Are you bypassing CIO policies to access cloud services?

I recently spoke with a CIO of a large and highly regulated organization about his company’s experiences with cloud computing. Security and compliance issues are top priorities for this CIO, causing the company’s leadership to move with caution into the cloud. He expects that all cloud implementations throughout the enterprise – from Software as a Service (SaaS) to Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) – will receive prior approval from his office. This CIO is implementing the same approach to security and compliance that he has taken with every project undertaken within the company. In other words, security must be implemented following a centralized approach in order to ensure that information governance policies are upheld. The company’s cloud experiences so far have included the on-demand purchase of extra compute power and storage for development and test on two small projects as well as use of Salesforce.com in several business unit sales teams. Overall, he feels confident about the level of control he has when it comes to managing cloud security issues, and understanding the potential impact of the evolving cost and economic models of cloud computing.

However, is this CIO really as in control of the situation as he thinks? If his experience is in line with what I have heard from CIOs at similar enterprises, then he may well be blindsided. For example, many businesses find that while their centralized governance processes are effective at improving security, there may also be some unintended consequences. While the CIO directs his team to implement policies to monitor the flow of information between internal users, customers, and partners, there may be some people in the company who are undermining his efforts. Tighter control at the corporate level may lead to longer approval processes for IT resources. And departments that need to complete a project quickly have never been very patient. As a result, developers and business unit analysts are leveraging cloud delivery models for quick and cost-effective access to computing resources even if it means bypassing CIO-instituted governance policies. Right now, the usage of cloud computing is small and is not impacting security or the expense structure in any significant way. However, I expect that as his company becomes more involved in cloud computing this CIO will need to pay more attention to controlling the costs of cloud services and the management of cloud security.

Controlling costs. Cloud computing is fundamentally about the economics of delivering IT resources in a cost efficient, elastic, and secure manner.  But, the price per CPU for compute power or the price to bring the first five users onto a SaaS application is only one element of the overall economic equation.  It can be so inexpensive to access public cloud resources to meet short-term requirements that it is easy for users to enter a corporate credit card number and move ahead with the project. But, over time small projects can grow larger or take longer to complete than expected. For example, a software development team has a tight deadline to evaluate the performance of a new application prior to an upcoming sales promotion.  One of the developers uses a corporate credit card to get the extra compute power needed for this short-term test and spends a lot less money and gets faster results than by requesting additional resources from his company’s data center. Job completed. Deadline met. Cost low. However, what happens when the application requires additional testing under various scenarios and goes into production? The initial payment to Amazon may have gone unnoticed, but when the development team’s use of cloud resources expands significantly the CFO and the CEO suddenly start to ask a lot of questions.

Security. CIOs identify security concerns as one of the top reasons why they are cautious about cloud computing. In addition to checking out the security policies of the cloud vendors under their control, CIOs worry that you may be accessing cloud-based services without their approval. One big area of concern is the increasing use of social networking applications accessed on mobile devices and used with little or no distinction between business and personal usage. For example, you may use LinkedIn to get help from a business contact to close a deal and Twitter and Facebook to connect with friends and clients. For many people, there are few boundaries between business and personal conversations conducted in the cloud, and this has some CIOs worried about security and compliance issues.

The bottom line. Unfortunately, these issues and concerns are not going away any time soon. In fact, I expect that the level of oversight will only increase. The CIO will be called to task if various departments begin relying on cloud services for various mission-critical projects without any oversight. This is only the tip of the iceberg. And I suspect this is going to be a big iceberg.



Five Steps to Effective SOA Governance

I will be presenting a session titled “Five Steps to Effective SOA Governance” in BrightTALK’s online SOA Governance Summit on Thursday, February 25. The summit includes five webcasts on different aspects of industry best practices for SOA Governance. This summit is sponsored in association with the ITGRC Forum. Please join me for the live session by clicking on this link or check out the webcast online at BrightTALK at a later date.

While I was at the IBM Pulse2010 Conference for Integrated Service Management this week, I spoke with several IBM executives about governance issues. I’ve had SOA Governance on my mind because I was preparing for this webcast and found many opportunities at Pulse2010 to discuss governance as it relates to SOA, cloud, security, and business outcomes.

