
Sunday, April 27, 2008

HP Creates Security Reference Model to Better Manage Enterprise Information Risk

Transcript of BriefingsDirect podcast on best practices for integrated management of security, risk and compliance approaches.

Listen to the podcast here. Sponsor: Hewlett-Packard.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect. Today, a sponsored podcast discussion about risk, security, and management in the world’s largest organizations. We're going to talk about the need for verifiable best practices, common practices, and common controls at a high level.

The idea is for management of processes, and the ability to prevent unknown and undesirable outcomes -- not at the silo level, or the instance-level of security breaches that we hear about in the news. We will focus instead on what security requires at the high level of business process.

These processes have been newly managed through Information Security Service Management (ISSM) approaches, and there is a reference model (ISSM RM) that goes along with it.

To help us learn more about ISSM, we are joined by two Hewlett-Packard (HP) executives. We are going to be talking with Tari Schreider, the chief security architect in the America’s Security Practice within HP’s Consulting & Integration (C&I) unit.

Also joining us to help us understand ISSM is John Carchide, the worldwide governance solutions manager in the Security and Risk Management Practice within HP C&I. Welcome to you both.

Tari Schreider: Thank you.

John Carchide: Thank you, Dana.

Gardner: John, we have a lot of compliance and regulations to be concerned about. We are in an age where there is so much exposure to networks and the World Wide Web. When something goes wrong, and the word gets out -- it gets out in a big way.

Help us to understand the problem. Then perhaps we'll begin to get closer to the solutions for mitigating risk at the conceptual and practical levels.

Carchide: Part of the problem, Dana, is that we've had several highly publicized incidents where certain things have happened that have prompted regulatory actions by local, state, and foreign governments. They are developing standards, defining best practices, and defining what they call control objectives and detailed controls for one to comply with, prior to being a viable entity within an industry.

These regulatory requirements are coming at us from all directions. Our senior management is currently struggling, because now they have added personal liability and fines associated with this, as each event occurs, like the TJ Maxx event. The industry is being inundated with compliance and regulatory requirements.

On the other side of this, there are some industry-driving forces, like Visa, which has established standards and requirements that, if you want to do business with Visa, you need to be Payment Card Compliance (PCI) compliant.

All these requirements are hitting senior-level managers within organizations, and they're looking at their IT environment and asking their management teams to address compliance. “Are we compliant?” The answers they're getting are usually vague, and that’s because of the standards.

What Tari Schreider has done is establish a process of defining requirements, based on open standards, and mapping them to risk levels and maturity levels. This provides customers with a clear, succinct, and articulated picture. This tells them what their current state is, what they are doing well, what they are not doing well, where they're in compliance, where they're not in compliance. And it helps them to build the controls in a very logical and systematic way to bring them into compliance.

In the 32 years of security experience I have, Tari is one of the most forward-thinking individuals I've met. It gives me nothing but great pleasure to bring Tari to a much larger audience so he can share his vision.

Information Security Service Management is his vision, his brainchild. We've invested heavily, and will continue to, in the development and maturity of this process. It incorporates all of HP’s services from the C&I organizations and others. It takes HP’s best practices, methodologies, and proven processes, and incorporates them into a solution for a customer.

So, I would like to introduce everyone to the ISSM godfather, Tari Schreider -- probably one of the most innovative individuals you will ever have the privilege of meeting.

Gardner: Thank you, John. Tari, that’s a lot to live up to. Tell us a little bit about how you actually got started in this? How did you end up being the “godfather” of ISSM?

Schreider: Well, let me compose myself from that introduction. When I joined the Security Practice, we would make sales calls to some of HP’s largest customers. Although we were always viewed as great technologists and operationally competent providers of products and services, we weren’t really viewed -- or weren’t on the radar screen -- as a security service provider, or even a security consulting organization.

Through close alignment with the financial services vertical -- because they had basically heard the same message -- we came up with a strategy where we would go out to the top 30 or so financial services clients and talk with them.

"What is it that you're looking for? Where would you like to see us provide leadership? Where do you see us as a component provider of security services? What level do you view us playing at?"

We took that information, went throughout HP, and invited individuals that we felt were thought leaders within the organization. We invited people from the CTO’s office, from HP Labs, from financial services, worldwide security, as well as representation from a number of senior solution architects.

We got together in Chicago for what we look back on and refer to as the "Chicago Sessions." We hammered out a framework based upon some early work that was done principally in control assessments, building on top of that, and leveraging experiences with delivery in terms of what worked and what didn’t.

We started off with what was referred to then as the "building of the house" and the "blueprint." Then, over the last couple of years, as we have delivered and worked with various parts of the organization, as well as clients, we realized that one of the success factors that we would have to quickly align ourselves with was the momentum that we had with HP’s ITSM, now called Service Management Framework. We had to articulate security as a security service management function within that stack. It really came together when we started viewing security as an end-to-end operational process.

Gardner: What happened that required this to become more of a top-down approach? In John’s introduction, it sounded as if there was a lot of history, where a CIO or an executive would just ask for reports, and the information would flow from the bottom on up.

It sounds like something happened at some point where that was no longer tenable, that the complexity and the issues had outgrown that type of an approach. What happened to make compliance require a top-down, systemic approach?

Schreider: One problem that we were constantly faced with was that clients were asking us, "Where is your thought leadership on security? We know we bring you in here when we have to fix security vulnerabilities on the server, and we get that. We know that you know what you are doing and you're competent there. But frankly, we don’t know what it is that you do. We don’t know the value that you can bring to the table. When we invite you in, you come in with a slide deck full of products. Pretty much, you are like everybody else. So where is your thought leadership?"

Because nobody will ever argue against the fact that HP is an operations- and process-oriented company, we wanted to leverage that. And what we wanted to do was stop the assessment and reporting bureaucracy that CIOs and CSOs and CFOs were in because of Sarbanes-Oxley and so forth, and to provide real meat to their information security programs.

The problem was, we had some very large customers that we were losing to competition, because we basically ran out of things to sell them -- only because we didn’t know we had anything to sell them. We had all of this knowledge. We had all of this legacy of doing security in technology for 20 or 30 years, and we didn’t know how to articulate it.

So we formulated this into a reference model, the Information Security Service Management Reference Model, where it would basically serve as an umbrella, by which all of the pillars of security for trusted infrastructure and proactive security management -- and identity and access management, and governance and so forth -- would be showcased under this thought leadership umbrella.

It got us invited into the door, with things like, "You guys are a breath of fresh air. We have all of these Big Four accounting firm-type organizations. They are burying us in reports. And at the end of the day we still fail audits and nothing gets done."

Gardner: I know this is a large and complex topic, on common security and risk management controls, but in a nutshell, or as simply as we can for those folks that might be coming to this from a different perspective, what is ISSM, and what does it mean conceptually?

Schreider: Well, if you look at ISSM, it’s very specifically referred to as the Information Security Service Management Reference Model. It is several things, a framework, architecture, a model, and a methodology. It's a manner in which you can take an information-security program and turn it into a process-driven system within your organization.

That provides you with a better level of security alignment with the business objectives of your organization. It positions security as a driver for IT business-process improvement. It reduces the amount of operational risk, which ensures a higher degree of continuity of business operations. It’s instrumental in uncovering inadequate or failing internal processes that stave off security breaches, and it also turns security into a highly leveraged, high-value process within your organization.

Gardner: This becomes, in effect, a core competency with a command and control structure, rather than something that’s done ad hoc?

Schreider: Absolutely. The other aspect is that through the definition of linked attributes, which we can talk about later, it allows you to actually make security sticky to other business processes.

If you're a financial institution, and you are going to have Web-based banking, it gives you the ability to have sticky security controls, rather than “stovepipes.”

If you're a utility industry, and you have to comply with North America Reliability Corporation (NERC) and Critical Infrastructure Protection (CIP) regulations, it gives you the ability to have sticky security controls around all of your critical cyber assets. Today, they’re simply security controls that are buried in some spreadsheet or Word document, and there is really no way to manage the behavior of those controls.

Gardner: Why don’t we then just name somebody the “Chief Risk Officer” and tell them to pull this all together and organize it in such a way that this is no longer just piecemeal? Is that enough or does something bigger or more methodological have to take place as well?

Schreider: What’s important to understand is that all of our clients represent fairly large global concerns with thousands of employees and billions of dollars in revenue, and with many demands on their day-to-day operations. A lot of them have done some things for security over time.

Pulling the risk manager aside and sort of leaving him with the impression that everything they are doing, they are doing wrong is probably not the best course. We've recognized that through trial and error.

We want to work with that individual and position the ISSM Reference Model as the middle layer, which is typically missing, to pull together all the pieces of their disparate security programs, tools, policies, and processes in an end-to-end system.

Gardner: It sounds as if we really need to look at security and risk in a whole new way.

Schreider: I believe we do. And this is key because what differentiates us from our contemporaries is that we are now “operationalizing” security as a process or a workflow.

Many times, when we pull up The Wall Street Journal or Information Week, and we read about a breach of security -- the proverbial tape rolling off the back of the truck with all of the Social Security numbers -- we find that, when you look at the morphology of that security breach, it’s not necessarily that a product failed. It’s not necessarily that an individual failed. It’s that the process failed. There was no end-to-end workflow and nobody understood where the break points were in the process.

