Monday, July 26, 2010

Business Trends in Global IT Markets Provide New Traction and Value for Enterprise Architecture

Transcript of a sponsored podcast discussion on the global adoption of enterprise architecture in response to regional business trends.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: The Open Group.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect. Today, we present a sponsored podcast discussion, coming to you from The Open Group Conference in Boston, the week of July 19, 2010.

We've assembled a panel to examine the key market trends impacting enterprise architecture (EA) in different regions of the world. We'll evaluate how the use and value of EA is emerging and progressing worldwide, and how the expanding use of EA offers a unique window into global business trends as well.

Our guests will share their knowledge on several developing and mature markets, as well as present a focus on China. We'll hear about the cultural barriers and/or accelerants for EA adoption from region to region.

Here to help better understand the role of EA as it bestrides the globe is our panel. Please join me in welcoming Allen Brown, President and CEO of The Open Group. Welcome, Allen.

Allen Brown: Thank you.

Gardner: We're also here with Eric Boulay, president and CEO of Arismore and also CEO of The Open Group, France. Welcome, Eric.

Eric Boulay: Good morning, Dana.

Gardner: Chris Forde, vice president of Enterprise Architecture & Membership Capabilities of The Open Group, also joins us. Welcome, Chris.

Chris Forde: Good afternoon.

Gardner: And Mats Gejnevall, a Certified Enterprise Architect with Capgemini, Sweden. Welcome.

Mats Gejnevall: Thank you very much.

Gardner: We are also here with Stuart Macgregor, CEO of Real IRM and CEO of The Open Group, South Africa. Welcome, Stuart.

Stuart Macgregor: Good afternoon. Glad to be here.

Gardner: Allen, let's start with you. Tell us a little bit about what's happening globally. Why is EA so popular now? We'll get into the regions in a moment, about why it's happening here and there, but are there any general perceptions as to why EA is such an important aspect of IT and business development at this time?

Brown: Thank you, Dana. A trend over a number of years now is that the barriers within enterprises; the silos, the departments, the stovepipes, have been broken down.

Organizations are working cross-functionally. They're bringing people together. They're working with their business partners, and they have their IT infrastructure integrated with their business partners. That has caused a requirement for people to be able to look across the entire organization and think about how IT impacts different parts of the organization and how it integrates together.

Many parts of the organization have had applications built for the stovepipes that now need to work together in ways that they were never intended, when those legacy applications were put in, because we never intended those legacy applications to last this long. But, they did, and you can't just replace them.

What's happened with what we call boundaryless information flow, or the requirement for access to integrated information under security issues, is that we're now having to deal with something called "EA" on a number of different levels.

Different aspects


Many people have tried to define EA, and I don't think anyone has come up with a satisfactory overarching definition yet. But, there are a number of different aspects to it. At the moment, EA is focused on the IT element, although it has ambition to look at the architecture of an entire enterprise at some stage.

People are looking at the entire enterprise from an IT perspective, like a city planner would. So you've got that kind of EA. Then you have got other folks that are more focused on specific solutions, and that's also EA.

EA is an umbrella term that relates to an awful lot of activity that flows further down, whether it's business IT architecture, data architecture, and so on. There are many things, but the driving force in many organizations is this need to integrate and share information.

In governments, you're seeing joined-up government and citizen-centric government. To deliver those services, and to do so economically, requires this boundaryless information flow concept, and that requires the discipline of EA.

Gardner: Of course we are in an environment where not only are the technology trends unfolding at different rates, but we have a different economic environment from region to region. Some regions are struggling, and others are growing quite well.

There are more organizations that are saying that this is the time to invest, to rationalize, and to really drive out value from their IT investment.



Being based in the UK, being familiar with Europe and North America where the economies are still struggling, do you see anything about the economy and the position of budget pressures that is accelerating or having impact on the adoption of EA?

Brown: It varies from enterprise to enterprise. We're seeing continued growth in the adoption of EA in general and TOGAF in particular -- and it's continuing to grow. There are organizations that are saying that EA isn’t delivering near-term bottom lines, so they're going to cut the cost.

There are more organizations that are saying that this is the time to invest, to rationalize, and to really drive out value from their IT investment. So, you're starting to see a mix of things. But, generally speaking, my experience in the developed or struggling economies is that there are more people focused on EA than not.

Gardner: Eric Boulay in France, tell me what the market for EA is there, and what are some of the drivers?

Boulay: Key drivers are the necessity to move forward for big and small enterprises. Because of the downturn, the future of the enterprise is to roll out in an international, standard view. In order to roll out -- for example, for big banks on a European or worldwide basis -- they have to welcome big transformation, and this kind of big transformation can be helped by EA.

Huge opportunity

It's an architecture issue to transform local enterprise to a worldwide or a European enterprise. This is a huge opportunity for enterprise architects and for EA to help in this big change. So, there is no downturn for EA, because if we use it and build a new EA practice in order to better address this kind of job, it's a huge opportunity for us. There is no downturn for us. It's only a matter of finding the right skills in order to help enterprise go abroad.

Gardner: Mats, based in Sweden with experience in Northern Europe, is transformation a real driver here regardless of the economy?

Gejnevall: Transformation has always been a big driver in the enterprise Architecture Forum, but what we see these days is that getting your IT under control has been a major factor for going into the EA side of things. Slowly the companies now are connecting the IT structures they have with the business.

It was a struggle in the beginning, and most of the EA projects were IT-based projects, but now, business is starting to understand the full impact and understand that the IT solutions that we create should really be aligned with the long-term strategies and objectives of the organizations.

Gardner: Do you perceive any difference between the public sector and private sector in terms of the adoptions markets are familiar with?

Gejnevall: In the past, public sector has been pretty slow on the uptake, but recently we're doing a lot of business with healthcare services and so on. They're really large organizations, with 30,000, 40,000, or 50,000 people, and they have lots of different divisions. They need to work together in a collaborative fashion and fulfill the long term goals that the politicians have set up for them.

Gardner: Stuart Macgregor in South Africa, are there certain trends afoot that you can identify that are prominent in your market, but might also represent other emerging markets?

Macgregor: South Africa is slightly different, because EA is from the business side, rather than from technology. A lot of organizations have spent a lot of money working on business processes, and that business process architecture across the business domain is now being linked to the technology domains. So, we are probably the opposite.

In fact, we're coming from the top down, instead of from the technology side upward. South Africa currently has roughly 10 percent of the Architecture Forum membership, all South Africans, and there is a big adoption of TOGAF in South Africa. If you look at our GDP in comparison, it’s quite exceptional.

That’s really been because of The Open Group's presence in South Africa, organizing events, a lot of TOGAF training, a lot of certification, a lot of press articles, and really driving the business value and the business understanding of what EA is about.

We have had for example, SASOL which is one of the larger petrochemical organizations, adopt TOGAF, working it into their governance standard. What their enterprise architect did, is he bought Enterprise Architecture as Strategy, the Jeanne Ross book, and distributed to senior executives. Given that it is written in business-speak, it really led to the adoption and understanding of what EA is about, and was quite serious for the uptake within the business.

Key focus area

We differ across business sectors as well, in that our financial services sector -- again, a big focus on the business process area -- are lagging in the technology domain, and that’s now a key focus area bringing that up to speed.

Across the natural resources sector, for example, we have an Open Group Standard called EMMMv, which stands for Exploration Mining Metals and Minerals, where we're working on putting together reference architectures for the sector, and that’s also driving global adoption of TOGAF. So, it really differs across sectors and across organizations. There's no one size fits all.

Gardner: It seems a credit to TOGAF, Allen Brown, that it can be playing a role in so many different markets with so many different variables at work. Perhaps you could, from your perch, tell us about certain markets in the world that have seen the most impact, adoption, or uptake of TOGAF and/or enterprise architecture.

