
Tuesday, April 19, 2016

Panel Explores How the IT4IT Reference Architecture Acts as a Digital Business Enabler

Transcript of a live panel discussion on the value and direction of The Open Group Reference Architecture for managing IT as a business.

Sponsor: The Open Group.

Dana Gardner: Hello, and welcome to a special BriefingsDirect thought leadership panel discussion coming to you in conjunction with The Open Group San Francisco 2016. We'll now explore the value and direction of The Open Group IT4IT initiative, a new reference architecture for managing IT as a business.

IT4IT was a hot topic at the January 2016 conference, and the enterprise architect and IT leader attendees examined it from a variety of different angles. This panel now elevates the discussion to the level of digital business value.

And so to learn more about how IT4IT aids businesses, we are joined by Chris Davis, Professor of Information Systems at the University of South Florida and also Chairman of The Open Group IT4IT Forum; Lars Rossen, a Distinguished Technologist at Hewlett Packard Enterprise (HPE) and a chief architect for the IT4IT program; Ryan Schmierer, Business and Enterprise Architect for IT at Microsoft, and David Wright, Chief Strategy Officer at ServiceNow.

When we discuss IT4IT, I hear it described as a standard, a framework, a methodology, and a business-enabler. Chris, is it all of those, is it more, is this a whole greater than the sum of the parts? Help us understand the IT4IT potential.

Chris Davis: It could be seen as all of those. I have been academically in this space for 20 to 25 years, and the thing that is different, the thing that adds potential to this is the value-chain orientation.

As well as being a really potent technical standard, we've abstracted this to levels that can be immediately appreciated in the C Suite. People like Kathleen come along, they see it and get it, and that provides some traction. That is a very positive thing, and will enable us to pick up speed as people like Toine invite real penetration down to the CMDB level and so on.

We have this multilayer view. Lars and I articulated it as levels of abstraction, but I think the integration of Mike Porter’s stuff really adds some perspective to this technical standard that maybe isn’t present or hasn’t been present in other frameworks and tools.

Gardner: And as we explain this up the value chain into the organization, do you expect that IT4IT is something you would take to a board setting environment and have them understand this concept of a value stream and consolidating around that?

Davis: Yeah, I do. Some of the observations that were made yesterday about the persistence of models like value chain, value stream, and so on, still make enormous sense to people at the CIO level. That enables the conversation to begin and also provides the ability to see whereabouts, how much of the standard, which particular value streams, where in the organization (the various parts and perspectives) fit.

As well as being very potent and very prescriptive, we have that conceptual agility that the standard provides. I find it exciting and quite refreshing. 

Organic development

Gardner: Lars, one thing that’s also interesting to me about IT4IT is that this was an organic development within IT organizations, for and by them. Tell us how, at HPE, you developed this, and why it was a good fit for The Open Group as a standardization process? 

Lars Rossen: A couple of things made us kick this off, together with Shell initially and then a lot of members came over the years. For us in HPE, it was around consumption of our toolsets. That’s where I came from.

I was sitting on the portfolio group and I said, well, we're all drawing all of these diagrams around how it could fit together and we have these endless discussions with customers about whether this was right or this was wrong. I was completely disagreeing with all our friendly partners, as well as not so friendly competitors, about what was the right diagram.

Putting this into the open -- and we chose Open Group for that particular reason; they have shown in the past that they can create these kinds of things -- allowed us to have that common framework for defining the To-Be architecture for our customers. That simply made it much easier for us to sell our product suite. So it made a lot of business value for us.

And it also made it much easier for our consultancy service. We didn’t have to argue about the To-Be architecture; it was a given. Then, we can talk about how to actually implement it, which is much more interesting. 

Gardner: And while we are speaking about HPE and your experience there, do you have any tangible metrics of success as to how this improved? You went through a large business separation of IT departments; that must have been a difficult process. Was there anything that the IT4IT approach brought to that particular activity that you can point to as a business driver or business benefit?

Rossen: I can. A very large organization is compartmentalized in many different ways, and you could say, well, how do all of these units interchange and work with each other, because it goes both ways; it’s not only the split, but it’s also all the acquisitions we've been doing over the years.

And then we have the framework that we can use and plot things into, and we have a standardized toolset we can use and reuse over and over again.

Before we had IT4IT, we counted how many integrations we had between our various IT management products, and it ran to about 500. With IT4IT, we can drill down and see that there are only about 50 that are really interesting. Then, we can double down on those. We can now measure how much these are the ones that are being consumed moving forward, both internally within our service practice as well as with our customer base.

Gardner: Ryan, at Microsoft, I’m wondering about Bimodal IT and Shadow IT. Because you perhaps have a more concentrated view on IT and you can control your organization, you don’t have that problem – or maybe you do. Is there any degree of Bimodal IT at Microsoft or Shadow IT within your IT organization, have you addressed that, and has IT4IT been of use in that direction?

Consistency and repeatability

Ryan Schmierer: First, starting with the idea of Bimodal IT, we go back to some of the research and the thoughts coming from Gartner over the last couple of years about different parts of IT needing to work at different paces. Some need to be more agile and work faster; others need to be the foundational stalwarts of the organization, providing that consistency and that repeatability that we need.

At Microsoft, we tend to look at it a little bit differently. When you think about agile versus waterfall, it’s not a matter of one versus the other. Should we do one or the other? There's a place for both of these. They are tools within our toolbox. Within IT, there are places where we want to move in a more agile way -- where we want to move faster. There are also certain activities where waterfall is still an excellent methodology to drive the consistency and predictability that we need.

A good example of that comes with large releases. We may develop changes or features in a very agile way, but as we move towards making large changes to the business that impact large business functions, we need to roll those changes out in a very controlled, scripted way. So, we take a little bit different look at Bimodal than some companies do.

Your other question was on Shadow IT. One of the things that we have challenged a lot over the last year or so is this concept of the role of the IT organization relative to the rest of the enterprise. As we think about that, we're not thinking about IT as a service provider to the enterprise, but as a supporting function to the enterprise.

What does that mean? It means Shadow IT doesn’t exist. It just happens to be someone else within the organization providing that function. And so it becomes less of a question of controlling and preventing Shadow IT and more of embracing that outside-in approach and being able to assimilate those changes and coordinate them in a more structured way to manage things like risk and security.

Gardner: Well, we have heard that there’s a bridging of siloes benefit to IT4IT in either Bimodal or Shadow IT. Can you relay a way in which IT4IT helped you bridge silos and consolidate culturally and otherwise your IT efforts?