Our unique methodology, which includes a number of frameworks and models, has a component called a P5 Model, where every control has five basic properties:
  • Property 1 -- People, has to be applied to the control.
  • Property 2 -- Policies, certainly has to have clear and unambiguous governance in order for controls to work.
  • Property 3 -- Processes, is an end-to-end workflow, where everyone understands where the touch points are.
  • Property 4 -- Products, means technology has to be applied in many cases to these controls in order to bring them to life and to be functioning appropriately, and
  • Property 5 -- Proof, because there have to be proof points to demonstrate that all of this is actually working as prescribed by a standard, a regulation, or best practice.

Gardner: It seems that you are weaving this together so that you get a number of checks and balances, backstops and redundancies -- so that there aren’t unforeseen holes through which these risky practices might fall.

Schreider: I couldn’t say it any better than that.

Gardner: How do I know that I am a company that needs this? Maybe I am of the impression that, "Well, I've done a lot. I've complied and studied and I've got my reports."

Are there any telltale signs that an organization needs to shift the way they are thinking about holistic security and compliance?

Schreider: I'm often asked that question. When I sit down with CFOs or CIOs or business-unit stakeholders, I can ask one question that will be a telltale sign of whether they have a well-managed, continuously improving information security program. That question is, "How much did you spend on security last year?" Then I just shut up.

Gardner: And they don’t have an answer for it at all?

Schreider: They don't have any answer. If you don’t know what you are spending on security, then you actually don’t know what you are doing for security. It starts from there.

Gardner: That’s because these measures are scattered around in a variety of budgets. And, as you say, they evolve through a “siloed” approach. It was, "Okay, we've got to put a band-aid here, a band-aid there. We need to react to this." Over time, however, you've just got a hairball, rather than a concerted, organized, principled approach.

Schreider: That’s correct, Dana. As a matter of fact, we have a number of tools in our methodology that expose this disfranchised approach to security. Within our Property #4 portion of the P5 Model, we have a tool that allows us to go in and inventory all of the products that an organization has.

Then we map that to things like the Open Systems Interconnection (OSI) Reference Model for security on a layered approach, a "defense in depth" approach, an investment approach, and also from a risk and a threat model approach, and in ownership.

When they see the results of that, they say, "Wait a second. I thought we only had 10 or 12 security products, and I manage that." We show them that they actually have 40, 50, or 60, because they're spread throughout the organization, and there's a tremendous amount of duplication.

It’s not unusual for us to present back to a client that they have three or four different identity management systems that they never knew about. They might have four or five disparate identity stores spread throughout the organization. If you don’t know it and if you can’t see it, you can’t manage it.

Gardner: Now, it sounds as if, from an organizational and a power-structure perspective, this could organize itself in several places. It could be a function within IT, or within a higher accounting or auditing level or capability.

Does it matter, or is there high variability from organization to organization as to where the authority comes for this? Do you have more of a prescriptive approach as to how they should do it?

Schreider: The answer to both of those questions is "yes." We recognize that just because of the dynamics, the culture, and the bureaucracy in many of our customers' organizations, security is going to live in multiple silos or departments. Through our P5 Model, we have the ability to basically take and share the governance of the control.

So, for example, the office of the Business Information Security Officers (BISO) or the Chief Security Officer (CSO) typically owns policies and proof. For the technology piece -- which has always been a struggle between the office of security and the office of technology on who owns what -- we can define the control of the attributes. So, the network-operations people can then own the technical controls, because they are not going to give up their firewalls and their intrusion detection systems. They actually view that as an integral component of their overall network plumbing.

The beauty of ISSM is that it's very nimble and very malleable. We can assign responsibilities at an attribute level for control, which allows people to contribute and then it allows them to have a sharing-of-power strategy, if you will, for security.

Gardner: There's an analogy here to Service Oriented Architecture (SOA) from the IT side. In many respects, we want to leave the resources, assets, applications, and data where they are, but elevate them through metadata to a higher abstraction. That allows us then to manage, on a policy basis, for governance, but also to create processes that are across business domains and which can create a higher productivity level.

I'm curious, did this evolve from the way that IT is dealing with its complexity issues? Is there an analogy here?

Schreider: It's very much similar to how IT is managed, where basically you want to push out to the lowest common denominator and as close as possible to the customer the services that you provide.

Under this whole concept of what we would refer to as BISOs, there are large components of security that should actually live in the business unit, but they shouldn’t be off doing their own thing. It shouldn’t be the Wild West. There is a component that needs to be structured for overall corporate governance.

We're certainly not shy about lessons learned and about borrowing from what contemporaries have done in the IT world. We're not looking to buck the trend. That’s why we had to make sure that our reference model supported the general direction of where IT has been moving over the last few years.

Gardner: Conceptually I have certainly bought into this. It makes a great deal of sense. But implementation is an entirely different story. How do you approach this in a large global organization, and actually get started on this? To me, it's not so much daunting conceptually, but how do you get started? How do you implement?

Schreider: One of the reasons people come to HP is that we are a global organization. We have the ability to field 600 security consultants in over 80 countries and deliver with uniformity, regardless of where you’re at as a customer.

There is still a bit of work that goes in. Although we have the ISSM Reference Model, and we have a tremendous amount of methodology and collateral, we are not positioning ourselves as a cookie-cutter approach. We spend a good bit of time educating ourselves about where the customer is, understanding where their security program currently lies, and -- based on business direction and external drivers, for example, regulatory concerns -- where it needs to go.

We also want to understand where they want to be in terms of maturity range, according to the Capability Maturity Model (CMM). Once we learn all of that, then we come back to them and we create a road map. We say that, "Today, we view that you are probably at a maturity level of ‘One.’ Based upon the risk and threat profile of your organization, it is our recommendation that you be at a maturity level of ‘Three’."

We can put together process improvement plans that show them step-by-step how they move along the maturity continuum to get to a state that’s appropriate for their business model, their level of investment, and appetite for risk.

Gardner: How would one ever know that they are done, that you are in a compliant state, that your risk has been mitigated? Is this a destination, or is it a journey?

Schreider: It's a journey, with stops along the way. If you are in the IT world -- compliance, risk management, continuity of operation -- it will always be a journey. Technology changes. Business models change. There are many aspects to an organization that require that they continually be moving forward in order to stay competitive.

We map out a road map, which is their journey, but we have very defined stops along the way. They may not ever need to go past a level of maturity of “Three,” for example, but there are things that have to occur for them to maintain that level. There's never a time when they can say, "Aha, we have arrived. We are completely safe."

Security is a mathematical model. As long as math exists, and as long as there are infinite numbers, there will be people who will be able to scientifically or mathematically define exploits to systems that are out there. As long as we have an infinite number of numbers we will always have the potential for a breach of security.

Gardner: I also have to imagine that this is a moving target. Seven years ago, we didn’t worry about Sarbanes-Oxley, ISO, and on-going types of ill effects in the market. We don’t know what’s going to come down the pike in a few years, or perhaps even some more in the financial vertical.

Is there something about putting this ISSM model in place that allows you to better absorb those unforeseen issues and/or compliance dictates? And is there a return on investment (ROI) benefit of setting up your model sooner rather than later?

Schreider: Absolutely. Historically, businesses throughout the world have lacked the discipline to self-regulate. So there is no question that the more onerous types of regulations are going to continue. That's what happened in the subprime [mortgage] arena, and the emphasis toward [mitigating] operational risk is going to continue and require organizations to have a greater level of due diligence and control over their businesses.

Businesses are run on technology, and technologies require security and continuity of operations. So, we understand that this is a moving target.

One of the things we have done with the ISSM Reference Model is to recognize that there has to be an internal framework or a controlled taxonomy that allows you to have a base root that never changes. What happens around you will always change, and regulations always change -- but how you manage your security program at its core will relatively stay the same.

Let me provide an example. If you have a process for hardening a server to make sure that the soft, chewy inside is less likely to be attacked by a hacker or compromised by malware, that process will improve over time as technology changes. But at the end of the day it is not going to fundamentally change, nor should it change, just because a regulation comes out. How you report on what you are doing is going to change almost on a daily basis.

So we have adopted the open standard with the ISO 27001 and 17799 security-control taxonomy. We have structured the internal framework of ISSM for 1,186 base controls that we have then mapped to virtually every industry regulation and standard out there.

As long as you are minding the store, if you will, which is the inventory of controls based on ISO, we can report out to any change at any regulatory level without having to reverse engineer or reorganize your security program. That level of flexibility is crucial for organizations. When you don't have to redo how you look at security every time a new regulation comes out, the cost savings are just obvious.

Gardner: I suppose there is another analogy to IT, in that this is like a standardized component object model approach.

Schreider: Absolutely.

Gardner: Okay. How about examples of how well this works? Can you tell us about some of your clients, their experiences, or any metrics of success?

Schreider: Let me share with you as many different cross-industry examples as come to mind. One of the first early adopters of ISSM was one of the largest banks based in Mumbai, India.

One issue they had was that a great deal of their IT operation was outsourced. They were entering into an area with a significant amount of regulatory oversight for security that never existed before. They also had an environment where operational efficiencies were not necessarily viewed as positive. The cost component of being able to apply human resources to solve a problem or monitor something manually was virtually unlimited, because of the demographics of where their financial institution was located.