Brown: We're seeing it pretty broadly across the planet, really. Obviously the US and UK were leading, but the amount of uptake in the Asia-Pacific region right now is quite dramatic and we're starting to see that take off. But, it's really difficult to isolate any particular region.

We’ve now got something like 15,000 members of our professional body, the Association of The Open Group Enterprise Architects. They are, in some way or another, connected with TOGAF for our IT architect certification. Those people are distributed across 116 different countries. So, it's really quite difficult to say which is growing the most.

Gardner: Let's go to the Asia-Pac region and Chris Forde in China. What are some of the elements of TOGAF’s growth and adoption that you can identify that might be specific to China?

Forde: The Chinese market is really very interesting. There's an opportunity there for the EA practice to grow massively. For the most part, larger enterprises in the China region are relying on the brand name western companies to do strategy and planning, and there is very limited internal capability, knowledge, and experience around EA.

I've been hearing from folks in various organizations, both state-owned companies and others, that they're reluctant to step away from these brand-name companies, because there is a certain degree of security around the planning and activities that go on there, but there is also a degree of dissatisfaction that they aren’t feeling in control of their own fate.

Over the next several years, I anticipate the development of internal architecture practices and an up-scaling of staff. The universities already have in place CIO forums and executive MBA activities that explicitly deal with EA as a set of concepts. Over time, I think that it's going to find it's place in the Chinese organizations.

At the moment, they're still continuing with this kind of organic growth of the IT approach to things, which is something that the Western markets dealt with 15 years ago, and found the need for a more planful approach to doing things.

This is the opportunity for us in EA in that particular market. The issue is that at the leadership level in these companies there isn’t a perception that they need to do anything, because the problem hasn’t actually arrived broadly inside China, from what I’m seeing.

Gardner: I’m going to guess that in some of the more mature markets they wished they had had an opportunity to invoke some of these practices, before there was a problem. Is there an opportunity in China for them to gain a lesson from the rest of the world?

Body of knowledge

Forde: I think there is, and this is one of the things for the emerging markets, similar to cellphones. The learning that has occurred in the Western markets have produced a body of knowledge in TOGAF that can accelerate for other companies the way they adopt and improve their ability to deliver on strategy, planning, and execution.

Once the recognition is there inside companies, when the need arrives, those companies in that market that have planned for this will start to really accelerate in terms of their global position.

Gardner: Is it your understanding -- or anybody else's on our panel -- that the other so-called BRIC countries, Brazil, Russia and India, are facing similar situation as China?

Forde: I wouldn’t comment directly on the other BRIC countries. I have a sense that that’s the case, but I don’t have any specific information of those markets.

Gardner: Another set of variables we can bring to this picture are some of the technology trends: mobile, cloud, data explosion, complexity, and then, of course, due to the economy in most regions, an emphasis on efficiency. Can we look to any of these trends and find a relationship between EA adoption in a particular market? Why don’t we try with you, Mats, in Swede?.

In cloud, it always comes into the discussion, even though people don’t quite know how to use it yet. I think The Open Group’s effort around cloud computing can actually help that to a large extent.



Gejnevall: Capgemini has put together a number of service offerings
worldwide that we are adapting to the conditions of each one of the countries. We can see that things like boundaryless information -- being able to use information in new ways -- is something that every company wants to do.

In cloud, it always comes into the discussion, even though people don’t quite know how to use it yet. I think The Open Group’s effort around cloud computing can actually help that to a large extent. The ROI paper on cloud computing, for instance, will be a tremendous help for a lot of companies to have a look at and see what can they do. But, everything is moving very, very slowly. In countries like Sweden, the bigger companies might try these out, but the smaller ones are not ready yet.

Gardner: How about Eric Boulay in France? Are there some technology trends or adoption trends in business that are spurring some of this adoption of an EA perspective?

Boulay: Sometimes, it makes sense to have an engineer's analysis of the situation. We used to consider what is behind the word, and sometimes we have many questions about hype words, such as cloud. What is cloud? I've heard that many of CIOs here in France used to say that we have been doing cloud computing for a while. What’s the difference between private cloud and internal data centers with shared services application or infrastructure?

To go back to EA, we spent a lot of time to move from IT EA to real EA. Now, I think we're mature enough to take the new capability brought by the new technologies. Cloud should be one of them. And now, once more we're ready to move from the old-fashioned way of sharing resources to better practices brought by new technology.

So, it’s not a big deal. Once more, it’s obvious that EA is a way to transform, so you can transform the business, but you also can transform the way to consume IT.

Gardner: Very good. Does anyone else have any perspectives on technology? How about South Africa from your perspective, Stuart?

Modeling and defining

Macgregor: Not technology, specifically, but it's probably more in the domain of information architecture that we’re seeing greater focus on modeling and defining information architecture. We're understanding the difference between information architecture and data architecture and using that as a way of bridging the gap between business and technology, while tackling the information architecture domain.

Gardner: Now, because we’re in such a globally connected environment, I’m wondering if there isn’t a benefit down the road, as more of these regions and more of the large organizations -- public and private -- standardize and adopt enterprise and architecture?

Doesn’t it offer more of a opportunity for these disparate markets to work more in concert, reduce the friction of trade, reduce the friction of services, goods, even perhaps as cloud computing unfolds? We don’t know how it’s going to happen, the opportunities to share cloud computing resources across great distances and boundaries.

Back to you Allen Brown. Is there an opportunity for us to consider a unifying influence of EA that would have a growth and/or efficiency benefit, as more and more markets start approaching their business problems in a similar fashion architecturally?

Brown: Absolutely. I think it’s worth also bringing in Chris to see his experiences, but everything I hear says that organizations that are involved in EA in general, and TOGAF in particular, are finding it much easier to integrate with business partners. Mergers and acquisitions are enabled more effectively. So, in working with other organizations, as we get more and more connected, EA is a positive force in that.

Depending on the maturity of the company and of the region, you might be talking anywhere from six-month payback on an EA activity to a three-year payback.



Gardner: Chris Forde, your perspective on that, the notion that the more EA adoption around the world, then perhaps the more easily business can be conducted at a global scale?

Forde: I'd say that the long-term point around that is valid. I'd also say that there is a certain learning curve to be gotten up in terms of EA, and that, depending on the maturity of the company and of the region, you might be talking anywhere from six-month payback on an EA activity to a three-year payback.

The body of work that we have available to us in TOGAF is that, if you look at it as a tool in the context of the problem you’re trying to solve, you can drive immediate value. If you look at it as some sort of massive program that you’re going to implement, you’re looking at a longer term payback.

So, it’s very important for individuals and companies to approach EA with a specific problem in mind, not just some sort of generic goodness thing that they’re looking at.

Gardner: Fair enough. As we think about the tactical, and the potential strategic benefits, people who are engaged, understanding what they need to do, but not sure how to start, can we point them in any specific directions? Where do you go to get started on learning more about EA, learning more about TOGAF, finding the tactical, and then perhaps ultimately the strategic values? Chris?

Architecture Forum

Forde: There are a number of places. The first and foremost one will be the membership of The Open Group, and particularly the Architecture Forum. You’ve got people sitting around this microphone right now that can help, and you’ve got people out at the conference who have an enormous background and this capability.

Then, in the member companies, either on the supplier side, on the customer side, or in academia, you also have resources available. Those are the places to go to find out what you need to do, and what the approaches can be used, and in a practical sense, what the barriers and the pitfalls are in the approaches. People here have been there, done that, and that’s where you need to go, to the experience.

Gardner: Mats?

Gejnevall: In the past, we as consultants used to go out and do architectures with companies. We came out and we delivered a folder saying, "Here’s your EA. Go ahead and implement it." Of course, that didn’t work.

These days, we actually encourage companies to work with us, to work with experts in the field, and teach them and work and produce these EAs together, because EA is not just a project. It’s got a lifecycle and it needs to be maintained. If companies don’t get that knowledge themselves, the EA will die.