Schmierer: Absolutely. Very similar to some of the experiences that Lars explained at HPE, at Microsoft we've had a number of different product groups focusing on different products and solutions and service suites over the last few years.

As we've moved to more of a One Microsoft approach, we're looking at how to bring the organization and the enterprise together in a cohesive way.

IT plays a role in enabling that as a supportive function to the company and the IT4IT standard has been a great tool for us to have a common talking point, a common framework, to bridge those discussions about not only what we do internally within IT, but how the things that we do internally relate to the products and services that we sell out into the marketplace as well. Having that common framework, that common taxonomy, is not just about talking with customers; it’s about talking internally and getting the entire enterprise aligned.

Business service management

Gardner: Dave, as organizations are working at different paces toward being digital businesses, they might look to their IT organizations for leadership. We might, as a business, want to behave more like our IT organizations.

At ServiceNow I have heard you describe IT service management (ITSM) as one step toward business service management (BSM), rather than just ITSM. How do you see the evolution from ITSM to business service management and a digital business benefit? And how do you foresee IT4IT aiding and accelerating that?

David Wright: The interesting thing about IT4IT is the fact that it conceptualizes the whole four stages that people go through on the journey. I suppose you could say the gift that ITIL gave IT was to give it an operational framework to work with.

Most other parts of the business haven’t got an operational framework. If you want to request something off most parts of the business, you will send them an email. If you want something off legal, you want something off marketing, send them an email. They haven’t got a system where they can request something.

If we take some of the processes described in IT4IT and publish that in a business-service catalog, you effectively allow everyone to have a single system of engagement. They might have their own back-end systems, they might have their own human capital management system, their own enterprise resource planning (ERP) system, but how do you engage and link all those companies together?

The other thing that IT has learned over a number of different implementations is how important the experience becomes, because if you can generate an experience where people want to use it, that’s what’s going to drive adoption of it as a function.

Let’s take this room as a whole. If we all sat together and built Uber, it would be crap. It would be really good for the taxi drivers, but it would be terrible for the people who actually wanted to request the service, and that’s because we tend to build everything from the inside out.

The fact we have now got a way to elevate that position and look at it from above, and understand all those components, and be able to track all those components from start to finish, and give people visibility in where you are in that process, that’s not just a benefit to IT; that’s a benefit to anyone who provides a service.

Gardner: As we also explore ways that we can evangelize and advocate for this in our organizations, it’s helpful to have places where it works first, the crawl-walk-run approach. Chris, can you help us understand areas where applying IT4IT early and often as a beachhead works?

Need and competence

Davis: Where you have the need and the competence. Back to my earlier point about how the standard can be envisioned, and the point that David just made, what we offer in IT4IT is something that’s not only prescriptive and ready to hand, but it’s also ready to mind, so people get it very quickly.

The quick wins are the important ones, not necessarily the low-hanging fruit, but the parts of the business where opportunities like the ones that David just suggested -- if we were to try to do something like Uber -- that would be too much.

If somewhere in an organization like Microsoft -- where Kathleen is in-charge -- there is a group that can gain rapid traction, that would be most effective. Then the telling of the early success stories; the work by Toine that shows how from the early stages in the development of the architecture, it was useful at Rabobank, that adds momentum.

Gardner: Lars, same question, where did you see this as getting traction best? Maybe it’s new efforts, greenfield application development, mobile-first type development, or maybe it’s some other area. Where might you point to as a great starting point to build this into an organization?

Rossen: It’s pretty simple actually. We've done more than 50, maybe 100 engagements now using the IT4IT model with our customer base. Very often, it's the central IT. It comes out of saying, "We're too inconsistent." It’s the automation story that comes first, and then typically you end up in a discussion around Detect to Correct. It’s a familiar area and people understand the various components that are involved in that.

But going back to what you mentioned before, it's the layer approach that allows us to go in with a single slide. We can put it up in large format on the wall, and you can start to put Post-It notes on it. You don’t need to understand architecture. That implies that we can have decision makers coming in, and we break down a lot of siloes in the operations area, just with Detect to Correct. That’s where 99 percent of our engagements have been starting.

Then, the Request to Fulfill with the experience is where people want to go. That’s the Holy Grail, or one of the Holy Grails. There are actually two Holy Grails, and that’s just one of them. The other one is to be able to do Strategy to Portfolio, and no longer just say, "I have this application and I need to move it to the next version or whatever." It's understanding what are the services, not the applications, but the services I'm delivering to the business.

It isn't until you have the value streams more in order that you can start building up that service backbone that is so crucial to IT4IT.

Gardner: Is there an element of educating the consumer of IT in an enterprise to anticipate services differently? Ryan, when you mentioned earlier the Request to Fulfill value stream, I can understand how that makes a great deal of sense from IT out to the organization. But do people have to make an adjustment in order to receive things as a value stream, to consume them, to think of asking things through the lens of your being a broker organization? What must we do to educate and help the consumer of IT understand that it might be a different ballgame? 

Reducing friction

Schmierer: We need to start with the goal of reducing friction within the organization. Consumers of IT are operating in a changing landscape. I talked earlier about the network effect and how the environment is constantly evolving, constantly changing. As it does, the needs and desires of the people consuming technology and information will continue to change.

Request to Fulfill helps provide the mechanics for a corporate IT organization to become that broker of services. But if we look at that from a consumption perspective (from the users of services) it's all about enabling them to change their mind, change their needs, change their business processes faster, and removing the friction that exists within the process of provisioning today.

If something is a new technology that they want to bring into their organization, because they see a potential to it, how do we get that in there faster? The whole Request to Fulfill value stream is about accelerating the time to value for new technology coming into the organization and reducing the friction of the request process. 
When you look at how people consume things now, there is definitely a trend going on, where people are becoming more service-aware.

Gardner: Dave, anything to offer on that same side, the consumption side, rather than the delivery perspective? 

Wright: We're getting this breakdown now, where people are saying that it’s not about the CIs; it’s about the service that those CIs support, how you can take something that can have not a CI-centric CMDB, but a service-centric CMDB. How people can map those relationships. The whole consumption side of it is flipping now, as people’s expectations come in line.