While there are many layers of complexity around governance, here is one basic truth that we discussed.  There are two types of governance  that can impact your business. One is the governance you need to do to keep out of jail – or at least out of trouble with government and industry regulators – and the second is the governance you want to do to ensure that your company has the flexibility to grow and innovate.  This is an important distinction.  You can establish tightly regulated governance policies with a goal of  passing your required audits, but without the right level of governance around business process issues you can’t anticipate change and find opportunities in unexpected challenges.

If you are hoping to obtain better business outcomes (and who isn’t?) you will need to work hard at improving business and IT collaboration. Implementing a Service Oriented Architecture helps an organization to align IT with business goals and to succeed in rapidly changing business environments. In order for you to achieve these benefits of SOA, you will need to implement a governance model. SOA governance is critical for achieving business value from your SOA initiative by ensuring the reusability of business services.

What is SOA Governance? It helps define a methodology for creating, managing, and safeguarding your movement to SOA. It also supports the management of business rules in a standardized way across the business.

How do you create effective SOA Governance for your organization? It is important to fit your governance model to your SOA. You need to start small and grow.

Here are five key steps to effective SOA Governance.

  1. Approach executive management with a justification for SOA governance.
  2. Create a comprehensive plan to create the right business services with executive support.
  3. Establish a process for organizational change, since managing change is as important as creating SOA services.
  4. Balance risk with oversight to find a proper balance for SOA governance.
  5. Plan for the lifecycle of business services.

SOA Governance is all about finding the right balance for your organization. You need to create the right set of business services at the right level of granularity to support the business. If your services are too narrow and technically defined, then they may not have the right meaning for the business. In order to achieve business success with SOA, you need to implement a SOA governance model that ensures business service reuse and business value.


Asking the right questions about information governance

I am looking forward to attending The Smart Governance Forum (23rd meeting of the IBM Data Governance Council) in California on February 1-3, where I will be a panelist for a session on Smart Governance Analytics. As my panel group started to plan for the event, I did some background research on the Council to understand more about them. What kinds of questions were Council members asking about information governance when they began meeting in 2004 and how are things different today? Have they developed best practices that would be useful to other companies working to develop an information governance strategy?

Information governance refers to the methods, policies, and technology that your business deploys to ensure the quality, completeness, and safety of its information. Your approach to information governance must align with the policies, standards, regulations, and laws that you are legally required to follow. When a group of senior executives responsible for information security, risk, and compliance at IBM customer organizations began meeting in 2004, interest in IT governance was high, but there wasn’t as much attention focused specifically on information governance.

Books like “IT Governance: How Top Performers Manage IT Decision Rights for Superior Results” by Peter Weill and Jeanne W Ross helped companies understand the benefit of aligning IT goals with the overall goals and objectives of the business. In addition, there were other publications at this time focused on how to take a balanced scorecard approach to managing business strategy and on best practices for implementing IT governance. These approaches are of critical importance to business success; however, there was also a need to develop a framework for understanding, monitoring, and securing the rapidly increasing supply of business data and content.

And that is what a group of IT information focused business leaders and IBM and business partner technology leaders decided to do. The amount of data they needed to collect, aggregate, process, analyze, share, change, store, and retire was growing larger every day. In addition to data stored in traditional databases and packaged applications like CRM (customer relationship management) systems, they were also concerned about information stored and shared in unstructured formats like documents, spreadsheets, and email.

Having more information about your company’s customers, partners, and products creates great opportunity, but more information also means more risk if you don’t manage your information with care. Council members asked each other lots of questions such as:

  • How can we be sure that the right people get access to the right information at the right time?
  • How can we make sure that the wrong people do not get access to our private information at any time?
  • How can we overcome the risks to data quality, consistency, and security increased by the siloed approach to business data ownership that is so prevalent in our organizations?
  • How can we create a benchmarking tool for information governance that will help our businesses to increase revenue, lower costs, and reduce risks?
  • How can we improve our ability to meet the security and protection standards of auditors and regulators?

As a result of its discussions, the Council developed a Maturity Model to help you assess your current state of information governance and provide guidance for developing a roadmap for the future. The Model identifies 11 categories of information governance. The categories cover all the different elements of building an information security strategy, such as understanding who in the business/IT is responsible for what information, what policies you follow to control the flow of your information in your company, what your methodologies are for identifying and mitigating risk, and how you measure the value of your data and the effectiveness of governance. I read two IBM white papers on the Model that add insight to the questions you need to ask to begin building a path to better information governance, “The IBM Data Governance Council Maturity Model: Building a roadmap for effective data governance” and “The IBM data governance blueprint: Leveraging best practices and proven technologies”.

