modern IT workspace.

Why is there a disconnect between the skills IT people are learning and what the workforce requires?

Two groups of people need education or reeducation. Let me address the new workforce or kids going to college first. It takes about three years to get a curriculum change into the college system, so there is a natural lag. Some colleges work closely with start-up companies or big comm and those colleges can make the change fairly quickly. For the colleges working with some of the older echelon companies that have been playing it safe, they don’t have the awareness of what’s going on in the industry, so they’re slower to change their curriculum—those are the two key pieces.

In terms of the workforce at large and their reeducation, IT has been run the same way for a long time and business has run so close to the bone. There are a lot of companies that are not operating in SOA environments and are not ready for the digital transformation going on right now. People have not been able to apply modern IT techniques at work, and hands-on is the best way to learn. Since they haven’t changed, a lot of existing staff haven’t learned the new technologies and approaches.

In the early 2000s we shifted from a structured and composed N-tier environment to decomposed integration (SOA) environments. Some companies have adopted that and some haven’t. Now we’re moving from SOA on-premise to leveraging the Cloud. People and organizations who haven’t adopted SOA yet have to take two major leaps with their people, process and technology. A majority of companies are in that boat, where they have to shift to service orientation and then have to figure out how to design for the cloud. That is two gigantic leaps, and people can take one leap at a time—often unwillingly, but they can take it. When they have to jump two levels, it kills them and they’re paralyzed.

Is that part of the reason we’re now seeing companies doing bi-modal IT?

Bi-modal or multi-model are needed to successfully adopt modern concepts and complete digital transformation. In some conversations I’ve had, there’s a difference of opinion in what bi-modal means. One is, you have an IT department that runs at two different speeds. The first speed is for the systems of record, and the second is for systems of integration. Another way to put that is that you have a consistent core and you have agility at the edge. When you move from a large system and start decomposing it, you pick off integration pieces and develop using more agile approaches. For the big back-end chunks, you take more time planning and longer timeline efforts.

Another, much more controversial definition of bi-modal is that you gracefully retire the old guard by bringing in fresh talent while modernizing your IT environment. You have the old guard maintain the current environment and the new people work on the transition to the new environment. Once you have enough talent and technology operating in the new environment you deprecate the old. If you can’t get the experienced people to shift to the new ways, they are part of that deprecation process.

What can companies do to better train and maintain employees? That seems to be a continual problem at most companies.

Invest in people and spotlight the ones that are making the shift to modern IT. That’s my passion area. As I have worked with IT groups I’ve seen the retraining budget go from about $14,000 per year per person down to a few thousand dollars down to almost zero. At the same time, there have been massive layoffs occurring all over the place so there’s no loyalty or reason to learn. Experienced people have little or no loyalty to the companies they work for and new entrants only work for a company for about 18 months, then move. If you’re a millennial in any job for more than three years then other millennials start looking at you funny like you can’t get another job. In that type of environment there’s not a lot of emphasis on the company investing in the employee or in the employee having company loyalty.

The way that I’ve been approaching it, and it’s been very successful, is by setting up apprenticeship programs very much like journeymen do in construction, or in hospitals where doctors go through residency programs for on-the-job training. I break the skills acquisition into two pieces—one is the very specific skills for the organization that can’t be taught but need to be experienced through on-the-job training. For instance, I am talking to one organization that needs 250 people on staff that can do integration. They either can’t find the talent or the talent is out of price range or unwilling to move. So I gave them an approach where they take the concept of apprenticeship and bring in people that have the key entry level skills and the right work ethic, and then pair them with someone that’s experienced with integration in that environment. The person being mentored shadows the mentor to see how it’s done, and then the mentor shadows the person being mentored and provides coaching to accelerate the apprentice’s competence. You can do that for the skills associated with business capability.  

The other thing you do is help the apprentice with the foundational skills that are not specific to the job or to a business capability. The interpersonal skills, time management or whatever general skills they need to survive and maintain decent work/life balance. For these type of skills you provide external training and discussion rather than job shadowing. You make the mentor responsible for the care and growth of that individual, and you tie the mentor’s yearly review goals to their success at growing the new talent.

Have you been able to implement that at some specific companies and has it been successful?