The other thing I found specifically with the IT4IT concept is that people start to put together a kind of business logic very quickly around things. So they'll look at the whole process. And I had someone say to me a few weeks ago, "If I understand the cost elements of each of those, I truly know what that service costs. Could I move and actually be able to manage my system based on what it’s costing the business, not the fact it’s a server on problem or it’s a red light? It’s costing me x-amount of dollars a minute for this to be down and I’ve spent this much money actually building it and getting it out." But you have to have all those elements tied in, all the way from the portfolio element right the way through to the run element.

Gardner: So it really seems as if it also offers a value of rationalization, prioritization, but in business terms rather than IT terms. Is that correct?

Rossen: Correct.

Gardner: As I try to factor where this will work best, early, and often, not only would we look at specific parts of IT within an organization, but we might look at specific companies as a culture, as a type of company, but also vertical industries. I'll go back to you, Dave, because ServiceNow has a fairly horizontal view of many different companies. Are there particular companies that you think would be, as a culture or a type of company, better suited for adoption of IT4IT, or other vertical industries where this makes sense first?

Holistic process

Wright: The people I have seen who would be most disciplined about wanting to be able to look at things holistically right across the whole gamut have been the pharmaceutical companies. Pharmaceutical companies have come along and they're obviously very regimented in the same way finances are. They're the people who seem to be the early adopters of looking at this holistic process.

If I look at customers, the people who are adopting it first, at a low level, tend to be the financial institutions, but after that, the conversation tends to go through pharmaceuticals. I don’t think any one business has really nailed it, but this is a challenge of every company. Every company has an IT division, and they run IT, but their business isn’t to run IT; their business is inherently to provide financial services or develop drugs.

Looking at what processes people do to drive their core business, the people who are very regimented and disciplined tend to be the people who are saying there has to be a way we can gain more visibility into what we're doing from an IT perspective.

Gardner: Ryan, thoughts on the similar question about where this is applicable either as a type of company or a vertical industry?

Schmierer: I'd look at who is most threatened by the changes going on in the world today. Where are cost pressures to drive efficiencies most prevalent because they're going to have the most motivation to change quickly? I'd also look at companies that were early adopters of IT who, through their early adoption, have ended up with a lot of legacy debt that they're trying to manage and they now need to rationalize that in order to get their total IT cost profile down.

In terms of specific verticals, there are pockets within each vertical or each industry where there are opportunities here. I'd look at it from a scale perspective. If you go back to the scale model that I shared this morning about the different sizes of organizations, a lot of small organizations don’t need this, and a lot of start-ups can build it into their DNA. Some of the companies that have more legacy (more mature enterprises) have more of a fundamental need for this type of structure and are going to be able to reap some benefits more quickly or with only a few pieces of it.

It’s a scale question and it’s a risk question. Who is under the most pressure to improve their cost performance?

Gardner: So if I do IT4IT correctly, how might I know a few months later -- six months, a quarter or two down the road -- that I can attribute improvement to that particular activity?

Rossen: There are a couple of different things that I believe can be done at an abstract level, where actually within IT4IT we are trying to make more concrete key performance indicator (KPI) assessments of what would make sense in terms of measuring it. More abstractly, are you really embracing the multi-supplier options that reside in IT4IT? That’s one of the reasons we kicked it off. Shell has some good examples of what it costs to integrate a supplier. And that’s a tremendously high cost typically, because you have to design how to exchange an incident every time, over and over again, and then it becomes much more reusable.

That's a place where you see that the cost of working with your partner should go down, and you can become a service broker. That's a particular area where we would see benefits very quickly. But it's also coming back to the original question or questions. That's also where we see the typical companies that want to pick it up are the companies that really are having that pain that it's not a centralized IT any longer. It's lines-of-business IT, it's central, it’s suppliers, and you yourself are supplying to others. If you have that problem, then IT4IT is really good for you and you can quickly see benefits.

Gardner: Chris, thoughts on this notion of how do I attribute benefits in my IT organization at the business level to IT4IT?

Holy Grail for academics

Davis: This has been another Holy Grail for academics. We go all the way back to the 1970s constructive cost model and things like that. Lars hit the nail on the head. The other thing is what Kathleen said this morning. It will be less easily measured, more easily sensed; there will be changes in mindsets and so on. So it's very difficult to articulate and measure, but we're working on ways to make it much more tractable.

Wright: I've been implementing ITSM systems since the mid-90s, but we still do one thing in the same way that’s truly weird, and you are kind of hitting on this question. Can we define the outcomes?

Whenever anyone undertakes a project like this, they decide they're going to completely redefine the way that IT manages itself as a business. You probably should design the outcomes in the metrics that you want before you put the system in. Almost everyone I can ever remember implements a system and goes "Cool, let's write some reports." And then you take the reports you can get and say, "We'd like a report that shows this," and the consultant who put it in says, "Oh, you can't get that."

If only you stepped back and said, "Let's think what we want and build a system that delivers that data," it would provide a lot more value to the business.

Gardner: Well, I've had a chance to ask lots of questions. Let's go now to our architects, the people in the trenches. Dave Lounsbury, CTO at The Open Group, help us out with some practical approaches to implementing IT4IT.

Dave Lounsbury: First off, I want to mention that it's really gratifying to see that new participants like Ryan and David come in and adopt this technology, and give us their insights. So thank you very much for participating, as well as our legacy folks. IT always has a legacy, right?

Each speaker mentioned the need for better data management as part of this process, and so this is a governance issue. And who in these evolving organizations should be responsible for data governance; is it the business, is it IT, is it a third entity that should be doing that? Any thoughts on that?

Schmierer: Let me take that one. We need to start by rethinking the idea of data governance. We're trying to govern the data because we're trying to create too much data. We're spending far too much time adding overhead tasks to people who need to do their day jobs, people who are trying to execute on the value stream, in order to generate the data needed for decision-making. When we don't get the data that we're looking for to drive decisions, we apply governance and we apply more overhead on top of it.

As we think about IT4IT and the fact that we have a value stream and a separate set of supporting functions, it gives us an opportunity to ask "How can we reduce the amount of data required to be generated within the value stream itself?"

The extra data points that someone collects as a part of a request or the status updates that are created as a part of a project or an agile release, how do we get to the point that we can derive that from the operational systems themselves and let people just do their jobs? If we're not asking people to manually create data, there's no need to create governance processes for it. That's why IT4IT has a lot of value here. We're going to get greater [quality] data by making people’s jobs easier.

Service backbone

Rossen: I'd like to answer that, very much in line with what you are saying. One of the purposes of the service backbone is that everything relates back to that. If you really follow it, everything would be available. You don’t need to do anything further in terms of data skews, any log message, any incident, or any report or set of data from the development. It can all be related back to the conceptual service, and then you can have fun with creating the reports you want to do, but you don’t add any overhead to the individuals in the value chain.

