Thursday, August 06, 2009

Cloud Pushes Enterprise Architects' Scope Beyond IT into Business Process Optimization Role

Transcript of a sponsored BriefingsDirect podcast on the role of architecture within the enterprise. Recorded live at The Open Group's 23rd Enterprise Architecture Practitioners Conference and 3rd Security Practitioners Conference in Toronto.

Sponsor: The Open Group.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today we welcome our listeners to a special sponsored podcast discussion, coming to you from The Open Group’s 23rd Enterprise Architecture Practitioners Conference in Toronto. This podcast, part of a series of events and live discussions here the week of July 20, 2009, centers on the fast changing role and expanding impact of enterprise architecture (EA).

The EA role is in flux, especially as we consider the heightening interest in cloud computing and in the fluid sourcing options for IT applications, data services and infrastructure, not to mention business processes that fall outside of IT entirely.

The down economy has clearly focused IT spending and analysis on priorities and doing cost-benefit types of activities, with an eager eye to seek out faster, better, and cheaper means to acquire and manage IT functions and business processes.

We've already seen a great deal of interest and activity around platform as a service (PaaS) and the application development and testing phases of an application's lifecycle. Many of us expect to see a great deal more of the application lifecycle, from design time and long-term production and integration across different aspects of processes inside and outside of the organization to become more part of a mixture of services.

These will become internal, external, and hybrid, and a lot of different sourcing innovations are yet to come. Soon many of these will skirt IT altogether.

So, as these service components shift in their origins and delivery models, the task of meeting or exceeding business requirements based on these services becomes all the more complicated. The new services era calls for powerful architects who can define, govern, and adjust all of the necessary ingredients that they must creatively support and improve upon during a lifecycle over many years.

Who or what will step into this gulf between the traditional means of IT and the new cloud ecology of services? These demands will be extended, of course, across different organizations and the requirements that they have.

The architect's role, still a work in progress at many enterprises even today, may well become the key office where the buck stops in this era. What then should be the role and therefore the new opportunity for enterprise architects?

Here to help us lead the way in understanding that complex and dynamic issue set, we're joined by Tim Westbrock, managing director of EAdirections. Welcome, Tim.

Tim Westbrock: Thank you.

Gardner: We're also joined by Sandy Kemsley, an independent IT analyst and architect herself. Welcome.

We're also joined by John Gotze, international president for the Association of Enterprise Architects. Thank you, John.

Let me go to Tim first. What are you seeing as a general set of what we would now consider architects? What are they doing?

Two different kinds

Westbrock: On average, you have two different kinds of enterprise architects. One is a very solution-oriented enterprise architect. They're ones that do try to keep the breadth of the enterprise in focus, but they are focused on individual solutions. They're focused on it holistically, meaning they're not just looking at a specific technology or a specific application.

They're bringing that holistic advantage, but they tend to be less transformational. They tend to be driven by operational goals. They tend to be driven by immediacy. That is one of the biggest reasons that we don't have a lot of reuse, because of the lack of breadth at the solution layer.

The other one is still not in the main. The more strategic enterprise architects depend on the strategic nature of the executives of the organization. If we're going to bring it into layers of abstraction, they don't go more than a layer or two down from strategy. They tend to be the ones that do develop a community of practice that has solution architects involved in it. Their takeaway from that is the EA's perspective, and they have to take that down to the solution layer. That's what I see in the main today.

Gardner: Does that mean we're primarily dealing with tactical issues?

Westbrock: In the large, enterprise architects are still more tactically oriented.

Gardner: Sandy?

Sandy Kemsley: I absolutely agree, I see that a lot. I work a lot with companies to help them implement business process management (BPM) solutions, so I get involved in architecture things, because you're touching all parts of the organization then. As you say, Tim, a lot of very tactical solution architects are working on a particular project, but they're not thinking about the bigger picture.

Gardner: John, it seems that the economy has focused people's attention at looking at the bigger picture. If you stay tactical, you can control and manage costs. You can manage complexity. You can't transform very well. How, in your perception, is this down economy and these new pressures, shifting this role?

John Gotze: Actually, it's helping to change the focus in EA from the more tactical to the more strategical issues. I've seen this downturn in the economy before. It's reinforcing the changes in the discipline, and EA is becoming more and more of a strategic effort in the enterprise.

There are some who call us enterprise architects by profession, and this group at The Open Group conference is primarily people who are practitioners as enterprise architects. But, the role of EA is widening, and, by and large, I would say the chief executive is also an enterprise architect, especially with the downturn.

Gardner: We saw some indications earlier that there is potentially a growth opportunity for these architects to report to the COO perhaps, rather than the CIO, the information officer. Tim, does that present to you sort of a harbinger of what you would expect?

Less technology-only focus

Westbrock: I was a little surprised to see that, quite honestly. Maybe it's because a lot of CIOs and CTOs report up through a CFO or COO. If you looked at that wording, it was "Ultimately, where does the EA report?" But, I don't see that a lot.

Combining this with a little of the answers to the last question, one of the good transformations, or evolutionary steps that I have seen in enterprise architects is less of a technology-only focus. Enterprise architect used to be synonymous with some kind of a technology architect, a platform architect, or a network architect, and now you are seeing broader enterprise architects.

I still don't think business architecture is within the domain of most IT enterprise architects. I think the economy, maybe -- external service providers, maybe. There are some different drivers that are getting some organizations to think more holistically about how the business operates.

That leads to modeling. Modeling means we need architects. We're getting involved in some of these more transformational elements, and because of that, need to look at the business. As that evolves more, you might see more business ownership of enterprise architects. I don't see it a lot right now.

Gardner: Okay. Sandy, we talked a little bit about the economic pressures, but this is happening in tandem with some other large technology trends: a greater emphasis on services orientation, more emphasis on governance, and trying to bring in services from a variety of sources.

Looking at what should be core and internal and what might be outsourced or provisioned from a cloud environment, whether it's yours or someone else's or some combination, where does the authority shift from an IT department when we start bringing in these larger external organizations?

Kemsley: That's an interesting question. We do see a shift in terms of who has authority for making the architecture decisions. You also have to look at the authority. Who has responsibility for keeping the lights on -- for running the systems once they are in there?

In many of the companies that I work with -- and maybe this is just a Canadian perspective -- architecture, in many cases, means mostly IT architecture. There is this struggle between the IT architects and/or the enterprise architects, who are really IT architects, looking at how we need to bring things in from the cloud and how we need to make use of services outside.

But, as they speak to the IT masters, of course, they're vowing to have all of that come through IT, through the technology side. This puts a huge amount of overhead on it, both from a governance standpoint, but also from an operational standpoint. That's causing a lot of issues. If you don't get EA out of IT, you're going to have those issues as you start going outside the organization.

Gardner: So the authority, the governance, the managing, the decisions about which sourcing option should be ultimately pursued, does that just get shoehorned into IT? That doesn't sound like it's going to scale. John, where does this new office reside? Is it something that grows out of IT, or is it something that comes down from some other aspect of the organization at large?

IT won't disappear

Gotze: More the latter, I think, but the IT department will not disappear, of course. It's naive to say that IT doesn't matter, as Nicholas Carr said many years ago. It's not the point that IT is irrelevant or anything, but it's the emphasis on the strategic benefits for the enterprise.

The whole notion of business-IT alignment, as we saw in the survey here, is still the predominant emphasis and concern. I actually think that it's yesterday's concern, in the sense that business-IT alignment is really about capturing business needs and designing better IT. We've done that for 20, 30, 40 years now, and it's time to move on.

It's more about thinking about the coherent enterprise that everything should fit together. It's not just alignment. You can have perfectly well aligned systems and processes, without having a coherent enterprise. So, the focus basically must be on coherency in the enterprise.

Westbrock: I don't think that this is a new problem. If you look back to the late '80s and '90s, when there was a big boom in large outsourcing, the organizations that did well were ones that didn't make IT decisions about their outsourcers. They were ones that took what we were calling then "value chains" and said, "What are the parts of our value chain where we get a lot of value out? We need to invest internal resources more heavily." -- versus -- "What are more the commodity elements of our chain? That may be a place that we can have an outsourcer to take over."