However, they needed to structure a program to manage the fact that they had literally hundreds of security professionals working in dozens of different areas of the bank, and they were all basically doing their own things, creating their own best practices, and they lacked sort of that middleware that brought them all together.

ISSM gave them the flexibility to have a model that accounted for the fact that they could have a great number of security engineers and not worry so much about the cost aspect, but for them what was important is that they were basically all following the same set of standards and the same control model.

It worked very well in their example, and they were able to pass the audits of all of the new security regulations.

Another thing was, this organization was looking to do financial instruments with other financial organizations from around the world. They now had an internationally adopted, common control framework, in which they could provide some level of assurance that they were securing their technology in a manner that was aligned to an internationally vetted global and widely accepted standard.

Gardner: That brings to mind another issue. If I am that organization and I have gone through this diligence, and I have a much greater grasp on my risks and security issues, it seems to me I could take that to a potential suitor in a merger and acquisition situation.

I would be a much more attractive mate in terms of what they would need to assume, in terms of what they would be inheriting in regard to risk and security.

Schreider: Sure. When you acquire a company, not only do you acquire their assets, you also acquire their risk. And it’s not unusual for an organization not to pay any attention whatsoever to the threats and vulnerabilities that they are inheriting.

We have numerous stories of manufacturing or financial concerns that open up their network to a new company. They have never done a security assessment, and now, all of a sudden, they have a lot of Barbarians behind the firewall.

Gardner: Interesting. Any other examples of how this works?

Schreider: Actually there are two other ones that I would like to talk about quickly. One of the largest public municipalities in the world was in the process of integrating all of their disparate 911 systems into a common framework. What they had basically was 700 pages of security controls spread over almost 40 different documents, with a lot of duplication. They expected all of their agencies to follow this over the last number of years.

What resulted was that there was no commonality of security approach. Every agency was out there negotiating their own deals with security providers, service providers, and product providers. Now that they were consolidating, they basically had a Tower of Babel.

One thing we were able to do with the ISSM Reference Model was to take all of these disparate control constructs, normalize them into our framework, and articulate to them a comprehensive end-to-end security approach that all of the agencies could then follow.

They had uniformity in terms of their security approaches, their people, their roles, responsibilities, policies, and how they would actually have common proof points to ensure that the key performance indicators and the metrics and the service-level agreements (SLAs) were all working in unity for one homogenized system.

Another example, and it is rapidly exploding within our security practice, is the utility industry. There are the NERC CIP regulators, which have now passed a whole series of cyber incident protection standards and requirements.

This just passed in January 2008. All U.S.-based utility organizations -- it could be a water utility, electric utility, anybody who is providing and using a control system -- has to abide by these new standards. These organizations are very “stove-piped.” They operate in a very tightly controlled manner. Most of them have never had to worry about applying security controls at all.

Because of the malleability of the ISSM Reference Model, we now have one that is called the ISSM Reference Model Energy Edition. We have it preloaded with all the NERC CIP standards. There are very specific types of controls that are built into the system, and the types of policies and procedures and workflows that are unique to the energy industry, and also partnerships with products like N-Dimension, Symantec, and our own TCS-e product. We build a compliance portfolio to allow them to become NERC CIP-compliant.

Gardner: That brings to mind another ancillary benefit of the ISSM approach and that is business continuity. It is your being able to maintain business continuity through unforeseen or unfortunate issues with nature or man. What’s the relationship between the business continuity goals and what ISSM provides?

Schreider: There are many who will argue that security is just one facet of business continuity. If you look at continuity of operations and you look at where the disrupters are, it could be acts of man, natural disasters, breaches of security, and so forth. That’s why, when you look at our Service Management Framework, availability, continuity, and security-service management functions are all very closely aligned.

It's that cohesion that we bring to the table. How they intersect with one another, and how we have common workflows developed for the process in an organization gives the client a sense that we are paying attention to the entire continuum of continuity of business.

Gardner: So when you look at it through that lens, this also bumps up against business transformation and how you run your overall business across the board?

Schreider: Continuity of business, and security in particular, is an enabler for business transformation. There are organizations out there that could do so much better in their business model if they were able to figure out a way to get a higher degree of intimacy with their customer, but they can’t unless they can guarantee that transaction is secure.

Gardner: Well, great. We've learned a lot today about ISSM as a reference model for getting risk, security, and management together under a common framework, best practices and common controls approach.

I want to thank our guest, Tari Schreider, the chief security architect in the America’s Security Practice at HP’s Consulting & Integration Unit. We really appreciate your input. Tari, great to have you on the show.

Schreider: Thank you, Dana.

Gardner: I also want to thank our introducer, John Carchide, the worldwide governance solutions manager in the Security & Risk Management Practice, also within HP C&I. Thanks to you, John, as well.

Carchide: Thank you very much, Dana.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You have been listening to a sponsored podcast discussion. This is the BriefingsDirect Podcast Network. Thank you for joining, and come back next time.


Transcript of BriefingsDirect podcast on best practices for integrated security, risk and compliance approaches. Copyright Interarbor Solutions, LLC, 2005-2008. All rights reserved.

Wednesday, December 19, 2007

Holiday Peak Season Hits for Retailers Alibris and QVC -- A Logistics and Shipping Carol

Transcript of BriefingsDirect podcast on peak season shipping efficiencies and UPS retail solutions with Alibris and QVC.

Listen to the podcast here. Sponsor: UPS.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions and you're listening to BriefingsDirect.

Today, a sponsored podcast discussion about the peak holiday season for retail shopping -- online and via television -- and the impact that this large bump in the road has logistically and technically for some major retailers.

We’re going to discuss how Alibris, an online media and bookseller, as well as QVC, a global multimedia shopping network, handle this peak demand issue. The peak is culminating for such shippers as UPS this week, right around Dec. 19, 2007.

We’re going to talk about how the end-user in this era of higher expectations is now accustomed to making a phone call or going online to tap in a few keystrokes, and then -- like Santa himself -- having a package show up within a day or two. It's instant gratification, if you will, from the logistics point-of-view.

Helping us understand how this modern miracle can be accomplished at such high scale and with such a huge amount of additional capacity required during the November and December shopping period, we’re joined by two guests. We’re going to be talking with Mark Nason, vice president of operations at Alibris, and also Andy Quay, vice president of outbound transportation at QVC. I want to welcome you both to the show.

Mark Nason: Thank you, Dana.

Gardner: Tell us a little bit about what’s different now for Alibris, given the peak season demands, over just a few years ago. Have the expectations of the end-user really evolved, and how do you maintain that sort of instant gratification despite the level of complexity required?

Nason: What we strive for is a consistent customer experience. Through the online order process, shoppers have come to expect a routine that is reliable, accurate, timely, and customer-centric. For us to do that internally it means that we prepare for this season throughout the year. The same challenges that we have are just intensified during this holiday time-period.

Gardner: For those who might not be familiar, tell us a little about Alibris. You sell books, used books, out-of-print books, rare media and other media -- and not just directly, but through an online network of independent booksellers and retailers. Tell us more about how that works.

Nason: Alibris has books you thought you would never find. These are books, music, movies, things in the secondary market with much more variety, and that aren’t necessarily found in your local new bookseller or local media store.

We aggregate -- through the use of technology -- the selection of thousands of sellers worldwide. That allows sellers to list things and standardize what they have in their store through the use of a central catalogue, and allows customers to find what they're looking for when it comes to a book or title on some subject that isn’t readily available through their local new bookstore or media seller.

Gardner: Now, this is a very substantial undertaking. We're talking about something on the order of 70 million books from a network of some 10,000 booksellers in 65 or more countries. Is that right?

Nason: Roughly, that’s correct. Going in and out of the network at any given time, we've got thousands of sellers with literally millions of book and other media titles. These need to be updated, not only when they are sold or added, but also when they are priced. Prices are constantly changing. It’s a very dynamic market.

Gardner: What is the difference in terms of the volume that you manage from your slowest time of the year compared to this peak holiday period, from mid-November through December?

Nason: It’s roughly 100 percent.

Gardner: Wow!

Nason: In this industry there are actually two peak time periods. We experience this during the back-to-school season that occurs both in January and the latter-half of August and into September.

Gardner: So at the end of the calendar year you deal with the holidays, but also for those college students who are entering into their second semester?

Nason: Exactly. Our peak season associated with the holidays in December extends well into January and even the first week of February.

Gardner: Given this network and the scale and volume and the number of different players, how do you manage a consistent response to your customers, even with a 100 percent increase at the peak season?

Nason: Well, you hit on the term we use a lot -- and that is "managing" the complexity of the arrangement. We have to be sure there is bandwidth available. It’s not just staffing and workstations per se. The technology behind it has to handle the workload on the website, and through to our service partners, which we call our B2B partners. Their volume increases as well.

So all the file sizes, if you will, during the transfer processes are larger, and there is just more for everybody to do. That bandwidth has to be available, and it has to be fully functional at the smaller size, in order for it to function in its larger form.

Gardner: I assume this isn’t something you can do entirely on your own, that you depend on partners, some of those B2B folks you mentioned. Tell us a little bit about some of the major ones, and how they help you ramp up.