Lounsbury: Can you elaborate on how best to address the people and mindset shifts you need to make as you transition to this kind of a model?

Schmierer: From a Microsoft perspective, it starts with valuing the individuals, the contributions they’ve made to the organization, and the opportunity for them to be a part of the future where the company is going. We need to make sure that we talk with individuals and reinforce that they are valuable and appreciated.

Change is always difficult. When you talk about changing skill sets, asking people to learn new skills, adopting new ways of working, it’s uncomfortable. We're moving people out of their comfort zone and asking them to do something new. But I don’t think this one is difficult at all; it’s basic. Appreciate your people and tell them thank you.

Lounsbury: So given a complex service request demand by a business user, how will IT4IT assist me in designing a service with say, five different vendors?

Rossen: Well, the first thing is that within S2P, which is really where such a thing comes in, it’s a new service that needs to be introduced. We now have the framework for working on the conceptual service that we will make up whatever is requested. But everybody in the room here should probably appreciate the fact that we're not throwing away all the good stuff that goes around TOGAF and architecture in general for the business. If it's a very complex thing, you need to have an enterprise architecture worked out for that.

But it feeds into the pipeline of that, executing it. You can split it up into projects. You can still attract them as being part of the bigger things, but it does lead to that. A very important thing in IT4IT and in the industry in general is that you have to design small things that have dependencies on each other, so one service depends on another service and so on. It’s not just an app on top of the infrastructure or platform infrastructure. It becomes much more complex with respect to that, but it’s the way the industry goes.

Lounsbury: What are the most important steps a small-to-medium sized enterprise (SME) could take to move to this service broker model that’s been advocated in IT4IT?

Wright: If it’s an SME, typically they're going to be using multiple systems coupled together. There won’t be any real formality around it. But the first thing for them is to get a common place where they can go and request these services. So that catalog is going to be structured in a way that’s easy to use.

I have a funny story. We were looking at how we designed UI/UX for our customers to interact with software, and we hired a group of people who were 23 or 24 years old to build the UI. We were showing a lot of them a standard service-management type of process you go through, and he said it was very complex, and I said it was. He asked how people learn to use it. I said, "What typically happens is you roll the system out and then you send all your users on a training course." He was horrified. He said, "You're allowed to write software that’s so bad, you have to train people how to use it?" I said, "Yes, I’ve made a good living for 25 years doing that."

Service catalog

To be able to get a catalog, especially in a smaller business where you’ve perhaps got a younger workforce, more rapid turnover, or a potential to expand, it's development system is where you don’t have to train people how to use them where it’s very intrusive. 

I go onto this, I request something, and then suddenly something pops up. I've got a task I need to do. It’s not like going in and sorting through records wondering what it all means and why I have got like 300 fields on the form and a couple of tabs to go through. It’s making work as simple as possible; that’s what’s going to drive the adoption of this.

But at a high level, what really drives the adoption is the visibility of the end result that you get from this, having that clarity of information. Imagine everyone in this room used to seeing incidents by category, so you can see a percentage of where you're spending your time, you are on hardware issues, you are doing software upgrades. No other part of the business, especially in this consolidated business model, can see that.

If you go to human resources and ask for a breakdown of percentages, how much you spend on each different type of task, you'll get some tribal knowledge ballpark figures. Same for legal, same for finance. Everyone who has been there for a while knows it, but there are no metrics. If you can provide those metrics at a top level, that just drives it further and further into the organization.

Lounsbury: One more, okay, so which one to choose? And of course people will be able to interact with these folks at the breaks and at our evening reception if I don’t get to your question. So how does IT4IT help in a situation where a company is trying to eliminate a data center and move to the public cloud? As a broker of services who owns the system integration and process services, how does that flow in the IT4IT model?

Rossen: I'll take the first crack. Again, it's a classical scenario around saying, where can you rationalize your portfolio? So do I outsource it, do I move the infrastructure to the cloud, do I still maintain the actual application, etc.? You can't make these decisions without the assistance of insight around what you're actually running, how it's being consumed, what business value it brings, which goes back to strategy to portfolio: what conceptual services do you have, how are they currently implemented, how are they running, what is the quality, how many consumers are there on it?

If you have that data, it's actually fairly easy to make these decisions, but typically, for most organizations, this exercise requires 60 spreadsheets, half a calendar year, and 60 people trying to figure that out, and in the meantime it's not really correct, right? And that's again because you don't have a service backbone, you don't really have connected information, so implementing IT4IT will allow you to make these decisions much easier.

Schmierer: Let me add onto that a little bit. As we talked about, "If you want to move something into a cloud, how can I get IT4IT to help me?" We have to remember that this is an area where the industry is evolving. We haven't got it all figured out yet. IT4IT is a great starting point for having the conversation with those folks helping you in system integration and your cloud service provider, to step through the questions about how things need to change and what needs to be done differently. "What are the things that the consuming IT organization no longer needs to do because the cloud service provider is doing them for them?"

For now, start by using IT4IT as a checklist, use it as a starting point for brokering the conversation to ask if we've thought about everything. Over time, this will get repeatable -- it will become a common pattern, and we'll just know and won’t need to have that conversation. But for now, IT4IT is a great reference model to help us have that conversation.

Gardner: Would it not make sense for you as a consumer of cloud services to wonder whether your cloud provider is using IT4IT and wouldn’t that give you a common denominator by which to pursue some of these benefits?

Tool certification

Rossen: That would certainly be in the future, when we come to tool certification within The Open Group. A cloud provider would also need to be certified, saying, well, if you find my service, I can actually provide you with an incident interface according to the standards, so it's easy for you to hand over and go back and forth if there are issues, just to take one example, right?

Gardner: Any more to offer from anyone?

Schmierer: One thing I can offer is this: since the IT4IT standard launched in Edinburgh three months ago, I can’t tell you how many emails I receive from our account teams and from customers who are asking us this exact question.

Customers are asking the question about IT4IT, how it plays into the service provider landscape and how they can use it to drive the conversation. So the word is getting out, and the best thing you can do as a consumer of this stuff, as you go work with different service providers is to ask the questions, and ask their opinion and their thoughts on it.