I can’t name the companies but yes, I have been able to do it. I have also been operating my company this way to create and improve the process and build out the tools and training to support apprenticeship. I’ve been successful accelerating new workforce entrants into productive employees, and with moving existing staff into more advanced or different roles. I’ve been able to move people from traditional IT shops to agile and DevOps type environments, from dev leads to architects, and from traditional architects to modern IT architects.

The most recent and most exciting is to take kids that are not going to be able to finish college. They have the skill to get a degree but don’t have the money or interest in completing it. I’ve been taking them from doing minimum wage jobs to shifting them over and getting them into the workforce and making them productive. I’ve been able to move people into IT-related jobs as well as other business-related positions.

I apprentice them by using customer journey mapping. I teach them how it works and then have the apprentices transcribe the interviews I record and when I do a whiteboard workshop, I have them transcribe those notes into an Excel spreadsheet. I could do that electronically or with automation, but by having them do it, they learn the overall rhythm and language of business and they start to understand it. Then by talking with them about the customer journey from discovery through support or separation, they understand what the customer journey looks like. They also understand the underpinning interface with the company and how the business works and how they interact with the customer. That has been wildly successful.

With that basic knowledge they learn new skills very quickly, allowing me to focus more on helping them grow a strong work ethic and better time management. I drive through objectives rather than hours worked. I let them manage themselves so they gain a lot of confidence and they drive forward and push themselves. The other thing I do is, for the life skills they may not have, I teach those. For instance, a lot of them don’t know how to budget. I tell them not to budget using money—budget using hours. Think about a cup of Starbucks coffee as 70 minutes of your time in order to pay for it, think of your apartment rent as two weeks work, think of your car as a week’s pay. I get them thinking that way and money becomes tangible, and they get better at budgeting. 

With these entry level people who are transitioning from minimum wage jobs, are they also being hired by a company or are you teaching them the skills and then they go out and get a job?

It works both ways. I’ve helped companies get apprenticeship programs going and also apprenticed people, then they go get jobs or take jobs with the companies I consult with. Before we start, the customer and I agree I’ll be using some unskilled people to help them grow, and in return the company has the opportunity to hire the person when they are ready. I pay my apprentices a living wage as I grow them and expose them to my customers. I’m very transparent about how much they cost me and how much they have to earn to break even, and I tell them that in every business, that’s what they’re looking at. I teach them that, and then as they are introduced to my customers, my customers are welcome to hire them. Gigantic win for my employees and my customers.

This seems like it could be another avenue to help solve some of the diversity problems that the tech community is facing right now. Have you also been looking at apprenticeships in that manner?

Absolutely I have. This is another thing that is near and dear to my heart. The reason that I’m in IT is because my sister went into IT in the mid-1970s. I watched her live through that horrible time for women in IT. I’ve tried to do my part to help create a more diversified workforce in IT. Now my daughter is in IT and her journey was 10 times better than my sister’s. Not perfect, but better. Since then I have worked to identify what is broken and fix it.

I’ve also worked with a lot of kids who are disadvantaged, and I’ve been able to help them move up and into IT. Once they see a way out of their current environment and have hope, and that all it takes is some effort on their part, they are in. They’ve got somebody that believes in them and is willing to invest time in them, and they’re all over it, working harder and better than most of the privileged kids that I’ve worked with, or the ones that feel like they’re entitled.

What can employers do to make their employees more loyal these days?

That’s a tough one because when you look at it, millennials are different. The big five leadership indicators manifest differently and they are not driven by the same incentives. There’s a big shift with millennials and there will be for future generations but there are a lot of things you can do culturally to address that. A lot have to do with the policies that you have. For instance, companies that allow you to bring a dog in or work remotely or wear jeans and a t-shirt, or bow ties, those little things help.

But what I’ve found is the number one thing that has helped is to have millennials form relationships with the people that have a lot of experience and giving them time to grow relationships and skills. Every millennial I’ve reached out to and worked with has been hungry for the relationship and growth. They don’t want platitudes, they want people who really want to interact with them and have a genuine interest in helping them. Once you show that, big win.  

The other thing you have to do is let them experiment and not put them in a box. You have to put a group of them together and let them figure out their own boundaries and just make it an objective base. I think doing that helps an awful lot. So building those relationships, which you can do through an apprenticeship program and then providing some freedom so they can operate in a different way, those are two of the things you can do. The heavy handed review cycles and trying to either intimidate or incent millennials with money is not going to work. A lot of them have a high-minded idea of the way the world should work, and they’re going to be more loyal if the company they work for represents that or if the manager they work for represents that.