Nason: In the area of fulfillment, we rely heavily on our third-party logistics partners, which include carriers. At our distribution centers, typically we lease space, equipment, and the labor required to keep up with the volume.

Then with our B2B partners -- those are the folks that buy from us on a wholesale or distribution basis -- we work out with them ahead of time what their volume estimates might be and what their demands on us would be. Then we work on scheduling when those files might come through, so we can be proactive in fulfilling those orders.

Gardner: When it comes to the actual delivery of the package, tell us how that works and how you manage that complexity and/or scale.

Nason: Well, we have a benefit in that we are in locations that have scalable capacity available from the carriers. That includes lift capacity at the airport, trucking capacity for the highway, and, of course, railheads. These are all issues we are sensitive to, when it comes to informing our carriers and other suppliers that we rely on, by giving them estimates of what we expect our volume to be. It gives them the lead time they need to have capacity there for us.

Gardner: I suppose communication is essential. Is there a higher level of integration handoff between your systems and their systems? Is this entering a more automated level?

Nason: It is, year-round. For peak season it doesn’t necessarily change in that form. The process remains. However, we may have multiple pick-ups scheduled throughout the day from our primary carriers, and/or we arrange special holiday calendar scheduling with those carriers for pick-up, perhaps on a Saturday, or twice on Mondays. If they are sensitive to weather or traffic delays, for example, we know the terminals they need to go through.

Gardner: How about returns? Is that something that you work with these carriers on as well? Or is that something you handle separately?

Nason: Returns are a fundamental part of our business. In fact, we do our best to give the customer the confidence of knowing that by purchasing in the secondary market, the transaction is indemnified, and returns are a definite part of our business on a day-to-day basis.

Gardner: What can we expect in the future? Obviously this volume continues, the expectations rise, and people are doing more types of things online. I suppose college students have been brought up with this, rather than it being something they have learned. It’s something that has always been there.

Do you see any prospects in the future for a higher level of technology need or collaboration need, how can we scale even further?

Nason: Constantly, the improvements in technology challenge the process, and managing the complexity is what you weigh against streamlining even further what we have available -- in particular, optimizing inter-modal transport. For example, with fuel costs skyrocketing, and the cost of everyone's time going up, through the use of technology we look for opportunities on back-haul lanes, or in getting partial loads filled before they move, without sacrificing the service interval.

These are the kinds of things that technology allows when it's managed properly. Of course, another layer of technology has to be considered from the complexity standpoint before you can be successful with it.

Gardner: Is there anything in the future you would like to see from such carriers as UPS, as they try to become your top partners on all of this?

Nason: Integration is the key, and by that I mean the features of service that they provide. It’s not simply transportation; it’s the trackability, it’s scaling, both on the volume side and also in allowing us to give the customer information about the order, when it will be there, or any exceptions. They're an extension of Alibris in terms of what the customer sees for the end-to-end transaction.

Gardner: Fine, thanks. Now we’re going to talk with Andy Quay, the vice president of outbound transportation at QVC.

QVC has been having a very busy holiday peak season this year. And QVC, of course, has had an illustrious long-term play in pioneering both retail through television and cable, as well as online.

Welcome, Andy, and tell us a little bit about QVC and your story. How long have you been there?

Andy Quay: Well, I am celebrating my 21st anniversary this December. So I can say I have been through every peak season.

Although peak season 20 some years ago was nothing compared to what we are dealing with now. This has been an evolutionary process as our business has grown and become accepted by consumers across the country. More recently we’ve been able to develop with our website as well, which really augments our live television shows.

Gardner: Give us a sense of the numbers here. After 21 years this is quite a different ball game than when you started. What sort of volumes and what sort of records, if any, are we dealing with this year?

Quay: Well, I can tell you that in our first year in business, in December, 1986 -- and I still have the actual report, believe it or not -- we shipped 14,600 some-odd packages. We are currently shipping probably 350,000 to 450,000 packages a day at this point.

We've come a long way. We actually set a record this year by taking more than 870,000 orders in a 24-hour period on Nov. 11. This led to our typical busy season through the Thanksgiving holiday to the December Christmas season. We'll be shipping right up to Friday, Dec. 21 for delivery on Christmas.

Gardner: At QVC you sell a tremendous diversity of goods. Many of them you procure and deal with the supply chain yourselves, therefore cutting costs and offering quicker turnaround processing.

Tell us a little about the technology that goes into that, and perhaps also a little bit about what the expectations are now. Since people are used to clicking a button on their keyboard or making a quick phone call and then ... wow, a day or two later, the package arrives. Their expectations are pretty high.

Quay: That’s an excellent point. We’ve been seeing customer expectations get higher every year. More people are becoming familiar with this form of ordering, whether through the web or over the telephone.

I’ll also touch on the technology very briefly. We use an automated ordering system with voice response units that enable my wife, for example, to place an order in about 35 seconds. So that enables us to handle high volumes of orders. Using that technology has allowed us to take some 870,000 orders in a day.

The planning for this allows the supply chain to be very quick. We are like television broadcasts. We literally are scripting the show 24-hours in advance. So we can be very opportunistic. If we have a hot product, we can get it on the air very quickly and not have to worry about necessarily supplying 300 brick-and-mortar stores. Our turnaround time can be blindingly quick, depending upon how fast we can get the inventory into one of our distribution centers.

We currently have five distribution centers, and they are all along the East Coast of the U.S., and they are predominantly commodity driven. For example, we have specific commodities such as jewelry in one facility, and we have apparel and accessories as categories of goods in another facility. That lends itself to a challenge when people are ordering multiple items across commodities. We end up having to ship them separately. That’s a dilemma we have been struggling with as customers do more multi-category orders.

As I mentioned, the scripting of the SKUs for the broadcast is typically 24 hours prior, with the exception of Today's Special Value (TSV) show and other specific shows. We spend a great deal of time forecasting for the phone centers and the distribution carriers to ensure that we can take the orders in volume and ship them within 48 hours.

We are constantly focused on our cycle-time and in trying to turn those orders around and get them out the door as quickly as possible. To support this effort we probably have one of the largest "zone-jumping" operations in the country.

Gardner: And what does "zone-jumping" mean?

Quay: Zone jumping allows me to contract with truckload carriers to deliver our packages into the UPS network. We go to 14 different hubs across the country, in many cases using team drivers. This enables us to speed the delivery to the customer, and we’re constantly focused on the customer.

Gardner: And this must require quite a bit of integration, or at least interoperability in communications between your systems and UPS’s systems?

Quay: Absolutely, and we carefully plan leading up to the peak season we're in now. We literally begin planning this in June for what takes place during the holidays -- right up to Christmas Day.

We work very closely with UPS and their network planners, both ground and air, to ensure cost-efficient delivery to the customer. We actually sort packages for air shipments, during critical business periods, to optimize the UPS network.

Gardner: It really sounds like a just-in-time supply chain for retail.

Quay: It's as close as you can get it. As I sometimes say, it's "just-out-of-time"! We do certainly try for a quick turnaround.

Coming back to what you said earlier, as far as the competition goes it is getting more intense. The customer expectations are getting higher and higher. And, of course, we are trying to stay ahead of the curve.

Gardner: What's the difference between your peak season now and the more regular baseline of volume of business? How much increase do you have to deal with during this period, between late-November and mid- to late-December?

Quay: Well, it ramps up considerably. We can go from 150,000 to 200,000 orders a day, to literally over 400,000 to 500,000 orders a day.

Gardner: So double, maybe triple, the volume?

Quay: Right. The other challenge I mentioned, the commodity-basis distribution that we operate on -- along with the volatility of our orders -- this all tends to focus on a single distribution center. We spend an inordinate amount of time trying to forecast volume, both for staffing and also planning with our carriers like UPS.

We want to know what buying is going to be shipping, at what distribution center, on what day. And that only compresses even more around the holiday period. We have specific cutoff times that the distribution center operations must hit in order to meet the customers' delivery date. We work very closely on when we dispatch trucks ... all of this leading up to our holiday cutoff sequence this week.

We try to maximize ground service versus the more expensive airfreight. I think we have done a very good job at penetrating UPS’s network to maximize ground delivery, all in an effort to keep the shipping and handling cost to the customers as low as possible.

Gardner: How about the future? Is this trend of the past 21 years sustainable? How far can we go?

Quay: I believe it is sustainable. Our web business is booming, with very high growth every year. And that really augments the television broadcast. We have, honestly, a fair amount of penetration, and we can still obtain more with our audiences.

Our cable broadcast is in 90 million-plus homes that actually receive our signal, but a relatively small portion actually purchase. So that’s my point. We have a long way to go to further penetrate and earn more customers. We have to get people to try us.

Gardner: And, of course, people are now also finding goods via Web search. For example, when they go to search for a piece of apparel, or a retail item, or some kind or a gift -- they might just go to, say, Google or Yahoo! or MSN, and type something in and end up on your web site. That gives you a whole new level of potential volume.

Quay: Well, it does, and we also make the website very well known. I am looking at our television show right now and we have our www.qvc.com site advertised right on it. That provides an extended search capability. People are trying to do more shopping on the web, in addition to watching the television.

