Tuesday, February 15, 2011

Expert Panel: As Cyber Security Risks Grow, Architected Protection and Best Practices Must Keep Pace

Transcript of a sponsored podcast panel discussion from The Open Group 2011 U.S. Conference on how enterprises need to change their thinking to face and avert cyber security threats.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: The Open Group.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Today we present a sponsored podcast discussion in conjunction with The Open Group Conference, held in San Diego the week of February 7, 2011. We’ve assembled a panel to examine the business risk around cyber security threats.

Looking back over the past few years, it seems like threats are only getting worse. We've had the Stuxnet worm, the WikiLeaks affair, China-originating attacks against Google and others, and the recent Egypt Internet blackout. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

But, are cyber security dangers, in fact, getting that much worse? And are perceptions at odds with what is really important in terms of security protection? In either event, how can businesses best protect themselves from the next round of risks, especially as cloud, mobile, and social media and networking activities increase?

How can architecting for security become effective and pervasive? We'll pose these and other serious questions to a panel of security experts to examine the coming cyber business risks and ways to head them off.

Please join me now in welcoming our panel, Jim Hietala, the Vice President of Security at The Open Group; Mary Ann Mezzapelle, Chief Technologist in the CTO's Office at HP, and Jim Stikeleather, Chief Innovation Officer at Dell Services.

Gardner: As I mentioned, there have been a lot of things in the news about security. I'm wondering, what are the real risks that are worth being worried about? What should you be staying up late at night thinking about, Jim?

Stikeleather: Pretty much everything, at this time. One of the things that you're seeing is a combination of factors. When people are talking about the break-ins, you're seeing more people actually having discussions of what's happened and what's not happening. You're seeing a new variety of the types of break-ins, the type of exposures that people are experiencing. You're also seeing more organization and sophistication on the part of the people who are actually breaking in.

The other piece of the puzzle has been that legal and regulatory bodies step in and say, "You are now responsible for it." Therefore, people are paying a lot more attention to it. So, it's a combination of all these factors that are keeping people up right now.

Gardner: Is it correct, Mary Ann, to say that it's not just a risk for certain applications or certain aspects of technology, but it's really a business-level risk?

Key component

Mezzapelle: That's one of the key components that we like to emphasize. It's about empowering the business, and each business is going to be different. If you're talking about a Department of Defense (DoD) military implementation, that's going to be different than a manufacturing concern. So it's important that you balance the risk, the cost, and the usability to make sure it empowers the business.

Gardner: How about complexity, Jim Hietala? Is that sort of an underlying current here? We now think about the myriad mobile devices, moving applications to a new tier, native apps for different platforms, more social interactions that are encouraging collaboration. This is good, but just creates more things for IT and security people to be aware of. So how about complexity? Is that really part of our main issue?

Hietala: It's a big part of the challenge, with changes like you have mentioned on the client side, with mobile devices gaining more power, more ability to access information and store information, and cloud. On the other side, we've got a lot more complexity in the IT environment, and much bigger challenges for the folks who are tasked with securing things.

Gardner: Just to get a sense of how bad things are, Jim Stikeleather, on a scale of 1 to 10 -- with 1 being you're safe and sound and you can sleep well, and 10 being all the walls of your business are crumbling and you're losing everything -- where are we?

Stikeleather: Basically, it depends on who you are and where you are in the process. A major issue in cyber security right now is that we've never been able to construct an intelligent return on investment (ROI) for cyber security.

There are two parts to that. One, we've never been truly able to gauge how big the risk really is. So, for one person it may be a 2, and for most people it's probably a 5 or a 6. Some people may be sitting there at a 10. But, you need to be able to gauge the magnitude of the risk. And, we never have done a good job of saying what exactly the exposure is if the actual event took place. It's the calculation of those two that tells you how much you should be able to invest in order to protect yourself.

So, I'm not really sure it's a sense of exposure that people have, as people don't have a sense of risk management -- where am I in this continuum and how much should I invest actually to protect myself from that?

We're starting to see a little bit of a sea change, because starting with HIPAA-HITECH in 2009, for the first time, regulatory bodies and legislatures have put criminal penalties on companies who have exposures and break-ins associated with them.

So we're no longer talking about ROI. We're starting to talk about risk of incarceration, and that changes the game a little bit. You're beginning to see more and more companies do more in the security space -- for example, having a Sarbanes-Oxley event notification take place.

The answer to the question is that it really depends, and you almost can't tell, as you look at each individual situation.

Gardner: Mary Ann, it seems like assessment then becomes super-important. In order to assess your situation, you can start to then plan for how to ameliorate it and/or create a strategy to improve, and particularly be ready for the unknown unknowns that are perhaps coming down the pike. When it comes to assessment, what would you recommend for your clients?

Comprehensive view

Mezzapelle: First of all, we need to make sure that they have a comprehensive view. In some cases, it might be a portfolio approach, which is unique to most people in a security area. Some of my enterprise customers have more than 150 different security products that they're trying to integrate.

Their issue is around complexity, integration, and just knowing their environment -- what levels they are at, what they are protecting and not, and how does that tie to the business? Are you protecting the most important asset? Is it your intellectual property (IP)? Is it your secret sauce recipe? Is it your financial data? Is it your transactions being available 24/7?

And, to Jim's point, that makes a difference depending on what organization you're in. It takes some discipline to go back to that InfoSec framework and make sure that you have that foundation in place, to make sure you're putting your investments in the right way.

Stikeleather: One other piece of it is requiring an increased amount of business knowledge on the part of the IT group and the security group to be able to make the assessment of where my IP is, which is my most valuable data, and what I put the emphasis on.

One of the things that people get confused about is, depending upon which analyst report you read, most data is lost by insiders, most data is lost from external hacking, or most data is lost through email. It really depends. Most IP is lost through email and social media activities. Most data, based upon a recent Verizon study, is being lost by external break-ins.

We've kind of always had the one-size-fits-all mindset about security. When you move from just "I'm doing security" to "I'm doing risk mitigation and risk management," then you have to start doing portfolio and investment analysis in making those kinds of trade-offs.

That's one of the reasons we have so much complexity in the environment, because every time something happens, we go out, we buy any tool to protect against that one thing, as opposed to trying to say, "Here are my staggered differences and here's how I'm going to protect what is important to me and accept the fact nothing is perfect and some things I'm going to lose."

Gardner: Perhaps a part of having an assessment of where you are is to look at how things have changed, Jim Hietala, thinking about where we were three or four years ago, what is fundamentally different about how people are approaching security and/or the threats that they are facing from just a few years ago?

Hietala: One of the big things that's changed that I've observed is, if you go back a number of years, the sorts of cyber threats that were out there were curious teenagers and things like that. Today, you've got profit-motivated individuals who have perpetrated distributed denial of service attacks to extort money. Now, they've gotten more sophisticated and are dropping Trojan horses on CFOs' machines, and they try to exfiltrate passwords and log-ins to the bank accounts.

We had a case that popped up in our newspaper in Colorado, where a mortgage company, a title company, lost a million dollars' worth of mortgage money that was loans in the process of funding. All of a sudden, five homeowners are faced with paying two mortgages, because there was no insurance against that.

When you read through the details of what happened, it was clearly a Trojan horse that had been put on this company's system. Somebody was able to walk off with a million dollars' worth of these people's money.

State-sponsored acts

So you've got profit-motivated individuals on the one side, and you've also got some things happening from another part of the world that look like they're state-sponsored, grabbing corporate IP and defense industry and government sites. So, the motivation of the attackers has fundamentally changed and the threat really seems pretty pervasive at this point.

Gardner: Pervasive threat. Is that how you see it, Jim Stikeleather?

Stikeleather: I agree. The threat is pervasive. The only secure computer in the world right now is the one that's turned off in a closet, and that's the nature of it. You have to make decisions about what you're putting on and where you're putting it on. It's a big concern that if we don't get better with security, we run the risk of people losing trust in the Internet and trust in the web.

When that happens, we're going to see some really significant global economic concerns. If you think about our economy, it's structured around the way the Internet operates today. If people lose trust in the transactions that are flying across it, then we're all going to be in a pretty bad world of hurt.

Gardner: All right, well I am duly scared. Let's think about what we can start doing about this. How should organizations rethink security? And is that perhaps the way to do this, Mary Ann? If you say, "Things have changed. I have to change, not only in how we do things tactically, but really at that high level strategic level," how do you rethink security properly now?

Mezzapelle: It comes back to one of the bottom lines about empowering the business. Jim talked about having that balance. It means that not only do the IT people need to know more about the business, but the business needs to start taking ownership for the security of their own assets, because they are the ones that are going to have to bear the loss, whether it's data, financial, or whatever.

They need to really understand what that means, but we as IT professionals need to be able to explain what that means, because it's not common sense. We need to connect the dots and we need to have metrics. We need to look at it from an overall threat point of view, and it will be different based on what company you're about.

You need to have your own threat model, who you think the major actors would be and how you prioritize your money, because it's an unending bucket that you can pour money into. You need to prioritize.

Gardner: How would this align with your other technology and business innovation activities? If you're perhaps transforming your business, if you're taking more of a focus at the process level, if you're engaged with enterprise architecture and business architecture, is security a sideline, is it central, does it come first? How do you organize what's already fairly complex in security with these other larger initiatives?

Mezzapelle: The way that we've done that is we've had a multi-pronged approach. We communicate and educate the software developers, so that they start taking ownership for security in their software products, and we make sure that that gets integrated into every part of the portfolio.

The other part is to have that reference architecture, so that there are common services that are available to the other services as they are being delivered, and that we cannot control it but can at least manage it from a central place.

You were asking about how to pay for it. It's like Transformation 101. Most organizations spend about 80 percent of their spend on operations. And so they really need to look at their operational spend and reduce that cost to be able to fund the innovation part.

Getting benchmarks

It may not be in security. You may not be spending enough in security. There are several organizations that will give you some kind of benchmark about what other organizations in your particular industry are spending, whether it's 2 percent on the low end for manufacturing up to 10-12 percent for financial institutions.

That can give you a guideline as to where you should start trying to move to. Sometimes, if you can use automation within your other IT service environment, for example, that might free up the cost to fuel that innovation.

Stikeleather: Mary Ann makes a really good point. The starting point is really architecture. We're actually at a tipping point in the security space, and it comes from what's taking place in the legal and regulatory environments, with more and more laws being applied to privacy, IP, jurisdictional data location, and a whole series of things that the regulators and the lawyers are putting on us.

One of the things I ask people, when we talk to them, is what is the one application everybody in the world, every company in the world has outsourced. They think about it for a minute, and they all go payroll. Nobody does their own payroll any more. Even the largest companies don't do their own payroll. It's not because it's difficult to run payroll. It's because you can’t afford all of the lawyers and accountants necessary to keep up with all of the jurisdictional rules and regulations for every place that you operate in.

Data itself is beginning to fall under those types of constraints. In a lot of cases, it's medical data. For example, Massachusetts just passed a major privacy law. PCI is being extended to anybody who takes credit cards.

The security issue is now also a data governance and compliance issue as well. So, because all these adjacencies are coming together, it's a good opportunity to sit down and architect with a risk management framework. How am I going to deal with all of this information?

Plus you have additional funding capabilities now, because of compliance violations you can actually identify what the ROI is for avoiding that. The real key to me is people stepping back and saying, "What is my business architecture? What is my risk profile associated with it? What's the value associated with that information? Now, engineer my systems to follow that."

Mezzapelle: You need to be careful that you don't equate compliance with security. There are a lot of organizations that are good at compliance checking, but that doesn't mean that they are really protecting against their most vulnerable areas, or what might be the largest threat. That's just a letter of caution -- you need to make sure that you are protecting the right assets.

Gardner: It's a cliché, but people, process, and technology are also very important here. It seems to me that governance would be an overriding feature of bringing those into some alignment.

Jim Hietala, how should organizations approach these issues with a governance mindset? That is to say, following procedures, forcing those procedures, looking and reviewing them, and then putting into place the means by which security becomes in fact part-and-parcel with doing business?

Risk management

Hietala: I guess I'd go back to the risk management issue. That's something that I think organizations frequently miss. There tends to be a lot of tactical security spending based upon the latest widget, the latest perceived threat -- buy something, implement it, and solve the problem.

Taking a step back from that and really understanding what the risks are to your business, what the impacts of bad things happening really are, is doing a proper risk analysis. Risk assessment is what ought to drive decision-making around security. That's a fundamental thing that gets lost a lot in organizations that are trying to grapple with the security problems.

Gardner: Jim, any thoughts about governance as an important aspect to this?

Stikeleather: Governance is a critical aspect. The other piece of it is education. There's an interesting fiction in both law and finance: the fiction of the reasonable, rational, prudent man. If you've done everything a reasonable, rational, and prudent person has done, then you are not culpable for whatever the event was.

I don't think we've done a good job of educating our users, the business, and even some of the technologists on what the threats are, and what are reasonable, rational, and prudent things to do. One of my favorite things is the companies that make you change your password every month and you can't repeat a password for 16 or 24 times. The end result is that you get this little thing stuck on the notebook telling them exactly what the password is.

So, it's governance, but it's also education on top of governance. We teach our kids not to cross the street in the middle of the road and don't talk to strangers. Well, we haven't quite created that same thing for cyberspace. Governance plus education may even be more important than the technological solutions.

The technical details of the risks are changing rapidly, but the nature of the risks themselves, the higher level of the taxonomy, is not changing all that much.

Gardner: One sort of push-back on that is that the rate of change is so rapid and the nature of the risks can be so dynamic, how does one educate? How do you keep up with that?

Stikeleather: I don't think that it's necessary.

If you just introduce safe practices so to speak, then you're protected up until someone comes up with a totally new way of doing things, and there really hasn't been a lot of that. Everything has been about knowing that you don't put certain data on the system, or if you do, this data is always encrypted. At the deep technical details, yes, things change rapidly. At the level with which a person would exercise caution, I don't think any of that has changed in the last ten years.

Gardner: We've now entered into the realm of behaviors and it strikes me also that it's quite important and across the board. There are behaviors at different levels of the organization. Some of them can be good for ameliorating risk and others would be very bad and prolonged. How do you incentivize people? How do you get them to change their behavior when it comes to security, Mary Ann?

Mezzapelle: The key is to make it personalized to them or their job, and part of that is the education as Jim talked about. You also show them how it becomes a part of their job.

Experts don't know

I have a little bit different view, that it is so complex that even security professionals don't always know what the reasonable right thing to do is. So, I think it's very unreasonable for us to expect that of our business users, or consumers, or as I like to say, my mom. I use her as a use case quite a lot of times about what would she do, how would she react, and would she recognize when she clicked on, "Yes, I want to download that antivirus program," which just happened to be a virus program.

Part of it is the awareness so that you keep it in front of them, but you also have to make it a part of their job, so they can see that it's a part of the culture. I also think it's a responsibility of the leadership to not just talk about security, but make it evident in their planning, in their discussions, and in their viewpoints, so that it's not just something that they talk about but ignore operationally.

Gardner: One other area I want to touch on is the notion of cloud computing, doing more outsourced services, finding a variety of different models that extend beyond your enterprise facilities and resources.

There's quite a bit of back and forth about, is cloud better for security or worse for security? Can I impose more of these automation and behavioral benefits if I have a cloud provider or a single throat to choke, or is this something that opens up? I've got a sneaking suspicion I am going to hear "It depends" here, Jim Stikeleather, but I am going to go with you anyway. Cloud: I can't live with it, can't live without it. How does it work?

Stikeleather: You're right, it depends. I can argue both sides of the equation. On one side, I've argued that cloud can be much more secure. If you think about it, and I will pick on Google, Google can expend a lot more on security than any other company in the world, probably more than the federal government will spend on security. The amount of investment does not necessarily tie to a quality of investment, but one would hope that they will have a more secure environment than a regular company will have.

On the flip side, there are more tantalizing targets. Therefore they're going to draw more sophisticated attacks. I've also argued that you have a statistical probability of break-in. If somebody is trying to break into Google, and you're on Google running Google Apps or something like that, the probability of them getting your specific information is much less than if they attack XYZ enterprise. If they break in there, they are going to get your stuff.

Recently I was meeting with a lot of NASA CIOs and they think that the cloud is actually probably a little bit more secure than what they can do individually. On the other side of the coin it depends on the vendor. I've always admired astronauts, because they're sitting on top of this explosive device built by the lowest-cost provider. I've always thought that took more bravery than anybody could think of. So the other piece of that puzzle is how much is the cloud provider actually providing in terms of security.

You have to do your due diligence, like with everything else in the world. I believe, as we move forward, cloud is going to give us an opportunity to reinvent how we do security.

I've often argued that a lot of what we are doing in security today is fighting the last war, as opposed to fighting the current war. Cloud is going to introduce some new techniques and new capabilities. You'll see more systemic approaches, because somebody like Google can't afford to put in 150 different types of security. They will put in one that's more integrated. They will put in, to Mary Ann's point, the control panels and everything that we haven't seen before.

So, you'll see better security there. However, in the interim, a lot of the software-as-a-service (SaaS) providers and some of the simpler platform-as-a-service (PaaS) providers haven't made that kind of investment. You're probably not as secure in those environments.

Gardner: Mary Ann, do you also see cloud as a catalyst to a better security either from technology process or implementation?

Lowers the barrier

Mezzapelle: For the small and medium size business it offers the opportunity to be more secure, because they don't necessarily have the maturity of processes and tools to be able to address those kinds of things. So, it lowers that barrier to entry for being secure.

For enterprise customers, cloud solutions need to develop and mature more. They may want to go with a hybrid solution right now, where they have more control and the ability to audit and to have more influence over things in specialized contracts, which are not usually the business model for cloud providers.

I would disagree with Jim in some aspects. Just because there is a large provider on the Internet that’s creating a cloud service, security may not have been the key guiding principle in developing a low-cost or free product. So, size doesn't always mean secure.

You have to know about it, and that's where the sophistication of the business user comes in, because cloud is being bought by the business user, not by the IT people. That's another component that we need to make sure gets incorporated into the thinking.

Stikeleather: I am going to reinforce what Mary Ann said. What's going on in the cloud space is almost a recreation of the late '70s and early '80s when PCs came into organizations. It's the businesspeople that are acquiring the cloud services, and again that reinforces the concept of governance and education. They need to know what it is that they're buying.

I absolutely agree with Mary. I didn't mean to imply size means more security, but I do think that the expectation, especially for small and medium size businesses, is they will get a more secure environment than they can produce for themselves.

Gardner: Jim Hietala, we're hearing a lot about frameworks, and governance, and automation. Perhaps even labeling individuals with responsibility for security and we are dealing with some changeable dynamics that move to cloud and issues around cyber security in general, threats from all over. What is The Open Group doing? It sounds like a huge opportunity for you to bring some clarity and structure to how this is approached from a professional perspective, as well as a process and framework perspective?

Hietala: It is a big opportunity. There are a number of different groups within The Open Group doing work in various areas. The Jericho Forum is tackling identity issues as it relates to cloud computing. There will be some new work coming out of them over the next few months that lay out some of the tough issues there and present some approaches to those problems.

We also have the Open Trusted Technology Forum (OTTF) and the Trusted Technology Provider Framework (TTPF) that are being announced here at this conference. They're looking at supply chain issues related to IT hardware and software products at the vendor level. It's very much an industry-driven initiative and will benefit government buyers, as well as large enterprises, in terms of providing some assurance that the products they're procuring are secure and good commercial products.

Also in the Security Forum, we have a lot of work going on in security architecture and information security management. There are a number of projects that are aimed at practitioners, providing them the guidance they need to do a better job of securing, whether it's a traditional enterprise IT environment, cloud, and so forth. Our Cloud Computing Work Group is doing work on a cloud security reference architecture. So, there are a number of different security activities going on in The Open Group related to all this.

Gardner: What have you seen in the field in terms of the development of what we could call a security professional? We've seen Chief Security Officer, but is there a certification aspect to identifying people as being qualified to step in and take on some of these issues?

Certification programs

Hietala: There are a number of certification programs for security professionals that exist out there. There was legislation, I think last year, that was proposed that was going to put some requirements at the federal level around certification of individuals. But, the industry is fairly well-served by the existing certifications that are out there. You've got CISSP, you've got a number of certifications from SANS and GIAC that get fairly specialized, and there are lots of opportunities today for people to go out and get certifications to improve their expertise in a given topic.

Gardner: My last question will go to you on this same issue of certification. If you're on the business side and you recognize these risks and you want to bring in the right personnel, what would you look for? Is there a higher level of certification or experience? How do you know when you've got a strategic thinker on security, Mary Ann?

Mezzapelle: The background that Jim talked about, CISSP and CSSLP from (ISC)2; there is also the CISM or Certified Information Security Manager that's from an audit point of view, but I don't think there's a certification that's going to tell you that they're a strategic thinker. I started out as a technologist, but it's that translation to the business and it's that strategic planning, but applying it to a particular area and really bringing it back to the fundamentals.

Gardner: Does this become then part of enterprise architecture (EA)?

Mezzapelle: It is a part of EA, and, as Jim talked about, we've done some work in The Open Group with the Information Security Management model that extends some of the other business frameworks like ITIL into the security space to have a little more specificity there.

Gardner: Last word to you, Jim Stikeleather, on this issue of how do you get the right people in the job and is this something that should be part and parcel with the enterprise or business architect?

Stikeleather: I absolutely agree with what Mary Ann said. It's like a CPA. You can get a CPA and they know certain things, but that doesn't guarantee that you’ve got a businessperson. That’s where we are with security certifications as well. They give you a comfort level that the fundamental knowledge of the issues and the techniques and stuff are there, but you still need someone who has experience.

At the end of the day it's the incorporation of everything into EA, because you can't bolt on security. It just doesn't work. That’s the situation we're in now. You have to think in terms of the framework of the information that the company is going to use, how it's going to use it, the value that’s associated with it, and that's the definition of EA.

Gardner: Well, great. We have been discussing the business risk around cyber security threats and how to perhaps position yourself to do a better job and anticipate some of the changes in the field. I’d like to thank our panelists. We have been joined by Jim Hietala, Vice President of Security for The Open Group; Mary Ann Mezzapelle, Chief Technologist in the Office of the CTO for HP, and Jim Stikeleather, Chief Innovation Officer at Dell Services.

This is Dana Gardner. You’ve been listening to a sponsored BriefingsDirect podcast in conjunction with The Open Group Conference here in San Diego, the week of February 7th, 2011. I want to thank all for joining and come back next time.

Transcript of a sponsored podcast panel discussion from The Open Group 2011 U.S. Conference on how enterprises need to change their thinking to face and avert cyber security threats. Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.

Wednesday, February 09, 2011

Infosys Survey Shows Enterprise Architecture and Business Architecture on Common Ascent to Strategy Enablers

Transcript of a sponsored podcast panel discussion on the findings of a study on the current state and future direction of enterprise architecture, recorded at The Open Group 2011 U.S. Conference.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Today, we present a sponsored podcast discussion in conjunction with the Open Group Conference, held in San Diego in the week of February 7, 2011. We’ve assembled a panel to examine the current state of enterprise architecture (EA) and analyze some new findings on this subject from a recently completed Infosys annual survey.

We'll see how the architects themselves are defining the EA team concept, how enterprise architects are dealing with impact and engagement in their enterprises, and the latest definitions of EA deliverables and objectives. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

We'll also look at where the latest trends around hot topics like cloud and mobile are pushing the enterprise architects toward a new future. Here with us to delve into the current state of EA and the survey results, is Len Fehskens, Vice President of Skills and Capabilities at The Open Group. Welcome, Len.

Len Fehskens: Thanks, Dana.

Gardner: Nick Hill, Principal Enterprise Architect at Infosys Technologies. Welcome.

Nick Hill: Thank you very much.

Gardner: Dave Hornford, Architecture Practice Principal at Integritas, as well as Chair of The Open Group’s Architecture Forum. Welcome, Dave.

Dave Hornford: Welcome. Thanks for being here.

Gardner: Chris Forde, Vice President of Enterprise Architecture and Membership Capabilities for The Open Group.

Chris Forde: Good morning.

Gardner: We have a large group here today. We're also joined by Andrew Guitarte. He is the Enterprise Business Architect of Internet Services at Wells Fargo Bank. Welcome.

Andrew Guitarte: Thank you very much.

Gardner: And, Ahmed Fattah. He is the Executive IT Architect in the Financial Services Sector for IBM, Australia. Welcome.

Ahmed Fattah: Thank you, Dana.

Gardner: Nick Hill, let’s go to you first. You've conducted an annual survey. You just put together your latest results. You asked enterprise architects what’s going on in the business. What are the takeaways? What jumped out at you this year?

Hot topics

Hill: There are several major takeaways. There were some things that were different about this year’s survey. One, we introduced the notion of hot topics. So, we had some questions around cloud computing. And, we took a more forward-looking view in terms of not so much what has been transpiring with enterprise architectures since the last survey, but what are they looking to go forward to in terms of their endeavors. And, as we have been going through economic turmoil over the past 2-3 years, we asked some questions about that.

We did notice that in terms of the team makeup, a lot of the sort of the constituents of the EA group are pretty much still the same, hailing from largely the IT core enterprise group. We looked at the engagement and impacts that they have had on their organizations and, as well, whether they have been able to establish the value that we've noticed that enterprise architects have been trying to accomplish over the past 3-4 years.

This was our fifth annual survey, which was started by Sohel Aziz. We did try to do some comparative results from previous surveys and we found that some of the things were the same, but there are some things that are shifting in terms of EA.

More and more, the business is taking hold of the value that enterprise architects bring to the table, enterprise architects have been able to survive the economic troubled times, and some companies have even increased their investment in EA. But, there was a wide range of topics, and I'm sure that we'll get to more of those as this discussion goes on.

Gardner: One of the things that you looked at was the EA team. Are we defining who these people are differently? Has that been shifting over the past few years?

Hill: Essentially, no. If you took a look at this year’s survey compared to 2007-2008 surveys, largely they’ve come from core IT with some increase from the business side, business architects and some increase in project managers. The leader of the EA group is still reporting through the IT chain either to the CIO or the CTO.

Gardner: Dave Hornford.

Hornford: Are you seeing that the leader of the architecture team is an architect or a manager? The reason I'm asking is that we're seeing an increasing shift in our client base to not having an architect lead the architecture team.

Hill: Well, that was very interesting. We didn't exactly point to that kind of a determination. We wanted to see who they actually reported into. That would help us get some indication of how well they would be able to sell their value within the enterprise, if you're largely aligned more with the IT or more with the business side functions.

Gardner: Chris Forde, you've been observing a lot of these issues, is this a particularly dynamic time, or is this a time where things are settling out? Is there any way to characterize the way in which the enterprise architect occupation or professional definition is involved with the organization? Where are we on this?

Forde: Actually, I'll defer commentary on the professional aspect of things to my colleague Len. In terms of the dynamics of EA, we're constantly trying to justify why enterprise architects should exist in any organization. That's actually no different than most other positions are being reviewed on an ongoing basis, because of what the value proposition is for the organization.

Certifying architects

What I'm seeing in Asia is that a number of academic organizations, universities, are looking for an opportunity to certify enterprise architects, and a number of organizations are initiating, still through the IT organization but at a very high CIO-, CTO-level, the value proposition of an architected approach to business problems.

What I'm seeing in Asia is an increasing recognition of the need for EA, but also a continuing question of, "If we're going to do this, what's the value proposition," which I think is just a reasonable conversation to have on a day-to-day basis anyway.

Gardner: So, Chris is pointing to the fact that business transformation is an undercurrent to all these things in many different occupations, and processes and categories of workforce and even workflow are being reevaluated. Len, how is the EA job or function playing into that? Is this now an opportunity for it to start to become more of a business transformation occupation?

Fehskens: When you compare EA with all the other disciplines that make up a modern enterprise, it's the new kid on the block. EA, as a discipline, is maybe 20 years old, depending on what you count as the formative event, whereas most of the other disciplines that are part of the modern enterprise are at least hundreds of years old.

So, this is both a real challenge and a real opportunity. The other functions have a pretty good understanding of what their business case is. They've been around for a long time, and the case that they can make is pretty familiar. Mostly they just have to argue in terms of more efficient or more effective delivery of their results.

For EA, the value proposition pretty much has to be reconstructed from whole cloth, because it didn't really exist, and the value of the function is still not that well understood throughout most of the business.

So, this is an opportunity as well as a challenge, because it forces the maturing of the discipline, unlike some of these older disciplines who had decades to figure out what it was that we're really doing. We have maybe a few years to figure out what it is we're really doing and what we're really contributing, and that helps a lot to accelerate the maturing of the discipline.

I don't think we're there completely yet, but I think EA, when it's well done, people do see the value. When it's not well done, it falls by the side of the road, which is to be expected. There's going to be a lot of that, because of the relative use of the discipline, but we'll get to the point where these other functions have and probably a lot faster than they did.

Gardner: So this is a work in progress, but that comes at a time when the organization is in transition. So, that might be a good match up. Nick, back to the survey. It seems, from my reading of it, that business strategy objectives are being given more to EA, perhaps because there is no one else in that über position to grab on to that and do something.

Hill: I think that’s very much the case. The caveat there is that it's not necessarily an ownership. It's a matter of participation and being able to weigh in on the business transformations that are happening and how EA can be instrumental in making those transformations successful.

Follow through

Now, given that, the idea is that it's been more at a strategic level, and once that strategy is defined and you put that into play within an enterprise, the idea is how does the enterprise architect really follow through with that, if they are more focused on just the strategy, not necessarily the implementation of that. That’s a big part of the challenge for enterprise architects -- to understand how they percolate downwards the standards, the discipline of architecture that needs to be present within an organization to enable that strategy in transformation.

Gardner: Len.

Fehskens: One of the things that I am seeing is an idea taking hold within the architecture community that architecture is really about making the connection between strategy and execution.

If you look at the business literature, that problem is one that’s been around for a long time. A lot of organizations evolved really good strategies and then failed in the execution, with people banging their heads against the wall, trying to figure out, "We had such a great strategy. Why couldn’t we really implement it?"

I don’t know that anybody has actually done a study yet, but I would strongly suspect that, if they did, one of the things that they would discover was there wasn’t something that played the role of an architecture in making the connection between strategy and execution.

I see this is another great opportunity for architects, if we can express this idea in language that the businesspeople understand, and strategy to execution is language that businesspeople understand, and we can show them how architecture facilitates that connection. There is a great opportunity for a win-win situation for both the business and the architecture community.

Gardner: Chris.

Forde: I just wanted to follow the two points that are right here, and say that the strategy-to-execution problem space is not at all peculiar to IT architects or enterprise architects. It's a fundamental business problem. Companies that are good at translating that bridge are extremely effective, and it's the role of architects in that that’s the important thing; we have to have the place at the table.

But, to imagine that the enterprise architects are solely responsible for driving execution of a strategy in an organization is a fallacy, in my opinion. The need is to ensure that the team of people that are engaged in setting the strategy and executing on it are compelling enough to drive that through the organization. That is a management and an executive problem, a middle management problem, and then driving down to the delivery side. It's not peculiar to EA at all in my opinion.

Gardner: Andrew at Wells Fargo Bank, you wear a number of hats outside of your organization that I think cross some of these boundaries. The idea of the enterprise architect or a business architect, where do you see this development of the occupation going, the category going, and what about this division between strategy and execution?

Guitarte: I may not speak for the bank itself, but from my experience of talking with people from the grassroots to the executive level, I have seen one very common observation, enterprise architects are caught off-guard, and the reason there is that there is this new paradigm. In fact, there is a shift in paradigm that business architecture is the new EA, and I am going out beyond my peers here in terms of predicting the future.

Creating a handbook

That is going to be the future. I am the founding chairman of the Business Architecture Society. Today, I am an advisory member of the Business Architecture Guild. We're writing, or even rewriting, the textbooks on EA. We're creating a handbook for business architects. What my peers have mentioned is that they are bridging the strategy and tactical demands and are producing the value that business has been asking for.

Gardner: Okay, we also see from the survey that process flexibility, and standardization seems to be a big topic. Again, they're looking to the architects in the organization to try to bridge that, to move above and beyond IT and applications into process, standardization, and automation across the organization.

Ahmed, where do you see that going, and how do you think the architect can play a role in furthering this goal of process flexibility and standardization?

Fattah: The way I see the market is consistent with the results of the survey in that they see the emergence of the enterprise architect as business architect to work on a much wider space and make you focus more on the business. There are a number of catalysts for that. One of them is a business process, the rise of the business process management, as a very important discipline within the organization.

That, in a way, had some roots from Six Sigma, which was really a purely business aspect, but also from service oriented architecture (SOA), which has itself now developed into business process, decomposition and implementation.

That gives very good ammunition and support for the strategic decomposition of the whole enterprise as components that, with business process, is actually connecting elements between this. The business process architect is participating as a business architect using this business process as a major aspect for enabling business transformation.

I'm very encouraged with this development of business architecture. By the way, another catalyst now is a cloud. The cloud will actually purify or modify EA, because all the technical details maybe actually outsourced to the cloud provider, where the essence of what IT will support in the organization becomes the business process.

On one hand, I'm encouraged with the result of the survey and what I’ve seen in the organization, but on the other hand, I am disappointed that EA hasn’t developed these economic and business bases yet. I agree with Len that 20 years is a short time. On the other hand, it’s a long time for not applying this discipline in a consistent way. We’ll get much more penetration, especially with large organizations, commercial organizations, and not the academic side.

Gardner: So, if we look at that potential drop between the strategy and the execution, someone dropping the ball in that transition, what Ahmed is saying that cloud computing could come in whereby your strategy could be defined, your processes could be engineered, and then the tactical implementation of those could be handed off to the cloud providers. Is that a possible scenario from where you sit, Dave?

Hornford: I think it’s a possible scenario. I think more driving from it is the ability to highlight the process or business service requirements and not tie them to legacy investments that are not decomposed into a cloud. Where you have a separation to a cloud, you’re required to have the ability to improve your execution. The barriers in execution in our current world are very closely tied to our legacy investments in software assets and physical assets, which are very closely tied to our organizational structure.

Gardner: How about you, Chris Forde, do you see some goodness or risk in ameliorating the issue of handing off strategy to a cloud provider?

Abdicating responsibility

Forde: Any organization that hands over strategic planning or execution activity to a third party is abdicating its own responsibility to shareholders, as they are profit-making organizations. So I would not advocate that position at all.

Hornford: You can’t outsource thinking?

Forde: Well, you can, but then you give up control, and that’s not a good situation. You need to be in control of your own destiny. In terms of what Ahmed was talking about, you need to be very careful as you engage with the third-party that they are actually going to implement your strategic intent.

You need to have a really strong idea of what it is you want from the provider, articulating clearly, and set up a structure that allows you to manage and operate that with their strength in the game. If you just simply abdicate that responsibility and assume that that’s going to happen, it’s likely to fail.

Gardner: So there will clearly be instances where handing off responsibility at some level will make sense and won’t make sense, but who better than the enterprise architect to make that determination? Ahmed.

Fattah: I agree, on one hand, the organization shouldn't abdicate the core function of the businesses in defining a strategy and then executing it right.

However, an example, which I'm seeing as a trend, but a very slow trend -- outsourcing architecture itself to other organizations. We have one example in Australia of a very large organization, which gives IBM the project execution, the delivery organization. Part of that was architecture. I was part of this to define with the organization their enterprise architecture, the demarcation between what they outsource and what they retain.

Definitely, they have to retain certain important parts, which is strategy and high-level, but outsourcing is a catalyst to be able to define what's the value of this architecture. So the number of architectures within our software organization was looked at with greater scrutiny. They are monitoring the value of this delivery, and value was demonstrated. So the team actually grew, not shrank.

Forde: In terms of outsourcing knowledge skills and experience in an architecture, this is a wave of activity that's going to be coming. My point wasn't that it wasn't a valid way to go, but you have to be very careful about how you approach it.

My experience out of the Indian subcontinent has been that having a bunch of people labeled as architects is different than having a bunch of people that have the knowledge, skills, and experience to deliver what is expected. But in that region, and in Asia and China in particular, what I'm seeing is a recognition that there is a market there. In North America and in Europe, there is a gap of people with these skills and experience. And folks who are entrepreneurial in their outlook in Asia are certainly looking to fill that gap.

So, Ahmed's model is one that can work well, and will be a burgeoning model over the next few years. You have to build the skill base first.

Gardner: Thank you, Chris Forde. Andrew, you had something?

Why the shift?

Guitarte: There's no disagreement about what's happening today, but I think the most important question is to ask why there is this shift. As Nick was saying, there is a shift of focus, and outsourcing is a symptom of that shift.

If you look back, Dave mentioned that in any organization there are two forces that try to control the structure. One is the techno structure, which EA belongs to, and the main goal of a techno structure is to perpetuate themselves in power, to put it bluntly. Then, there is the other side, which is the shareholders, who want to maximize profit, and you've seen that cycle go back and forth.

Today, unfortunately, it's the shareholders who are winning. Outsourcing for them is a way to manage cash flow, to control costs, and unfortunately, we're getting hit.

Gardner: Nick, going back to the survey. When you asked about some of these hot trends -- cloud, outsourcing, mobile, the impact -- did anything jump out at you that might add more to our discussion around this shifting role and this demarcation between on-premises and outsource?

Hill: Absolutely. The whole concept of leveraging the external resources for computing capabilities is something we drove at. We did find the purpose behind that, and it largely plays into our conversation behind the impact of business. It's more of a cost reduction play.

That's what our survey respondents replied to and said the reason why the organization was interested in cloud was to reduce cost. It's a very interesting concept, when you're looking at why the business sees it as a cost play, as opposed to a revenue-generating, profit-making endeavor. It causes some need for balance there.

Gardner: So cutting cost, but at what price, Len?

Fehskens: The most interesting thing for me about cloud is that it replays a number of scenarios that we've seen happen over and over and over and over again. It's almost always the case that the initial driver for the business to get interested in something is to reduce cost. But, eventually, you squeeze all the water out of that stone and you have to start looking at some other reason to keep moving in that direction, keep exploiting that opportunity.

That almost invariably is added value. What's happening with cloud is that it’s forcing people to look at a lot of the issues that they started to address with SOA. But, the problem with SOA was that a lot of vendors managed to turn it into a technology issue. "Buy this product and you’ll have SOA," which distracted people from thinking about the real issue here, which is figuring out what are the services that the business needs.

Once you understand what the services are that the business needs, then you can go and look for the lowest-cost provider out in the cloud to make that connection. But, once you’ve already made that disconnection between the services that the business needs and how they are provided, you can then start orchestrating the services on the business side from a strategically driven perspective to look at the opportunities to create added value.

You can assemble the implementation that delivers that added value from resources that are already out there that you don’t have to rely on your in-house organization to create it from scratch. So, there’s a huge opportunity here, but it’s accompanied by an enormous risk. If you get this right, you're going to win big. But if you get it wrong, you are going to lose big.

Gardner: Ahmed, you had some thoughts?

Cloud has focus

Fattah: When we use the term, cloud, like many other terms, we refer to so many different things, and the cloud definitely has a focus. I agree that the focus now is on reducing cost. However, when you look at the cloud as providing pure business service such as software as a service (SaaS), but also business process orchestrated services with perhaps outsourcing the business process itself, it has a huge potential to create this mindset for organizations about what they are doing and in which part they have to minimize cost. That's where the service is a differentiator. They have to own it. They have to invest so much in it. And, they have to use the best around.

Definitely the cloud will play in different levels, but these levels where it will work in a business architecture is actually distilling the enterprise architecture into the essence of it, which is understanding what service do I need, how I sort the services, and how I integrate them together to achieve the value.

Gardner: So, the stakes are rather high. We have an opportunity where things could be very much more productive, and I’ll use that term rather than just cost savings, but we also have the risk of some sort of disintermediation, dropping the ball, and handing off the strategic initiatives to the tactical implementation and/or losing control of your organization.

So, the question is, Dave Hornford, isn’t the enterprise architect in a catbird seat, in a real strong position to help determine the success or failure on this particular point?

Hornford: Yes, that gets to our first point, which was execution. We've talked in this group about the business struggle to execute. We also have to consider the ability of an enterprise architecture team to execute.

When we look at an organization that has historically come from and been very technically focused in enterprise IT, the struggle there, as Andrew said, is that it’s a self-perpetuating motion.

I keep running into architecture teams that talk about making sure that IT has a seat at the table. It’s a failure model, as opposed to going down the path that Len and Ahmed were talking about. That's identifying the services that the business needs, so that they can be effectively assembled, whether that assembly is inside the company, partly with an outsource provider, or is assembled as someone else doing the work.

That gets back to that core focus of the sub-discipline that is evolving at an even faster rate than enterprise architecture. That’s business architecture. We're 20 years into EA, but you can look at business literature going back a much broader period, talking about the difficulty of executing as a business.

This problem is not new. It’s a new player in it who has the capability to provide good advice, and the core of that I see for execution is an architecture team recognizing that they are advice providers, not doers, and they need to provide advice to a leadership team who can execute.

Gardner: Anyone else want to add to this issue of the role and importance of architect, be it business or be it information or IT, and this interesting catalyst position we are in between on-premises and outsource?

Varying maturity

Forde: I have a comment to make. It’s interesting listening to Dave’s comments. What we have to gauge here is that the state of EA varies in maturity from industry to industry and organization to organization.

For the function to be saying "I need a place at the table" is an indication of a maturity level inside an organization. If we're going to say that an EA team that is looking for a place at the table is in a position to strategically advise the executives on what to do in an outsourcing agreement, that's a recipe for disaster.

However, if you're already in the position of being a trusted adviser within the organization, then it's a very powerful position. It reflects the model that you just described, Dana.

Organizations and the enterprise architecture team at the business units need to be reflecting on where they are and how they can play in the model that Ahmed and Dave are talking about. There is no one-size-fits-all here from an EA perspective. I think it really varies from organization to organization.

Gardner: Nick, from the survey, was there any data and information that would lead you to have some insight into where these individuals need to go in order to accommodate, as Chris was saying, what they need to do from a self-starting situation to be able to rise to these issues even as these issues of course are variable from company to company?

Hill: One of the major focus areas that we found is that, when we talk about business architecture, the reality is that there's a host of new technologies that have emerged with Web 2.0 and are emerging in grid computing, cloud computing, and those types of things that surely are alluring to the business. The challenge for the enterprise architect is to take a look at those legacy systems that are already invested in in-house and at how an organization is going to transition that legacy environment to the new computing paradigms, do that efficiently, and at the same time be able to hit the business goals and objectives.

It's a conundrum that the enterprise architects have to deal with, because there is a host of legacy investment that is there. In Infosys, we've seen a large uptake in the amount of modernization and rationalization of portfolios going on with our clientele.

That's an important indicator that there is this transition happening and the enterprise architects are right in the middle of that, trying to coach and counsel the business leadership and, at the same time, provide the discipline that needs to happen on each and every project, and not just the very large projects or transformation initiatives that organizations are going through.

The key point here is that the enterprise architects are in the middle of this game. They are very instrumental in bringing these two worlds together, and the idea that they need to have more of a business acumen, business savvy, to understand how those things are affecting the business community, is going to be critical.

Gardner: Very good. We're going to have to leave it there. I do want to thank you, Nick, for sharing the information from your Infosys Technologies survey and its results. So, thank you to Nick Hill, the Principal Enterprise Architect at Infosys Technologies.

I'd also like to thank our other members of our panel today. Len Fehskens, the Vice President of Skills and Capabilities at The Open Group. Thank you.

Fehskens: Thanks for the opportunity. It was a very interesting discussion.

Gardner: And Dave Hornford, the Architecture Practice Principal at Integritas. Thank you.

Hornford: Thank you very much, Dana, and everyone else.

Gardner: And Chris Forde, Vice President of Enterprise Architecture and Membership Capabilities at The Open Group. Thank you.

Forde: My pleasure. Thanks, Dana.

Gardner: And of course, we've also been joined by Andrew Guitarte. He is the Enterprise Business Architect of Internet Services at Wells Fargo Bank. Thank you.

Guitarte: My pleasure.

Gardner: And lastly, Ahmed Fattah. He is the Executive IT Architect in the Financial Services Sector for IBM, Australia.

Fattah: Thank you, Dana.

Gardner: And I want to thank our listeners who have been enjoying a sponsored podcast discussion in conjunction with The Open Group Conference here in San Diego, the week of February 7, 2011. I'm Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks for joining and come back next time.


Transcript of a sponsored podcast panel discussion on the findings of a study on the current state and future direction of enterprise architecture, recorded at The Open Group 2011 U.S. Conference. Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.

Examining the Current State of the Enterprise Architecture Profession With The Open Group's Steve Nunn

Transcript of a sponsored podcast discussion on enterprise architecture and current moves toward gaining greater status as a profession from The Open Group 2011 U.S. Conference.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Today, we present a sponsored podcast discussion in conjunction with The Open Group Conference held in San Diego, the week of February 7, 2011. We're here with an executive from The Open Group to examine the current state of enterprise architecture (EA). We'll hear about how EA is becoming more business-oriented and how organizing groups for the EA profession are consolidating and adjusting. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

We'll get an update on The Association of Open Group Enterprise Architects (AOGEA) and learn more about its recent merger with the Association of Enterprise Architects. What's more, we'll get an assessment of the current maturity levels and overall professionalism drive of EA, and we're going to learn more about what to expect from the EA field and these organizing groups over the next few years.

Here to help us delve into the current state of EA, please join me now in welcoming Steve Nunn, Chief Operating Officer of The Open Group and CEO of The Association of Open Group Enterprise Architects.

Welcome back, Steve.

Steve Nunn: Hi, Dana. Good to be back.

Gardner: We're hearing an awful lot these days about EA being dead, outmoded, or somehow out of sync. I know there's a lot more emphasis on the business issues, rather than just the technical or IT issues, but what's going on with that? Are we at a point where this topic, this professional category, is in some danger?

Nunn: Absolutely not. EA is very much the thing of the moment, but it's also something that’s going to be with us for the foreseeable future too. Both inside The Open Group and the AOGEA, we're seeing significant growth and interest in the area of EA. In the association, it’s individuals becoming certified and wanting to join a professional body for their own purposes and to help the push to professionalize EA.

Within The Open Group it’s entities and organizations. Whether they be commercial, governments, or academic, they are regularly joining The Open Group Architecture Forum. So, it's far from dead. And in terms of the importance of business overall, EA is relevant to business.

Tomorrow's plenary session here at the conference is a good example. It's about using EA for business transformation. It's about using EA to tie IT into the business. There is no point in doing IT for IT's sake. It's there to support the business, and people are finding that one way of doing that is EA.

Gardner: I would think too, Steve, that some of the major trends around mobile, security, and cyber risk would augment the need for a more holistic governing role, and the architect seems to fit that bill quite nicely. So, is there wind in your sails around some of these trends?

Central to the organization

Nunn: Absolutely. We're seeing increasingly that you can't just look at EA in some kind of silo. It's more about how it fits. It's so central to an organization and the way that organizations are built that it has all of the factors that you mentioned. Security is a good one, as well as cloud. They're all impacted by EA. EA has a role to play in all of those.

Inside The Open Group, what's happening is a lot of cross-functional working groups between the Architecture Forum, the Security Forum, and the Cloud Work Group, which is just recognition of that fact. But, the central tool of it is EA.

Gardner: In addition to recognizing that the function of the EA is important, you can't just have people walking in the door and saying, well, I'm an enterprise architect. It's hard to define the role, but it seems necessary. Tell me about the importance of certification, so that we really know what an enterprise architect is.

Nunn: That’s right. Everyone seems to want to be an enterprise architect or an IT architect right now. It's that label to have on your business card. What we're trying to do is separate the true architects from one of these, and certification is a key part of that.

If you're an employer and you're looking to take somebody on to help in the EA role, then it’s having some means to assess whether somebody really has any experience of EA, whether they know any frameworks, and what projects they've led that involve EA. All those things are obviously important to know.

There are various certification programs, particularly in The Open Group, that help with that. The TOGAF Certification Program is focused on the TOGAF framework. At the other end of the spectrum is the ITAC Program, which is a skills and experience based program that assesses by peer review an individual’s experience in EA.

There are those, there are others out there, and there are more coming. One of the great things we see is the general acceptance of certification as a means to telling the wood from the trees.

Gardner: So, we certainly have a need. We have some major trends that are requiring this role and we have the ability to begin certifying. Looking at this whole professionalism of EA, we also have these organizations. It was three years ago at this very event that the AOGEA was officially launched. Maybe you could tell us what’s happened over the past three years and set the stage for what’s driving the momentum in the organization itself?

Nunn: Three years ago, we launched the association with 700 members. We were delighted to have that many at the start. As we sit here today, we have over 18,000 members. Over that period, we added members through more folks becoming certified through not only The Open Group programs, but with other programs. For example, we acknowledged the FIAC Certification Program as a valid path to full membership of the association.

We also embraced the Global Enterprise Architecture Organization (GEAO), and those folks, relevant to your earlier question, really have a particular business focus. We've also embraced the Microsoft Certified Architect individuals. Microsoft stopped its own program about a year ago now, and one of the things they encouraged their individuals who were certified to do was to join the association. In fact, Microsoft would help them pay to be members of the association, which was good.

So, it reflects the growth, and membership reflects the interest in the area of EA and the interest of individuals wanting to advance their own careers through being part of a profession.

Valuable resource

Enterprise architects are a highly valuable resource inside an organization, and so we are promoting that message to the outside world. For our members as individuals, what we're focusing on is delivering to them the latest thinking in EA, moving towards best practices, white papers, and trying to give them, at this stage, a largely virtual community in which to deal with each other.

Where we have turned it into a real community is through local chapters. We now have about 20 local chapters around the world. The members have formed those. They meet at varying intervals, but the idea is to get face time with each other and talk about issues that concern enterprise architects and the advancement of the profession. It’s all good stuff. It’s growing by the week, by the month, in terms of the number of folks who want to do that. We're very happy with what has gone on in three years.

Gardner: We've got a little bit of alphabet soup out there. There are several organizations, several communities, that have evolved around them, but now you are working to bring that somewhat together.

As I alluded to earlier, the AOGEA has just announced its merger with the Association of Enterprise Architects (AEA). What’s the difference now? How does that shape up? Is this simply a melding of the two or is there something more to it?

Nunn: Well, it is certainly a melding of the two. The two organizations actually became one in late fall last year, and obviously we have the usual post merger integration things to take care of.

But, I think it’s not just a melding. The whole is greater than the sum of the parts. We have two different communities. We have the AOGEA folks who have come primarily through the certification route, and we also have the AEA folks who haven’t been so focused on certification, but they bring to the table something very important. They have chapters in different areas than the AOGEA folks by and large.

Also, they have a very highly respected quarterly publication called The Journal of Enterprise Architecture, along the lines of an academic journal, but with a leaning towards practitioners as well. That’s published on a quarterly basis. The great thing is that that’s now a membership benefit to the merged association membership of over 18,000, rather than the subscriber base before the merger.

As we develop, we're getting closer to our goal of being able to really promote the profession of EA in a coherent way. There are other groups beyond that, and there are the early signs of co-operation and working together to try to achieve one voice for the profession going forward.

Gardner: And this also followed, about a year ago, the GEAO merger with the AOGEA. So, it seems as if we're getting the definitive global organization with variability in terms of how it can deal with communities, but also that common central organizing principle. Tell me about this new über organization. What are you going to call it and what is the reach? How big is it going to be?

Nunn: Well, the first part of that is the easy part. We have consulted the membership multiple times now actually, and we are going to name the merged organization The Association of Enterprise Architects. So that will keep things nice and simple and that will be the name going forward. It does encompass so far GEAO, AOGEA and AEA. It's fair to say that, as a membership organization, it is the leading organization for enterprise architects.

Role to play

There are other organizations in the ecosystem who are, for example, advocacy groups, training organizations, or certification groups, and they all have a role to play in the profession. But, where we're going with AEA in the future is to make that the definitive professional association for enterprise architects. It's a non-profit 501(c)(6) incorporated organization, which is there to act as the professional body for its members.

Gardner: You have been with The Open Group for well over 15 years now. You've seen a lot of the evolution and maturity. Let’s get back to the notion of the enterprise architect as an entity. As you said, we have now had a process where we recognize the need. We've got major trends and dynamics in the marketplace. We have organizations that are out there helping to corral people and manage the whole notion of EA better.

What is it about the maturity? Where are we in a spectrum, on a scale of 1 to 10? What does that mean for where there is left to go? This isn’t cooked yet. You can't take it out of the oven quite yet.

Nunn: No, absolutely not. There's a long way to go, and I think to measure it on a scale of 1 to 10, I'd like to say higher, but it's probably about 2 right now. Just because a lot of things that need to be done to create a profession are partly done by one group or another, but not done in a unified way or with anything like one voice for the profession.

It's interesting. We did some research on how long we might expect it to take to achieve the status of a profession. Certainly, in the US at least, the shortest period of time taken so far was 26 years by librarians, but typically it was closer to 100 years and, in fact, the longest was 170-odd years. So, we're doing pretty well. We're going pretty quickly compared to those organizations.

We're trying to do it on a global basis, which to my knowledge is the first time that's been done for any profession. If anything, that will obviously make things a little more complicated, but I think there is a lot of will in the EA world to make this happen, a lot of support from all sorts of groups. Press and analysts are keen to see it happen from the talks that we've had and the articles we've read. So, where there is a will there is a way. There's a long way to go, but we've made good progress in a short number of years, really.

Gardner: So, there's a great deal of opportunity coming up. We've talked about how this is relevant to the individual. This is something good for their career. They recognize a path where they can be beneficial, appreciated, and valued. But, what's in it for the enterprise, for the organizations that are trying to run their businesses dealing with a lot of change already? What does a group like the AEA do for them?

Nunn: It's down to giving them the confidence that the folks that they are hiring or the folks that they are developing to do EA work within their enterprise are qualified to do that, knowledgeable to do that, or on a path to becoming true professionals in EA.

Certainly if you were hiring into your organization an accountant or a lawyer, you'd be looking to hire one that was a member of the relevant professional body with the appropriate certifications. That's really what we're promoting for EA. That’s the role that the association can play.

Confidence building

We'll have achieved success with the association when folks who are hiring enterprise architects will only look at folks who are members of the association, because to do anything else would be like hiring an unqualified lawyer or accountant. It's about risk minimization and confidence building in your staff.

Gardner: Now, you wear two hats. You're the Chief Operating Officer at The Open Group and you're the CEO of the AEA. How do these two groups relate? You're in the best position to tell us what's the relationship or the context that the listeners should appreciate in terms of how this shakes out?

Nunn: That’s a good point. It's something that I do get asked periodically. The fact is that the association, whilst a separately incorporated body, was started by The Open Group. With these things, somebody has to start them, and The Open Group's membership was all you needed for this to happen. So, very much the association has its roots in The Open Group, and today it still works very closely with The Open Group in terms of how it operates, and certain infrastructure things for the association are provided by The Open Group.

The support is still there, but increasingly the association is becoming a separate body. I mentioned the journal that’s published in the association's name; it has its own websites, its own membership.

So, little by little, there will be more separation between the two, but the aims of the two or the interests of the two are both served by EA becoming recognized as a profession. It just couldn't have happened without The Open Group, and we intend to pay a lot of attention to what goes on inside The Open Group in EA. It's one of the leading organizations in the EA space and a group that the association would be foolish not to pay attention to, in terms of the direction of certifications and what the members, who are enterprise architects, are saying, experiencing, and what they're needing for the future.

Gardner: So, I suppose we should expect an ongoing partnership between them for quite some time.

Nunn: Absolutely. A very close partnership and along with partnerships with other groups. The association is not looking to take anyone's turf or tread on anyone’s toes, but to partner with the other groups that are in the ecosystem. Because if we work together, we'll get to this profession status a lot quicker, but certainly a key partner will be The Open Group.

Gardner: Well, very good. We have been looking at the current state of EA as a profession, learning about the organizing groups around that effort and the certification process that they support. We've been talking with Steve Nunn, the Chief Operating Officer at The Open Group and also the CEO of the newly named Association of Enterprise Architects. Thank you so much, Steve.

Nunn: Thank you, Dana.

Gardner: You've been listening to a sponsored BriefingsDirect podcast coming to you in conjunction with The Open Group Conference here in San Diego, the week of February 7, 2011. This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks for joining, and come back next time.

Transcript of a sponsored podcast discussion on enterprise architecture and current moves toward gaining greater status as a profession from The Open Group 2011 U.S. Conference. Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.