The difference between '80s and '90s and now is that it's not a chain with seven big links. It's an intricate network with hundreds, if not thousands of pieces. Instead of there being 10 or 12 big, targeted vendors to help us, there is an infinite number of vendors. That adds complexity, an element of governance that we need to mature towards.

Organizationally, we're probably okay. We're probably positioned okay to handle it. Where is that expertise going to come from? How are we going to capture which vendors that popped up this week are still going to be around next week? The longevity of these organizations is measured more in months than it is years.

Kemsley: That's frightening for a lot of IT groups in large organizations. All of a sudden, they have all of these new vendors to deal with. They don't really know which ones are going to be around and which ones are not going to be around, and they don't know how to create the appropriate separation between the internal and the external.

If you get some governance in place, so that you can say, "Well, I can snap out this service and snap in another one, if that vendor goes out of business," then you don't worry as much.

You're still going to do due diligence around who you're connecting to, but you don't have as many concerns about that as you do in the bad, old days of outsourcing. This is still going on, where all of a sudden the whole business process goes out to somewhere else, or a huge piece of your infrastructure goes out somewhere else.

Gardner: Let's go back to the start of our discussion. There are so many different flavors of architects now -- different descriptions, different roles, different budgeting, and authority patterns.

When those architects start interfacing with architects at other organizations, if they have very different roles, are they going to be in that position of pulling this together? Does that really call for the need of a more general definition of this new-age architect? Anyone?

Levels of experience

Westbrock: This is an issue that we've been dealing with since the term EA started being used. I don't think that's changing any time soon. Right now, that's the nature of our "profession." I use the quotes on profession because there are several, very valid efforts to standardize the profession of enterprise architect. There are several certification efforts. There are several different levels of experience. There is not a common and consistent and unified approach to doing this.

We're going to have more standardization, more commonality, but right now, what I do, what I make a living at, is helping organizations figure out how they can be effective as enterprise architects. The reason I make a good living is because company A has to do different things to be effective as enterprise architects than company B does, than company C does, than company D does.

Gardner: Well then, will it not be architects that help combine the ways in which these organizations interface at a services level, or are we going to look for someone else to do that? John?

Gotze: Absolutely. There will be a lot of innovation in the discipline. There will also be a standardization and certification, and so on. That will not go away. I hope not. I'm also certifying architecture. But, the strategic level of architecture is one where you must have an emphasis on innovation and diversity to make it work.

Kemsley: I'm not sure I agree, because if you're looking in a cloud-services paradigm, you don't necessarily care about the architecture of the service provider. You care about the interfaces and the functionality of that service.

So, it really depends on whether you're talking about a partnership between two companies, where they are getting very much involved with each other, or whether you're really talking about consuming a service from someone. If you're just consuming a service, as long as that service works the way it's supposed to and is there when you need it, you don't really get the architects to talk to each other.

Gardner: We're getting quite a bit of additional role and responsibility thrown in, I suppose, when we think about the architect as starting to foster business transformation above and beyond the IT roles and some of the communication and collaboration issues.

But, if we talk about the more horizontal architecting of entire business processes among a variety of different service options, this is where we get caught between the organic "each company has to have its own definition for its business transformation," and then that more strategic, methodological standardized approach.

Are we going to look at this as a hybrid model, and there is no other way around it? John?

A hybrid model

Gotze: It will be some kind of hybrid model. Look at how government is working with it. They are enterprises after all -- it's not just a private sector. There's much more emphasis in government about getting all the agencies and departments to work together and to understand each other.

We just heard here from the Canadian government about the reference models and the excellent work they've done with the GSL, the strategic reference model.

That's really important. We have the same language and we understand each other across agencies. Who knows? There might be a new election tomorrow, and they'll reshape, reform, and reshuffle the agencies. So, you have to be agile also in that sense.

Westbrock: Since we're at a framework event, I'm going to relate it to frameworks a little bit. One of the steps that we need to take as a profession, from a framework standpoint, is to look at all four of the levels.

Traditionally, we have a business and information or data and an application or solutions and a technology or infrastructure layer. I think there is a lot of maturity and a lot of standardization in the technical frameworks that exist. If you look at different models, they might use different words, but they're all covering the same thing. The specific maturity that we need now is in the applications and the data spaces.

We're still decades away from any kind of maturity in the business architecture space, whether that be method, process, or organization. But, we're now at the point where more standardization in the applications or solutions and the data or information layers is going to help us with this particular challenge that's facing enterprise architects.

Gardner: Let's take a question from the audience. The questioner asked, "I'm seeing companies getting lost in the complexities that you're describing. What are the attributes of people and organizations that are more successful at managing this?"

As you say, we've been through this before. It's sort of the peeling-the-onion approach, even as the external issues and variables change. Do we have any poster children to look at and say, "Aha, that’s how you do it?" Sandy?

Handling a complex world

Kemsley: I certainly see some characteristics with companies that I work with, some that work well and some that don’t work well. I don’t know if I've got any poster children to bring forward.

The ones that can handle this new world of complexity well are ones that can bring some of the older aspects of governance, because you still have to worry about the legacy systems and all of the things that you have internally. You're not going to throw that stuff away tomorrow and bring in some completely new architecture. But, you need to start bringing in these new ideas.

It's the ones who are starting to regenerate their architect community internally -- both with business architects and with architects on the IT side -- who can bring these ideas about cloud computing, different kinds of models, things like using business process modeling notation (BPMN) that can be done by the business architects and even business people, as opposed to having all of that type of work done in the IT area.

Gardner: John, any radical instances of success?

Gotze: I see some in the European context, because that’s the one I know the best. By and large, I agree with Sandy. It’s really how pervasive and embedded the architecture work is in the organization. The more you have enterprise architects and other architects living in ivory towers, the less success you have.

Some in the financial sector in Europe are doing quite well, even though the financial sector is not doing well as such. But, the survival strategies brought forward by the strategists and the architects are actually very valuable to the companies.

Westbrock: People are looking for names, right? Prudential has done a really good job. National City Bank did a tremendous job right around the turn of the century. They were engaged in a very wide-reaching transformational effort called The Bank of the 21st Century. They actually endorsed at a shareholder's meeting the role that EA would play in enabling the transformation to the banks of the 21st Century -- DuPont, Bank of America.

Here’s the funny thing, though. I've seen a lot of organizations that have reached a tremendous level of maturity and effectiveness with EA, due to a large SAP implementation or a strategic initiative like the transformation to The Bank of the 21st Century, but it doesn’t sustain. I can’t point to somebody who, on a consistent basis over 20 years, has done this well.

What happens is that we get a lot of energy, instantiate the processes, put the governance in place, build the models, do the transformations, and then we fall back on old habits. We don’t update the documentation. We forget the strategic imperatives. We get back down into the nitty-gritty. We're fixing bugs, and we lose sight of the big picture again.

Gardner: John, you wanted to add something?

Gotze: Just by way of example, I'd mention the Swiss-based Syngenta, which is in the field of producing seeds and stuff. So, for every tomato, or every fifth tomato, that you eat, they've made the seeds.

EA supporting science

It's an atypical business to be in for EA, but they're doing extraordinarily good work. There’s a lot of science in this, and how do you support science and research through architecture? They actually managed to do that by having very well functioning communities internally and a special way to get people to get the title of architect. They have about 2,000 architects, but not by title.

Gardner: From your responses, it sounds as if these are more the exception than the rule, and that even when they are the rule they can be fleeting.

Westbrock: I think this goes back to the expectations that the organization has of EA. I don’t think that the expectations for most enterprise architects are to enable business transformation. In most organizations that I deal with it’s to help with better solutions here and there. It’s to do some technology research and mash it up against business capabilities. It’s not this grand vision that I think most of us have as enterprise architects in the profession of what we can accomplish.

Kemsley: That’s right. They're there to bless the designs of a solution, but not to really do the big architectural picture.