So, what’s changed? Financial crises, increasing regulation, high-profile incidents of stolen private data, cloud technology, and other factors have added substance and complexity to the questions you need to ask about information governance. There is much to do. One question we will explore at the conference next week is: how do you measure the effectiveness of your information governance strategy and what analytical measures are appropriate? For example, some companies are using analytical tools to look for patterns of email communication across the company and discover a greater level of insight into how information is flowing and what needs more review. Look for more on analytics and governance after the conference.


Why you need an information governance strategy for 2010

You say you already have a plan in place to guard your company’s data? Are you sure it has you adequately protected? While you certainly understand the need for data security – your sales challenges are tough enough without exposing your customers’ credit card information to a security breach, for example – the chances are good that in 2010 you will consider various options for improving the security of your data. If you are going to protect your company’s most valuable asset — your data — you will begin to view data security as a component of a more comprehensive information governance strategy.

The risks of internal or external threats to your company’s data are becoming more complex as the depth and breadth of your information expands rapidly and your data is shared with business partners, suppliers, and customers. In addition, as companies begin to take advantage of cloud services for some of their workloads, additional complexity is added to the multitude of security concerns. Many companies have deployed a disjointed approach to securing, controlling, and managing their data, making it hard to anticipate and prepare for constantly changing security risks. There are lots of different ways that unauthorized users may enter your network or otherwise steal your data. Many companies have a distinct solution to combat each one individually and typically can’t protect against all of them. For example, access control, data encryption, network traffic monitoring, vulnerability testing, and auditing may all be monitored with independent applications.

There is a good reason why many companies find they need to deploy lots of different solutions to effectively govern their information. Some of the most innovative solutions have come from emerging companies who have built a niche around a particular vertical market or some segment of the information security market. So you deploy the best solution for your biggest challenges and move on. However, as you begin to think more holistically about your needs for information governance, you will want to ensure that information security solutions are well integrated. This is one reason why emerging companies with an information security solution have become desirable acquisition candidates for larger software vendors.

Guardium, a privately-held company based in Massachusetts, is one of the most recent examples of this trend. When IBM announced its acquisition of the company in the last week of November, Guardium moved from a fast-growing startup to one of the pillars of the IBM information governance strategy. The company’s technology helps clients with some of the most challenging issues around unauthorized access to critical data. Their solutions provide secure access to enterprise data – across many different database environments such as IBM, Oracle, Microsoft, Teradata and others. In addition, customers can reduce operational costs by automating regulatory compliance tasks. While many companies may have the ability to monitor one database at a time, Guardium brings added value by enabling companies with complex environments to monitor databases across their organization.

This acquisition aligns well with IBM’s strategy to provide customers with a well-integrated and comprehensive approach to information management. IBM has spent in the range of $12 Billion over the past five years to add software assets that will help companies to make more intelligent decisions and realize more business value from their information.


Do you have an analytics strategy and why should you care?

After just returning from IBM’s Information on Demand (IOD) Conference in Las Vegas, I would like to take this opportunity to virtually whisper just one word in the ear of a current day Benjamin Braddock, “analytics”. Many businesses have spent the past 25 years or so automating and streamlining business processes in order to drive improvements in efficiency and productivity.  But now, it is becoming apparent that these businesses expect their future success will increasingly depend on how skillfully they manage, govern, and analyze information. Businesses are applying analytical techniques to business information to help reduce risk and increase the certainty that they are making the right decisions.

IBM has, in fact, spent $12 Billion in software investments (both organic and through multiple acquisitions like SPSS, Cognos, Filenet, iPhrase, and Ascential Software, just to name a few) over the past 4-5 years to ensure it will be able to support its customers in their quest to unlock the business value of information. In addition, in April of 2009 IBM announced a new organization comprised of 4000 consultants focused on advanced business analytics and business optimization – teams with skills in applying business intelligence technologies like mathematical modeling, simulation, data analytics, and optimization techniques.