Gardner: I am afraid we will have to leave it there. We’ve been talking about the value and direction of The Open Group’s IT4IT initiative, a new reference architecture for managing IT as a business. And we’ve heard how the power of IT4IT can help businesses gain effective and practical business transformation benefits.

I’d like to thank our panelists, Chris Davis, Professor of Information Systems at the University of South Florida and also Chairman of The Open Group IT4IT Forum; Lars Rossen, a Distinguished Technologist at Hewlett Packard Enterprise and a chief architect for the IT4IT program; Ryan Schmierer, Business and Enterprise Architect for IT at Microsoft, and David Wright, Chief Strategy Officer at ServiceNow.

Also, a big thank you to The Open Group for sponsoring this discussion. And lastly, a big thank you to our audience for joining us.

This is Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator throughout these Enterprise IT Thought Leadership panel discussions. Thanks again for listening, and do come back next time.


Copyright The Open Group and Interarbor Solutions, LLC, 2005-2016. All rights reserved.


Wednesday, May 27, 2015

The Open Group San Diego Panel Explores Global Cybersecurity Issues for Improved Enterprise Integrity and Risk Mitigation

Transcript of a live panel discussion at February's The Open Group San Diego 2015.

Welcome to a special BriefingsDirect panel discussion overview from The Open Group San Diego 2015 on Feb. 2 through 5, 2015.

The group, which examines issues and improvements for global enterprise cybersecurity, consists of moderator Dave Lounsbury, Chief Technology Officer, The Open Group; Edna Conway, Chief Security Officer for Global Supply Chain, Cisco; Mary Ann Mezzapelle, Americas CTO for Enterprise Security Services, HP; Jim Hietala, Vice President of Security for The Open Group, and Rance DeLong, Researcher into Security and High Assurance Systems, Santa Clara University. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

Here are some excerpts:

Dave Lounsbury: Following on from the tone that they have set about where the standards have to go and what constitutes a good standard, we have a very exciting Cybersecurity Panel on what is cybersecurity in 2015.

We've heard about the security, cybersecurity landscape, and, of course, everyone knows about all the many recent breaches. Obviously, the challenge is growing in cybersecurity. So, I want to start asking a few questions, directing the first one to Edna Conway.

We've heard about the Verizon Data Breach Investigations Report (DBIR) that catalogs the various attacks that have been made over the past year. One of the interesting findings was that in some of these breaches, the attackers were on the networks for months before being discovered.

What do we need to start doing differently to secure our enterprises?
Attend The Open Group Baltimore 2015
July 20-23, 2015
Early bird registration ends June 19
Edna Conway: There are a couple of things. From my perspective, continuous monitoring is absolutely essential. People don't like it because it requires rigor, consistency, and process. The real question is, what do you continuously monitor?

It's what you monitor that makes a difference. Access control and authentication should absolutely be on our radar screen, but I think the real ticket is behavior. What kind of behavior do you see authorized personnel engaging in that should send up an alert? That's a trend that we need to embrace more.

The second thing that we need to do differently is drive detection and containment. I think we try to do that, but we need to become more rigorous in it. Some of that rigor is around things like, are we actually doing advanced malware protection, rather than just detection?

What are we doing specifically around threat analytics and the feeds that come to us: how we absorb them, how we mine them, and how we consolidate them?

The third thing for me is how we get it right. I call that team the puzzle solvers. How do we get them together swiftly?

How do you put the right group of experts together when you see a behavior aberration or you get a threat feed that says that you need to address this now? When we see a threat injection, are we actually acting on the anomaly before it makes its way further along in the cycle?

Executive support

Mary Ann Mezzapelle: Another thing that I'd like to add is making sure you have the executive support and processes in place. If you think how many plans and tests and other things that organizations have gone through for business continuity and recovery, you have to think about that incident response. We talked earlier about how to get the C suite involved. We need to have that executive sponsorship and understanding, and that means it's connected to all the other parts of the enterprise.

So it might be the communications, it might be legal, it might be other things, but knowing how to do that and being able to respond to it quickly is also very important.

Rance DeLong: I agree on the monitoring being very important as well as the question of what to monitor. There are advances being made through research in this area, both modeling behavior -- what are the nominal behaviors -- and how we can allow for certain variations in the behavior and still not have too many false positives or too many false negatives.

Also on a technical level, we can analyze systems for certain invariants, and these can be very subtle and complicated invariant formulas that may be pages long and hold on the system during its normal operation. A monitor can be monitoring both for invariants, these static things, but it can also be monitoring for changes that are supposed to occur and whether those are occurring the way they're supposed to.

Jim Hietala: The only thing I would add is that I think it’s about understanding where you really have risk and being able to measure how much risk is present in your given situation.

In the security industry, there has been a shift in mindset away from figuring that we can actually prevent every bad thing from happening towards really understanding where people may have gotten into the system. What are those markers that something has gone awry, and reacting to that in a more timely way -- so detective controls, as opposed to purely preventative type controls.

Lounsbury: We heard from Dawn Meyerriecks earlier about the convergence of virtual and physical and how that changes the risk management game. And we heard from Mary Ann Davidson about how she is definitely not going to connect her house to the Internet.

So this brings new potential risks and security management concerns. What do you see as the big Internet of Things (IoT) security concerns and how does the technology industry assess and respond to those?

Hietala: In terms of IoT, the thing that concerns me is that many of the things that we've solved at some level in IT hardware, software, and systems seem to have been forgotten by many of the IoT device manufacturers.

We have pretty well thought out processes for how we identify assets, we patch things, and we deal with security events and vulnerabilities that happen. The idea that, particularly on the consumer class of IoT type devices, we have devices out there with IP interfaces on them, and many of the manufacturers just haven’t had a thought of how they are going to patch something in the field, I think should scare us all to some degree.

Maybe it is, as Mary Ann mentioned, the idea that there are certain systemic risks that are out there that we just have to sort of nod our head and say that that’s the way it is. But certainly around really critical kinds of IoT applications, we need to take what we've learned in the last ten years and apply it to this new class of devices.

New architectural approach

DeLong: I'd like to add to that. We need a new architectural approach for IoT that will help to mitigate the systemic risks. And echoing the concerns expressed by Mary Ann a few minutes ago, in 2014, Europol, which is an organization that tracks criminal risks of various kinds, predicted by the end of 2014, murder by Internet, in the context of the Internet of Things. It didn't happen, but they predicted it, and I think it's not farfetched that we may see it over time.

Lounsbury: What do we really know actually? Edna, do you have any reaction on that one?

Conway: Murder by Internet. That’s the question you gave me, thanks. Welcome to being a former prosecutor. The answer is on their derrieres. The reality is do we have any evidentiary reality to be able to prove that?

I think the challenge is one that's really well-taken, which is we are probably all in agreement on, the convergence of these devices. We saw the convergence of IT and OT and we haven't fixed that yet.

We are now moving with IoT into a scalability of the nature and volume of devices. To me, the real challenge will be to come up with new ways of deploying telemetry to allow us to see all the little crevices and corners of the Internet of Things, so that we can identify risks in the same way that we have. We haven't mastered it 100 percent, but we've certainly tackled it predominantly across the computer networks and the network itself and IT. We're just not there with IoT.

Mezzapelle: Edna, it also brings to mind another thing -- we need to take advantage of the technology itself. So as the data gets democratized, meaning it's going to be everywhere -- the velocity, volume, and so forth -- we need to make sure that those devices can maybe be self-defendable, or maybe they can join together and defend themselves against other things.

So we can't just apply the old-world thinking of being able to know everything and control everything, but to embed some of those kinds of characteristics in the systems, devices, and sensors themselves.

Lounsbury: We've heard about the need. In fact, Ron Ross mentioned the need for increased public-private cooperation to address the cybersecurity threat. Ron, I would urge you to think about including voluntary consensus standards organizations in that essential partnership you mentioned to make sure that you get that high level of engagement, but of course, this is a broad concern to everybody.

President Obama has made a call for legislation on enabling cybersecurity and information sharing, and one of the points within that was shaping a cyber savvy workforce and many other parts of public-private information sharing.

So what more can be done to enable effective public-private cooperation on this and what steps can we, as a consensus organization, take to actually help make that happen? Mary Ann, do you want to tackle that one and see where it goes?

Collaboration is important

Mezzapelle: To your point, collaboration is important, and it's not just about the public and the private partnership. It also means within an industry sector or in your supply chain and third parties. It's not just about the technology; it's also about the processes, and being able to communicate effectively, almost at machine speed, in those areas.

So you think about the people, the processes, and the technology, I don't think it's going to be solved by government. I think I agree with the previous speakers when they were talking about how it needs to be more hand-in-hand.

There are some ways that industry can actually lead that. We have some examples, for instance what we are doing with the Healthcare Forum and with the Mining and Minerals Forum. That might seem like a little bit, but it's that little bit that helps, that brings it together to make it easier for that connection.

It's also important to think about, especially with the class of services and products that are available as a service, another measure of collaboration. Maybe you, as a security organization, determine that your capabilities can't keep up with the bad guys, because they have more money, more time, more opportunity to take advantage, either from a financial perspective or maybe even from a competitive perspective, for your intellectual property.

You really can't do it yourself. You need those product vendors or you might need a services vendor to really be able to fill in the gaps, so that you can have that kind of thing on demand. So I would encourage you to think about that kind of collaboration through partnerships in your whole ecosystem.

DeLong: I know that people in the commercial world don't like a lot of regulation, but I think government can provide certain minimal standards that must be met to raise the floor. Not that companies won't exceed these and use that as a competitive basis, but if a minimum is set in regulations, then this will raise the whole level of discourse.

Conway: We could probably debate over a really big bottle of wine whether it's regulation or whether it's collaboration. I agree with Mary Ann. I think we need to sit down and ask what are the biggest challenges that we have and take bold, hairy steps to pull together as an industry? And that includes government and academia as partners.

But I will give you just one example: ECIDs. They are out there and some are on semiconductor devices. There are some semiconductor companies that already use them, and there are some that don't.

A simple concept would be if we could make sure that those were actually published on an access control base, so that we could go and see whether the ECID was actually utilized, number one.

Speeding up standards

Lounsbury: Okay, thanks. Jim, I think this next question is about standards evolution. So we're going to send it to someone from a standards organization.

The cybersecurity threat evolves quickly, and protection mechanisms evolve along with it. It's the old attacker-defender arms race. Standards take time to develop, particularly if you use a consensus process. How do we change the dynamic? How do we make sure that the standards are keeping up with the evolving threat picture? And what more can be done to speed that up and keep it fresh?

Hietala: I'll go back to a series of workshops that we did in the fall around the topic of security automation. In terms of The Open Group's perspective, standards development works best when you have a strong customer voice expressed around the pain points, requirements, and issues.

We did a series of workshops on the topic of security automation with customer organizations. We had maybe a couple of hundred inputs over the course of four workshops, three physical events, and one that we did on the web. We collected that data, and then are bringing it to the vendors and putting some context around a really critical area, which is how do you automate some of the security capabilities so that you are responding faster to attacks and threats.

Generally, with just the idea that we bring customers into the discussion early, we make sure that their issues are well-understood. That helps motivate the vendor community to get serious about doing things more quickly.

One of the things we heard pretty clearly in terms of requirements was that multi-vendor interoperability between security components is pretty critical in that world. It's a multi-vendor world that most of the customers are living with. So building interfaces that are open, where you have got interoperability between vendors, is a really key thing.

DeLong: It's a really challenging problem, because in emerging technologies, where you want to encourage and you depend upon innovation, it's hard to establish a standard. It's still emerging. You don't know what's going to be a good standard. So you hold off and you wait and then you start to get innovation, you get divergence, and then bringing it back together ultimately takes more energy.

Lounsbury: Rance, since you have got the microphone, how much of the current cybersecurity situation is attributed to poor blocking and tackling in terms of the basics, like doing security architecture or even having a method to do security architecture, things like risk management, which of course Jim and the Security Forum have been looking into? And not only that, what about translating that theory into operational practice and making sure that people are doing it on a regular basis?

DeLong: A report I read on SANS, a US Government-issued report on January 28 of this year, said that many, or most, or all of our critical weapons systems contain flaws and vulnerabilities. One of the main conclusions was that, in many cases, it was due to not taking care of the basics -- the proper administration of systems, the proper application of repairs, patches, vulnerability fixes, and so on. So we need to be able to do it in critical systems as well as on desktops.

Open-source crisis

Mezzapelle: You might consider the open-source code crisis that happened over the past year with Heartbleed, where the benefits of having open-source code are somewhat offset by the disadvantages.

That may be one of the areas where the basics need to be looked at. It’s also because those systems were created in an environment when the threats were at an entirely different level. That’s a reminder that we need to look to that in our own organization.