Gardner: Here’s another question from our audience that addresses that. As we get towards that goal of business transformation, don’t you think that executives, as they become more aware that these opportunities exist, will want to then move in and take their role within that larger role? The technologists who come up as architects might get overtaken or usurped by more general business leadership or politics? Sandy?

Kemsley: I don’t see the business leadership clamoring to take over architecture anytime soon.

In large part, it’s seen as being mostly an IT role. They just see it as part of IT. When you look at those survey results, it said that 60-70 percent of the architecture groups reported through to the CIO or the CTO. That’s how people think about it. It’s a piece of the IT department. So, you're not going to get the CEO coming in and saying on day one, "Oh, I want to take over that architecture stuff."

Gotze: I agree, but that’s also because we in the profession have managed to create a vocabulary that's nearly impossible to understand for people outside the profession.

I think the executive leadership will want to take over the work that the strategic EA is doing. They might not call it EA, but they will be the ultimate architect. The CEO is the ultimate chief architect for a forward-looking and an innovative enterprise.

Westbrock: I thought that question was going someplace else completely. I thought that question was going to say, "Once they realize what enterprise architects can do, are they going to be interested in taking advantage of it?" When I mentioned some of those examples of companies that have done this well, that’s what has happened. There’s been a real relationship that exists between the EA teams -- it's not a person -- and the board.

The board members know the EA team at these organizations, because there is a relationship of partnering there. It didn’t start out that way. It started out with the EA team becoming aware of the vision, and they did that in interactions, but it was a one-way. It was, "What can we take from you, Board of Directors?"

Two-way conversation

But, as they evolved their sets of artifacts and positioned those sets of artifacts to be communicable to executives rather than developers, they were able to communicate the strategic nature of what they're doing as enterprise architects. Then it became a two-way conversation.

Gardner: Well, whoever fills this role and from wherever they come within the organization, it’s going to be an extremely powerful role, if we follow through with what we've seen with globalization, outsourcing, business process issues, outsourcing an entire department, perhaps to an overseas organization.

What’s left of the enterprise but the architecture, the rules, the governance, the policies, if there are in fact all sorts of other organizations supporting the underlying services? So, doesn’t this role become something that should be a board-level role?

Kemsley: It should. We have to learn to use EA power for good, rather than evil, though. In a lot of cases, it’s just about implementation. It’s sort of downward looking. Enterprise architects tend to look down into the layers rather than, as Tim was saying, feed it back up to the layers above that.

How EA is perceived within the enterprise and how it presents itself needs a total makeover. It’s just so that people, especially the executives at the high level, the board members, and so on, can see the value and what this brings to them.

Gardner: Well, saying they need a makeover is another way of saying there is a tremendous opportunity for an innovative promoter, to get involved and to pull some of these threads together, because there is a gulf or a vacuum.

Westbrock: When we talk to folks about the kinds of capabilities, skills, and credentials that they're looking for in enterprise architects, deep technical ability is nowhere on the list. It's not because that deep technical ability is not useful. It's because generally people that are performing those deep technical tasks lack the breadth of experience that make enterprise architects good.

They have that deep technical knowledge, because they've done that a long time. They've become experts in that silo. That's very, very much needed, which is why EA is a collaborative forum. The folks that are going to be called to function as enterprise architects are folks that need a much broader set of skills and experience.

Gotze: I agree. The deep technical skills will come way down the list. Communication is very high on the list -- understanding, contracting, and so on, because we have the cloud and similar stuff also very high on the list.

Career promotion path

Kemsley: But, it's being used as a career promotion path for people who start out in technology. It used to be, if you were like a programmer and you got to a certain level, it was like, "Well, we'll promote you. We'll make you project manager." Somebody who has no ability, no skills, and no experience to do that was given that as a title, because that was in the career path.

That's happening to some degree with architecture as well. You get to a certain level as a very deep technical person within an organization, and one of your career options is, "Well, you can move into architecture." It doesn't mean that somebody has the skills or even the inclination to do that, but that's the only way they can move up the chain.

Gotze: Then, if they're not competent, they move into management.

Gardner: Here's another question from the audience that says, "There are quite a number of anti-architecture forces in play, for perhaps a variety of reasons. Are they going to run out of gas?" Is there so much complexity with the economy, with source options, with this shift towards business transformation and efficiency of processes, when the organization does architecture well and receives the rewards and bears the fruit of that do the anti-architecture forces finally collapse? Any prophecies?

Kemsley: Well, they will, but it's dependent on that statement you said, "When architecture is done well." In many organizations, architecture is not done all that well. It's done on an ad hoc basis. It's done at more of the deep technical level. I can understand why the anti-architecture people get frustrated with that type of architecture, because it's not really EA.

Gardner: We see the need. We have the vision. They have the technical understanding of what IT is capable of. Are we talking about a lack of power and budget? What needs to happen?

Westbrock: Quite honestly, it's our own fault. It's the way we talk about EA in the main. We don't talk about EA as a strategic enabler or as a translation of strategy into activities. We say alignment, but what does that mean?

The folks that have been successful are the ones that take the time to do two things. They build artifacts and processes that work down, they build artifacts and processes that work up, and they realize that they're different. You don't build an artifact for a developer and take that to a member of the board. You don't build project design review processes and then say, "Okay, we're going to apply that same process at the portfolio level or at the department level."

We don't have communication strategies that are going to facilitate the broadcast of results to the people that use the standards, and then use the same strategy and modes of communication for attaining strategic understanding of business drivers. It's really been a separation, knowing that there's a whole different set of languages and models and artifacts that we need here and a whole different set here.

Gardner: Here is another very interesting question from our audience. Is it too pessimistic to expect that cloud vendors will offer architecture as a service? In the past, we've seen that when there is a vacuum in a business, a consulting or outside opportunity for filling that comes in. Should we expect architecture to go in the same direction?

Not effective as a service

Kemsley: I'm not sure that's something you can really do effectively as a service. It's one thing to talk about a consulting service that helps you with architecture; offering it as a service in the way that a cloud vendor offers a service, I'm not sure that fits.

Gardner: First is the problem with the acronym.

Kemsley: That's true.

Gardner: John, you can't outsource it?

Gotze: I would never outsource my architecture. When I helped the Danish government in launching the national EA program, the top mantra was "Take home your architecture," the responsibility for the architecture. If Google, MSN, or whichever cloud vendors come out now and say, "Well, you don't have to bother with this architecture tricky stuff. Let us take care of it," we're back to a model from the '70s and the '80s, where we outsource everything and give the power to the vendor.

I strongly believe in architecture as a service, but that's an internal service, rather than ivory tower architecture or whatever. It's a service offered in the enterprise whenever it's needed.

Gardner: Tim, an alternative view?

Westbrock: I don't disagree with our esteemed colleagues here, but the question was whether we should expect it to be offered, and I think it already is.

Gardner: How so?

Westbrock: It always has been. I used to work for a Big Six. I won't mention them by name, but I was, at one time, called an Android. It's not uncommon to find the architecture from the consulting group, from the vendor, a three-inch binder sitting on somebody's shelf. That was an attempt for an external service provider to do architecture for you. It's been proven time and again that it's not a great idea, but absolutely, there will continue to be architecture-as-a-service offerings.

Gardner: Do you want to respond to that -- perhaps not a service from the cloud, but a professional service capability?

Kemsley: Certainly, that will be done as a professional service. I don't know if that's the best way to do it. If you're really doing EA at the levels that it should be done, it's corporate strategy, and you don't outsource your corporate strategy.

Gotze: But, you can buy consultants that can help you in that. So, of course yes, it will be a service in the market.

Looking to the future

Gardner: Why don't we begin to wind down a little bit and take an opportunity to look to the future? I'm primarily interested in this opportunity that we're seeing with cloud. There's a tremendous amount of interest.

The business side of the house is wondering if this is going to cause them to be able to cut budgets, reduce the total cost as a percentage that they devote to IT, and, at the same time, give them what's generally referred to as better agility.

Sandy, this cloud thing, what's the impact, from your perspective, on the role and position of the enterprise architect?