In an era of intense competition, tight credit, and cost concerns across global and vertical markets, this focus on getting the most value from the information you have makes a lot of sense. Companies find they are processing more information than ever before, but less of this information is being accurately and adequately used. The quantity of available data that a business needs to manage and understand has skyrocketed along with the increase in instrumented and intelligent products. For example, RFID tags that are embedded in manufactured products, plants and animals generate an enormous amount of data in efforts to control inventories and improve security and safety. Trying to make decisions with inadequate, inaccurate, or untimely information is like driving a fast sports car down the highway with a very large blind spot impeding your view of the truck approaching on your side. You need to know about the obstacles that might appear in your pathway before you try to make a “real-time” correction and steer your car (or your business) off a cliff. So, students and business leaders alike please take note, I see some “analytics” in your future.


Can software developers leverage social networking?

If you are a software developer, the chances are pretty good that you’ve come across IBM’s developerWorks. With approximately 8 million registered users, this site has received a lot of use by developers looking for resources on coding, standards, and technical details on software languages like Java or applications like Lotus Notes. Lots of great information, but let’s face it – traditional web environments feel a little static once you begin to use social networking sites like Facebook or Twitter. This is why I was interested to learn about IBM’s recent introduction of My developerWorks – a transformation of developerWorks that incorporates many of the attributes of social networking.

Why is this important for developers? Technology is changing too fast and the pace of the work environment is too intense for most developers to gain new skills quickly. You can research and learn a lot of material on your own, but you can get a lot smarter and produce higher quality results if you have an effective way of learning from others and collaborating across teams. Given the economic realities of 2009, many software developers recognize that time spent keeping up with emerging technologies and understanding the business value of IT projects may make a real difference in meeting tight deadlines at work, getting a promotion or even landing a new job. These software developers often gain a lot of their information by following bloggers in their special area of interest or blog themselves to reach out to their peers. They use online reference sources, LinkedIn, Facebook, and Twitter to find solutions to a tough problem and keep in touch with colleagues. My developerWorks was designed to enable developers to incorporate many of these resources and tools into one place.

Social networking is changing the way people meet, interact, and share information. That doesn’t mean you can always make the right connections and get the right information in your specific technical area. You may know you need help with a problem, but you don’t know where to find the answer. You may expect that somewhere in your own large company there is an expert with the knowledge to help you out, but it takes a week to find him because he is located on another continent. My developerWorks is designed to help developers find the technical communities that will help them speed up this process. These are some of the things that I think developers will like about My developerWorks:

  • The ability to create your own view by adding  feeds for favorite bloggers and online forums
  • Easy ways to identify and find subject matter experts using tools  like virtual business cards
  • New ways to share ideas and project details with  work teams
  • Use of  keywords and tagging to locate people to help with your research and skill development

My expectation is that the true benefits of My developerWorks to developers will go beyond having one coordinated portal for research and blogging or Twitter feeds. The unique dynamics of social software enable people to gain value from non-predictable events. It is hard to predict the right formula or set of circumstances that will lead to innovation. You sometimes get great ideas from following unplanned threads or from pulling together information across many different environments. Developers should be able to use My developerWorks to more easily locate the right circle of industry experts and business colleagues to help foster personal growth and innovation.

In a fast-paced work environment, time often feels like your most limited resource. The business needs to get products to market faster and there is pressure on IT to deliver more efficient solutions in shorter time frames, and with lower budgets. We often need answers faster than we can even think of the question. My developerWorks is designed to help developers to become more productive at their jobs and have more fun doing it.


The battle to grab customers in a down market

I attended the HP Analyst Meeting in Boston a few weeks ago and had several discussions with the business intelligence (BI) group. It is clear to me that HP is struggling to try to figure out the best way to sell in this type of down market. Obviously, this isn’t easy for anyone.  HP’s approach to solving this problem for its BI, data warehousing, and analytics solutions was to create a BI solutions group consisting of consulting (based on the 2006 Knightsbridge acquisition) and technology (Neoview, an integrated hardware and software platform for enterprise data warehousing).  One of the best articulations of the approach HP has adopted came from a discussion by a sales executive who is on the front lines of trying to convince customers to part with cash. What struck me was the coordinated effort that was necessary to sell to a large global organization with huge data management challenges.  This got me thinking about what it takes to sell in a very tough market.