What are some of those ideals that they’re looking for?

Most of them are worried about the world and want it to be a better place. They see the disparity between the highest paid and lowest paid, and they want fairness and to work as a group, and for the group being successful. A lot of their idealism is centered on those concepts, and allowing them volunteer time to work with charities and have outreach programs.

What role can certification programs such as The Open Group’s play in helping to close the skills gap?

It can play a gigantic role by providing frameworks and methodologies that reflect today’s IT environment. I think we also have to shift the way that we do certification and training and a lot of that is starting to happen. We’re starting to move the bar and have a lot more practical and hands-on certifications and training.

I think we need to shift from taking an online course and then going to a place and taking a test to working with and interacting with another person. An example of that is the top certifications for architects that The Open Group has, those are based on defending your experience and going through an interview process with peer members of that group, and them saying yes, this person is what they say. Using a test you can’t do that.

This type of approach makes it a lot more personal. What you will see over time is that people say ‘I had so and so on my board’ or ‘I had this person mentor me,’ and they start talking about their lineage based on the people they’ve worked with in the industry. If we shift more toward that type of validation as opposed to using multiple choice tests, we’ll be a lot better off.

I also think you’ll see hybrid industry/customer certifications just like you see industry/customer training. Someone will join a company and get trained and certified, but that certification will be able to follow the person rather than go away when they leave the company. What you’ll see is when an employee decides to leave, they can take part of the external facing portion of a credential with them, and only lose the internal portion. For the piece they lose, they will rely on their resume.

The other big area where you’ll see a shift in certification is, rather than being tied to technology and platforms, certification will be tied to business capabilities and business outcomes. You’ll certify that someone can build a solution toward a specific business outcome or capability that’s trying to be enabled.


Andy started his career in IT as a technical expert in consulting roles as well as staff roles. In the mid-1990s, he shifted from delivering IT capability to delivering training, speaking at conferences and writing books and training covering the IT space. At the end of the 1990s, Andy joined Microsoft as a subject matter expert working on their public training and certification programs.

He grew to own curriculum development, then certification development, and then creating and delivering new training and certification programs. Additionally, Andy spent time as a role owner, defining job roles, levels, career ladders and compensation models for field-based architects and consultants. Over the last several years, Andy has employed his talents as a consultant helping with business and IT strategy, and he has a passion for workforce development.


The Open Group Austin Event to Take Place July 18-21, 2016

The Open Group, the vendor-neutral IT consortium, is hosting its latest event in Austin, TX, USA July 18—21, 2016. The event, taking place at Austin’s Four Seasons Hotel, will focus on open standards, open source and how to enable Boundaryless Information Flow™.

Industry experts will explain how organizations can use openness as an advantage and how the use of both open standards and open source can help enterprises support their digital business strategies. Sessions will look at the opportunities, advantages, risks and challenges of openness within organizations.

The event features key industry speakers including:

  • Steve Nunn, President & CEO, The Open Group
  • Dr. Ben Calloni, Fellow, Cybersecurity, Lockheed Martin Aeronautics
  • Rick Solis, IT Business Architect, ExxonMobil Global Services Co
  • Zahid Hossain, Director, IT Architecture, Nationwide
  • William Wimsatt, Oracle Business Architect, Oracle

Full details on the agenda and speakers can be found here.

The Open Business Architecture Standard (O-BA) and ArchiMate® 3.0, a new standard for Architecture, will be the focus of Monday’s keynote sessions. There will also be a significant emphasis on IT4IT™, with the Tuesday plenary and tracks looking at using and implementing the IT4IT™ Reference Architecture Version 2.0 standard.

Further topics to be covered at the event include:

  • Open Platform 3.0™ – driving Lean Digital Architecture and large scale enterprise managed cloud integration
  • ArchiMate® – New features and practical use cases

Member meetings will take place throughout the course of the three-day event as well as the next TOGAF® User Group meeting taking place on July 20.

Registration for The Open Group Austin event is open now, is available to members and non-members, and can be found here.

By The Open Group


For media queries, please contact:

Holly Hunter
Hotwire PR
+44 207 608 4638
UKOpengroup@hotwirepr.com