They're trying to educate enterprise architects inside their company. They understand that they need these kind of people in order to make the company be successful and to move forward.



Gardner: Any thoughts, Stuart Macgregor, on this journey of beginning it, perhaps regardless of where you’re starting from?

Macgregor: I certainly support what Mats and Chris have just said. To me organization change leadership is an absolute essential component of getting EA to work, the mechanics of modeling etc. It’s not really that difficult. It's the stuff that we have mastered and we’ve been doing for years. It’s how to drive positive business-appropriate and sustainable EA practices that are run like businesses with a very clearly defined offering that understands who the customers are, and can really deliver more value than they cost.

Gardner: And, Eric Boulay?

Boulay: In France, we had a long journey to capture EA practice. Right now, we consider that we moved from IT EA to enterprise, to real business EA, and this is a big shift. Now, CxOs aren't chasing enterprise architects. They're trying to educate enterprise architects inside their company. They understand that they need these kind of people in order to make the company be successful and to move forward.

So, it’s a big challenge and a big recognition for us. They need our body of knowledge as TOGAF and the EA body of knowledge. They need us to train, coach, and to help their inside employees to become leaders. Enterprise architects are definitely, as many of you mentioned, people who are ready to talk with different groups in order to ensure there are no more stovepipe in these companies.

Gardner: Allen, the last word to you. Do you have any thoughts about getting started and how companies and/or countries and regions that haven’t taken this journey too deeply could avail themselves of the many years' worth of experience that others have traveled through?

Brown: Yes, the first one is, if you can get to one of the conferences and share experiences with other members. That's the key area to start. But, if you can’t do that, then there is an awful lot of available information. At the minimum, TOGAF itself is available freely online for people to read, look at, and use within their own organization.

You can buy the book, if it’s easier to have that. If you want to go to the next state, there are many trainee organizations that can train your people in TOGAF. If you can’t avail yourself of that -- there are some countries where that’s not possible -- then there is a study guide that you can get from The Open Group to work your way through.

There are examination centers everywhere. Working through that gives you a good understanding of TOGAF. It doesn’t necessarily make you an enterprise architect. You’ve got to have the abilities to go with that, and you’ve got to have the experience.

Again, you can work with some of the folks either at conferences or local chapters. We've got chapters in many different countries now. You can share with them, correspond with them or our other members. This is the way that you actually get the experience of how to do it, what people have done, and what pitfalls there are.

Gardner: Great, thank you. We’ve been discussing key market trends impacting EA in different regions of the world and how folks are using EA and gaining value from it, in both emerging and more mature markets.

This sponsored podcast discussion is coming to you from The Open Group Conference in Boston, the week of July 19, 2010. I’d like to thank our guests; we’ve been here with Allen Brown, president and CEO of The Open Group, thank you, Allen.

Brown: Thank you very much, Dana.

Gardner: We also have here Eric Boulay, president and CEO of Arismore and also CEO of The Open Group, France.

Boulay: Thank you, Dana.

Gardner: Mats Gejnevall, Certified Enterprise Architect at Capgemini, Sweden. Thank you.

Gejnevall: Thank you, Dana.

Gardner: We’re also been joined by Chris Forde, Vice President of Enterprise Architecture and Membership Capabilities of The Open Group, based in Shanghai. Thank you.

Forde: It’s been a pleasure, thanks.

Gardner: And last, Stuart Macgregor, the CEO of Real IRM in South Africa, as well as the CEO of The Open Group in South Africa. Thank you.

Macgregor: Thank you very much, Dana.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. You've been listening to a sponsored BriefingsDirect Podcast. Thanks for joining, and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: The Open Group.

Transcript of a sponsored podcast discussion on the global adoption of enterprise architecture in response to regional business trends. Copyright Interarbor Solutions, LLC, 2005-2010. All rights reserved.

You may also be interested in:

Friday, July 23, 2010

The State of Enterprise Architecture: Vast Promise or Lost Opportunity?

Transcript of a sponsored podcast on the potential of enterprise architecture, resistance in the business community, and finding common ground.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: The Open Group.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect. Today, we present a sponsored podcast discussion, coming to you from The Open Group Conference in Boston, the week of July 19, 2010.

We’ve assembled a panel to delve into the advancing role and powerful potential for enterprise architecture (EA). The need for EA seems to be more pressing than ever, yet efforts to professionalize EA do not necessarily lead to increased credibility and adoption, at least not yet.

We’ll examine the shift of IT from mysterious art to more engineered science and how enterprise architects face the unique opportunity to usher in the concept of business architecture and increased business agility.

The economy’s grip on budgets and the fast changing sourcing models like cloud computing are pointing to a reckoning for EA -- of now defining a vast new promise for IT business alignment improvement or, conversely, a potentially costly lost opportunity.

Please join me in better understanding the dynamic role of EA by welcoming our guests. We are here with Jeanne Ross, Director and Principal Research Scientist at the MIT Center for Information Systems Research and noted author. Welcome to BriefingsDirect.

Jeanne Ross: Thank you. It’s nice to be here.

Gardner: We are also here with Dave Hornford, an architecture practice principal at Integritas Solutions, as well as the Chairman of The Open Group Architecture Forum. Welcome Dave.

Dave Hornford: Thank you. It’s good to be here.

Gardner: We're also here with Len Fehskens, Vice President for Skills and Capabilities at The Open Group. Welcome, Len.

Len Fehskens: Hi, Dana. Glad to be here.

Gardner: Let me start with looking at this inflection point or opportunity. Many have discussed here at the conference that there's a lot to be done and gained by proper EA. But the stakes are high, because not all of these organizations seem to be rallying around this concept. So why are the stakes high, and why haven’t people gravitated to EA?

Ross: The stakes are high, because organizations are becoming more digital out of necessity. It’s a more digital economy. Thus, IT is more strategic. I think people see that, but outside of people who have already embraced architecture, there is some reluctance to think that the way we get more value from IT is basically by taming it, by establishing a vision and building to standards and understanding how that relates back to new ways of doing business, and actually developing standards around business processes and around data.

Exciting stuff

There is a piece of it that’s just not appealing. Besides, we feel like this should all be about innovation, which should be all exciting stuff. Architecture just doesn’t have the right feel for a lot of businesspeople, who are saying, "Oh sure, the digital economy is very exciting."

Gardner: We’ve also been hearing here at the conference that there is this delayed gratification effect, whereby a lot of the structure and discipline that you might bring to architecture can have a long-term and strategic benefit, but most people are focused on the here and the now.

A recurring theme for me here has been, "How we accommodate both?" How do we present something to our executives and across the organization that they can work with now, but that also will put us in a strong long-term position? Jeanne?

Ross: This is where there is a certain art in architecture. We’ve learned a lot about methodologies, disciplines, and tools, but there is an art to be able to take the long-term vision for an organization and not just say, "It’ll come guys, be patient," but rather, "I understand that starting tomorrow, we need to begin generating value from more disciplined processes."

Great organizations actually learn how to do something in the near-term that builds toward the long-term, but also delivers on some new value to the organization today.

Gardner: Len, we're looking at quite a bit of change. We're asking the organization to change how they use and perceive of IT, and to elevate the way in which they process the logic of the business itself to an architectural level. Then, we're also asking these architects, the individuals, to put on many hats and be multi-disciplined.

The question to you is, in examining the state of EA, this concept of a professional category or definition of EA, where is it at this time?

Fehskens: It’s really just a gleam in many people’s eye at this point. If you look at the discipline of EA and compare it to mature professions like law and medicine, we’re back 200-300 years ago. We’ve been doing a lot of research recently into the professionalization of other disciplines.