Gardner: We have synergies on the distribution side; we have synergies on the acquisition, and of using information and how to engage with partners. And so the technology is really in the middle of it all. And you also expect a tremendous amount of growth still to come.

Quay: Yes, absolutely. And it’s amazing, the different functions within QVC, the synergies that we work together internally. That goes from our merchandising to where we are sourcing product.

You mentioned supply chains, and the visibility of getting into the distribution center. Our merchants and programmers watch that like a hawk so they can script new items on the air. We have pre-scripted hours that we’re definitely looking to get certain products on.

The planning for the television broadcast is something that drives the back end of the supply chain. The coordination with our distribution centers -- as far as getting the operation forecast, staffed and fulfilled through shipping to our customers -- is outstanding.

Gardner: Well, it’s very impressive, given what you’ve done and all of these different plates that you need to keep spinning in the air -- while also keeping them coordinated. I really appreciate the daunting task, and that you have been able to reach this high level of efficiency.

Quay: Oh, we are not perfect yet. We are still working very hard to improve our service. It never slows down.

Gardner: Great. Thanks very much for your input. I have learned a bit more about this whole peak season, what really goes on behind the scenes at both QVC and Alibris. It seems like quite an accomplishment what you all are able to do at both organizations.

Nason: Well, thank you, Dana. Thanks for taking the time to hear about the Alibris story.

Gardner: Sure. This is Dana Gardner, principal analyst at Interarbor Solutions. We have been talking with Mark Nason, the vice president of operations at Alibris, about managing the peak season demand, and the logistics and technology required for a seamless customer experience.

We’ve also been joined by Andy Quay, vice president of outbound transportation, at the QVC shopping network.

Thanks to our listeners for joining on this BriefingsDirect sponsored podcast. Come back and listen again next time.


Transcript of BriefingsDirect podcast on peak season shipping efficiencies and UPS retail solutions. Copyright Interarbor Solutions, LLC, 2005-2007. All rights reserved.

Friday, October 26, 2007

BriefingsDirect SOA Insights Analysts on IBM's Information On Demand, SAP's Business Objects Grab, and How WOA Meets Guerilla SOA

Edited transcript of weekly BriefingsDirect[TM] SOA Insights Edition podcast, recorded October 19, 2007.

Listen to the podcast here. If you'd like to learn more about BriefingsDirect B2B informational podcasts, or to become a sponsor of this or other B2B podcasts, contact Interarbor Solutions at 603-528-2435.

Dana Gardner: Hello, and welcome to the latest BriefingsDirect SOA Insights Edition, Volume 26, a weekly discussion and dissection of Services Oriented Architecture (SOA) related news and events with a panel of industry analysts, experts, and guests. I'm your host and moderator, Dana Gardner, principal analyst at Interarbor Solutions.

We’re joined by a crew of three analysts and experts this week (week of Oct. 15, 2007) to discuss three basic topics, some timely, some deep and interesting. We’re going to discuss the recent IBM Information On Demand Conference and some of the news that’s emerged from that.

We’re also going to discuss Business Objects, its pending acquisition by SAP, and the news that Business Objects has been making in a very hot business intelligence market.

We’re also going to take a quick look at the pending or I suppose "sought-after" acquisition by Oracle of BEA, and what that might portend for SOA-oriented vendors in the space or the consolidation trend that we’ve been seeing for several years now.

[UPDATE: Latest business story around BEA and Oracle.]

The rest of the show today is going to deal with SOA and what’s also called Web Oriented Architecture (WOA). We want to sort out how they relate to one another, look at the notion of RESTful and some lightweight approaches and whether that is a subset of SOA or an alternative parallel universe.

To help us sort out these interesting topics, we’re joined today by Tony Baer. He is a principal at onStrategies. Welcome, Tony.

Tony Baer: Hi, Dana. How are you doing?

Gardner: Doing great. Also joining us, Jim Kobielus, principal analyst at Current Analysis. Thanks for joining, Jim.

Jim Kobielus: Thanks, Dana. Hi, everybody!

Gardner: Also joining JP Morgenthal, CEO of Avorcor. Welcome JP!

JP Morgenthal: Hello, everyone, and thank you.

Gardner: Let’s first get into the more time-sensitive issues. Jim Kobielus, you just came back from an intense road trip, attending both the IBM event and a Business Objects event this week. Let’s start with IBM. What are the main takeaways from the On Demand event that you attended?

Kobielus: It was Information On Demand in Las Vegas. About two years ago, IBM established an organizing framework for their data management, database integration, and other data solutions, called Information On Demand, and it’s just a big catch-all for the products they already had, as well as lots of new projects they’ve been developing to address data management under the SOA big top.

Last year there was a big splash, when they brought together all of their data integration and data quality tools under the solution family called IBM Information Server and integrated it all through common metadata and tooling. That was an excellent show.

This year another excellent show. I’ve been to lots of industry shows and have never been to a show with this many announcements on one day. On Monday of this week, IBM released 10 press releases, and even those press releases didn’t capture every nuance of every product announcement, enhancement, and initiative they've got going on.

It was overwhelming and impressive. First of all, IBM is enhancing pretty much every single component of their Information On Demand portfolio. They announced upgrades or enhancements to their databases, data warehousing products, their master data management (MDM) products, their data integration products under the Information Server portfolio, their enterprise content management products, the FileNet products, plus the preexisting IBM content management products.

They announced enhancements to the pre-packaged industry-solution accelerated frameworks for banking, retail, telco and so forth, to enable quick deployment of data integration and MDM.

They announced a broader range of new global professional services geared toward Information On Demand and various verticalized project accelerator offerings in Global Services. I'm looking at my cheat sheet right now, because I have to keep reminding myself exactly what transpired.

They announced that they have integrated their recent acquisition of DataMirror and its changed-data capture and a real-time replication technology into the Information Server data integration suite and also their database warehouse products and their MDM Products for real-time business intelligence (BI), data warehousing, and so forth. They also announced that they had re-branded the recent acquisition of Princeton Softech products Optim family under the IBM brand, but didn’t make any significant feature enhancements beyond what Princeton Softech was already providing.

They did lay out a reasonably good roadmap for further integration of Optim into IBM’s overall data governance and data management solution offerings. One very important uptake is that IBM, which has multiple MDM products they acquired from vendor acquisitions, is converging them onto a single product platform. That will be extensible and will be their flagship MDM server platform fully integrated into IBM Information Server and fully integrated into the DB2 9.5, the new version of the database and into the DB2 Warehouse 9.5 Data Warehouses. That’s a work in progress.

They’ve basically taken one of the existing MDM products, IBM WebSphere Customer Data Integration offering and they’ve made that essentially the DNA underlying this new converged MDM server, which will address more than just customer data integration for product information management, financial hubs, etc. So they have clearly designated a convergence platform that will be released sometime in the first quarter of 2008.

Gardner: Let me pause you right there. Now, just for a little historical context, IBM, which was very strong in databases for years with DB2, went on a bit of a buying spree a few years ago, including Ascential and some others, elevating the value of data, as a precursor to the move toward SOA. They recognized there were several major trends taking place that people wanted to cleanse and consolidate data, wanted to look at data as something separate from specific applications, and move towards the services-layer approach to data as well as MDM, and data warehousing, which is intelligence.

So, a number of industry-wide trends have buttressed IBM. They’ve been aggressive just recognizing that if they can offer a complete, integrated, and simplified approach to data as a separate resource unto itself, it gives them great entree into other aspects of SOA, as well as taking advantage of the hardware and storage requirements beneath this, the storage area network (SAN) requirements and also the management that helps their other management products such as Tivoli. Does that make sense?

Kobielus: Everything you said applies directly to IBM. One of the most exciting things from the show was that IBM is getting deeper into mashups with their tooling and their overall product and solution portfolio. In other words, everything in the IBM Information Server and the latest enhancements through all the databases is very SOA-focused, but now IBM seems to be getting into what some call WOA through a mashup toolkit, IBM Mashup Starter Kit.

They have a mashup hub, this mashup online community called QEDWiki. And, more than just the tooling, they laid out a very interesting overall organizing framework to address this area called Info 2.0. It’s not a product, but simply a vision. They had a very good discussion of where they’re going, and it’s equivalent to some of the other interesting visionary mashup offerings in the data mashup.

Gardner: Just hold that thought. I want to go to Tony Baer. Tony, given what Jim has said about IBM and what you know about their emphasis and approach to data, information, content, and almost any objects now, when you bring in FileNet and its capabilities, where do you put IBM in the greater scheme of things?

Do they really have a leadership position here, or are they trying to bite off too much? How do they compare to the other big data players, particularly Oracle?

Baer: What's really interesting is the whole idea of IBM biting off more than they can chew. IBM and Oracle are among the few organizations that could pull off something like this and not be overwhelmed by it. You and I saw this several years ago when Ascential had its analyst conference right after the acquisition by IBM and they revealed the roadmap. What's impressed me is that it’s been a very deliberate plan.

A cornerstone of that was Information Server, the whole information-server strategy. Ascential itself was kind of a mini IBM, a company that was glued together by acquisition. What they realized was they had all these disparate tools that ultimately related to the lifecycle of data in all those different forms, and, prior to the acquisition by IBM, they had a roadmap which, I believe, was called Hawk.