Another thing is in mobile applications, where we have such a rush to get out features, revs, and everything like that, that it's not entirely embedded in the system's lifecycle or in a new startup company. Those are some of the other basic areas where we find that the basics, the foundation, need to be solidified to really help enhance the security in those areas.

Hietala: So in the world of security, it can be a little bit opaque, when you look at a given breach, as to what really happened, what failed, and so on. But enough information has come out about some of the breaches that you get some visibility into what went wrong.
Of the two big insider breaches -- WikiLeaks and then Snowden -- in both cases, there were fairly fundamental security controls that should have been in place, or maybe were in place, but were poorly performed, that contributed to those -- access control type things, authorization, and so on.

Even in some of the large retailer credit card breaches, you can point to the fact that they didn’t do certain things right in terms of the basic blocking and tackling.

There's a whole lot of security technology out there, a whole lot of security controls that you can look to, but implementing the right ones for your situation, given the risk that you have and then operating them effectively, is an ongoing challenge for most companies.

Mezzapelle: Can I pose a question? It’s one of my premises that sometimes compliance and regulation makes companies do things in the wrong areas to the point where they have a less secure system. What do you think about that and how that impacts the blocking and tackling?

Hietala: That has probably been true for, say, the four years preceding this, but there was a study just recently -- I couldn’t tell you who it was from -- but it basically flipped that. For the last five years or so, compliance has always been at the top of the list of drivers for information security spend in projects and so forth, but it has dropped down considerably, because of all these high profile breaches. Senior executive teams are saying, "Okay, enough. I don’t care what the compliance regulations say, we're going to do the things we need to do to secure our environment." Nobody wants to be the next Sony.

Mezzapelle: Or the Target CEO who had to step down. Even though they were compliant, they still had a breach, which unfortunately, is probably an opportunity at almost every enterprise and agency that’s out there.

The right eyeballs

DeLong: And on the subject of open source, it’s frequently given as a justification or a benefit of open source that it will be more secure because there are millions of eyeballs looking at it. It's not millions of eyeballs, but the right eyeballs looking at it, the ones who can discern that there are security problems.

It's not necessarily the case that open source is going to be more secure, because it can be viewed by millions of eyeballs. You can have proprietary software that has just as much, or more, attention from the right eyeballs as open source.

Mezzapelle: There are also those million eyeballs out there trying to make money on exploiting it before it does get patched -- the new market economy.

Lounsbury: I was just going to mention that we're now seeing that some large companies are paying those millions of eyeballs to go look for vulnerabilities, strangely enough, which they always find in other people’s code, not their own.

Mezzapelle: Our Zero Day Initiative, which was part of the business model, was to pay people to find things that we could implement into our own products first, but it also made them available to other companies and vendors so that they could fix them before they became public knowledge.

Some of the economics are changing too. They're trying to get the white hatter, so to speak, to look at other parts that are maybe more critical, like what came up with Heartbleed.

Lounsbury: On that point, and I'm going to inject a question of my own if I may, on balance, is the open sharing of information of things like vulnerability analysis helping move us forward, and can we do more of it, or do we need to channel it in other ways?

Mezzapelle: We need to do more of it. It's beneficial. We still have conclaves of secretness saying that you can give this information to this group of people, but not this group of people, and it's very hard.

In my organization, which is global, I had to look at every last little detail to say, "Can I share it with someone who is a foreigner, or someone who is in my organization, but not in my organization?" It was really hard to try to figure out how we could use that information more effectively. If we can get it more automated to where it doesn't have to be the good old network talking to someone else, or an email, or something like that, it's more beneficial.

And it's not just the vulnerabilities. It's also looking more towards threat intelligence. You see a lot of investment, if you look at the details behind some of the investments in In-Q-Tel, for instance, about looking at data in a whole different way.

So we're emphasizing data, both in analytics as well as threat prediction, being able to know where some thing is going to come over the hill and you can secure your enterprise or your applications or systems more effectively against it.

Open sharing

Lounsbury: Let’s go down the row. Edna, what are your thoughts on more open sharing?

Conway: We need to do more of it, but we need to do it in a controlled environment.

We can get ahead of the curve with not just predictive analysis, but telemetry, to feed the predictive analysis, and that’s not going to happen because a government regulation mandates that we report somewhere.

So if you look, for example, DFARS, that came out last year with regard to concerns about counterfeit mitigation and detection in COTS ICT, the reality is not everybody is a member of GIDEP, and many of us actually share our information faster than it gets into GIDEP and more comprehensively.

I will go back to it’s rigor in the industry and sharing in a controlled environment.

Lounsbury: Jim, thoughts on open sharing?

Hietala: Good idea. It gets a little murky when you're looking at zero-day vulnerabilities. There is a whole black market that has developed around those things, where nations are to some degree hoarding them, paying a lot of money to get them, to use them in cyberwar type activities.

There's a great book out now called 'Zero Day' by Kim Zetter, a writer from Wired. It gets into the history of Stuxnet and how it was discovered, and Symantec, and I forget the other security researcher firm that found it. There were a number of zero-day vulnerabilities there that were used in an offensive cyberwar capacity. So it's definitely a gray area at this point.

DeLong: I agree with what Edna said about the parameters of the controlled environment, the controlled way in which it's done. Without naming any names, recently there were some feathers flying over a security research organization establishing some practices concerning a 60- or 90-day timeframe, in which they would notify a vendor of vulnerabilities, giving them an opportunity to issue a patch. In one instance recently, when that time expired and they released it, the vendor was rather upset because the patch had not been issued yet. So what are reasonable parameters of this controlled environment?

Supply chains

Lounsbury: Let’s move on here. Edna, one of the great quotes that came out of the early days of OTTF was that only God creates something from nothing and everybody else is on somebody’s supply chain. I love that quote.

But given that all IT components, or all IT products, are built from hardware and software components, which are sourced globally, what do we do to mitigate the specific risks resulting from malware and counterfeit parts being inserted in the supply chain? How do you make sure that the work to do that is reflected in creating preference for vendors who put that effort into it?

Conway: It's probably three-dimensional. The first part is understanding what your problem is. If you go back to what we heard Mary Ann Davidson talk about earlier today, the reality is what is the problem you're trying to solve?

I'll just use the Trusted Technology Provider Standard as an example of that. Narrowing down what the problem is, where the problem is located, helps you, number one.

Then, you have to attack it from all dimensions. We have a tendency to think about cyber in isolation from the physical, and the physical in isolation from the cyber, and then the logical. For those of us who live in OT or supply chain, we have to have processes that drive this. If those three don't converge and map together, we'll fail, because there will be gaps, inevitable gaps.

For me, it's identifying what your true problem is and then taking a three-dimensional approach to make sure that you always have security technology, the combination of the physical security, and then the logical processes to interlock and try to drive a mitigation scheme that will never reduce you to zero, but will identify things.

Particularly think about IoT in a manufacturing environment with the right sensor at the right time and telemetry around human behavior. All of a sudden, you're going to know things before they get to a stage in that supply chain or product lifecycle where they can become devastating in their scope of problem.

DeLong: As one data point, there was a lot of concern over chips fabricated in various parts of the world being used in national security systems. And in 2008, DARPA initiated a program called TRUST, which had a very challenging objective for coming up with methods by which these chips could be validated after manufacture.

Just as one example of the outcome of that, under the IRIS Program in 2010, SRI unveiled an infrared laser microscope that could examine the chips at the nanometer level, both for construction, functionality, and their likely lifetime -- how long they would last before they failed.

Lounsbury: Jim, Mary Ann, reactions?

Finding the real problem

Mezzapelle: The only other thing I wanted to add to Edna’s comment was a reiteration about the economics of it and finding where the real problem is. Especially in the security area, information technology security, we tend to get so focused on trying to make it technically pure, avoiding the most 100 percent, ultimate risk. Sometimes, we forget to put our business ears on and think about what that really means for the business. Is it keeping them from innovating quickly, adapting to new markets, perhaps getting into a new global environment?

We have to make sure we look back at the business imperatives and make sure that we have metrics all along the road that help us make sure we are putting the investments in the right area, because security is really a risk balance, which I know Jim has a whole lot more to talk about.

Hietala: The one thing I would add to this conversation is that we have sort of been on a journey to where doing a better job of security is a good thing. The question is when is it going to become a differentiator for your product and service in the market. For me personally, a bank that really gets online banking and security right is a differentiator to me as a consumer.

I saw a study that was quoted this week at the World Economic Forum that said that, by 2:1 margin, consumers -- and they surveyed consumers in 27 countries -- think that governments and businesses are not paying enough attention to digital security.

So maybe that’s a mindset shift that’s occurring as a result of how bad cybersecurity has been. Maybe we'll get to the point soon where it can be a differentiator for companies in the business-to-business context and a business-to-consumer context and so forth. So we can hope.

Conway: Great point. And just to pivot on that and point out how important it is. I know that what we are seeing now, and it’s a trend, and there are some cutting-edge folks who have been doing it for a while, but most boards of directors are looking at creating a digital advisory board for their company. They're recognizing the pervasiveness of digital risk as its own risk that sometimes it reports up to the audit committee.

I've seen at least 20 or 30 in the last three months come around, asking, did you advise every board member to focus on this from multiple disciplines? If we get that right, it might allow us the opportunity to share the information more broadly.

Lounsbury: That’s a really interesting point, the point about multiple disciplines. The next question is unfortunately the final question -- or fortunately, since it will get you to lunch. I am going to start off with Rance.

At some point, the differences between security vulnerability failures and other kinds of failures all flow into that big risk analysis that a digital-risk management regime would find out. One of the things that’s going on across the Real-Time and Embedded Systems Forum is to look at how we architect systems for higher levels of assurance, not just security vulnerabilities, but other kinds of failures as well.

The question I will ask here is, if a system fails its service-level agreement (SLA) for whatever reason, whether it’s security or some other kind of vulnerability, is that a result of our ability to do system architecture or software created without provably secure or provably assured components or the ability of the system to react to those kind of failures? If you believe that, how do we change it? How do we accelerate the adoption of better practices in order to mitigate the whole spectrum of risk of failure of the digital enterprise?

Emphasis on protection

DeLong: Well, in high assurance systems, obviously we still treat detection of problems when they occur and recovery from problems as very important, but we put a greater emphasis on prevention, and we try to put greater effort into prevention.

You mentioned provably secure components, but provable security is only part of the picture. When you do prove, you prove a theorem, and in a reasonable system, a system of reasonable complexity, there isn’t just one theorem. There are tens, hundreds, or even thousands of theorems that are proved to establish certain properties in the system.

It has to do with proofs of the various parts, proofs of how the parts combine, what are the claims we want to make for the system, how do the proofs provide evidence that the claims are justified, and what kind of argumentation do we use based on that set of evidence.

So we're looking at not just the proofs as little gems, if you will. A proof of a theorem -- think of it as a gemstone -- but how are they all combined into creating a system?

If a movie star walked out on the red carpet with a little burlap sack around her neck full of a handful of gemstones, we wouldn’t be as impressed as we are when we see a beautiful necklace that’s been done by a real master, who has taken tens or hundreds of stones and combined them in a very pleasing and beautiful way.

And so we have to put as much attention, not just on the individual gemstones, which admittedly are created with very pure materials and under great pressure, but also how they are combined into a work that meets the purpose.

And so we have assurance cases, we have compositional reasoning, and other things that have to come into play. It’s not just about the provable components and it’s a mistake that is sometimes made to just focus on the proof.

Remember, proof is really just a degree of demonstration, and we always want some demonstration to have confidence in the system, and proof is just an extreme degree of demonstration.

Mezzapelle: I think I would summarize it by embedding security early and often, and don’t depend on it 100 percent. That means you have to make your systems, your processes and your people resilient.

This has been a BriefingsDirect panel discussion overview from The Open Group Conference in San Diego on Feb. 2 through 5, 2015.

The panel, which examined issues and improvements for global enterprise cybersecurity, consisted of moderator Dave Lounsbury, Chief Technology Officer, The Open Group; Edna Conway, Chief Security Officer for Global Supply Chain, Cisco; Mary Ann Mezzapelle, Americas CTO for Enterprise Security Services, HP; Jim Hietala, Vice President of Security for The Open Group, and Rance DeLong, Researcher into Security and High Assurance Systems, Santa Clara University.

This has been a special BriefingsDirect presentation and panel discussion from The Open Group San Diego 2015. Download a copy of the transcript. This follows an earlier discussion on cybersecurity standards for safer supply chains. Another earlier discussion from the event focused on synergies among major Enterprise Architecture frameworks. And a presentation by John Zachman, founder of the Zachman Framework.

Transcript of a live panel discussion at February's The Open Group San Diego 2015. Copyright © The Open Group and Interarbor Solutions, LLC, 2005-2015. All rights reserved.