Most of the people studying the subject come up with a fairly short list of characteristics of professions. They usually include things like a well-defined body of knowledge, and well-defined educational program and particular degree programs, often offered by schools that are specifically focused on the discipline, not just the department within a larger organization.

There's some kind of professional certification or vetting process and often even some kind of legal sanction, a right to practice or right to bear the title. We don’t have any of those things right now for EA.

Proprietary knowledge

The body of knowledge is widely distributed and is largely proprietary. We’re at a state similar to going to a lawyer, and the lawyers try to sell themselves based on secret processes that only they had that would allow you to get a fair shake before a judge. Or similar thing with a doctor, who would say, "Come to this hospital, because we’re the only people who know how to do this particular kind of procedure."

So, we’ve got a long way to go. The big thing we’ve got going for us is that, as Jeanne pointed out, the stakes are high and so many organizations are becoming dependent upon the competent practice of EA as a discipline.

There's a lot of energy in the system to move forward very quickly on the professionalization of the discipline, and in addition to take advantage of what we’ve learned from watching the professionalization of disciplines like law, medicine, engineering, civil architecture, etc. We’ve got long ways to go, but we are running really hard to make some progress.

Gardner: Dave, we have high stakes. We have a great opportunity. This is a cake that hasn’t been baked yet, so folks can work with this. As a practitioner and someone who’s involved with the Forum, tell us where you see the current traction. Where are people who are doing this doing it well, and what is it about them that makes make prepared for this?

Hornford: Where people are doing it well is where they are focused on business value. The question of what is business value is highly dependent. People will mention a term, “agility.” I work with a mining company. They define agility as the ability to disassemble their business. They have a mine. Someone buys the mine. We need to remove the mine from the business. A different organization will define agility a different way, but underpinning all of that is what is the business trying to achieve? What is their vision and what is their goal?

Practitioners who are pursuing this have to be very clear on what is the end state, what is the goal, what is the business transformation, and how will the digital assets of the corporation the IT asset actually enable where they’re going, so that they’re able to move themselves to a target more effectively than their competition.

The stakes are high in the sense that should someone in your industry figure this out, they will change the game on you, and you will now be in a serious trouble. As long as all of your competition is struggling as long as you are, you’re okay. It’s when someone figures it out that they will change the game.

Gardner: Jeanne, through your research and publishing, you’ve identified some steps -- four that we heard about earlier today. Two of these seem to be very focused on IT, but then progress beyond IT. It’s this transition that seems to get people a little tripped up.

We often talk about the platforms that the IT people are focused on. I have project. I have a set of requirements. I’m going to install, manage, and optimize a platform, but at some point, that needs to work toward the business agility. Help us understand the role of the enterprise architect today in making that transition?

Ross: Right now, the enterprise architect would help design the platforms, but the critical thing to recognize about platforms is they represent the underpinnings of processes, which would be data, technology and applications.

Process vision

The architect is working very closely in designing these platforms with people who have a vision of how a process ought to be performed. It might be in terms of an end-to-end process. It might be in terms of a process that’s done repeatedly in different parts of an organization.

But, the architect’s role is to make sure that there is a vision. You may have to help provide that vision as to what that process is, and how it fits into the bigger vision that Dave was talking about. So there is a lot of negotiation and envisioning that becomes part of an architect’s role that is above and beyond just the technology piece and the methodology that we’ve worked so hard at in terms of developing the discipline.

Gardner: Len, when you go out and hear the requirements in the field and you see the need for a professional category, it seems that things are moving so fast that it's almost perhaps a benefit to have this as a loose concept.

So, the question for you is, if business processes are dynamic and continue to be accelerating in how quickly people need to adapt, isn’t the role of the enterprise architect in actually managing adaptability, rather than actually being a category like a lawyer or a doctor?

Fehskens: Yes, but I don’t think that changes the fact that the skills associated with doing architecture are largely independent of the domain that you're working in.

There is a set of capabilities that an architect has to have that are largely independent of where they are working.



There is a set of capabilities that an architect has to have that are largely independent of where they are working. While Dave and Jeanne were talking, I was thinking that, despite the fact that the discipline is so immature as a profession, we're still doing surprisingly well.

In terms of its maturity as a profession, it may be 100 or 200 years back, compared to law or medicine, but on the other hand, the quality of the practice is much more like where medicine and law were 50 year, 25 years ago.

So, there is a disparity between the capability, the quality of the services that enterprise architects are providing, and the maturity of the profession. That's a characteristic of architects. Architects have to be inherently adaptable.

In a lot of cases, we make a big deal about the technical expertise of architects, but in a lot of architectural engagements that I have been involved in, I didn’t actually know anything at all about the subject matter that I was being asked to architect.

What I did know how to do was ask the right questions, find the people who knew the answers to those, and help the people who actually had the information orchestrate, arrange, and understand it in a way that allowed them to solve the problem that they really had.

Dynamic environment

I
agree that there is something fundamentally different about the kind of work that architects do, compared to say lawyers and doctors. It is a much more dynamic environment, but the skills to deal with that dynamism are not really dynamic themselves. They're pretty stable in terms of the ability of architects to face a whole host of different kinds of problems and apply the same skills to them in a way that produces successful results.

Gardner: Dave, we heard the need for architects to be evangelists, to rally the troops, to get people on the same page, to hasten transformation, all of which is inherently difficult. So how about leadership? We haven’t heard that word, but it seems that the role of the architect is to really be a leader above many other activities within the organization. What is it about the leadership capability that you think can make or break the enterprise architect?

Hornford: The fundamental with leadership in EA is that architects don’t own things. They are not responsible for the business processes. They are not responsible for the sales results. They are responsible for leading a group of people to that transformation, to that happy place, or to the end-state that you're trying to achieve.

If you don't have good leadership skills, the rest of it fundamentally doesn’t matter. You’ll be sitting back and saying, "Well, if I only had a hammer. If I only had authority, I could make people do things." Well, if you have that authority, you would be the general manager. You’d be the COO. They're looking for someone to assist them in areas of the business at times that they can't be there.

I learned far more about doing EA in an 18-month period, when I was a general manager of a subsidiary for a telephone company. My job was to integrate that into the telephone company. I got that role as the enterprise architect for the integration, but through transformations I became the general manager of the subsidiary.

If you do not lead and do not take the risk to lead, the transformation won’t occur.



I learned more there, because I had the balance between having authority and not having to do some of the softer leadership, and coaching myself into doing the changes that were necessary. Seeing that transformation was a great learning experience, because it highlighted that you must lead as an architect. If you do not lead and do not take the risk to lead, the transformation won’t occur. One of the barriers for the profession today is that many architects are not prepared to take the risk of leadership.

Gardner: Jeanne, what about this issue of authority? Just because the enterprise architect has the vision -- and maybe has a very good plan as to what should take place in a particular way for that particular company -- at this particular time they don’t have the budget and the authority. If they can’t marshal those people who do have the budget and authority to cooperate -- wow, lost opportunity. Let’s discuss the issue of authority, and the role of the enterprise architect.

Ross: That’s quite a dilemma. In an environment where the architect can see the possibilities and can’t get the commitment of other people, it’s really not possible to win that. One of two things has to happen. Either the architect is successful in spreading the word and getting commitment or the architect should go somewhere where that’s possible, because I just don’t think you can successfully pursue architecture alone. You can’t just go off in a corner and be a successful architect, as we’ve been discussing here.

The first thing you do, because you are in an environment where you get it and you see it and you know what needs to be done, is that you do everything you can to get commitment across managers who can make things happen. But, there are situations where that’s not going to happen, and you're better off finding an organization that’s longing for good architecture talent -- and they're out there. There are plenty of organizations looking for architects to help them down that path.

Hornford: A key point that Jeanne made this morning in her presentation was the fundamental for commitments. If those commitments aren’t there, the organization will not absorb, consume, or benefit from EA.