Kemsley: There are a lot of different ways you can implement the cloud. The role of the enterprise architect is to look at how it comes in. One is to do something that totally bypasses IT. Salesforce.com is sort of ideal, where the business goes out and works directly with a cloud provider to give them a service that used to be provided by IT.

EA is certainly in a position to say, "Well, this is the best way to handle this sort of thing, to outsource this particular functionality."

The second choice is, when you're looking at orchestrating business processes of various sorts, you need to call services. So, you've got a service-oriented architecture (SOA) together with some BPM. You want to look at calling services from the cloud. Then, it's almost like you're calling out to Google Maps, or you're calling to a variety of other services that might provide a discrete function within a piece of functionality there. That's pretty common and is going on. It doesn't even need to be addressed necessarily at an architectural level, but certainly the one where the business goes out.

What does happen, though, in many cases is that, this will still be done. It might start out as, "Let's look at doing things in the cloud and reducing our cost and so on." It ends up being a big IT outsourcing operation.

IT is still there and all they're doing is taking some big servers and moving them from one building to another building. It doesn't provide the kind of benefits that can be there. Again, that's something that's probably below, or could be below, the radar of what the architects are doing, except for network architects or solution architects, who are concerned with how all this gets wired together.

Gardner: John, impact of the cloud?

Incoherency and chaos

Gotze: There will be a huge impact, of course, and hopefully more than we see already. But, it has to be in the hands of someone, and that's a real tricky one. If it's just that line-of-business units go out and one contracts Salesforce and another contracts "whatever force," then we'll have incoherency and chaos.

My best bet or suggestion is to control the contracting and have the architects do the filtering on contracts. Of course, with free services, you cannot avoid people just choosing all of these services, but as long as it's something that cost money, you can control the budget. That's one way to sit on the decisions, but allow for innovation.

So, apart from the contracting, try to get the principles of the architecture as embedded as possible in the organization, so that people really understand that it's bloody stupid, if you are in government, to put personal, private data out in the cloud, if it's an insecure cloud. So, yeah, it's a challenge.

Gardner: Something to keep us busy for a while.

Gotze: Yeah.

Gardner: Tim?

Westbrock: There is a huge opportunity for enterprise architects relative to not just the cloud.

The cloud is just one more of the enablers of service orientation, not SOA, service orientation. Somebody needs to own the services portfolio. Maybe we're going to call them the "Chief Services Architect." I don't know. But, what I see in so many organizations is service oriented infrastructure being controlled by one group, doing a good job of putting in place the kinds of foundational elements that we need to be able to do service orientation.

Then, we see application development teams and groups figuring out which frameworks to use, where are we going to put the library, and they're building services and they're integrating services. What's missing is somebody with this portfolio, meaning holistic, enterprise-wide view of what services we need, what services we have, where we can go get other services -- basically the services portfolio. Enterprise architects are uniquely positioned to do that justice.

Gardner: Well, great. I want to thank our panelists for their tremendous and insightful input. We've been joined by Tim Westbrock, managing director of EAdirections. Thank you.

Westbrock: Thank you, Dana.

Gardner: Sandy Kemsley, independent IT analyst and architect. Thank you so much.

Kemsley: Thank you.

Gardner: And John Gotze, the international president of the Association for Enterprise Architects.

I also want to thank the audience for some really great questions.

I'm Dana Gardner, principal analyst at Interarbor Solutions. You've been listening to a BriefingsDirect special presentation from The Open Group's 23rd Enterprise Architecture Practitioners Conference in Toronto. Thanks for listening, and come back next time.

Transcript of a BriefingsDirect sponsored podcast on the role of architecture within the enterprise. Recorded live at The Open Group's 23rd Enterprise Architecture Practitioners Conference in Toronto. Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.

Tuesday, July 21, 2009

Seeking to Master Information Explosion: Enterprises Gain Better Ways to Discover and Manage their Information

Transcript of a BriefingsDirect podcast on new strategies and tools for dealing with the burgeoning problem of information overload.

Listen to the podcast. Download the podcast. Download the transcript. Find it on iTunes/iPod and Podcast.com. Learn more. Sponsor: Hewlett-Packard.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on how enterprises can better manage the explosion of information around them. Businesses of all stripes need better means of access, governance, and data lifecycle best practices, given the vast ocean of new information coming from many different directions. By getting a better handle on information explosion, analysts and users gain clarity in understanding what is really going on within the businesses, and, especially these days, across the dynamic market environment.

The immediate solution approach requires capturing, storing, managing, finding, and using information better. We’ve all seen a precipitous drop in the cost of storage and a dramatic rise in the incidents of data from all kinds of devices and across more kinds of business processes, from sensors to social media.

To help us better understand how to best manage and leverage information, even as it’s exploding around us, we’re joined by Suzanne Prince, worldwide director of information solutions marketing at Hewlett-Packard (HP). Welcome, Suzanne.

Suzanne Prince: Thanks, Dana.

Gardner: As I mentioned, things have changed rather dramatically in the past several years, in terms of the amount of information, the complexity, and the sources of that information. From your perspective, how has the world changed for the worse when it comes to managing information?

Prince: Well, it’s certainly a change for the worse. The flood is getting bigger and bigger. You’ve touched on a couple of things already about the volume and the complexity, and it’s not getting any better. It’s getting worse by the minute, in terms of new types of information. But, more importantly, we’re noticing major shifts going on in the business environment, which are partially driven by the economy, but they were already happening anyway.

We’re moving more into the collaboration age, with flatter organizations. And the way information is consumed is changing rapidly. We live in the always-on age, and we all expect and want instant access, instant gratification for whatever we want. It’s just compounding the problems.

Gardner: I’m afraid there's a price to be paid if one loses control over this burgeoning level and complexity of information.

Prince: Absolutely. There are these horror stories that we all regularly read in the press that range from compliance and eDiscovery fines that are massive fines. And, we’re also seeing major losses of revenue.

I’ll give you an example of an oil company that was hit by hurricane Katrina in the Gulf of Mexico. Their drilling rigs were hit and damaged severely. They had to rebuild them and they were ready to start pumping, but they had to regenerate the paperwork, because the environmental compliance documentation was actually on paper.

Guess what happened in the storm -- it got lost. It took them two weeks to regenerate that documentation and, in that time, they lost $200 million worth of revenue. So, there are massive numbers associated with this risk around information.

Gardner: We’re talking about not just information that’s originating in a digital format, but information that originates in a number of different formats across a number of different modalities, from rich media to just plain text. That has to be brought into a manageable digital environment.

Information is life

Prince: Absolutely. You often hear people saying that information is life -- it’s the lifeblood of an organization. But, in reality, that analogy breaks down pretty quickly, because it does not run smoothly through veins. It’s sitting in little pockets everywhere, whether it’s the paper files I just talked about that get lost, on your or my memory sticks, on our laptops, or in the data center.

Gardner: We’ve heard a lot about data management and data mining. That tends to focus on structured data, but I suppose we need to include other sorts and types of information.

Prince: Yes. The latest analyst tracker reports -- showing what type of storage is being bought and used -- reveal that the growth in unstructured content is double the growth that’s going on in the structured world. It makes sense, if you think about it, because for the longest time now, IT has really focused on the structure side of data, stuff that’s in databases. But, with the growth of content that was just mentioned -- whether it's videos, Twitters, or whatever -- we’re seeing a massive uptick in the problems around content storage.

Gardner: While we’re dealing with a hockey stick curve on volume, I suppose that the amount of time that we have to react to markets is shrinking rapidly. We’ve had an economic storm and folks have had to adjust, perhaps cutting 30-40 percent of their businesses as quickly as possible. So, in order to react to environments that are themselves changing, we can’t wait for a batch reply on some look at information from 3-10 weeks ago.

Prince: No. That comes back to what I said previously about instant gratification. In reality, it’s a necessity. Where do I shed? Where do I cut my costs? Where are the costs that I can cut and still not cut into the meat of my company? More importantly, it’s all about where are my best customers? How do I focus my sales energy on my best customers? As we all know, it costs more to get a new customer than it does to retain an old one.

Gardner: Also compounding the complexity nowadays, we’re hearing quite a bit about cloud computing. One of the promises of the vision around cloud computing is being able to share certain data to certain applications, certain people, certain processes, but not others. So, we need to start managing how we then allow access to data at a much more granular level.

Prince: The whole category of information governance really comes into play when you start talking about cloud computing, because we’ve already talked about the fact that we’ve got disparate sources, pockets of information throughout an organization. That’s already there now. Now, you open it up with cloud and you’ve got even more. There are quality issues, security issues, and data integration issues, because you most likely want to pull information from your cloud applications or services and integrate that within something like a customer relationship management (CRM) system to be able to pull business intelligence (BI) out.

Gardner: I just spoke with a number of CIOs last week at an HP conference, and their modus operandi these days is that they need to show a return on whatever new investments they make in a matter of one or two months. They don’t have a 12- or 18-month window for return on their activities. What are the business paybacks, when one starts to do data mining, management, cleansing, storing, the whole process? When they do it right, what do they get?

Prince: We’ve seen very good returns on investment (ROIs) ranging from 230 percent to 350 percent. We’ve seen major net benefits in the millions. And, in today’s world, the most important thing is, to get the cost out and use that cost to invest for growth. There are places you can look, where you can get cost out quite quickly.

I already mentioned one of them, which is around the costs of eDiscovery. It may not be provisioned yet in the IT budget, but may be in your legal department’s budget. They are spending millions in responding to court cases. If you put an eDiscovery solution in, you could get that cost back and then reallocate that to other projects. This is one example. Storage virtualization is another one. Also outsourcing -- look into what you could outsource and turn capital expenditure into operating expenditure.

Gardner: I suppose too that productivity, when lost, comes with a high penalty. So, getting accurate timely information in the hands of your decision makers perhaps has a rapid ROI as well, but it’s not quite as easy to measure.

Right information at the right time

Prince: No, it’s not as easy to measure, but here’s something quite interesting. We did a survey in February of this year in several countries around the world. It was both for IT and line-of-business decision makers. The top business priority for those people that we talked to, way and above everything else, was having the right information at the right time, when needed. It was above reducing operating costs, and even above reducing IT costs. So what it’s telling us is how business managers see this need for information as business critical.

Gardner: I suppose another rationale for making investments, even in a tough budgetary environment, is regulatory compliance. One really doesn’t have a choice.

Prince: You don’t have a choice. You have to do it. The main thing is how can you do it for least cost and also make sure that you’re covering your risk.

Gardner: Well, we’ve had an opportunity to look at the problem set. What sorts of solutions can organizations begin to anticipate and put into place?

Prince: I touched on a few, when I was talking about some of the areas to look for cost savings. At the infrastructure layer: we’ve talked about storage. You can definitely optimize your storage -- virtualization, deduplication. You really need to look at deleting what I would call "nuisance information," so that you’re not storing things you don’t need to. In other words, if I’m emailing you to see if you’d like to come have a cup of coffee, that doesn’t need to be stored. So, optimizing storage and optimizing your data center infrastructure.

Also, we talked about the pockets of information everywhere. Another area to look at is content repository consolidation, or data mart consolidation. I’m talking about consolidating the content and data stores.

As an example, a pharmaceutical company that we know of has over 39 different content management solutions. In this situation, a) How do we get an enterprise view of what’s going on and b) What's the cost? So, at the infrastructure layer, it's definitely around consolidation, standardizing, and automating.

Then, at the governance layer, you need to look at data integration. You need to have a quality plan. You need to have a governance plan that brings together business and IT. This is not just an IT problem, it’s a business problem and all parties need to be at the table. You’re going to need to have your compliance officers, your legal people, and your records manager involved.

One of the most important things we believe is that IT needs to deliver information as a business-ready service. You need to be able to hide the complexity of all of that plumbing that I was talking about with those 39 different applications. You need to be able to hide that from your end users. They don’t care where information came from. They just want what they want in the format that they want it in, which is usually an Office application, because that’s what they’re most used to. You’ve got to hide the complexity underneath by delivering that information as a service.

Gardner: It sounds like an integration problem as well, given that we’re not going to take all these different types of information and data and put them into a single repository. It sounds as if we’re going to leave it where it is natively, but extract some values and some indexing and gain the ability to access it rather rapidly.

Prince: Yes, because business users, when they want things, want them quickly or they do it themselves. We all do it. Each one of us does it. "Oh, let’s get some spreadsheet going" or whatever. We will never be in a place where we have everything in one bucket. So, it’s always going to be federated. It’s always going to be a data integration issue. As I said, we really need to shield the end users from all of that and give them an easy-to-use interface at the top end.

Gardner: Are there any standards that have jumped out in recent years that seem more valuable in solving this problem than others?

No single standard

Prince: No, not really. There are a lot of people who keep taking runs at it. There are the groups looking at it. There are industry groups like ARMA looking at the records management. AIIM is looking at the information content management. But, there is not any one particular standard that’s coming out above the others. I would recommend, because of the complexity underneath and the fact that you will always have a heterogeneous environment, open standards are important, so that you can do more of a plug-and-play game.

Gardner: It seems that what we were doing with information in some ways is mimicking what we have done with applications around integration and consolidation. Are there means that we have already employed in IT that can be now reused or applied to this information explosion in terms of infrastructure, service orientation, enterprise service buses, or policy engines? How does this information chore align with some of the other IT activity?

Prince: It sort of lines up. You touched on something there about the applications. What you said is exactly true. People are now looking at information as the issue. Before they would look at the applications as the issue. Now, there's the realization that, when we talk about IT, there is an "I" there that says "Information." In reality, the work product of IT is information. It’s not applications. Applications are what move it around, but, at the end of the day, information is what is produced for the business by IT.

Gardner: Years ago, when we had one mainframe that had several applications, all drawing on the same data, it wasn’t the same issue it is today, where the data is essentially divorced from the application.

Prince: Yes, and you mentioned it before. It’s going to get even more so with cloud. It’s going to get even more divorced.

Gardner: From HP’s perspective, what do you have to bring to the table from a methods, product, process, and people perspective? I'm getting the impression that this has to be done in totality. How do you get started? What do you do?

Prince: There are two questions there. From an HP perspective, as you said, we bring the total package from our expertise and experience, which is vital in all of this. One of the main things is that you need people who have done it before. They know the tricks and have got maturity models and best practices in their back pockets and they bring those out.

We've definitely got the expertise and the flexible sourcing, so that we can help reduce the total cost of ownership and move expenditure around. We've got that side of the fence and we've obviously got the adaptive infrastructure. We already talked about the data warehouse consolidation. We've got services around governance. So, we've got the whole stack. But, you also asked where to start, and the answer is wherever the customer needs to start.

Gardner: It's that big of a problem?

Increasing lawsuits

Prince: Yes, it is that big, and it’s going to depend. If I'm a manufacturing company I might be getting a lot of lawsuits, because the number of lawsuits has gone sky high since people are trying to get money out of enterprises any way they can. So, look for where your cost is, get that cost out, and then, as I said before, use that to fund innovation, which is where growth comes from. It's all about how you transform your company by using information.

Gardner: So, you identify the tactical cost centers, and that gives you the business rationale and opportunity to invest perhaps at a strategic level along the way, employing governance as well?

Prince: It’s like any other large project. You need to get senior executive commitment and sponsorship -- and I mean real commitment. I mean that they are involved. It’s also the old adage of "how do you eat an elephant?" You eat an elephant in small chunks. In other words, you have a strategic plan and you know where you are going, but you tackle it in tactical projects that return business benefits. And then, IT needs to be very visible in communicating the benefits they are making in each of those steps, so that it reinforces the re-investment cycle.

Gardner: Something you mentioned earlier that caught my attention was the new options around sourcing. Whether it's on-premises, modernized data center, on-premises cloud-like or grid-like or utility types of resource pools, moving towards colocation, outsourcing and even a third-party cloud provider, how does that spectrum of sourcing come into play on a solutions level for information explosion?

Prince: Again, it goes back to the strategies that we were talking about. There needs to be an underpinning strategy, and people need to look at the business values of information.

There is some information that you will never want outsourced. You will always want it close at hand -- the CEO’s numbers that he is monitoring the business with. They're under lock and key in his office. It’s core business value information. There are others that you can move out. So, it’s going to involve the spectrum of looking at the business value, the security, and the data integration needs, assessing all of that, and then making your decisions.

Gardner: Are there some examples we can look to and get a track record, an approach, and learn some lessons along the way? After we have a sense of what people have done, what kind of success rates do they tend to enjoy?

Prince: Because it’s such a broad topic, it’s hard to hone in on any one thing, but I will give you an example of document processing outsourcing. It’s just an example. With the acquisition of EDS, we offer a service where we will automate the mailroom. So, when the mail comes into the mailroom, it gets digitized and then sent to the appropriate application or user. If it’s a customer complaint, it will go to the complaints department. If it’s a sales request, it will get sent to the call center.

That’s a totally outsourced environment. What all of our customers are seeing is a) reduction in cost, and b) an increase in efficiency, because that paper comes in and, once digitized, moves around as a digital item.

Gardner: We perhaps wouldn’t name names, but have you encountered situations where certain companies, in fact, found themselves at a significant deficit competitively as a result of not doing the right thing around information?

Lack of information

Prince: Well, I can give you one. Actually, it’s in the public domain. So, I can name names. New Century. They were the first sub-prime mortgage company to go under in the US, and it’s publicly documented.

The bankruptcy examiner has actually written in his report that one of the major reasons they went crash was because of the lack of information at the management level. In fact, they were running their business for the longest time on Excel spreadsheets, which were not being transmitted to management. So, they were not aware of the risks that they were actually exposed to.

Gardner: We’ve certainly seen quite clear indicators that risk wasn’t always being measured properly across a number of different industries over the past several years. I suppose we would have to attribute that not only to a process, but to simply not knowing what’s going on within their systems.

Prince: Yes. I'll give you another public domain example of something from a completely different angle -- a European police database. They have just admitted -- in fact, I think it went public in February -- that they had 83 percent errors in their database. As a result of that, over a million people either lost their jobs or were fired because they were wrongly categorized as being criminals.

You have absolutely catastrophic events, if you don’t look after your quality and if you don’t have governance programs in place.

Gardner: I want to hear more about how we get started in terms of approaching a problem, but I also understand that we should have some hope that new technologies, approaches, and processes are coming out. Has there been anything at the labs level or the R&D level, where investments are being made that offer some new opportunities in terms of some of the problems and solution tension that we have been discussing?

Prince: In HP Labs, we have eight major focus areas, and I would categorize six of them as being focused on information -- the next set of technology challenges. It ranges all the way from content transformation, which is the complete convergence of the physical and digital information, to having intelligent information infrastructure. So, it’s the whole gamut. But, six out of eight of our key projects are all based on information, information processing, and information management.

I'll give you an example of one that’s in beta at the moment. It’s Taxonom, which is an information-as-a-service (IaaS) taxonomy builder. One thing that is really important, especially in the content world, is the classification of the content. If you don’t classify, you can’t find it. We are in beta at the moment, but you are going to see a lot more energy around these types of solution.

Gardner: So the majority of R&D money, at least at HP, is now being focused on this information explosion problem set.

Prince: Yes, yes, absolutely.

Gardner: Interesting. Well, some folks may be interested in getting some more detailed information. They perhaps have some easily identified pain points and they want to drill down on that tactical level, consider some of the other strategic approaches, and look to some of those benefits and risk reduction. Where can they go to get started?

Prince: The first one to call is your HP account representative. So, talk to them and start exploring how we can help you solve the issues in your company. If you want to just generally browse, go to hp.com. I'd also strongly recommend a sub page -- hp.com/go/imhub.

Gardner: Very good. Well, we were discussing this burgeoning problem around information explosion, along with some of the risks and penalties that unfortunately many folks suffer and some of the paybacks for those who start to get a handle on this problem.

We've also looked at some examples of winners and, unfortunately, losers and we have found some early ways to start in on this solutions road map. I want to thank our guest today. We have been talking with Suzanne Prince, worldwide director of information solutions marketing at HP. Thank you, Suzanne.

Prince: Thanks, Dana. It was a pleasure.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You have been listening to BriefingsDirect. Thanks and come back next time.

Sponsor: Hewlett-Packard.

Transcript of a BriefingsDirect podcast on new strategies and tools for dealing with the burgeoning problem of information overload. Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.

Wednesday, July 15, 2009

Panda's SaaS-Based PC Security Manages Client Risks, Adds Efficiency for SMBs and Providers

Transcript of a BriefingsDirect podcast on security as a service and cloud-based anti-virus protection and business models.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod and Podcast.com.

Download the transcript. Learn more. Sponsor: Panda Security.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on automating and improving how PC security can be delivered as a service. We'll discuss how the use of cloud-based anti-virus and security protection services is on the rise, and how small to medium-size businesses (SMB) can find great value in the software-as-a-service (SaaS) approach to manage PC support.

We'll also examine how the use of Internet-delivered security provides a strong business opportunity for resellers and channel providers to the businesses trying to protect all of their PCs, regardless of location.

Recent announcements by Panda Security for cloud-based PC anti-virus tools, as well as a Managed Office Protection solution, highlight how "security as a service" is growing in importance and efficiency.

Here to help us better understand how cloud-delivered security tools can improve how PCs are protected across the spectrum of end users, businesses, resellers, and managed-service providers, we're joined by Phil Wainewright, independent analyst, director of Procullux Ventures, and a ZDNet SaaS blogger. Welcome back to the show, Phil.

Phil Wainewright: It's great to be here, Dana.

Gardner: We're also joined by Josu Franco, director of the Business Customer Unit at Panda Security. Welcome to the show, Josu.

Josu Franco: Hello, Dana. Nice to be here.

Gardner: Let's start, Josu, with looking at the big picture. The general state of PC security, the SaaS model, and the dire economy are, for many organizations, conspiring to make a cloud-based solution more appropriate, perhaps now more than ever. Tell us why a cloud-based solution approach to PC security is a timely approach to this problem.

Franco: There are two basic problems that we're trying to solve here, problems which have increased lately. One is the level of cyber crime. There are lots and lots of new attacks coming out every day. We're seeing more and more malware come into our labs. On any given day, we're seeing approximately 30,000 new malware samples that we didn't know about the day before. That's one of the problems.

The second problem that we're trying to solve for companies is the complexity of managing the security. You have systems with more mobility. You have vectors for attack -- in other words, ways in which a system can be infected. If you combine that with the usage of more and more devices in the networks, that combination makes it very difficult for administrators to really be on top of the security mechanisms they need to watch.

In order to address the first problem, the levels of cyber crime, we believe that the best approach that we, as an industry, need to take is an approach that is sustainable over time. We need to be able to address these rising levels of malware in the future. We found the best approach is to move processing power into the cloud. In other words, we need to be able to process more and more malware automatically in our labs. That's the part of cloud computing that we're doing.

In order to address the second problem, we believe that the best approach for most companies is via management solutions that are easier to administer, more convenient, and less costly for the administrators and for the companies.

Centralized approach

Gardner: Now, Phil, we've seen this approach of moving out toward the Web for services -- the more centralized approach to a single instance of an application, the ability to manage complexity better through a centralized cloud-based approach across other applications. It seems like a natural evolution to have PC security now move to a SaaS model. Does that make sense from your observations?

Wainewright: It certainly does. To be honest, I've never really understood why people wanted to tackle Web-based malware in an on-premise model, because it just doesn't make any sense at all.

The attacks are coming from the Web. The intelligence about the attacks obviously needs to be centralized in the Web. It needs to be gathering information about what's happening to clients and to instances all around the Web, and across the globe these days. To have some kind of batch process, whereby your malware protection on your PC is something that gets updated every week or even every day, is just not fast enough, because the malware attacks are going to take advantage of those times when your protection is not up-to-date.

Really making sure that the protection is up-to-date with the latest intelligence and is able to react quickly to new threats as they appear means that you've got to have that managed in the center, and the central management has got to be able to update the PCs and other devices around the edge, as soon as they've got new information.

Gardner: So, the architectural approach of moving more back to the cloud, where it probably belongs, at least certainly from an architectural and a timeliness or a real-time reaction perspective, makes great sense. But, in doing this, we're also offloading a tremendous burden from the client in terms of these large agents, tremendous demand on the processing of this client, the need to move large files around, drag on the networks, labor for moving around the organization, and physically getting to these machines. It seems almost blatantly obvious that we need to change this model. Do you agree, Josu?

Franco: I do. One point that I want to make, though, is that when we refer to SaaS, we use the term to refer to the management console of the security solutions. So, SaaS for us is an interface for the administrator, it’s an interface obviously based on the Web.

When we refer to cloud computing, it refers to our capacity to process larger and larger volumes of malware automatically, so that our users are going to be better protected. Ideally, cloud computing and SaaS should be going together, but that's going to take a little bit of time, although, in our case at least, all of our solutions align into those two concepts. We've been moving towards that. The latest announcements that we've made about this product for consumers go certainly into that direction.

I just want to make clear that SaaS for me is one thing. Cloud computing is a different thing. They need to work together, but as a concept we should not confuse the terms.

Wainewright: That's very important, Dana. One of the key things that people misunderstand about notions of cloud computing and SaaS is this idea that everything gets sucked up into the network and you don't do anything on the client anymore.

That's actually a rather primitive way of looking at the SaaS and cloud spectrum, because the client itself is part of the cloud. It's a device that interacts with other peers in the Web environment, and it's got processing power and local resources that you need to take advantage of.

The key thing is striking the right balance between what you do on the client and what you do in the cloud, and also being cognizant of where people are at in terms of their overall installed infrastructure and what works best in terms of what they've got at the moment and what their roadmap is for future migration.

Separating SaaS and cloud

Gardner: I see. So, we do need to separate SaaS and cloud. We need to recognize that this is a balance and not necessarily an all-or-nothing approach -- neither all-cloud nor all-client. This seems to fit particularly well into the demands of an SMB, a distributed business, or perhaps even a multi-level marketing (MLM) company, where there are people working at home, on the road, in remote offices, and it's very difficult for the administrators or the managed providers or resellers to get at these machines. Moving more of that balance towards the cloud is our architectural goal.

Let's move to the actual technical solution here. Josu, you described some new products. Clearly, there's still an agent involved, coming down to the PC. I wonder if you could describe some of the two big announcements you've had, one around this consumer security cloud service, and then the second around your Managed Office Protection solution.

Franco: The announcement that we've made about the Cloud Antivirus is a very important announcement for us, because we've been working on this for a couple of years now, and this involves rebuilding the endpoint agent from scratch.

We saw the opportunity, or, I would say, the necessity of building a much lighter agent, much faster than previous agents, and, very importantly, an agent that is able to leverage the cloud computing capacity that we have, which we call "Collective Intelligence," to process malware automatically.

As I said before, this aligns with our technology vision, which is basically these three ideas: cloud computing or collective intelligence, as we call it, regarding the capacity to process malware; SaaS as the approach that we want to take for managing our security solutions; and third, nano-architecture as the new endpoint architecture, in which we want to base all of our endpoint based solutions.

So, Cloud Antivirus is a very tiny, very fast agent that sits on the endpoint and is going to protect you by some level of local intelligence. I want to stress the fact that we don't see the agents disappearing anytime soon to protect the endpoints. We believe that the more intelligence that we can pack into the agent, the better, but always respecting the needs of consumers -- that is to be very fast, to be very light, to be very transparent to them.

This works by connecting with our infrastructure and asking for file determinations, when the local agent doesn't know about a particular file that it needs to inspect.

The second announcement is more than an announcement. Panda Managed Office Protection is a solution that we've been selling for some time now, and is working very well. It works by having this endpoint agent locally in every desktop or PC or laptop. Once you've downloaded this agent, which works transparently for the end user, all the management takes place via SaaS.

It's a management console that's hosted from our infrastructure, in which any admin, regardless of where they are, can manage any number of computers, regardless of where they are located. This works by having every agent talk to this infrastructure via Internet, and to talk to other agents, which might be installed in the same network, distributing updates or distributing other types of policies.

Gardner: Now, an interesting and innovative approach here is that you've made the Cloud Antivirus agent free to consumers, which should allow them to get protection for virtually nothing, but in doing so you've increased the network population for what you can do to gather instances of problems. The agent immediately sends that back to your central cloud processing, which can then create the fix and then deliver it back out. Is that oversimplifying it?

Staying better protected

Franco: That's a very true statement. We're not the first ones giving away a security agent for free. There are some other companies that I think are using the Freemium model. We've just released this very first version of Cloud Antivirus. We're distributing it for free with the idea that first we want people to know about it. We want people to use it, but very importantly, the more people that are using it, the better protected they're all going to be. As you say, we're going to be gathering intelligence about the malware that's hitting the streets and we're going to be able to process that faster and to protect all those users in real-time.

Gardner: Phil, this strikes me as Pandora opening the box. I can't imagine us going back meaningfully in the marketplace to the older methods in architecture for security. Do you agree with me that this is a compelling shift in the market?

Wainewright: It is, obviously. We're talking about network scale here. The malware providers are already using network scale to great effect, particularly in the use of these zombie elements of malware that effectively lurk on devices around the Web, and are called into action to coordinate attacks.

You've got these malware providers using the collective intelligence of the Web, and if the good guys don't use the same arsenal, then they're just going to be left behind.

I think the other thing that’s great about this Freemium model is that, even though the users aren't paying anything for the software, in effect they're giving something back, because the intelligence that's being collected is making the potential protection stronger. So, it's a great demonstration of how you can derive value even from something that is actually distributed for free.

Gardner: Sort of all for one, one for all?

Wainewright: Yes, that's right.

Gardner: So, if this works well for security, it strikes me that this also makes a great deal of sense for remediation, general support, patches, upgrades, or managing custom applications. It certainly seems to me that crossing the Rubicon, if you will, into security from a cloud perspective will open up an opportunity for doing much, much more across the general total cost of ownership equation for PCs. Is that in your future? Do you subscribe to that vision, Josu?

Franco: Yes, I do. First, we've been a specialized player in the anti-malware business, but I certainly do see the opportunity to do more things once you are installing an endpoint to be able to use the same management approach and be able to configure the PC, or to do a remote session on it based on the same console. For now, we're just doing the full anti-malware and personal firewall in this way, but we do see the opportunity of doing more PC lifecycle management functionalities within it.

Gardner: That brings us back to the economy. Phil, I've heard grousing from CEOs, administrators, and just about anybody in the IT department for years about how expensive it is, from the total cost perspective, to maintain a rich PC-client experience. Nowadays, of course, we don't have a luxury of, "It would be nice to cut cost." We really have to cut cost. Do you see a significant move towards more cloud-based services as an economic imperative?

Increasing the SaaS model

Wainewright: Oh yes, and one of the interesting phenomena has been that things like help desk, security, and remote support have increasingly been delivered using the SaaS model, even in large enterprises.

If you are the chief security officer for a large enterprise that's very dependent on the Web for elements for its operations, then you've got a tremendously complex task. There's an increasing recognition that it's much better to access pools of expertise to get those jobs done, than for everyone trying to become a jack of all trades and inevitably fall behind the state of the art in the technology.

More and more, in large enterprises, but also in smaller businesses, we're seeing people turning to outside providers for expertise and remote management, because that's the most cost effective way to get at the most up-to-date and the most proficient knowledge and capabilities that are out there. So yes, we're going to see more and more of that, spot on.

Gardner: I understand how this is a benefit to end-users -- a simple download and you're protected. I understand how this makes sense for SMBs who are trying to manage PCs across distributed environment, but without perhaps having an IT department or a security expertise on staff. But, I'm not quite sure I understand how this relates now to an additional business model benefit to a reseller or a value-added provider of some kind, perhaps a managed service provider.

Josu, help me understand a little bit better how this technology shift and some of these new products benefit the channel.

Franco: In the current economic times, more and more resellers are looking to add more value to what they are offering. For them, margins, if they're selling hardware or software licenses, are getting tougher to get and are being reduced. So, the way for them to really see the opportunity into this is thinking that they can now offer remote management services without having to invest any amount in what is infrastructure or in any other type of license that they may need.

It's really all based on the SaaS concept. They can now say to the customers, "Okay, from now on, you'll forget about having to install all this management infrastructure in-house. I'm going to remotely manage all the endpoint security for you. I'm going to give you this service-level agreement (SLA), whereby I'm going to check the status of your network twice or three times a week or once a day, and if there is any problem, I can configure it remotely, or I can just spot where the problems are and I can fix them remotely."

This means that for the end user it's going to reduce the operating cost, and for the reseller it's going to increase the margins for the services they're offering. We believe that there is a clear alignment among the interests of end users and partners, and, most importantly, also from our side with the partners. We don't want to replace the channel here. What we want is to become the platform of choice for these resellers to provide these value-added services.

Gardner: Does Panda then lurk behind the scenes, the picks and shovels for solution? Do you allow them to brand around it? Are you an OEM player? How does that work?

Franco: We can certainly play with a certain level of branding. We've been doing so with some large sales that we've made, for example, here in Spain. But, most of them want to start touching and kicking the tires and see if it works. They don't need the re-branding in the first instance, but yes, we've seen some large providers who do want some customization of the interface for their logos, and that's certainly a possibility.

Gardner: We've also seen in the market more diversity of endpoints. We've seen, for cost and convenience, reason to move towards netbooks. Smartphones have certainly been a fast growing part of the mix, despite the tough economy. This model of combining the best of SaaS, the best of cloud, and a small agent coordinating and managing them, strikes me as something that will move beyond the PC into a host of different devices. Am I wrong on that, Phil?

Attacking the smartphones

Wainewright: No, you're absolutely right. One of the scary things is that many of us are carrying around smartphones now. It's only a matter of time before these very capable, intelligent platforms also become vulnerable to the kind of attacks that we've seen on PCs.

On top of that, there is a great deal more support required to make sure that the users get the best out of those devices. Therefore, we're going to see much more of this kind of remote support being provided.

For example, the expertise to support half a dozen different types of mobile devices within our organization is something that the typical small business can't really keep up with. If they're able to access a third-party provider that has got the infrastructure and the experts on how to do that, then it becomes a manageable issue again. So, yes, we're going to see a lot more of this.

Ultimately, it's going to give us a lot more freedom just to be able to get on with our jobs, without having to worry about understanding how the device works, or even worse, working out how to fix it when something goes wrong. Hopefully, there will be much fewer instances when that downtime happens.

Gardner: Well, let's hope that we nip the bud here for this malware on multiple devices in the cloud before it ever gets to the device, and that removes the whole incentive or rationale for trying to create these problems in the first place. So, maybe moving more into the cloud actually starts stanching the problem from its root and core.

Let's move forward now to some of the proof points. We've talked about this in theory. It certainly makes sense to me from an architectural and vision perspective, but what does it mean in dollars and cents? Josu, do you have any examples of organizations that have started down this path -- SMBs perhaps, and/or resellers? How has this affected their bottom line?

Franco: Yes, we do have very good examples of people who have moved along this path. Our largest installation with the Managed Office Protection product is over 23,000 seats in Europe. It's a very large school or education institution, and they're managing their entire network with just a very few people. This has considerably reduced their operating cost. They don't need to travel that much to see what's happening with their systems.

We also have many other examples of our resellers that are actually using this product, not only to manage business spaces, but also managing even consumer spaces. I think that we're going to see a convergence between the world of the consumer and the world of what we call a business.

Moving to the consumer space

Some analyst friends are talking a lot about the consumerization of IT. I think that we'll also see that consumers are going to start using technologies that perhaps we thought belonged in the business space. I'm talking, for example, about the ability for a reseller to centrally manage the PCs of consumers. This is an interesting business model, and we have some examples of this emerging trend. In the US, we have some researchers who are managing thousands of computers from their basement.

So, even though our intention was to position this product for SMBs, we do see that there are some verticalized niches in the market into which this model fits really well. Talking about highly distributed environments, what's more highly distributed than a network of consumers, everyone in their own home, right? So, I think this is definitely something that we're going to see happening more and more in the future.

Gardner: Without going down this very interesting track too much, we're starting to see some CIOs cotton to the notion of letting people pick their end device, but then accessing services back in the enterprise, and with some modest governance and security. It sounds as if a service like this might fill that role.

Then, in addition to the choice of the consumer or end user on device, it seems to me that we're also in a position now for the providers of the bit pipes -- the Internet, telephony, communications, and collaboration -- to start offering the whole package, a PC with security, remediation, protection, and you pay a flat fee per month. Do you think these two things are around the corner, Phil, or maybe three or four years out?

Wainewright: To the previous point, people often think of the consumer Web as completely separate from the business Web. In fact, the reality today is that individual users at home are just as likely to be doing business things or work things on their home PCs as they are to be doing actually home things or even side businesses on their work PCs.

If someone is auctioning off their collection of plastic toys on eBay, then are they an individual consumer or are they a business? The lines are shading. I think what you need to look at is, what is the opportunity cost? If it's going to cost me time that I can't afford, or if it's going to mean that I'm not going to be able to earn money that I could otherwise be earning, then it's going to be worth my while to pay that monthly subscription.

One of the key things that people forget, when they're comparing the cost of a SaaS solution or a Web provided solution to a conventional installed piece of packaged software, is they never look at the resource and time that the user actually spends to get things setup with the packaged software, to fix things when they go wrong, or to do upgrades.

The value that's being created and is being shared out by the vendors and the providers in the SaaS model is that time saving and opportunity cost saving.

Gardner: Now, we have to assume that the security is going to be good, because if it doesn't protect, then that's going to become quite evident. But what we're also talking about, now that I understand it better, Josu, is really we're focusing on simplicity and convenience vis-à-vis these devices, vis-à-vis security, but also in the larger context of the level of comfort, of trust that the device will work, that the network will be supported, and that I'm not going to run into trouble. Is that what we're really talking about here as a value proposition -- simplicity and convenience?

Franco: As you said, it needs to protect. It needs to be very effective at a time when we're seeing really huge amounts of malware coming out every day. So, that's preconditioned. It needs to protect.

But if it's something that is going to be there protecting users, and many users see security as something that they need to live with, it's not truly something that they see as a positive application that they have. It's something that sometimes annoys people. Well, let's make it as simple, as transparent, as fast, as imperceptible as possible, and that's what this is all about.

Gardner: Very good. We've been learning a lot today about PC security and how it can be delivered as a service in conjunction with the cloud-based central management and processing. This architectural approach is now quite prominent for security, and perhaps will become more prominent across other aspects of client device support and convenience and lower cost and higher trust. So a lot of goodness. I certainly hope it works out that way.

Cost and protection benefits, along with productivity benefits, and as a result less downtime, is a good thing. We've looked at it across the spectrum of end users and businesses, resellers, and managed service providers. Helping us understand this we've been joined by our panel. I want to thank them. Phil Wainewright, independent analyst, director of Procullux Ventures, and a ZDNet SaaS blogger. I appreciate your time, Phil.

Wainewright: It's been great to be with you today, Dana.

Gardner: We've also heard from Josu Franco, director of the Business Customer Unit at Panda Security. Thank you, Josu.

Franco: It's been my pleasure, thanks.

Gardner: I also want to thank the sponsor of this discussion, Panda Security, for underwriting its production.

This is Dana Gardner, principal analyst at Interarbor Solutions, thanks for listening, and come back next time.

Transcript of a BriefingsDirect podcast on security as a service and cloud-based anti-virus protection and business models. Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.