In a security breach, the perspective of who’s responsible is shifting…

The implications of boards holding Chief Executive Officers accountable for breaches will be something to watch. Recently a survey of 200 public companies shows that corporate boards are now concerned about cybersecurity and willing to hold top executives accountable.

Since the board (and the CEO that they put in place) is ultimately responsible for the results of the company, making the CEO responsible shouldn’t be a surprise. A security breach is just one example of a business risk, not just a “technical issue,” so it should be treated in a similar fashion. There are roles like the CISOs, CIOs, CROs that may support the CEO in their efforts to steer the ship, but if the organization runs aground, the highest levels of corporate leadership need to be held accountable — just like they are rewarded for improved corporate performance. Neither scenario is accomplished by the CEO alone.

A data breach can impact customer confidence, stock price, and the company’s reputation for a long time and those are not “technical issues.” Unfortunately, it is not a matter of “if” but “when” a security incident will occur so a formal effort must be expended to anticipate, detect, develop contingency plans to limit, and correct the situation when it occurs, as quickly and effectively as possible, reducing the impact on the customers as well as the organization itself.

That is likely one reason why in job postings today there is an abundance of openings in the security space.

Waste can be Good – it’s all relative

As businesses make the transition to where the edge of the enterprise is wired into the operational processes of the business, we will start to consume our resources quite differently than we have in the past. We can use the abundance of computing capabilities to shed light on all the dark data currently available to develop a deeper contextual understanding of situations we encounter. Money may not be growing on trees, but there is much more we can be doing.

An article in Wired magazine back in 2009 discussed how: Tech Is Too Cheap to Meter: It’s Time to Manage for Abundance, Not Scarcity. In this world of exponential increases in capability, 2009 is ancient history, even so, the article is useful. It works through examples like how Alan Kay used the precious resources of the computer to display pictures on the screen instead of just textual data. George Gilder called this “wasting transistors” — making people more productive by using the transistors (computing capability) available.

The funny thing about waste is that it’s all relative to your sense of scarcity.

As we look to use higher levels of automation to handle more “normal” activities and focus people’s attention to turning anomalies into opportunities, we’ll use pattern recognition and other techniques that may appear to waste cycles. I hear people today complain about the expense of cloud computing and that it is out of control. That is more about what they use these resources for, how they measure impact and exercise control than anything to do with cost, at least from my perspective. As more capabilities become available and algorithms improve, we’ll need to do even more with more – not less.

The Wired article shows how behavior needs to change as we move from a perspective of scarcity to abundance:

From a perspective of Scarcity or Abundance

| | Scarcity | Abundance |
|---|---|---|
| Rules | Everything is forbidden unless it is permitted | Everything is permitted unless it is forbidden |
| Social model | Paternalism (We know what’s best) | Egalitarianism (You know what’s best) |
| Profit plan | Business model | We’ll figure it out |
| Decision process | Top-down | Bottom-up |
| Organizational structure | Command and control | Out of control |

This kind of shift in perspective is disruptive, useful and the right thing to do to take maximum advantage of a truly scarce resource – the human attention span.

The ‘Who Moved My Cheese?’ of Legacy Systems

Having recently gone through a personal disruption related to employment, I dusted off my copy of Who Moved My Cheese? After re-reading the book, I thought about how this applies to the life of the CIO and application portfolio management. We are all too often with the world we understand and the 80% (or more) of the budget it consumes – failing to Sniff out opportunities.

A recent post, CIOs make the tough call on legacy systems by Mary K. Pratt, delved into the issue of managing the layer upon layer of project success that builds up to calcify an organization’s ability to respond. I found it a worthwhile read.

Even in this day of IaaS and SaaS, the basics of optimizing the application portfolio of an organization remain relatively unchanged. It gets down to where the organization is headed and an assessment of costs vs. value generation.

Organizations need to ask some fundamental questions like:

  1. What needs to be done and why?
  2. How is it going to be accomplished?
  3. What is the expected outcome?
  4. When will it be needed or done?
  5. How will we measure outcomes, so we can validate that the task is complete and effective?
  6. What resources will be required? ($$, people…)

Essentially an assessment of leading and lagging indicators and how the portfolio can support them.

A simple view of the assessment is summed up in this quadrant chart:

Apps Portfolio Assessment

I am sure there are other complex and wonderful interpretations of this, but to me this view is the simplest. Keep what adds value and has a low cost to operate. Refactor those programs (where possible) that have a high cost to maintain and also add high value. Validate the need for anything that delivers low value – you may be surprised how many of these you can turn off. Finally, replace those that have business support and high cost.

In this age of automation, the concepts of cost need to be holistic and not just the IT maintenance costs… For a parody of Who Moved My Cheese? touching on automation look to this Abstruse Goose illustration.

It is not hard to start but it is constantly changing so it may never be done.

Enterprise architecture in a world of automated change

I posted the other day on the Enterprise CIO blog an entry about the CIO’s role and the self-driving business that got me thinking about the Enterprise architect and the processes (e.g., TOGAF). There seems to be a lack of any real automation thread. Do you see one? This clearly needs to be addressed.

One of the primary roles of an Enterprise Architect is to identify, define and support business transformation projects. The capabilities of the technologies and the business drivers have changed quite dramatically in recent years but the processes in many ways remain the same. EA practitioners will need to take a very different approach to their role going forward and how it can shape the business.

Automation will be playing an ever increasing role in business. One concept that needs to be addressed is that of Enterprise Context Management, which is one of those foundational elements needed for automation, yet that’s not really part of any EA process work product – at least that I know of. To me this is like a repository of enterprise state (for lack of a better term) and who subscribes to the changes in state.

Gartner came up with the term Vanguard Enterprise Architect, describing EAs that are focused on digital business techniques and their value to the business. As part of this more forward-looking approach, architects need to understand that it’s not about creating documents but about blending people, process and system to meet business needs. Through the use of automation techniques the environment will still need to be human-centric; it will just use those individuals’ attention more efficiently and effectively.

The days of EAs gathering, documenting and then just placing a few recommendations on the table are likely over. EA is not about just hardware, software and projects. Sure, those play a part, but now it is services, relationships and a holistic ecosystem view aligned to desired outcomes. The expectation should be for the EA to deliver business outcomes, backed by contextual depth of impact and analytics that maximize the value from one of the scarcest resources in any business, the creativity of its people.