Compelling value proposition

Fehskens: A phrase that you’ll hear architects use a lot is "compelling value proposition." The authority of an architect ultimately comes from their ability to articulate a compelling value proposition for architecture in general, for specific architect in a specific situation. Jeanne is absolutely right. Even if you have a compelling value proposition and it falls on deaf ears, for whatever reason, that’s the end of the road.

There isn’t any place you can go, because the only leverage an architect has is the ability to articulate a compelling value proposition that says, "I’ve recognized this. I acknowledge this is promise, but here’s why you have reason to believe that I can actually deliver on this and that when I have delivered on this, this thing itself will deliver these promised benefits."

But, you have to be able to make that argument and you have to be able to do it in the language of the audience that you're speaking to. This is probably one of the biggest problems that architects coming from a technical background have. They'll tell you about features and functions but never get around talking about benefits.

My experience with businesspeople is they don’t really care how you do something. All they care is what results you're going to produce. What you do is just a black box. All they care about is whether or not the black box delivers all the promises that it made.

To convince somebody that you can actually do this, that the black box will actually solve this problem without going into the details of the intricacies and sort of trying to prove that if I just show you how it works then you’ll obviously come to the conclusion that it will do what I promise, you can’t do that that. For most audiences that just doesn’t work. That’s probably one of the most fundamental skills that architects need in order to work through this problem -- getting people to buy into what they are trying to sell.

The thing to recognize about business agility is that it’s a journey. You don’t want to start making your compelling business values something you can't deliver for three years.



Gardner: Based on what we’ve been hearing here at the conference, the metric of success and perhaps even the lever to get the authority and commitment is this notion of business agility. As Dave pointed out, business agility can be very different for different companies at different times. It could be a divestiture. It could be growing into a new market. It could be acquiring, or what have you.

So, if we need to get to business agility with our focus on the short-term as well the long-term strategy, what is it that an enterprise architect needs to do in order to assess and project business agility? Perhaps the more technical folks are not used to something like that?

Ross: The thing to recognize about business agility is that it’s a journey. You don’t want to start making your compelling business values something you can't deliver for three years. Many times the path to agility is through risk management, where you can demonstrate the ability of the IT unit to reduce downtime to increase security or lower cost. The IT unit can often find ways to lower IT cost or to lower operational cost through IT.

So, many times, the compelling value proposition for agility is down the road. We've already learned how to save money. Then, it’s an easier sell to say, "Oh, you know, we haven’t used IT all that well in the past, but now we can make you more agile." I just don’t think anybody is going to buy it.

It’s a matter of taking it a step at a time, showing the organization what IT can help them do, and then, over time, there's this natural transition. In fact, I'm guessing a lot of organizations say, "Look, we're more agile than we used to be." It wasn’t because they said they were going to be agile, but rather because they said they were going to keep doing things better day after day.

Common ground

Gardner: Because the economy remains difficult, because budgets are under pressure, this notion of cost could be really a good common ground to bind areas that perhaps have been disparate in -- in terms of IT, business, and so forth.

Len, what about that -- enterprise architects as cost-cutters or cost-optimizers? Is this a short-term, let’s do this because the economy requires it, or is that really a key fundamental point of successful architects?

Fehskens: No, it’s a long-term requirement. It goes back to what the essence of architecture is about. Architects are ultimately charged with making sure that whatever it is that they're architecting is fit for purpose. Fitness for purpose involves not doing any more than you absolutely have to.

The notion of engineering efficiency is built into the architectural concept. It goes back to an idea that that was developed in the 1980s in the business process re-engineering movement which was the best way to make things simpler is to get rid of stuff. And, the stuff that you need to get rid of is the stuff that’s not essential or doesn’t really address the specific mission that you're trying to achieve.

Architects don’t cut costs for the sake of cutting costs. They cut costs by removing unnecessary cruft from whatever it is that they're responsible for architecting and focusing in on the stuff that really matters and the stuff that’s actually going to deliver the value, not stuff that’s there because it looks keen or because it’s the latest technology widget or whatever. Again, that’s an inherent property of what it is that architects do.

Cost cutting itself is not the goal. The goal is ultimately efficiency and making sure that you're not wasting time doing stuff.



Just as agility is, in some respects, a side-effect of what architects do, we need to keep in mind that agility is a means to the end of alignment. You can have a lot of agility if you never achieve alignment. Then, you're just continuously misaligned.

Similarly, the cost-cutting itself is not the goal. The goal is ultimately efficiency and making sure that you're not wasting time doing stuff. That doesn’t matter, because you are not only wasting time, but you are obviously wasting money, and you're committing resources that are necessary to solve this problem. Actually, those additional resources sometimes just get in the way, they make things worse, rather than making things better.

The architect’s approach to dealing with the architectural way of problem solving means that agility and cost cutting sort of are not short-term focuses. They are just built into the idea of why we do architecture in the first place.

Hornford: And that cost isn’t necessary. A lot of people focus on IT cost. It is cost to the business.

Gardner: Total cost?

Hornford: Total cost, and it’s not agility of your IT infrastructure, but agility of your business. If you lose that linkage, you lose the alignment that Len mentioned. Then, you're not able to deliver the compelling value preposition.

Gardner: We talked earlier about the notion of moving from a platform mentality to a business process and agility mentality. We hear a lot from the vendors and suppliers. They have a role in this as well. The architects are beavering away in these companies, trying to change culture and transform the business, but we hear marketing from the vendors, "If you do this product, this platform, or this technology, it will solve your problems."

Is there a message to the enterprise architects that they should be taking to their organization about the role of the vendors, and is that changing from what we’ve perceived in the past as the role of a vendor or a supplier? Len?

Limit to leverage

Fehskens: Big question. The short answer is, yes. I often joke that every architect will answer the question "yes ... but." So, here comes the but. There is a limit to the leverage you have over suppliers, and the architects have to work with the material that’s available to them. Hopefully, the vendors are listening to the needs of their customers and doing the same kind of thing on their side that architects are trying to do.

Gardner: Don’t the suppliers have to adjust too?

Fehskens: Yeah. It’s a big ecosystem. If you’re selling something that nobody needs or wants, you’re going to go out of business. Suppliers have to be adaptable to the needs of the customers, who are changing. We’re all in this big dance, and everybody is trying to avoid stepping on somebody else’s feet or tripping up and falling over their own.

How does that sort itself out? That’s a difficult question to answer, because there are time-lags and some organizations misread the environment in the current business climate, and they go out of business. Other organizations are very good at anticipating future needs by looking at the trends. They happen to be in the right place at the right time, when somebody needs something they’ve got and it’s available, and they end up winning the battle.

So, yes, we all have to learn how to cooperate. One of the goals of professionalizing the discipline is making it possible for architects on both sides of that relationship to communicate with one another in language that they both understand and recognize that you can’t optimize your side at the expense of other side, because at some point that’s going to come back and bite you. We have to make it possible for architects to have those conversations and to make it apparent to the businesspeople on both sides what the business value is.

A big part of architecture work has been around the development of standards that facilitate interoperability. In many respects, conforming to interoperability standard is counter intuitive to a business, because you basically give away whatever proprietary advantage you have by locking in the customer doing it your own way.

On the other hand, the same mechanism that allows you to lock a customer in also allows the customer to lock you out.



On the other hand, the same mechanism that allows you to lock a customer in also allows the customer to lock you out -- if they decide that they get better payoff from taking advantage of interoperability amongst multiple or other vendors who’ve agreed to collaborate and adopt a particular standard. It’s all about reading the environment and responding appropriately. This ultimately goes back to the idea of fitness for purpose.

Gardner: Jeanne, the relationship between the enterprise architect, the business, and the supplier -- is this an evolving dance? What are some of the new choreography steps?

Ross: I'm not sure I know the dance yet! One benefit we get from good architecture is that we understand the process components and the underlying technology and application from data components, which allows us to take advantage of what’s on the market.