To be successful, this sales person went all out. The Neoview product team and BI consultants all pulled together to provide the right solution for the customer. Over the course of about ten weeks they conducted at least 100 interviews with the company to build strategy, roadmaps, and ROI estimates. The team worked with the customer to create a master plan that showed how HP could help the company with its goal of transforming its business.

The HP sales team leveraged many different resources to make sure they had an excellent understanding of the customer’s needs and that the company understood how HP could help. HP made sure to get executive sponsors in key leadership positions at the customer organization. They also brought in some of HP’s top thought leaders and made sure that happy customers were available to discuss their experiences. In addition, HP leveraged its partner network (including Ab Initio, SAS, and SAP Business Objects) to provide a complete solution.

Neoview was a good fit for the customer’s data management challenges. Problems with inconsistent customer information and disconnected IT systems were so hard to manage that it was becoming impossible for IT to adequately support the business. This customer’s top priorities were to regain control of its existing analytics data store and revamp enterprise customer intelligence and enterprise risk management. They liked the way Neoview was built. It is based on HP’s NonStop engineering expertise that has been used for over 30 years in industries such as financial services (stock exchanges) and telecommunication (switching) where the management of vast amounts of data is essential. Neoview is designed to support hundreds of terabytes of data and over one thousand processors. The customer also had some concerns about issues like getting its team up to speed on the product. HP stepped up to meet their concern by offering training and help with Neoview’s operation to ensure a smooth transition.

As I stepped back from this discussion, it occurred to me that successful technology sales in this type of complex market is incredibly challenging. It is simply not enough to make an announcement and hope for the best. On the one hand, the ingredients for a successful sale sound pretty simple – you need to understand the customer’s pain and provide the right solution at the right price. Easy? Try telling that to a team that just implemented a full-scale, coordinated sales push, made all the right moves, and beat out formidable competitors to win the sale. It’s not so easy, particularly with a complicated IT solution in a market where the business demands fast and cost-effective results. And, if it takes such a coordinated effort to win one sale, how realistic is it to expect to sustain these efforts over the long term?

There are three main requirements for selling IT products and solutions in today’s market:

Get the basics right. You need to provide good technology at the right price. Your marketing plan needs to be based on clear and concise messages and your sales team needs to be able to articulate those messages in a way that is just right for your customer. This sounds like a good plan in any market. The difference today is that you can’t count on some of the sales that might previously have been considered “low-hanging fruit”. For example, assume you are preparing a proof-of-concept for a prospective customer and several of this company’s developers know you and your product from their work at other companies. Although it is helpful to have strong supporters of your product on the prospect’s IT team, their support cannot overcome a product or solution that doesn’t solve real business problems. Today, the business is demanding more from IT – more business value, more trusted data, more control over costs, and more control over project time lines.

Understand your customer’s needs. You need to understand your customer’s challenges and expectations in order to make sure your product/solution is a good fit. One of the most common mistakes that software product marketing teams make when preparing marketing materials is to focus on the outstanding and differentiating features of their product from a product-centric instead of a customer-centric point of view. You need to understand what problem you are solving for your customer and how your solution will solve this problem faster, cheaper, or with more flexibility for future changes than your competitors’ products. An understanding of customer needs should happen at two levels. First, it helps to look at customers in a vertical market so your solution and marketing strategy account for industry-specific complexities and challenges. Second, you need to understand the requirements of the prospect at hand – within the context of its industry as well as unique situations such as a recent acquisition or internal changes that may impact their sales decision.

Develop a coordinated and well-organized approach. The difference between a good sales effort and a great one is in the way internal teams and business partners collaborate to put knowledge about customer needs and product/solution capabilities together to find the right fit for the customer. For many software vendors, the services or consulting team (internal team or external partnership) has a large role to play to help close the deal. For example, regulatory requirements in industries such as health care and financial services are continuing to change, making significant demands on IT environments for companies in these industries. Although you may have a great solution for handling vast amounts of data and improving data security and governance, you may not have the opportunity to prove it to your prospect without a coordinated sales effort. By bringing your product and sales teams together with a consulting team with deep experience in the regulatory and data requirements for health care and financial services you will be better equipped to show the business value of your solution.

As you try to finalize your deal, it often comes down to very similar issues across different types of customers.  They are all looking for quick, inexpensive fixes to hard problems! The reality is that there are no easy solutions to closing deals in this economy. Understanding what the customer needs is hard, but  what is even harder is making all of this scalable.