Kobielus: Hawk and Serrano. They had two roadmaps, Tony. They had to converge last year.

Baer: Thanks, Jim. The interesting part was that it was all going to become metadata driven and that would drive all the data-integration and data-access strategies. So, I see that as the unsung hero of all this. It provided a more global perspective IBM needed and rationalizes all of these other initiatives. It’s not that everything is acting off of Information Server as a hub, but it provides a logical core or gut unification theory.

Gardner: Oracle, also dominant with their database and installed base, moved aggressively into middleware and business applications, particularly back office applications. Did Oracle give short shrift to this whole notion of warehousing, cleansing, canonical views of data and the whole BI area? Is Oracle catching up to IBM?

Baer: Oracle has had an obviously different focus, which is more at the application layer, whereas IBM has been more focused at the integration layer. Yes, Oracle now has the integration strategy called Fusion, but Fusion is like a big, blank space waiting to be filled. I don’t want to get ahead of ourselves here, but it’s part of what underlies the BEA acquisition.

Gardner: Of course, they paid a pretty penny for Hyperion trying to catch up in that.

Baer: Up until about a year-and-a-half or two years ago, Hyperion was IBM’s OLAP data-warehousing partner. One surprising thing during all those years was why IBM didn’t acquire OLAP. IBM eventually grew that capability themselves, but to answer your question, Oracle has been clearly focused on application integration, and they have all these application lines that are becoming the critical mass, the core focus of their business. So, from that standpoint, they probably have taken their eye off the ball in terms of data as a service, per se.

Gardner: Let’s go to JP Morgenthal. JP, as a CEO of a professional services and consulting organization, you are in the field. Rather than talk about this through the eye of vendor sports and who is doing what versus another, what are the users interested in, and how important are all these exclusive advanced data issues to them?

Morgenthal: You always have two different communities -- one very active, very leading-edge group like financial services, who are always on the lookout for new technologies that are going to help them do their business faster and better, doing lots more. They are not risk averse; they are willing to throw some additional capital at those projects and see what they'll bear. Right now they are the primary community that I see that's really gung-ho on this.

The other group, let's call them the moderates or the laggards, definitely view this technology as questionable. There are a number of people who walk the line, especially in IT, and say, "Oh yeah, SOA's the future," but have no idea why they are saying that. They have no understanding exactly how they would leverage it in an organization and, when given the opportunity to gain a better understanding, are more likely, at least in my experience, to push it off, stick with their existing environments, and not worry so much about SOA. In fact, they still lean towards, "I want a complete application. I really don't want to play with this stuff."

Gardner: What about this issue of creating a comprehensive strategy around the lifecycle of data and about how that would be a precursor to SOA activities, but in the meantime getting the benefit of things like BI, data warehousing, data mining, and a better view across all the data that’s available into what's going on in the business?

Morgenthal: They love the idea. Right now, a majority of business management is focused on the business, the economy, and the other things affecting them. Those are nice to have right now, but aren't critical for most of them and that’s the way they view it.

Gardner: That's an interesting take, because this notion of getting your data act together isn't trivial. It’s very complicated, and there are a lot of interdependencies. It’s costly and it smacks of doing your homework in preparation for something that might pay off later. It's like eating your peas. Nobody wants to do it, but this is a discipline.

Therefore, people might be pushing it off, which relates to what IBM is doing, which is trying to make this comprehensive, more simplified, and more integrated, so that, in addition to those cutting edge organizations in such fields as financial services, this could be more palatable for the larger bell curve of enterprises. Does that make sense?

Morgenthal: From their perspective, yes. My concern for the industry as a whole is that people are going to view it as throwing a lot of consulting dollars down the drain and not seeing any value for it. I’ve recently joined the camp, at least academically, not in any way physically or throwing my weight behind it, but Guerrilla SOA is what I have been doing in my business. I just haven’t put a title to it.

I'm much more in favor of small, non-enterprise oriented, focused projects that deliver value within 30 to 90 days. I see that’s the greatest value right now for using these technologies based on SOA, Web services, and the like, because the enterprise stuff is nice, but right now it is too fluid for the industry to grab hold of. It’s resulting in potential large-scale problems for companies that have no idea how to build the distribution.

It all comes down to distribution. The problem with distributed environments is that very few people actually know how to manage them. In IBM's case, they are one of the founders of distributed computing. At their core, they understand it well, but they buy too much into their own marketing hype and don't tell customers well enough, "Hey, look, at the core of all this, of what you're trying to do, trying to get more agile, we lived there. We built the first computers that became agile and communicated across a network."

Gardner: Okay, hold that, because we're going to come back to that with our WOA discussion. That was very good. Let's circle back quickly to Jim Kobielus. You also attended the Business Objects show. What was the big news there, and what were people saying about the SAP acquisition?

Kobielus: The big news there of course was the pending acquisition by SAP. One of the good things was, at the very start of the keynote, Bernard Liautaud, the founder of Business Objects, reassured the customers, employees, and partners that Business Objects will be a standalone product group under SAP. It will be autonomous. It can continue to pursue its vision.

Right after Bernard spoke, they had a video from Henning Kagermann, the Chairman of SAP, issuing the same set of reassurances. Kagermann went into a little bit more detail in that video than they did the previous week when they announced that they are planning to acquire Business Objects. He said explicitly that SAP will not force Business Objects to use SAP technology.

It will be up to Business Objects whether it makes sense to use a particular piece of SAP technology in any given product, but he reassured everybody that there will be growing integration between Business Objects and SAP offerings.

But Kagermann intends to have it both ways, because he then said, “We will also make sure that Business Objects maintains an equivalent level of tight integration with all of our competitors.” He's trying to have it both ways, but at least Kagermann was speaking the right speak. From my discussions afterwards, everybody said, "Yeah, I think they are speaking in good faith. So far, so good. We’ll wait and see." The deal has not been closed yet, and it will be a couple of months.

Gardner: This proposed merger, I think, caught some people by surprise. There is continuing consolidation in the BI space, and there are a couple of other players out there, including Cognos, that people are curious about. SAP seems to have maintained for some time that they didn’t need something like this, that they had already a sufficient visibility into operations and intelligence. What changed in the world or what changed in SAP that required them to go out and get this company?

Kobielus: Oracle. Oracle is into aggressive acquisitions and continuing to bulk up performance management, BI and everything else. I think SAP saw the writing on the wall. If you look at Business Objects, its total product portfolio, in many ways, overlaps with what SAP already has under the NetWeaver umbrella, but SAP has much more, of course. They are a complete SOA vendor and a complete application vendor.

I see the convergences that are going on are all being driven by SOA mega brands that are continuing to bulk up on the full range of best-of-breed tools that enterprises are asking for. SAP, although it has BI, data warehousing, and data integration under NetWeaver, none of that is best of breed. It’s all primarily just in the box when you license their CRM or ERP applications.

Gardner: Not a lot of market presence for those yet, is there?

Kobielus: No, not really. SAP’s BI tools aren't on anybody's short list -- "Oh, I have to get BI and, therefore, I want to evaluate NetWeaver BI." SAP realizes that to go after Oracle or defend themselves against Oracle, they needed to bring in a BI mega brand under their big top, which is what they are doing.

Then again, there are a lot of complementary aspects between the two companies in terms of product portfolio, but clearly there is a lot of head-on competition. Performance management is getting crazy now, because SAP acquired OutlookSoft, Business Objects acquired Cartesis, and several other companies, and now they've got excessive duplication of financial analytics applications under the SAP family.

Gardner: Speaking about mega brands and vendors, let's move to this BEA-Oracle proposed acquisition. Oracle is apparently making a maybe not hostile, but not seemingly friendly, bid for BEA. BEA doesn't necessarily say "Go away," but, perhaps, "Sweeten the deal and we can talk."

Again, we don't know how this is going to pan out over the next several weeks, but we do seem to be having a bifurcated approach in the market. On one hand we've got the Larry Ellison view that there are only going to be two or three IT companies in the world in 10 years, and he's going to be one of them.

Then we have this other view around WOA. What JP mentioned. Let’s just do Guerrilla SOA. Let’s do what's going to make sense for us and have a relatively short return on investment, something that brings us agility. It explains why stacks around LAMP and Open Source have been popular and why tools have moved to more of an open source in an Eclipse framework. It explains why things like Amazon’s EC2 are popular with people -- just make something, load it up, and use it -- and the advance of things like scripting languages and Ruby on Rails. This is a different approach to the market.

Let's go first to Tony Baer. Tony, do we need both? Do we need the big-vendor, top-down, mega-brand -- "We’ll do it all for you and in fact, we won’t even be your vendor, in a sense, we’re going to be a partner of your company. We are going to be linked at the hips for the next 50 years?" Do we need that, and, if so, at the same time, do we also have to have this grassroots, "Let’s do it with what we can -- simple, down and dirty?"

I believe Adam Bosworth a few years ago jumped on this and said, “Geez, let’s just do what we can do, use the Web, use the simple protocols, keep it simple.” How do these two things relate, top down and bottom up?

Baer: It really reflects the state of the software-development world today. Parts of this argument we could have had 10 years ago, the whole idea of the big umbrella vendor. If nobody wanted a big umbrella vendor and wanted best of breed, SAP would not be what it is today.

I remember during the emergence of the ERP market about 10 or 12 years ago, there was a debate: “Shall we go best of breed, versus an umbrella approach?" The market has clearly spoken. However, what you've gotten at the same time is a revolution that picked up steam with the original Borland IDEs and the popularity of bottom-up development, and was energized by the original Visual Basic. There is a powerful constituency of organizations that need Guerilla SOA and need to get it done now. It’s also behind the rise of agile development.

So, you're always going to have the two, because no matter how heavily an organization enforces enterprise architecture standards or has a standard reference architecture or preferred vendors and sources and technologies, there are always going to be people within the organization's small pockets doing their own thing. That was very much behind the rise of Linux.

So, the two will coexist, and the degree of presence within an organization will reflect the internal culture and politics. I don't think in any organization you are going to have 100 percent of one and 0 percent of the other. They are going to co-exist, and the challenge is reconciling the two.

Gardner: Jim Kobielus, isn't there the likelihood that there are going to be some organizations that are centralized, that are going to make big strategic decisions and say, "We are an IBM shop, a Microsoft shop, or an Oracle shop?" And they will go to a full across-the-board partnership with that vendor. There might be certain advantages to that over time, in that they’ve only got one or two skill sets to maintain for development and deployment, and they can make deals with the vendor, but there is also risk. They get lock-in and they can be told what they are going to pay for IT, and not get a chance to bid for it.

So, there's one type of organization, and we've seen plenty of examples of that. At the same time we've seen organizations that say, "Listen, we want to have a variety of technologies, to be experimental, to innovate, and to take advantage of the latest and greatest. We like open source, we like visibility." Are we talking about bifurcation between one kind of a company and another kind of a company, or are these going to be influences that happen inside the same company, but might lead to tension and even discord?

Kobielus: I don’t think it’s bifurcation between one type of company versus another. Most companies will continue to standardize on a limited range of strategic vendors for their core infrastructure. However, in every organization you have alternate sourcing approaches that different individuals and groups and functions pursue at various times.

Everybody is going to run around the corporate standard, if the corporate standard doesn't meet their needs. It's the actual knowledge workers, the end users. If IT can't give them what they need, they are going to find it some other way. If what the knowledge worker needs is not being funded out of capital budgets and being supported by IT, they're going to pay for it out of their monthly expenses. They are just going to grab it for free on the Internet and mash it up.

One of the things that I liked at the IBM show was, as I said, the Info 2.0 strategy. They explicitly said, "We recognize that our core customers, the Fortune 500, the IT groups, etc., are very top down, in terms of 'We would love them to go with the IBM mothership,' but we recognize that the people on the front lines are feeling the pain points."

The knowledge workers don't necessarily subscribe to that top-down, monolithic approach. They will go out and grab what they need from the Internet. IBM would love to provide the basic tools, be they closed source, open source, or whatever, that become the de facto standard for knowledge workers mashing up everything all over creation. Different individuals in organizations take different approaches to get the solutions they need ASAP.

Gardner: JP, in the field, do you find that some of the clients you work with are of a mind to be either centralized and big-vendor oriented, comprehensive and strategic, or do they have a culture that tends to be more of the Guerilla SOA approach? Is it a shift from one company to another in how they do this? Or are these things happening simultaneously inside the same organization, both the top-down and bottom-up approaches?

Morgenthal: In the past year and a half, I've been focusing more on the small and mid-sized market, and these guys just want to get something done. The interesting thing is that they don't spend their time sitting there wondering whether they're going to do Web services or SOA. It's more like 1,500 calls coming in a day, they're being bombarded, and yet they still have to get stuff done. So, it's the backlog.

Then you come in and you tell them, "Hey, in three weeks I can give you a completely new wrapper around everything you have, leave exactly what you have in place, but allow you to do everything you wanted to, the way you want to do it." At first, they say, "Right, show me." Once you show them, it opens up a non-stop flow. They get it the minute they see it.

The biggest and most exciting thing I have seen is that the end users, who have been using the same system the same way for maybe 5 or 15 years, get a whiff of this new stuff. At first they're hesitant, but they approach it, they grab it, and they absorb it. A week later, they're asking you, "Can we do this, can we do that, can we do . . . " All of a sudden, it just starts a fire, and that is really the most amazing thing I have seen in a long time.

The alternative in my world is to spend a year implementing Red Prairie, Manhattan Associates, JDA or something like that, and, maybe after a painful process of learning how to use all the new screens and new data, you might get something good out of it. You can just almost feel the "running on ice" that the end users are getting through this process, versus the modern quick, "Wow, this is amazing. Let's build it and let the business drive it." They take hold of it and they take the responsibility. They're hungry and they start asking for new features within a week.

Gardner: It really opens up innovation at a level where people in IT can have a complementary relationship, rather than a sequential one.

Baer: Yeah, it's a cool development by so-called amateurs, facilitated by their social network -- the whole Web 2.0 thing. It has a Facebook paradigm almost.

Gardner: Let's do a little primer stop here on WOA. As I said, my first smell of this in the market was probably four or five years ago, when Adam Bosworth, who, I think, at the time was with BEA, and who recently just left Google, brought a sort of manifesto. "Enough with all this distributed Java stuff, the heavy lifting, the intense object orientation, and these long, sequential development projects that take 6-12 months. Let's get down and dirty with the lightweight, take advantage of open source, start using scripting and being 'of, for and by' the Web."

That sort of led to talk of rich Internet applications (RIAs) and we had the arrival of and wildfire around AJAX, that was related to SOA activities, where we could have mashups and front ends of Web services that would relate to a SOA backend or architectural approach.

Then about a year or year-and-a-half ago, we started seeing WOA. I believe it was a Gartner acronym -- they are very good at acronyms -- and it's also been called Enterprise Web 2.0 or Enterprise 3.0. But, it's really putting emphasis on REST, as a way of leveraging HTTP as a Web service, and now WOA is becoming more of an emerging best practice. Guerrilla SOA better captures what it's up to or about than WOA. We have seen a number of people, including Dion Hinchcliffe, be prolific on this.

So, this notion of an application with a REST style for building Web services based on straight HTTP and XML sort of applies to what JP has been talking about. Are we talking about the same thing? Are Guerilla SOA and WOA the same thing, Tony Baer?

Baer: I would say that conceptually they're similar. I'm sure there are probably purists who would probably come up with their own unique definitions to reflect the idiosyncrasies of each of the terms, but, I think it refers to an overall style that JP describes very well from his experiences in the field. It’s the same drive that’s basically made agile-development techniques so popular.

The idea is that we have pain points we need to address today, but we need a planning methodology that’s robust enough so that we don’t keep chasing our tails. At the same time, we also need technologies we can use to make this simple.

For example, when you look at just the difference in style between conventional Web services and RESTful ones, there is a little bit of an irony. Conventional Web services were touted as a simpler alternative to an earlier incarnation of SOA, which was CORBA. This reflects a growing maturity in the field. As we started getting a little more experience working with some of those Web-services technologies, we realized that maybe we didn't always need those complicated SOAP headers. So, why not dispense with that, because most of our needs right now are for simple things like fetching data.

So, going back to some of the old SQL metaphors, a lot of the RESTful style owes a huge debt to SQL, simple commands for getting, inserting, and changing data. So, if it gets the job done, who cares about trying to do these complex, composite, orchestrated applications? Let’s just use some REST style, and by the way, why don’t we just mash up the results on a screen.

Kobielus: Can I say a few things?

Gardner: Yes, please.

Kobielus: I could out-acronym Gartner any day of the week, so I'm going to call it GOA. We have Guerilla Oriented Architecture versus Governance Oriented Architecture. When we talk about standard SOA, it’s GOA, for governance, software development lifecycle, and so forth. Until a couple of days ago, when you guys told me of this acronym, I hadn’t even realized that there was a new acronym here.

The 'W' in WOA stands for Web. If you think about the new paradigm, the 'W' could stand for Water cooler, it's Water cooler Oriented Architecture. It could stand for Wow!, the user doing something and saying, "Wow, hey, I'm going to share this with you in my social network. Look at this that I just built. Can you add on to this?" It could stand for Wiki...

Gardner: Or Widget.

Kobielus: Yes, Widget, exactly. Hey, I’m going to write this down. It could stand for Wiki Oriented Architecture, that sort of governance-light, or governance-free style. It could stand for Widget…

Gardner: Wisdom Oriented Architecture, wisdom of the crowds, right?

Kobielus: Yeah, I'm agreeing with everything that Tony, JP, and you, Dana, have said. This is coming on like gangbusters. If IBM feels that it needs to assertively establish its own framework in this new paradigm, and then to provide multiple tools, and to really put a high-level mucky-muck to talk about this vision with the analyst community, I think it's pretty serious.

Gardner: All right. Is this a case of barbarians at the gate, where we have got the water-cooler folks, who are just technically savvy enough that they can do mashups? Some of the younger folks who come into organizations from colleges where they have been building their own pages for years are very adept at working with scripts, HTML, and XML. Are they just going to say, "Listen, we’re not going to have anything to do with IT. You just give us the APIs, give us access to the data, and we'll make the business processes, the Guerilla SOA happen." Is that what we've got here?

Baer: Yeah, pretty much.

Gardner: JP, what do you think? Is that what you’re seeing?

Morgenthal: We can’t help but to constantly be impacted by the knowledge of students coming out of school more and more technologically savvy. My kids started using a computer at three years old. They were already programming at 13-14 years old. So, are you telling me that they’re going to sit around and wait for Joe up in IT to come down and fix something? Are you kidding me? These kids are setting up their own network. They’re hooking up wireless. They’re using cell phones as tools.

These people are not going to sit around waiting for some guy in a glass house, and businesses better learn that now, and better start preparing for it now.

The way to do that is to start looking at their existing systems and figuring out where things are bottlenecked, where things are log jammed, and let them run with it. Otherwise, they’re going to get frustrated and they’re going to go to the places where they can do that.

Gardner: So, it’s almost a radical departure. We’re looking at innovation almost like we’ve seen in markets. Venture capital will spend dollars across multiple startups, knowing that a large percentage of them will fail, but that they get innovation and they get disruption as a result, and they are willing to accept that risk.

It seems as if we could take this a radical step further, which is to say, we need to decompose and change the actual structure of corporations, to not be large assemblages of reusable and extendable and scalable resources; whether it’s logistics, shipping, manufacturing, energy, or IT. Instead, we should look at this more like an ecology, a universe of different folks -- either individuals or small groups -- going out, being innovative, letting some of them fail, but when something sticks and works, then start using it as a standard operating procedure.

Does anybody share my view that this could really move towards a radical change of how corporations are actually structured?

Kobielus: What it comes down to is that a corporation innovates, differentiates, and survives based on the initiative of individuals taking the bull by the horns and solving problems. So, in a sense, BI could stand for Business Initiative.

It comes down to the knowledge workers and the people who are in the operational front lines. Generally they feel the pain, and, therefore, they have the greatest personal stake in implementing a solution ASAP at some micro level that addresses at least their local pain point.

So, you want to empower these people. You want them to feel that there is a quick time to a solution, that the solution is within their control, and that they can implement it without too much paperwork and bureaucracy.

Gardner: The recent issue of The Economist magazine that came out October 15 has a special section on innovation. Interestingly enough, they sort of pointed out the same conundrum. The corporations traditionally needed to exist because of the requirement of huge capital brought together in large R&D budgets to solve massive technical problems. They're being overshadowed by groups of 8 to 10 people that then create a startup using their credit cards, access to Web services, and low-cost computing, storage, and networking. Innovation is happening among these small groups.

It almost negates the advantage that large corporations have had. If it's the case that the structure of the corporation shifts towards grassroots, be it inside the organization or from small companies that they look to as suppliers, or potential acquisition targets, then what does that say to the view of somebody like an Oracle or an IBM which are bulking up and trying to become everything to everyone, particularly those large corporations?

Kobielus: Well, it comes down to the fact that the centers of initiative or centers of excellence need to be encouraged. When I say "centers," actually decentralized centers of excellence, need to be encouraged, empowered, and have control over the tools available to them. They need to be able to mix and match across the SOA universe. They're not going to necessarily want to buy everything from Oracle, SAP, or IBM. It comes down to: they need their money and they need to be able to control the purse strings locally to meet their local requirements.

Gardner: What I’m getting at is that the rationale, or one major rationale, for the very existence of corporations was that they needed to have scale. They needed to be able to create enough capital under one roof to create efficiencies for all the participants in the corporation to leverage. Now, it's shifting away from "under one roof" to the Web, so that you can now get a lot of the resources. The scale and efficiency actually works more in your favor, when you go decentralized. That much you needed to do before under a large cap-ex expenditure kind of environment.

Is anybody following me on this? The Web itself and the WOA and the Guerilla SOA are all part of the same trend, which is away from the need for a large corporate umbrella, but that you can get things done, satisfy customer needs, be innovative and agile in new markets, and can go global, all based on not needing one big umbrella, but leveraging what's available across a rich, fertile, open ecology?

Kobielus: You hit on the important metaphor there, and it's a horticultural metaphor, away from the walled garden, toward more of a wildflower meadow. Let a thousand flowers bloom. A vibrant corporation is one that can sustain an ecology of wildflowers. The beautiful ones pop up and get cultivated, and, hopefully, it's a prettier meadow, generation after generation, through natural selection.

Gardner: We’ve discussed on the show many times how SOA is disruptive, requires cultural and organizational change in companies, and it’s really hard. We’ve had the discussion of the culture within IT, and the culture within business. How are we ever going to get them to come together?

Maybe we ought to take the disruption discussion to another abstraction level, which is to say, "To hell with the big corporation, and the central IT department. Let's create small, independent companies, where people can live and work anywhere, can contribute their expertise, can be innovative, and, in a sense, we're talking about the deconstruction of the monolithic corporation that's been with us for a couple of hundred years."

Baer: Dana, if you look at the evolution of the manufacturing sectors versus the automotive industry, it’s a great case in point. There's been a devolution from the classic, "build everything under one roof," which was epitomized by the Ford River Rouge Complex to today's auto industry, where essentially they're putting together what could be called agile coalitions of suppliers. The companies that best tap that are the ones that can reduce time to market.

Gardner: What do you think, JP? Does that make sense, given the small and medium-sized companies you work with? Are they becoming aspects of various business change, and that it would never make sense for them to be all trying to bulk up under one large roof?

Morgenthal: I think they are years behind focusing on that. There are two aspects. There are small companies that have started in the last five years with the paradigm on their side. Then, there are hundreds of thousands of small companies that were started, let's say, prior to the end of the 1990s, not born of the paradigm, focusing on how to survive day-to-day. I think a tsunami is coming their way, and they have no idea how to get out of the way, and they're going to drown.

Gardner: Interesting! Well, I would like to take these technology discussions up a notch and see how they affect economics and behavior. I agree that we’re up against a real sea change. It’s not just the use of SOA or the changing relationship between IT and business within large companies, but the very notion of how capital can best be used, productivity be best leveraged and extended, how people can be made happy and fulfilled in their lives, make enough of a living, and have a stake in what they are doing?

It's going to take years or decades, but we really seem to be at more than just a shift here technologically. It really seems to be a shift in how business is done and how people relate to one another.

Baer: I'll add something to that, because I wrote a white paper, and this was one of my actual ROI propositions to these people. They have to face -- and nobody wants to face this key issue -- the labor shortage we're facing as the baby boomers start to leave the IT environment.

Everyone thinks that India, northern Asia, and Eastern Europe are going to be able to pick up the pieces of this old code, and keep running with it, as people start to leave the workforce here in America. The truth of the matter is that maybe in 15, 20, or 30 years they might be ready to, but there is more to understanding code than just reading it. It's understanding the context behind it.

I worked with an offshore India team quite closely. They get the code. They can do anything you tell them to do, but they don’t understand the business context behind the code. You can explain it 20 times, and they still won’t get it. They absorb things most times at a very, very technical level. They can be excellent development teams, but there is a difference between being able to understand the business context of why something is done and doing it just because this is the sequence of events.

Therefore, you’re going to have a huge gap in about 10 years of people who understand the business context behind the stuff leaving the workforce. Nobody wants to face that. Nobody wants to invest in it. Nobody wants to understand it. And, nobody wants to think about how do I move from where they are to where they need to be, so that they're never impacted by this again? That is our next "millennium problem." The millennium bug, the year changeover, the devastation it caused, that’s nothing compared to people leaving the workforce in droves.

Gardner: We have this big labor swap out, and they’re not fungible. One can’t replace the other. It has to be a shift toward something new and different.

Baer: It doesn’t have to be new or different. You need to get to a point where the business context isn’t so tightly encapsulated in the working system, but with the people. You can’t lose knowledge. Right now that knowledge is heavily entwined.

Gardner: All right, let’s leave it there. Again, another great discussion. I appreciate your time. We’ve been talking about the announcements from IBM at their Information On Demand Conference, the pending merger of Business Objects with SAP, the proposed merger of BEA and Oracle, and how all those things relate to what we now know as Web Oriented Architecture, but what I like better is Guerilla SOA.

To help us work through this, we’ve been talking to Tony Baer, a principal at onStrategies. Thanks again, Tony.

Baer: Dana, thanks much.

Gardner: Jim Kobielus, principal analyst at Current Analysis. Thanks again, Jim.

Kobielus: Always a pleasure!

Gardner: And JP Morgenthal, the CEO of Avacor. Thanks, JP.

Morgenthal: Thank you, and I’m glad this time I could have more input and value than I did in the last conversation.

Gardner: You were fine before too. Don’t worry about it. The last time, we had seven people on, so, a smaller group is better.

I want to thank you for listening, this is Dana Gardner, principal analyst at Interarbor Solutions. You’ve been listening to the latest BriefingsDirect SOA Insights Edition, Volume 26. Come back next time. Thank you.


Listen to the podcast here.
If any of our listeners are interested in learning more about BriefingsDirect B2B informational podcasts or to become a sponsor of this or other B2B podcasts, please feel free to contact Interarbor Solutions at 603-528-2435.


Transcript of BriefingsDirect SOA Insights Edition podcast, Vol. 26, on industry mergers and acquisitions, Guerilla SOA, and Web Oriented Architecture. Copyright Interarbor Solutions, LLC, 2005-2007. All rights reserved.