If there is a good component, we can grab it, and if there is not, then we don’t need to take it. What architecture is doing -- and I think we’re seeing vendors start to respond to this, but have a long way to go -- is spur a real developing marketplace for the components that many organizations need. I look out there and I say, "Now pretty much everyone gets it that they don’t have to provide any benefits internally to their employees, because you can outsource that." We get that component. It’s a plug and play.

Core to the business

There are things that are more core to the business that we’ll see more available. I don’t think the architects are going to also become the vendor managers. They're the ones who are going to design the components and recognize the interfaces, but they’ll be working closely with the vendors to make sure the pieces come together.

Gardner: It does seem that the vendors are appreciating that they’re elevating their role inside their enterprises. The notion of EA is elevating beyond platforms. The vendor response seems to be that, "We’ll provide everything -- we’ll merge, acquire, and provide everything at an architectural level." Do you think that’s the right way?

Ross: I should note that I use the term “platform” differently from you. There is technology platform, which I think is what you are referring to, but there are digitized process platforms that are really valuable, and many times vendors can provide the whole thing. Software as a service (SaaS) is a partial example, but actual business process outsourcing really accomplishes that. I think of these as potential platforms for organizations.

But, there is a fine line between a platform and an outsourced process, and organizations are trying to piece that together. What's our platform? What are the components for plugging into and taking out of that platform? That’s the architectural challenge. I feel like I just didn’t answer your question, but it is the thought that came to my mind.

Gardner: It occurs to me that this is another point of variability, and that the architect needs to not only consider the variables internally, but suppliers are redefining themselves, and cloud computing is pushing the envelope on what you would consider as sourcing options.

Different organizations will have different things that matter to them.



So, Dave, last question before we close up. This notion of a dynamic environment for sourcing and vendors redefining their role, perhaps trying to expand their role, sounds to me like the enterprise architect’s role becomes more critical as a result.

Hornford: I'd agree with that. If we're going to look at our sourcing options, using the word "component" as opposed to "platform," I can acquire a benefit. I can acquire a benefits engine as a service or I can build my own and manage my own processes, whether fully manual or digitized. Those choices come down to my value in the business.

Different organizations will have different things that matter to them. They will structure and compose their businesses for a different value chain for a different value proposition to their customers.

If we get back to the core of what an architect has to deliver, it’s understanding what is the business’s value, where are we delivering value to my customers? How that organization is structured, how it succeeds, how it gets its agility, and how it gets its cost may be different for different organizations. We have a larger collection of tools available to us without a clear, "This is the right answer. Everyone does it this way."

Gardner: Well, we’ll have to wrap it up there. It’s obviously a deep and interesting subject, and we will be revisiting it often, I'm sure. We've been discussing the advancing role and powerful potential for EA, and how practitioners and leaders face a vast new promise for IT business alignment improvement. But there are also quite a few missing parts, and perhaps even a lost opportunity, if you don’t do this and your competitor does.

This sponsored podcast discussion is coming to you from The Open Group Conference in Boston. We're here in the week of July 19, 2010. Please join me in thanking our guests, Jeanne Ross, Director and Principal Research Scientist for the MIT Center for Information Systems Research. Thank you.

Ross: Thank you so much, Dana.

Gardner: We are also here with Dave Hornford, Architecture Practice Principal at Integritas Solutions, as well as the Chairman of The Open Group’s Architecture Forum. Thank you, Dave.

Hornford: Thank you, Dana.

Gardner: And also Len Fehskens, Vice President of Skills and Capabilities at The Open Group. Thanks, Len.

Fehskens: Thank you, Dana.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’ve been listening to BriefingsDirect. Thanks for joining, and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: The Open Group.

Transcript of a sponsored podcast on the potential of enterprise architecture, resistance in the business community, and finding common ground. Copyright Interarbor Solutions, LLC, 2005-2010. All rights reserved.

You may also be interested in:

Wednesday, July 21, 2010

Enterprise Architects Increasingly Join in Common Defense Against Cyber Security Threats

Transcript of a sponsored podcast on how private enterprises and government agencies can combat the growing threat of cyber crime and the looming threat of cyber terrorism.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: The Open Group.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect. Today, we present a sponsored podcast discussion, coming to you from The Open Group Conference in Boston, the week of July 19, 2010.

We’ve assembled a panel to examine the need for improved common defenses -- including advancing cooperation between enterprise architects and chief security officers -- to jointly defend against burgeoning cyber security threats. The risks are coming from inside enterprises, as well as myriad external sources.

We’ll learn more about the nature of these borderless, external, cyber security threats, as they emerge from criminal enterprises, globally competitive business sources, even state-based threats, and sometimes a combination of these. We’ll also hear recommendations on developing smarter processes for cyber security based on proven methods and pervasive policies.

To help broaden the scope of enterprise architecture, and to develop a leverage point for "mission architecture"-levels of security and defenses, please join me in welcoming a security executive from The Open Group, as well as two cyber security experts who are presenting here at the conference.

Allow me to introduce you to retired Air Force Lt. Gen. Harry D. Raduege Jr., chairman of the Deloitte Center for Cyber Innovation, and who co-chairs a cybersecurity commission under President Obama. Welcome.

Gen. Harry Raduege: Thank you very much, Dana. It’s good to be here with you.

Gardner: We’re also here with Usman Sindhu, researcher at Forrester Research.

Usman Sindhu: Thank you, Dana. Good to be here.

Gardner: And Jim Hietala, Vice President of Security at the Open Group.

Jim Hietala: Hi, Dana.

Gardner: Let’s start with you, Harry. Tell us about the nature of the threat. Perhaps there's a level of the intensity about these external threats that the enterprise practitioners, the architects, don’t perhaps quite appreciate yet.

Raduege: Thank you very much. At this conference, we've put a few of these areas that you’ve mentioned into perspective. As far as cyberspace, it’s a tremendous opportunity for us to gain the benefits of being able to communicate, not only nationally, but also internationally, and across all borders, in the area of cyber security.

But, with that openness, come these new threats. The vulnerabilities that we have of operating in cyberspace are magnified by the threats. These threats are in the areas of identity theft, information manipulation, information theft, cyber crime, and insider threats that are prevalent in many of our organizations and companies today. Also, the threat of espionage, of losing lots of intellectual property from our businesses, and the cyber attacks that are taking place, the denial-of-service (DOS), and also the threat that we see on the horizon -- cyberterrorism.

Gardner: If you're a business or a government agency, perhaps a multinational corporation, is there a commonality, or is everyone getting hit the same by these sorts of things? Who's vulnerable, who isn’t?

International problem

Raduege: The Internet and all of our connections in cyberspace are across all nations of the world. In fact, this is an international problem, and so an opportunity for us to take advantage of it. Basically, Dana, we’re all in this together.

This is the significance of this type of a gathering, to talk about the real benefits of cyberspace, but also to talk about the issues of cyber security that are facing us all. The importance of the underlying foundational aspects of having a great enterprise architecture is pointing more toward a mission architecture for business success.

Gardner: Are there standards, practical ways that cut across the different types of organizations that perhaps are in the works, but that other people aren’t aware of? And how important is education toward moving against some of these common threats?

Raduege: A number of organizations like The Open Group are working on the common standards that are so important for the international community to comply with and to have as guiding factors. Education is very important, developing a cyber mindset across all people of the world, not only in the government organizations, but for industry, and also the individual users at home.

The aspects of education and training and awareness of what’s going on there in cyber is paramount for proper operation, but also for the protection of your critical information.



The aspects of education and training and awareness of what’s going on there in cyber is paramount for proper operation, but also for the protection of your critical information.

Gardner: Harry, are there things that are going on within governments, and not just in the US, that are buttressing the protections and reducing the risk for enterprises and that maybe enterprises aren’t aware of? How could that cooperation between public and private perhaps improve?

Raduege: Since everyone is member of this international community in cyberspace, everyone’s trying to address the issues that are so common to each one of us. Many people are bringing best practices to the table. We’re learning from each other’s experiences. As I mentioned earlier, we’re all in this together.

The international cooperation and collaboration, and the opportunity to meet and discuss these areas, are very valuable to all of us individually, and to our companies and to our nations.

Gardner: Usman, you had an interesting presentation. Tell us about this notion of "smarter" organizations. How is it that organizations, particularly enterprises, need to adjust their thinking in order to better protect themselves?

Sindhu: We’re living in a very exciting time in terms of the innovation, as well as the adoption of technology. Inventor Ray Kurzweil talks about the law of accelerating returns. He says that we're experiencing 20,000 years of adoption and technology growth. In the 21st Century we'll have a lot of innovations and more technology adoption in a much more accelerated fashion.

The smart concept

That’s where the smart concept comes in. This entails smartening our physical infrastructure, our critical infrastructures like utility, healthcare, financial services, transportation, public safety, and also city administrations, down to the IT system itself.

It will use of lot of IT enablement from either the cloud or communication infrastructure, things like RFID technologies, 4G technologies, and solar technologies, to embed lot of situational awareness, analytics, and locationing into the systems.

The need for this is present, if you look across the board at some of the incidents or some of the events. The BP incident shows us that the inefficiency, the number of physical infrastructures that are siloed, present a huge opportunity for technology growth.

This is a smart kind of a concept that embeds itself into smart city infrastructure where all the different components embed all the IT technologies together. There are other initiatives like smart grid or smart healthcare that are embedding these IT technologies as well.

That's a great way to start the 21st Century with this innovation, but the need for security arises at the same time. As Gen. Raduege mentioned, cyberspace is a new frontier, or information security in the cyber world, is a new frontier.

Today, many organizations, including the public and private sector, are waking up to the fact that technology alone is not the answer.



That’s where we have to address lot of different issues and problems around policy, architecture, and best practices. It’s only going to get more serious, as we connect a lot of different systems that were not connected in the past.

Gardner: So, from Forrester Research’s perspective, this smartness isn’t just a technical smartness, but it’s also the policies, the methods, and best practices. Tell me why best practices fit into this notion of smartness, and then maybe revisit how the threat increases with that interconnectivity.

Sindhu: Traditionally, security has been a point technology. Even in the government space, there has been a lot of focus around just technologies. Earlier today, in other sessions, we saw how the importance of point technologies has been overemphasized, rather than risk analysis and the process.

Today, many organizations, including the public and private sector, are waking up to the fact that technology alone is not the answer. It’s the process and people as well. That’s where deriving these best practices would be a key in collaborating with the private and public sector and bringing in an architecture that supports all three silos.

As far as this interconnectivity is concerned, you'll see lot of different business-to-business (B2B) and business-to-consumer (B2C) interactions. It happens today. Today, business partners and distributors do business on the go, on social media, either Twitter feeds or Facebook, or something I call ad-hoc communication through their mobile devices. This is the nature of today’s interaction. This is the nature of B2C and B2B interactions.

Perimeter notion

With that, threats increase manifold, because we tend to look at more of a perimeter notion of security. If you look out there, we're actually in a stock market situation, where information is flowing all over the place and we have no perimeters, so to speak. We need to understand this re-perimeterization, rather than de-perimeterization. How do we put security control at proper threat levels?

Gardner: One area where increased connectivity is not a threat is in connecting more of the enterprise stakeholders who perhaps have a role or a piece of the security puzzle, for them to be a bit more cooperative and coordinated. Tell me how smartness fits into collaboration between architects, chief security officers, and other stakeholders?

Sindhu: It’s a great question. One of the key aspects of smartness is cross-industry and cross-team collaboration. Today, when we start to look at some of the smart deployments, either in the vertical sectors like utilities, healthcare, or even other private-sector industries, we see more and more that security is getting attention from the board-level and C-level executive.

Similarly, enterprise architecture is getting its attention as well. Going forward, we see a great emphasis on combining these two initiatives, even though it’s still a very nascent stage at the board-level talks and C-level talks. We're not seeing a huge focus on cyber security in some instances, but of course it’s changing. It’s increasing.

It's fair to say that the security and enterprise architecture will play a key role, as both concepts mingle together to bring about best practices in architecture in the early phases into planning, deployment, and delivery of the smart services.

Gardner: How about that, Jim Hietala at The Open Group? You're all working with framework certification, defining and professionalizing the role of the enterprise architect. How well are we doing with imbuing security into that larger picture of enterprise architecture, as well as technology and process?

Hietala: I'd echo what Usman said. It’s early in the process of really bringing enhanced security into the professional enterprise architecture. So, in The Open Group Architecture Framework (TOGAF), three of the nine iterations of it, we've added significant security information and content that enterprise architecture need to bear in mind in developing architectures.

But that work is ongoing. We have a couple of projects both to enhance the security of TOGAF, and also to work to collaborate with the Sherwood Applied Business Security Architecture (SABSA) folks, another security architecture development methodology, to harmonize those two approaches.

There's a lot of work ongoing there, and there's a lot of work needed in developing reference architectures outside of purely IT. We have a document that we are updating called Enterprise Security Architecture. It will be published this fall, and updates some work that was done five or six years ago, sort of an IT reference architecture.

We see a need, as you start to look at cyber security and the different kinds of architectures, to develop new reference architectures to address some of these new applications of IT technology to everyday life. If you think about networks in cars or networks of smart devices comprising the power grid, what does security look like for those things? Our membership is starting to look at some of those and trying to determine where we can add some value for the industry.

Gardner: Let’s think a little bit more now about this notion of mission architecture. The Open Group and many organizations are involved with enterprise architecture. Harry, what do we mean by mission architecture? What does that mean and how does it relate to the concept of enterprise architecture?

Changing world

Raduege: The Internet has changed our world and the way we operate. For years, we've had enterprise architects who have been working down the hall or in the basements of organizations, and who have been trying to figure out the best way of technically aligning the Internet and all of the interconnected networks to make it work as best it could.

Now that this world of cyber has really come upon us, it has really elevated the importance of the enterprise architect into the higher levels of an organization, just because of the threats that are constantly coming upon us in our business operations and our mission success.

The enterprise architect has now gotten the attention of the C-suite executives and organization leadership. But, they don’t like to think as much about enterprise architecture, because it really has that technical connotation as my colleagues here have mentioned, we're really talking and focusing more now on the people and the process aspects of running the business properly.

The front-office people, the C-suite executives and leaders of organizations, instead of thinking about enterprise architecture from a technical aspect, are becoming much more interested in a mission architecture.

In other words, what's the architecture needed to complete my mission so that I can have success -- whatever your mission is, if it’s government activity or whether it’s industry. Mission architecture has taken on new meaning that takes into account the technical architecture, but also adds the workforce domain and the process elements of the organization.

Architecture is important, but there is no silver bullet to it. Since the smart concept is industry-wide and is global, there could be many references to architectures that could go in.



So, mission architecture is really pointing toward business success, whatever your business is, whether it’s government operations or industry.

Gardner: Usman, how do you relate mission architecture to your discussion about being smart?

Sindhu: A couple of things that come from a mission architecture perspective and a smart aspect in general, is what we're seeing in the industry as the IT risk baseline. There has been a lot of work done, and it gets even more important. How do you derive an IT risk baseline?

Architecture is important, but there is no silver bullet to it. Since the smart concept is industry-wide and is global, there could be many references to architectures that could go in. Some things have started to happen. For example, the Department of Homeland Security came over to IT risk baseline about a year-and-a-half ago. It collaborated with the IT vendors and IT sector in general and started to create this risk baseline, which comes about in the earlier phases of architecture.

As you develop a framework, you take feeds from the various industry standards and regulatory compliance mandates and you start to create a risk baseline, a risk profile that touches every single silo of people, process, and technology. Over the time, you do the collaboration, internally, but externally as well.

Also, you market the risk baseline component so that you are complying with it, but you're also educating this to your peers and your other adjacent industries. The smart concept, at its heart, would require a lot of collaboration among the public and private sectors. I see a lot of this is being driven by the government. The Department of Homeland Security is actually working on coming with the next iteration of this baseline, maybe next year.

I see a more cohesive approach, even though a lot of work needs to be done here, and in distinct industries like smart grid. There has been a lot of focus around standards. The National Institute of Standards and Technology (NIST) is working on creating a cyber security baseline and framework that touches interoperability as well as the security standards. A lot of work needs to be done. We're still at a very early stage.

Gardner: As we elevate from IT concerns to architecture and enterprise concerns -- and now we're talking at the mission architecture level -- do we run the risk of this becoming a hot potato? That is to say, no one really owns it, but it gets handed around. How do we organize an approach to a mission architecture in such a way that it's got the right level of command and control and yet is inclusive? Any thoughts around the organizational imperative, Harry?

Organizational concepts

Raduege: Maybe we can take a page from what the United States government has just recently gone through with organizational concepts, because we knew that many different activities across the federal government had a big part to play in securing cyberspace. The Department of Homeland Security, Department of Defense, the Intelligence Community, Department of Interior, Department of Commerce, Department of State, every one of those federal government activities had a specific role to play in securing cyberspace.

However, we found out that there was no one totally in-charge of orchestrating the elements and activities of our federal government. So with the President’s Cyberspace Policy Review, he decided to appoint the first ever White House Cybersecurity Coordinator, Howard Schmidt. Howard is the overarching orchestrator for all of our federal government activities, all the state and local and interfaces with industry, and also the international community.

If we're going to think about an organizational construct, our nation is led with that kind of an example of an individual at the top who provides the oversight, is also responsible and accountable for the proper operation of cyberspace and the cyber security elements.

Gardner: Jim Hietala at The Open Group, any thoughts about this organizational angle in terms of the personnel, their roles, and a rethinking of how these categories have so far been structured?

Hietala: From an enterprise perspective, looking at mission success and thinking about cyber security really is the Chief Information Security Officer (CISO) role inside a given enterprise. That probably is most relevant to address the issues. The interesting thing is that many of the new developments that we’re looking at -- whether it's smarter hospitals, smarter medical devices, smarter electrical grid -- are industry specific and they require a lot of cooperation between organizations in an industry.

There's a role for standards and industry organizations to pull together and come up with some common standards to facilitate better security.



There's a role for standards and industry organizations to pull together and come up with some common standards to facilitate better security, maybe better frameworks or things like that, that can be leveraged across an entire industry.

Gardner: Any thoughts about getting started? Where do you get traction on a problem like this? Again, we’ve got a lot of different stakeholders and many different siloed types of activities and technologies. Where do you begin to actually get a hold on this and make some impact?

Hietala: It depends on the industry, but you get started just getting smart people in a room and trying to find consensus around the problems and potential solution. We do a lot of that here at The Open Group in different areas. We have a lot of defense work that we’re doing with the suppliers to the military and those sorts of things. We get them in a room, drive consensus, and develop standards and best practices that all of them can leverage and that help their business be more secure.

Gardner: As Harry mentioned, there are some examples in the US government. There are governments, I imagine, as well where they’ve attacked this problem. They’ve made some strides, developed some approaches and methods. Is there an opportunity for increased public-to-private cooperation and standardization and can you think of any examples of how that's working?

Hietala: Definitely there is a need for increased public-sector and private-industry cooperation. We have an initiative here, The Open Group's Acquisition Cybersecurity (ACS) Initiative. It was brought to us by the Department of Defense as a consulting effort. They wanted an organization to pull together private industry and try to drive some standards looking at the supply chains to the major IT suppliers. That work is ongoing and that would be a good reference of an initiative like that.

Gardner: Harry, how about from your perspective on getting started? Where do you get a handle on this beast?

Specific areas of expertise

Raduege: As my colleagues here have mentioned, a lot of times in private industry, there is a number of individuals who, just like in the federal government, have specific areas of expertise and responsibilities in the organization. From the boardroom perspective, this could be a little confusing. You’ll have a Chief Information Officer, a Chief Information Security Officer, a Chief Privacy Officer, a Chief Management Officer, a Chief Financial Officer, and a Chief Operations Officer.

Doesn’t this sound kind of familiar to what our federal government looked like? ... Everybody has a specific role that is very, very important, but then, who is the one person then who talks to the CEO or the board? I know a lot of organizations wrestle with that concept.

In 1996, there was actually legislation, the Clinger–Cohen Act, which was officially called the Information Technology Management Reform Act. It said that across the entire federal government, there would be CIOs appointed, and they would report directly to agency heads. That has guided our federal government for quite some time, but these aspects of all the different areas need to be brought together and focused within organizations. We really have our work cut out for us.

Gardner: To you, Usman, perhaps some thoughts about getting started on the process of getting smarter?

Sindhu: One thing I'd like to echo from the previous question as well is that it's interesting to see how long it took security to get the attention it needed. Finally, it's getting the attention at the C-level. Then, from a budget perspective as well, they're getting a much better share of the IT budgets that they had before. So, there is a good momentum around understanding security early in the development phase of a project, a product, or any other deployment.

There is still a ramp to cross at getting attention at the earlier phase from a security professional’s perspective. Cyber has to be on that agenda as a top priority.



Now, when cyber security is talked about, this is another new beast for many organizations to deal with. In fact, I was speaking to one of our utility clients, and the cyber security lead mentioned that he has no approach or visibility into the earlier phases of when the vendors are selected or when the RFPs are made. He only comes in a second tier, when he has to accredit all the different vendors.

So, there is still a ramp to cross at getting attention at the earlier phase from a security professional’s perspective. Cyber has to be on that agenda as a top priority.

As far as smart initiatives, you need to get security involved and architecture involved earlier in the phase. I normally use a three-level or a three-phased approach, when we talk about the planning.

Many of the smart initiators today -- smart city, smart grid, or smart healthcare -- are mostly in the planning phase. In a year or two, we’ll see a lot more deployments. Deployments are happening today as well, but we’ll see a lot more deployments in a year or two. Then, the delivery phase will come when the smart services will be delivered to the consumers and businesses.

The role of the architecture and security has to be involved right from the planning phase, where you manifest the value of security being built in, either to the products or in general to the architecture? That has to be the first step -- that we acknowledge the need to embed that into the overall process.

Gardner: Thanks so much. We’ve been discussing the need for improved common defenses including advancing cooperation between enterprise architects and security officers, and to jointly defend against burgeoning cyber security threats.

This sponsored podcast discussion is coming to you from The Open Group Conference in Boston the week of July 19, 2010. I’d like to thank our guests. We’ve been here with retired Air Force Lt. Gen. Harry D. Raduege Jr., chairman of the Deloitte Center for Cyber Innovation, and who co-chairs a cybersecurity commission under President Obama. Thank you.

Raduege: Thank you very much.

Gardner: Usman Sindhu, researcher at Forrester Research. Thanks for the input.

Sindhu: Thank you. It's been a pleasure.

Gardner: And, Jim Hietala, Vice President of Security for The Open Group. Thank you, Jim.

Hietala: Thank you, Dana.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. You’ve been listening to BriefingsDirect. Thanks for joining and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: The Open Group.

Transcript of a sponsored podcast on how private enterprises and government agencies can combat the growing threat of cyber crime and the looming threat of cyber terrorism. Copyright Interarbor Solutions, LLC, 2005-2010. All rights reserved.

You may also be interested in: