Sunday, February 07, 2010

BriefingsDirect Analyst Panelists Peer into Crystal Balls for Latest IT Growth and Impact Trends

Edited transcript of BriefingsDirect Analyst Insights Edition podcast, Vol. 49, with panel of analysts discussing the future of cloud computing, SOA, social networks and the economy.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Charter Sponsor: Active Endpoints.

Special offer: Download a free, supported 30-day trial of Active Endpoint's ActiveVOS at www.activevos.com/insight.

Dana Gardner: Hello, and welcome to the latest BriefingsDirect Analyst Insights Edition, Vol. 49. I'm your host and moderator Dana Gardner, principal analyst at Interarbor Solutions.

This periodic discussion and dissection of IT infrastructure related news and events, with a panel of industry analysts and guests comes to you with the help of our charter sponsor, Active Endpoints, maker of the ActiveVOS business process management system.

Our topic this week hones in on the predictions for IT industry growth and impact, now that the recession appears to have bottomed out. We're going to ask our distinguished panel of analysts and experts for their top five predictions for IT growth through 2010 and beyond.

To help us gaze into the new IT trends crystal ball we are joined by our panel. Please join me in welcoming Jim Kobielus, senior analyst at Forrester Research. Hey, Jim.

Jim Kobielus: Hey, Dana. Hi, everybody.

Gardner: Joe McKendrick, independent analyst and prolific blogger. Howdy, Joe.

Joe McKendrick: Hi, Dana. Very nice to be here.

Gardner: Tony Baer, senior analyst at Ovum. And, Brad Shimmin, principal analyst at Current Analysis. Hi, Brad.

Brad Shimmin: Hey, Dana.

Gardner: Dave Linthicum, CEO of Blue Mountain Labs. Good to have you with us, Dave.

Dave Linthicum: Hey, guys.

Gardner: Dave Lounsbury, vice-president of collaboration services at The Open Group. How do you do, Dave? [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts. See more on the consortium's recent conference in Seattle.]

Dave Lounsbury: Hello, Dana. Happy to be here.

Gardner: Jason Bloomberg, managing partner at ZapThink.

Jason Bloomberg: Good morning, everybody.

Gardner: And, JP Morgenthal, independent analyst and IT consultant. Good to have you with us, JP.

JP Morgenthal: Good to be here.

Gardner: I've decided to do this in a random order this time. So, based on the pick of the short straw, Brad Shimmin, you're up, what are your top five predictions for IT in 2010?

Brad Shimmin

Shimmin: Thanks, Dana. And, I have got a set of five. Obviously, mine are geared toward collaboration and conferencing, so I'll just put that out there as a caveat, but I think it will help if we're going to try to strive for consensus later on.

Let me just begin with the first and most obvious, which is that clouds are going to become less cloudy. Vendors, particularly those in the collaboration space, are going to start to deliver solutions that are actually a blend of both cloud and on-premise.

We've seen Cisco take this approach already with front-ending some web conferencing to off-load bandwidth requirements at the edge and to speed internal communications. IBM, at least technically, is poised to do the same with Foundations, their appliances line, and LotusLive, their cloud-based solution.

With vendors like these that are going to be pulling hybrid, premise/cloud, and appliance/service offerings, it's going to really let companies, particularly those in the small and medium business (SMB) space, work around IT constraints without sacrificing the control and ownership of key processes and data, which in my mind is the key, and has been one of the limiting factors of cloud this year.

Next up, I have "software licensing looks like you." As with the housing market, it's really a buyer's market right now for software. It's being reflected in how vendors are approaching selling their software. Customers have the power to demand software pricing that better reflects their needs, whether it's servers or users.

So, taking cues from both the cloud and the open-source licensing vendors out there, we will see some traditional software manufacturers really set up a "pick your poison" buffet. You can have purchase options that are like monthly or yearly subscriptions or flat perpetual licenses that are based on per seat, per server, per CPU, per request, per processor, or per value unit, with a shout out at IBM there -- or any of the above.

You put those together in a way that is most beneficial to you as a customer to meet your use case. We saw last year with web conferencing software that you could pick between unlimited usage with a few seats or unlimited seats with limited usage. You can tailor what you pay to what you need.

Third for me is the mobile OS wars are going to heat up. I'm all done with the desktop. I'm really thinking that it's all about the Google Chrome/Android. I know there's a little bit of contention there, but Google Chrome/Android, Symbian, RIM, Apple iPhone, Windows Mobile, all those devices will be the new battleground for enterprise users.

I think the weapons will be user facing enterprise apps that work in concert with line-of-business solutions on the back-end. We'll see the emergence of native applications, particularly within the collaboration space, that are capable of fully maximizing the underlying hardware of these devices, and that's really key. Capabilities like geo-positioning, simultaneous web invoice and, eventually, video are really going to take off across all these platforms this year.

Win or lose

But, the true battle for this isn't going to be in these cool nifty apps. It's really going to be in how these vendors can hopefully turn these devices into desktops, in terms of provisioning, security, visibility, governance, etc. That, to me, is going to be where they're going to either win or lose this year.

Four is "The Grand Unification Theory" -- the grand unification of collaboration. That's going to start this year. We're no longer going to talk about video conferencing, web conferencing, telepresence, and general collaboration software solutions as separate concerns. You're still going to have PBXs, video codecs, monitors, cameras, desk phones, and all that stuff being sold as point solutions to fill specific requirements, like desktop voice or room-based video conferencing and the like.

But, these solutions are really not going to operate in complete ignorance of one another as they have in the past. Vendors with capabilities or partnerships spanning these areas, in particular -- I'm pointing out Cisco and Microsoft here -- can bring and will be bringing facets of these together technically to enable users to really participate in collaboration efforts, using their available equipment.

It will be whatever they have at hand. They're not forced to go to a particular room to participate in a conference, for example. They can just pick up their mobile phone or their preferred method of communication, whether they just want to do voice, voice/video, or chat.

And last but not least ... I'm sorry. I'm probably going to get kicked for this, but, because I'm a technical optimist . . . the Google Wave is really going to kick in in 2010. I may be stating the obvious, or I may be stating something that's going to be completely wrong, but I really feel that this is going to be the year that traditional enterprise collaboration players jump headlong into this Google Wave pool in an effort to really cash in on what's already a super-strong mind share within the consumer ranks.

Even though they have limited access to the beta right now, there are over a million users of it that are chunking away at this, writing code and using Wave.

Of course, Google's hosted rendition will excel in supporting consumer tasks like collaborative apps and role playing games. That's going to be big. For enterprise-focused vendors, we're going to see them playing in the waves in a number of ways. They're going to embed them within existing collaborative applications. They're going to enable existing apps to interact with Google Waves.

This is the case with Novell’s recently announced Pulse. You guys saw that. They're going to extend existing apps to make use of wave-like capabilities. They're going to create some competitive functionality that looks like a Google Wave but isn't a Google Wave, and doesn't really care what Google is doing with Wave. And that's it, Dana.

Gardner: Well, Brad, that was an excellent list. If I can plumb through this a little bit, it sounds like we are going to be using Google Wave to do unified collaboration on a mobile operating system, coming from the cloud and we are going to get to negotiate for the price we will pay for it.

Shimmin: Perfect. You strung them together like jewels on a thread. Thanks.

Gardner: Dave Linthicum, you're up next. What are your top five?

Dave Linthicum

Linthicum: My top five are going to be, number one, cloud computing goes mainstream. That's a top prediction, I'm just seeing the inflection point on that.

I know I'm going out on the edge on this one. Go to indeed.com and do a search on the cloud-computing job postings. As I posted on my InfoWorld blog a few weeks ago, it's going up at an angle that I have never seen at any time in the history of IT. The amount of growth around cloud computing is just amazing. Of course, it's different aspects of cloud computing, not just architecture, with people who are cloud computing developers and things like that.

The Global 2000 and the government, the Global 1, really haven't yet accepted cloud computing, even though it's been politically correct for some time to do so. The reason is the lack of control, security concerns, and privacy issues, and, of course, all the times the cloud providers went down. The Google outages and the loss of data with T-Mobile haven't really helped, but ultimately people are gearing up, hiring up, and training up for cloud computing.

We are going to see a huge inflection point in cloud computing. This can be more mainstream in Global 2000 than it has been in the past. It's largely been the domain of SMBs, pilot projects, things like that. It's going to be a huge deal in 2010 and people are going to move into cloud computing in some way, shape, or form, if they are in an organization.

That's going to continue going forward. I don’t think we are going to outsource everything as a cloud, but, in the next five years, there is going to be a good 10-20 percent existing on the cloud, which is huge.

The next is privacy. I’ll shift gears a bit. Privacy becomes important. Facebook late last year pulled a little trick, where they changed the privacy settings, and you had to go back and reset your privacy settings. So, in essence, if you weren’t diligent about looking at the privacy settings within your Facebook account and your friends list, your information was out on the Internet and people could see it.

The reason is that they're trying to monetize people who are using Facebook. They're trying to get at the information and put the information out there so it's searchable by the search engines. They get the ad revenue and all the things that are associated with having a big mega social media site.

People are pushing back on that now. They’ve had it. They really don’t want all of their information out there on the Internet, who their friends are, who they are dating, all these sorts of things. They want it secured. I think the rank and file are going to demand that regulations be set.

People are going to move away from these social media sites that post their private information, and the social media sites are going to react to that. They're going to change their policies by the end of 2010, and there's going to be a big uproar at first.

Cloud crashes

Next, the cloud crashes make major new stories. We've got two things occurring right now. We've got a massive move into the cloud. That was my first prediction. We have the cloud providers trying to scale up, and perhaps they’ve never scaled up to the levels that they are going to be expected to scale to in 2010. That's ripe for disaster.

A lot of these cloud providers are going to overextend and oversell, and they're going to crash. Performance is going to go down -- very analogous to AOL's outage issues, when the Internet first took off.

We're going to see people moving to the cloud, and cloud providers not able to provide them with the service levels that they need. We're going to get a lot of stories in the press about cloud providers going away for hours at a time, data getting lost, all these sorts of things. It's just a matter of growth in a particular space. They're growing very quickly, they are not putting as much R&D into what these cloud systems should do, and ultimately that's going to result in some disasters.

Next, Microsoft becomes cloud relevant. Microsoft, up to now, has been the punch line of all cloud computing. It had the Azure platform out there. They've had a lot of web applications and things like that. They really have a bigger impact in the cloud than most people think, even though when we think of cloud, we think of Amazon, Google, and larger players out there.

With Azure coming into its own in the first quarter of next year and the rise of their office automation applications for the cloud, you are going to see a massive amount of people moving to the Microsoft platform for development, deployment, infrastructure, and the office automation application. The Global 2000 that are already Microsoft players and the government that has a big investment in Microsoft are going to move in that direction.

Suddenly, you're going to see Microsoft with a larger share of the cloud, and they're going to be relevant very quickly. In the small- and medium-sized business, it's still going to be the domain of Google, and state and local governments are still going to be the domain of Google, but Microsoft is going to end up ruling the roost by the end of 2010.

Finally, the technology feeding frenzy, which is occurring right now. People see the market recovering. There is money being put back into the business. That was on the sidelines for a while. People are going to use that money to buy companies. I think there is going to be a big feeding frenzy in the service-oriented architecture (SOA) world, in the business intelligence (BI) world, and definitely in the cloud-computing world.

Lots of these little companies that you may not have heard about, which may have some initial venture funding, are suddenly going to disappear. Google has been taking these guys out left and right. You just don’t hear about it. You could do a podcast just on the Google acquisitions that have occurred this week. That's going to continue and accelerate in 2010 to a point where it's almost going to be ridiculous. Well, with that, Dana, those are my predictions.

Gardner: Excellent, Dave. We appreciate that. Let's go to the other Dave today. This is Dave Lounsbury. Tell us please, from your perspective at The Open Group, what your top five predictions are?

Dave Lounsbury

Lounsbury: I'm going to jump on the cloud bandwagon initially. We’ve seen huge amounts of interest across the board in cloud and, particularly, increasing discussions about how people make sense of cloud at the line-of-business level.

Another bold prediction here is that the cloud market is going to continue to grow, and we'll see that inflection point that Dave Linthicum mentioned. But, I believe that we're going to see the segmentation of that into two overarching markets, an infrastructure-as-a-service (IaaS) or platform-as-a-service (PaaS) market and a software-as-a-service (SaaS) market. So that's my number one prediction.

We'll see the continued growth in the acceptance by SMBs of the IaaS and PaaS for the cost and speed reasons. But, the public IaaS and PaaS are going to start to become the gateway drug for medium- to large-size enterprises. You're going to see them piloting in public or shared environments, but they are going to continue to move back towards that locus of controlling their own resources in order to manage risk and security, so that they can deliver their service levels that their customers expect.

My third prediction, again in cloud, is that SaaS will continue to gain mainstream acceptance at all levels in the enterprise, from small to large. What you’ll see there is a lot of work on interfaces and APIs and how people are going to mash up cloud services and bring them into their enterprise architectures.

This is actually going to be another trend that Dave Linthicum has mentioned as a blurring of a line between SaaS and SOA at the enterprise level. You’ll see these well on the way to emerging as disciplines in 2010.

The fourth general area is that all of this interest in cloud and concern about uptake at the enterprise level is going to drive the development of cloud deployment and development skills as a recognized job function in the IT world, whether it's internal to the IT department or as a consultancy. Obviously, as a consultancy, we look to the cloud to provide elasticity of deployment and demand and that's going to demand an elastic workforce.

So the question will be how do you know you are getting a skilled person in that area. I think you'll see the rise of a lot of enterprise-level artifacts such as business use cases, enterprise architecture tools, and analytic tools. Potentially, what we'll see in 2010 is the beginning of the development of a body of knowledge: practitioners in cloud. We'll start to recognize that as a specialty the way we currently recognize SOA as a specialty.

Of course, all of this is set against the context that all distributed computing activities are set against, which is security and privacy issues. I don't know if this is a prediction or not, but I wonder whether we're going to see our cloud harbor in 2010 its first big crash and the first big breach.

We've already mentioned privacy here. That's going to become increasingly a public topic, both in terms of the attention in the mainstream press and increasing levels of government attention.

There have been some fits and starts at the White House level about the cyber czar and things like that, but every time you turn around in Washington now, you see people discussing cyber security. How we're going to grow our capability in cyber security and increasing recognition of cyber security risk in mainstream business are going to be emerging hot topics of 2010.

Gardner: Thanks so much. Next up, Jim Kobielus. Tell us where you see things going in 2010. Your top five, please?

Jim Kobielus

Kobielus: Yes, my top five in 2010. In fact, I blogged that yesterday. I blogged six yesterday, but I'll boil it down to five and I'll make them even punchier. It's only going to be focused on analytics, my core area.

Number one: IT more or less gives up BI. Let me constrain that statement. IT is increasingly going to in-source much of BI development of reports, queries, dashboards, and the like to the user through mashup self-service approaches, SaaS, flexible visualization, and so forth, simply because they have to.

IT is short staffed. We're still in a recession essentially. IT budgets are severely constrained. Manpower is severely constrained. Users are demanding mashups and self-service capabilities. It's coming along big time, not only in terms of enterprise deployment, but all the BI vendors are increasingly focused on self-service solution portfolios.

Number two: The users who do more of the analytics development are going to become developers in their own right. That may sound crazy based on the fact that traditionally data mining is done by a cadre of PhD statisticians and others who are highly specialized.

Question analysis, classification and segmentation, and predictive analytics are coming into the core BI stack in a major way. IBM's acquisition of SPSS clearly shows that not only is IBM focusing there, but other vendors in this space, especially a lot of smaller players, already have some basic predictive analytics capabilities in their portfolios or plan to release them in 2010.

Basically, we're taking data mining out of the hands of the rocket scientists and giving it to the masses through very user-friendly tools. That's coming in 2010.

Number three: There will be an increasing convergence of analytics and transactional computing, and the data warehouse is the hub of all that. More and more transactional application logic will be pushed down to be executed inside of the data warehouse.

The data warehouse is a greater cloud, because that's where the data lives and that's where the CPU power is, the horsepower. We see Exadata Version 2 from Oracle. We see Aster Data nCluster Version 4.0. And, other vendors are doing similar things, pointing ahead to the coming decade, when the data warehouse becomes a complete analytic application server in its own right -- analytics plus transaction.

Predictive analysis

Number four: We're seeing, as I said, that predictive analytics is becoming ever more important and central to where enterprises are going with BI and the big pool of juicy data that will be brought into predictive models. Much of it is coming from the whole Web 2.0 sphere and from social networks -- Twitters, Facebooks and the like, and blogs. That's all highly monetizable content, as Dave Linthicum indicated.

We're seeing that social network analysis has a core set of algorithms and approaches for advanced analytics that are coming in a big way to data mining tools, text analytics tools, and to BI. Companies are doing serious marketing campaign planning, optimization, and so forth, based on a lot of that information streaming in real-time. It's customer sentiment in many ways. You know pretty much immediately whether your new marketing campaign is a hit or a flop, because customers are tweeting all about it.

That's going to be a big theme in 2010 and beyond. Social network analysis really is a core business intelligence for marketing and maintaining and sustaining business in this new wave.

And, finally, number five: Analytics gets dirt cheap. Right now, we're in the middle of a price war for the enterprise data warehousing stack hardware and software. Servers and storage, plus the database licenses, query tools, loading tools, and BI are being packaged pretty much everywhere into appliances that are one-stop shopping, one throat to choke, quick-deploy solutions that are pre-built.

Increasingly, they'll be for specific vertical and horizontal applications and will be available to enterprises for a fraction of what it would traditionally cost them to acquire all those components separately and figure it out all themselves. The vendors in the analytics market are all going appliance. They're fighting with each other to provide the cheapest complete application on the market.

You can see what Oracle has already done with Exadata Version 2, 20K per usable terabyte. We see other vendors packaging even more functionality into these appliances and delivering them to mid-market and large enterprises. Small companies can deploy a complete analytics environment with BI, ETL, and everything for much less than they could just a few years ago.

And, one last thing. There is a cloud twist in everything I am describing or discussing here. Analytics gets dirt cheap, and even more so, as more of this functionality is available in the cloud. We're seeing a boom of SaaS-based BI and data warehousing vendors. In the coming years, pay-as-you-go, subscription-based, low risk, fund it out of OpEx rather than CapEx, is coming to analytics everywhere. So, that will be a huge trend in the coming year.

Gardner: Thanks Jim. Next, we're going to Joe McKendrick. Joe, what's your top five for 2010?

Joe McKendrick

McKendrick: Thanks, Dana. You also gave us the option to talk about the decade ahead, and I was thinking whether I should talk about the year ahead or the decade ahead. It occurred to me that just as we had a 2000 problem a decade ago, we now have a year 2012 problem. I just saw the movie 2012 a couple of weeks ago. The world is going to end and it's going to get flooded.

Gardner: So, the cloud is going to be big, dark, and made of soot. That's it. It's all over. We are all going to – cloud.

McKendrick: Exactly. I might have some arks floating around, and you worry about the IT systems on those arks.

Gardner: Well, you are a pessimist. Back down to earth.

McKendrick: Back down to earth. Okay, 2010. My world, of course, is SOA, and the big question for 2010 is what will Anne Thomas Manes have to say about SOA to start off the year?

Gardner: What's dead this year?

McKendrick: Right. In the first week of this year, Anne came out and said that SOA is dead. That caused a lot of angst, anxiety, discussion, and brooding for pretty much the entire year. It really had an impact.

Gardner: It kept you in page views.

McKendrick: Yeah, thanks, Anne. So, I am hoping Anne will come out with something good at the beginning of 2010. She'll probably say that SOA is still dead. That's my prediction.

Gardner: What is the state of SOA in 2010, Joe?

McKendrick: Part of it will be tied into the economy. By all indications, 2010 is going to be a growth year in the economy. We're probably in this V shape. See, I'm actually an optimist, not a pessimist. The world may end in 2012, but for 2010, we're going to have a great economy. It's going to move forward.

What happened with SOA? SOA really proved itself through 2009. I know a lot of instances where companies had a service-oriented culture, had flexibility, had visibility into their applications, their services, and their data. This played a great role in helping them pull through in terms of visibility into the supply chains and logistics. I know of a home builder -- and that's a tough industry -- where a SOA implementation really increased its sales turnaround time and enabled it to tighten up, be more efficient, and pull through this economic dark hole we went through.

I think 2010 will be a year of growth. As I said in a previous podcast, we had these economic downturns: 2000-2001, 1990-1991, 1981-82. These downturn periods were always followed by periods of spectacular growth, especially in terms of technology -- and usually a huge paradigm shift in technology.

It's hard to say what. Nobody at the time of those downturns could have predicted what was ahead. Nobody predicted the dot-com boom back in 1992. But, what we're seeing is the service-oriented thinking. It's not just IT. It's service-oriented across the board -- the idea of the loosely coupled business, businesses that could start on a shoestring budget in IT, thanks to the availability of cloud, and move forward in the market.

Ten years ago, we saw the rise of e-commerce. For this decade, we're looking forward to the rise of something called "social commerce," where the markets are user-driven and are conversations. To use the quote from the book "The Cluetrain Manifesto," markets will be driven by users who interact with each other. Companies that will succeed and get ahead will encourage this social commerce, the interaction with customers over social networking sites.

Gardner: Alright, Joe, I'm confused. Are we still on the number one prediction, or are you on number two?

McKendrick: That was my number one prediction, the impact of the economy. We're going to start seeing some new paradigms rising. Folks here talk about cloud computing.

The new normal

Number two: Cloud computing. We’ve all been talking about that. That's the big development, the big paradigm shift. Clouds will be the new "normal." From the SOA perspective, we're going to be seeing a convergence. When we talk about cloud, we're going to talk about SOA, and the two are going to be mapped very closely together.

Dave Linthicum talks a lot about this in his new book and in his blog work. Services are services. They need to be transparent. They need to be reusable and sharable. They need to cross enterprise boundaries. We're going to see a convergence of SOA and cloud. It’s a service-oriented culture.

Number three: Google is becoming what I call the Microsoft of the clouds. Google offers a browser and email. It has a backend app engine. It offers storage. They're talking about bringing out an OS. Google is essentially providing an entire stack from which you can build your IT infrastructure. You can actually build a company’s IT infrastructure on the back of this. So, Google is definitely the Microsoft of the cloud for the current time.

Microsoft is also getting into the act as well with cloud computing, and they are doing a great job there. It’s going to be interesting to see what happens. By the way, Google also offers search as a capability.

Gardner: Is there anything that Google won’t do? That’s the easier list. What won’t Google get into this year?

McKendrick: They probably won’t get into building and selling hardware.

Gardner: I heard about a phone they’re into selling. Are they in partnership with a phone?

McKendrick: Right, with Verizon, but it's the only thing they won’t really touch.

Gardner: My prediction is that they won’t get into snow plowing. Google will not get into snow plowing in 2010. That’s my only safe bet.

McKendrick: That’s probably about it.

Number four: We're going to see less of a distinction between service providers and service consumers over clouds, SOA, what have you. That's going to be blurring. Everybody will be providing and publishing services, and everybody will be consuming services.

You're going to see less of a distinction between providers and consumers. For example, I was talking to a reinsurance company a few months back. They offer a portal to their customers, the customers being insurance companies. They say that they offer a lot of analytics capabilities that their customers don’t have, and the customers are using their portal to do their own analytic work.

They don’t call it cloud. Cloud never entered the conversation, but this is a cloud. This is a company that’s offering cloud services to its consumers. We're going to see a lot of that, and it’s not necessarily going to be called cloud. You're not going to see companies saying, "We're offering clouds to our partners." It’s just going to be as the way it is.

Number five: In the enterprise application area, we've seen it already, but we're going to see more and more pushback against where money is being spent. As I said, the economy is growing, but there is going to be a lot of attention paid to where IT dollars are going.

I base this on a Harvard Medical School study that just came out last month. They studied 4,000 hospitals over a three-year period and found that, despite hundreds of millions of dollars being invested in IT, IT had no impact on hospital operations, patient care quality, or anything else.

Gardner: And, that’s why I don’t go to hospitals.

McKendrick: There are ramifications for other industries as well. What’s the impact of all this IT expenditure? Ultimately, this may help the cloud model in the long run. Okay, that's my five.

Gardner: Excellent. Let’s go to JP Morgenthal. What are your top five predictions, JP?

Morgenthal: First, I'm going to predict that Microsoft, Oracle, Google, IBM -- none of them are going to be supporting Tiger Woods as a sponsor next year.

Gardner: Another risk-taker.

Morgenthal: Sorry, man. I had to throw it out there. It was just sitting there, and no one else picked it up, like a $100 bill on the street. Okay, number one: Cyber security. As someone stated earlier, it's interesting what’s going on out there. I am beginning to understand how little people actually understand about the differences between what security is and what information assurance is, and how little people realize that their systems are compromised and how long it takes to eliminate a threat within an organization.

Because of all of this connectedness, social networking, and cloud, a lot of stuff is going to start to bubble up. People who thought things were taken care of are going to learn that it wasn’t taken care of, and there will be a sense of urgency about responding to that. We're going to see that happen a lot in the first half of 2010.

Number two: Mobile. The mobile platforms are now the PC of yesterday, right? The real battle is for how we use these platforms effectively to integrate into people’s lives and allow them to leverage the platform for communications, for collaboration, and to stay in touch.

My personal belief is that it overkills information overlook, but that’s me. I know that everywhere I go, I see people using their iPhones and flicking through their apps. So, they hit upon a market segment, a very large market segment, that actually enjoys that. Whether small people like me end up in a cave somewhere, the majority of people are definitely going to be focused on the mobile platform. That also relates to the carriers. I think there's still a carrier war here. We've yet to see AT&T and iPhone in the US break apart and open up its doors to other carriers.

Gardner: Let that happen in 2010.

Morgenthal: We all say that, but this is a fertile ground for priming what’s been a notoriously dead pump. Two years ago, I wrote a blog entry about what happens to technology in an era where the economy is down? It seems everywhere I go, people are willing to spend a lot of money on their data plan. So, that’s a good sign for telecoms.

Gardner: Yeah, the human species has spoken. They like mobile and they like ubiquitous broadband, and that’s not going to change, right?

Morgenthal: I agree with you. But the question is, should people pay for it or should the government give it to you free? In the US, I hear a lot of social groups saying, "Hey, everybody should have broadband like it’s electricity."

Gardner: So, maybe Tiger Woods pays for everybody’s broadband for six months. He's got the money to do it, and then everybody will forget about this marriage thing.

BI and analytics

Morgenthal: I think you’ve got a new business model. Number three: Business intelligence and analytics, especially around complex event processing (CEP). CEP is still in an immature state. It does some really interesting things. It can aggregate and correlate. It really needs to go to that next step and help people understand how to build models for correlation. That’s going to be a difficult step.

As somebody was saying earlier, you had these little Poindexters sitting in the back room doing the stuff. There's a reason why the Poindexters were back there doing that. They understand the math and the formulas that underlie building these analytical models. Teaching your average USA Today reader how to build an analytical model is akin to teaching everybody how to write programs by drawing pictures. It still hasn’t happened. There's a reason why.

Gardner: So, you are saying that this is a year of CEP, that’s your stake in the ground?

Morgenthal: CEP and analytics -- and the two tied together. You’ll see that the BI, and data aspects of the BI, side will integrate with the CEP modeling to not only report after the fact on a bunch of raw data, but almost be proactive, and try to, as I said in my blog entry, know when the spit hits the fan.

Gardner: Right. So, at this time next year, I won’t be having analysts on to predict that what’s going to happen in 2011. We’ll just plug it into a CEP engine and we’ll get all the right answers.

Morgenthal: That’s assuming you could find the right people to program it, which is a whole other issue. I had done as my number five, so I’ll save that, but number four is collaboration. We’ve crossed the threshold here. People want it. They're leveraging it.

I've been seeing some uptake on Google Wave. I think people are still a little confused by the environment, and the interaction model is not quite there yet to really turn it on its ear, but it clearly is an indication that people like large-scale interactions with large groups of people and to be able to control that information and make it usable. Google is somewhat there, and we'll see some more interesting models emerge out of that as well.

Gardner: So, is there another way to say that, JP, which is the people stop living in their email and start living in something more like Google Wave?

Morgenthal: I don't see them doing that and wouldn't predict that, but they are clamoring for collaboration, and I think the market will respond.

Gardner: Alright.

Morgenthal: New and innovative ways to collaborate.

Gardner: Alright, number five for you.

Morgenthal: Labor. We're at a point where the market is based on all these other things based on the cloud. We had a lot of disruptive technologies hit in the past five years -- enterprise mashups, SOA, and cloud computing. The labor market has not caught up to take advantage of these tools, design them, architect the solutions properly, and deploy and manage them.

I think that 2010 has to be a year for training, rebuilding, and getting some of those skills up. Today, you hear a lot of stories, but there is a large gap for any company to be able to jump into this. Skills are not there. The resources are not there and they are not trained. That's going to be a huge issue for us in 2010.

Gardner: Thanks. We're on to our next analyst prediction, and that would be with Jason Bloomberg. Jason, what are your top five?

Bloomberg: Thanks for getting to me, Dana. I'm going to be a bit of the naysayer of the bunch. We work primarily with enterprise architects now, so we are on the demand side more than the supply side for IT capabilities. So, our perspective is colored through the glasses of the architect.

Dana, you asked us for not just the one- or 10-year predictions, but also positive and negative. So, my first four are things that I predict won't happen, and we can fill in the blanks in terms of what will happen.

First of all, sorry, Dave, I just don't see cloud computing striking it big in 2010. When we talk to enterprise architects, we see a lot of curiosity and some dabbling. But, at the enterprise scale, we see too much resistance in terms of security and other issues to put a lot of investment into it. It's going to be gradually growing, but I don't see such a point coming as soon as you might like.

Small organizations are a different story. We see small organizations basing their whole business models on the cloud, but at the enterprise level, it's sort of a toe in the water, and we see that happening in 2010.

Another thing we don't see really taking off in any big way is Enterprise 2.0. That is Web 2.0 collaborative technologies for the enterprise. You know, "Twitter On Steroids," and that kind of thing. Again, it's going to be more of a toe in the water thing. Collaborative technologies are maturing, but we don't see a huge paradigm shift in how collaboration is done in the enterprise. It's going to be more of a gradual process.

Another thing that we are not seeing happening in 2010 is CIOs and other executives really getting the connection between business process management (BPM) and SOA. We see those as two sides of the same coin. Architects are increasingly seeing that in order to do effective BPM you have to have the proper architecture in place. But, we don't see the executives getting that and putting money where it belongs in order to effect more flexible business process. So, this is another work in progress, and it's going to be a struggle for architects to make progress over the course of the year.

Gardner: Alright, Jason, would today's announcement that IBM is acquiring Lombardi be a buttress to your point there?

Bloomberg: Well, that's a software story at this point. It's not a best practice story. IBM, being on the supply side, is attempting to push products like this into the market and they have this strategy for integrating the Lombardi technology with their existing technology. That doesn't necessarily mean that, from the buyer perspective, they see the full connection of how BPM and how SOA fit together and how leveraging architecture will support the business process optimization efforts in the enterprise.

So, tools are there and the tools are maturing, but as far as the demand, I see it growing slowly in fits and starts, as people figure out the role architecture plays.

Gardner: Okay, next one please.

Bloomberg: As far as the end of the recession, yeah, we're all hoping that the economy picks up, and I do see that there is going to be a lot of additional activity as a result of an improving economy, but I don't see a huge uptake in spending on software per se.

Spending in IT is going to go up, but in terms of what the executives are going to invest in, they're going to be very careful about purchasing software. That's going to drive some money to cloud-based solutions, but that's still just a toe in the water as well.

Software vendors were hoping for a huge year, but they're going to be disappointed. It's going to be a growth year, but it's going to be moderate growth for the vendors.

Gardner: So that must be why Oracle bought Sun, right?

Bloomberg: Well, we'll have to see. There's been a lot of press on their core strategy in terms of what they are trying to do. Clearly, consolidation is in the cards. I'd agree with that. Part of that is because there are only so many software dollars to go around, and that's going to continue to be the case for a while.

Gardner: Okay, thank you. What’s your next point?

Bloomberg: Those are my first four. Those are the negatives. Not to be too negative, in terms of the positive, what we see happening in 2010 is increased focus on "MSW." You know what MSW is, right? Politely speaking it's "Make Stuff Work." Of course, you could put a different word in there for the S, but Make Stuff Work, that's what we see the architects really focusing on.

They have a good idea now of what SOA is all about. They have a good idea about how the technology fits in the story and the various technologies that have been mentioned on this call, whether it's analytics, data management, SaaS, and the cloud-based approaches. Now, it's time to get the stuff to work together, and that's the real challenge that we see.

SOA-Plus

The SOA story is no longer an isolated story. We're going to do SOA, let's go do SOA. But, it's SOA plus other things. So, we're going to do SOA, BPM, and the architecture driving that, despite the fact that the CIO may not quite connect the dots there.

SOA plus master data management (MDM) -- it's not one or the other now. It's how we get those things to work together. SOA plus virtualization. That's another challenge. Previously, those conversations were separate parts of the organization. We see more and more conversations bringing those together.

SOA and SaaS -- somebody already mentioned that SaaS is one segment of the cloud category. It's little more mature than the rest. We see more organizations understanding the connection between those two and trying to put them together.

Gardner: Are you saying that we're seeing services orientation of the enterprise?

Bloomberg: You can put it that way, and we like putting it that way, because we're the SOA guys. It depends on who you talk to whether the people in the organization see it that way or, rather, see that there's a role for architecture as part of how you do things right. When we talk about architecture broadly, we're just talking about general best practices.

If you think about governance, for example, as a core set of best practices for running an organization, the key best practice is for it to be architecture driven, and that simply means best-practice driven. So, you can think of architecture as a way of codifying and communicating IT best practices as well as organizational best practices for leveraging IT.

We see that becoming more prevalent over time, as organizations understand the importance of connecting architectural best practices with the other things they're doing.

Before, we had this disconnect. We'll do middleware and we'll do SOA, but we don't really see the connection where we confuse one for the other, and that was a big issue. A large part of why Anne Manes said SOA was dead was because we were confusing SOA with the software enablers that vendors were trying to sell them. With the SOA label on the box, they opened the box and said, "Where's my SOA? I don't get it."

Well, organizations are getting that. Now, they're seeing that there is a connection, and they're trying to get this stuff to work together. In the enterprise context where it's heterogeneous, it needs to scale. It’s broad based, and there are a lot of moving parts. No one piece of the story is the whole story anymore. It's going to be a heterogeneity story in the enterprise and how we actually get this stuff to work together.

Gardner: A services-oriented whole greater than the sum of the IT parts?

Bloomberg: Yeah. We're happy to call this services-oriented, even though the organization, as a whole, may call it a variety of different things, depending on the perspective of the individual.

Gardner: Great. Thanks so much. Okay, last but not least, Tony Baer, are you still out there? Thanks for your patience.

Tony Baer: I am here, present, and I am alive.

Gardner: You have to be quick, because we're almost out of time. What are your top five, Tony?

Baer: Not a problem. I’ll make it very, very quick. Actually, I am just going to add various comments. On cloud and virtualization, basically I agree with Jason, and I don't agree with David or with Joe. It’s not going to be the "new normal." We're going to see this year an uptake of all the management overhead of dealing with cloud and virtualization, the same way we saw with outsourcing years back, where we thought we'd just throw labor costs over the wall.

Secondly, JP, I very much believe that there is going to be convergence between BI and CEP this year. I agree with him that there's not going to be a surge of Albert Einsteins out there. On the other hand, I see this as a golden opportunity for vendors to package these analytics as applications or as services. That's where I really see the inflection curve happening.

Number three: Microsoft and Google. Microsoft will be struggling to stay relevant. Yes, people will buy Windows 7, because it's not Vista. That’s kind of a backhanded compliment to say, "We're buying this, because you didn't screw up as badly as last time." It doesn't speak well for the future.

Google meets a struggle for focus. I agree with Joe that they are aspiring to be the Microsoft of the cloud, but it may or may not be such a good thing for Google to follow that Microsoft model.

Finally, I agree with Jim that you are going to see a lot more business-oriented, whether it's BI, BPM, or IBM buying Lombardi. I hope they don't mess up Lombardi and especially I hope they don't mess up Blueprint. I've already blogged about that.

One other point -- and I don't know if this fits into a top five or not -- but I found what Joe was talking about very interesting in terms of the let-down on health-care investment in IT. There's going to be a lot of pushing in electronic medical records (EMR) this year. I very much believe in EMRs, but, on the other hand, they are no panacea. We're going to see a trough of disillusionment happen on that as well.

I don't know if that's fast, but that's my story and I am sticking to it.

Gardner: Well, that was great, very zippy, I appreciate that and I'm afraid we're out of time. I want to thank our guests and our panel for these very insightful predictions. It's going to be a fun year. Everything from Google and snow plowing to cheap, but not private and not secure, cloud -- a lot to look forward to.

Let me again thank our panel, Jim Kobielus, senior analyst of Forrester Research, thank you so much.

Kobielus: Have a good, happy new year everybody.

Gardner: Joe McKendrick, independent analyst and prolific blogger. Thank you, sir.

McKendrick: Thank you and looking forward to a great 2010.

Gardner: Tony Baer, senior analyst at Ovum, thank you.

Baer: Yes, thanks.

Gardner: Great insights from Brad Shimmin, principal analyst at Current Analysis. Thanks.

Shimmin: Thanks much, Dana.

Gardner: Dave Linthicum, CEO of Linthicum Group, again appreciating your insights.

Linthicum: Thanks, everybody.

Gardner: Dave Lounsbury, vice president, collaboration services at The Open Group, thanks so much for joining us.

Lounsbury: Thank you, Dana.

Gardner: Jason Bloomberg, managing partner at ZapThink. Very good. I appreciate your input.

Bloomberg: Thanks, Dana.

Gardner: And JP Morgenthal, independent analyst and IT consultant. Thank you, sir.

Morgenthal: Thank you, Dana. Thank you for inviting me. It's always a pleasure to be with this group.

Gardner: And, I would like to thank our sponsors for the BriefingsDirect Analyst Insights Edition, Active Endpoints.

This is Dana Gardner, principal analyst at Interarbor Solutions. Thanks for listening, and come back next time. Have a great and happy new year.

Edited transcript of BriefingsDirect Analyst Insights Edition podcast, Vol. 49, with panel of analysts discussing the future of cloud computing, SOA, social networks and the economy. Copyright Interarbor Solutions, LLC, 2005-2010. All rights reserved.

Saturday, February 06, 2010

ISM3 Brings Greater Standardization to Security Measurement Across Enterprise IT

Transcript of a sponsored BriefingsDirect podcast on ISM3 and emerging security standards recorded live at The Open Group’s Enterprise Architecture Practitioners Conference in Seattle.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: The Open Group.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion coming to you from The Open Group’s Enterprise Architecture Practitioners Conference in Seattle on Feb. 2, 2010.

We've assembled a panel to examine the need for IT security to run more like a data-driven science, rather than a mysterious art form. Rigorously applying data and metrics to security can dramatically improve IT results and reduce overall risk to the business.

By employing and applying more metrics and standards to security, the protection of IT becomes better, and the known threats can become evaluated uniformly. People can understand better what they are up against, perhaps in close to real-time. They can know what's working -- or is not working -- both inside and outside of their organization.

Standards like Information Security Management Maturity Model (ISM3) are helping to not only gain greater visibility, but also allowing IT leaders to scale security best practices repeatably and reliably.

We're here to determine the strategic imperatives for security metrics, and to discuss how to use them to change the outcomes in terms of IT’s value to the business.

Please join me in welcoming a security executive from The Open Group, as well as two experts on security who are presenting here at the Security Practitioners Conference. I want to welcome Jim Hietala, Vice President for Security at The Open Group. Hi, Jim.

Jim Hietala: Hi Dana.

Gardner: We are also here with Adam Shostack, co-author of The New School of Information Security. Welcome, Adam.

Adam Shostack: Hey, Dana. Great to be here.

Gardner: And also Vicente Aceituno, director of the ISM3 Consortium. Welcome.

Vicente Aceituno: Thank you very much.

Gardner: Now that we have got a sense of this need for better metrics and better visibility, I wonder if I could go to you, Jim. What is it to be a data-driven security organization, versus the alternative?

Hietala: In a sentence, it's using information to make decisions, as opposed to what vendors are pitching at you or your gut reaction. It's getting a little more scientific about gathering data on the kinds of attacks you're seeing and the kinds of threats that you face, and using that data to inform the decisions around the right set of controls to put in place to effectively secure the organization.

Gardner: Is it fair to say that organizations are largely not doing this now?

All over the map

Hietala: It's probably not a fair characterization to say that they're not. A presentation we had today from an analyst firm talked about people being all over the map. I wouldn’t say there's a lot of rigor and standardization around the kinds of data that’s being collected to inform decisions, but there is some of that work going on in very large organizations. There, you typically see a little more mature metrics program. In smaller organizations, not so much. It's a little all over the map.

Gardner: Perhaps it's time to standardize this a little bit?

Hietala: We think so. We think there's a contribution to make from The Open Group, in terms of developing the ISM3 standard and getting it out there more widely.

Gardner: Adam, what, in your perception, is different now in terms of security than say two, three, or four years ago?

Shostack: The big change we've seen is that people have started to talk about the problems that they are having, as a result of laws passed in California and elsewhere that require them to say, "We made a mistake with data that we hold about you," and to tell their customers.

We've seen that a lot of the things we feared would happen haven't come to pass. We used to say that your company would go out of business and your customers would all flee. It's not happening that way. So, we're getting an opportunity today to share data in a way that’s never been possible before.

Gardner: Is it fair to say we are getting real about security?

Shostack: We've been real about security for a long time, but we have an opportunity to be a heck of a lot more effective than we have been. We can say, "This control that we all thought was a really good idea -- well, everyone is doing it, and it's not having the impact that we would like." So, we can reassess how we're getting real, where we're putting our dollars.

Gardner: Vicente, perhaps you could help us understand the application of metrics and data for security with external factors, and then internal. What's the difference?

Aceituno: Well, you can only use metrics to manage internal factors, because metrics are all about controlling what you do and being able to manage the outputs that you produce and that contribute value to the business.

I don’t think it brings a bigger return on investment (ROI) to collect metrics on external things that you can't control. It’s like hearing the news. What can you do about it? You're not the government or you're not directly involved. It's only the internal metrics that really make sense.

Gardner: From your perception, what needs to be a top priority in terms of this data-driven approach to security inside your own organization?

What you measure

Aceituno: The top priority should be to make sure that the things you measure are things that are contributing positively to the value that you're bringing to the business as an information security management (ISM) practitioner. That’s the focus. Are you measuring things that are actually bringing value or are you measuring things that are fancy or look good?

Gardner: We've heard "fit for purpose" applied to some other aspects of architecture and IT. How does this notion, being fit for purpose, apply to your security efforts?

Aceituno: Basically, we link business goals, business objectives, and security objectives in a way that’s never been done before, because we are painfully detailed when we express the outcomes that you are supposed to get from your ISM system. That will make it far easier for practitioners to actually measure the things that matter.

Gardner: We've been talking fairly generally about metrics and data. Jim, what do we really talk about? What are we defining here? Is this about taxonomy and categories, metadata, all the above -- or is there something a bit more defined that we're trying to measure?

Hietala: There's some taxonomy work to be done. One of the real issues in security is that when I say "threat," do other people have the same understanding? Risk management is rife with different terms that mean different things to different people. So getting a common taxonomy is something that makes sense.

The kinds of metrics we're collecting can be all over the map, but generally they're the things that would guide the right kind of decision making within an IT security organization around the question, "Are we doing the right things?"

Today, Vicente used an example of looking at vulnerabilities that are found in web applications. A critical metric was how long those vulnerabilities are out there before they get fixed by different lines of business, by different parts of the business, looking at how the organization is responding to that. We're trying to drive that metric toward the vulnerabilities being open for less time and getting fixed quicker.

Gardner: Adam, in your book, I believe you addressed some of these issues. How do you look at metrics? How do you characterize them? I know it could go on for an hour about that, but at the high level ...

Shostack: At the high level, Vicente’s point about measuring the things you can control is critical. Oftentimes in security, we don’t like to admit that we've made mistakes and we conceal some of the issues that are happening. A metrics initiative gives you the opportunity to get out there and talk about what's going on, not in a finger pointing way, which has happened so often in the past, but in an objective and numerically centered way. That gives us opportunity to improve.

Gardner: I suppose this is a maturation of security. Is that fair to say that we're bringing this to where some other aspects of business may have been, in say manufacturing, 30, 40, or 50 years ago?

Learning from other disciplines

Shostack: I think that’s a fair statement. We're learning a lot from other fields. We're learning a lot from other disciplines. Elements of that are going to be uncomfortable for some practitioners, and there are elements that will really enable practitioners to connect what they are doing to the business.

Gardner: The stakes here, I imagine, are quite high. This is about the trust you have with your partners, your customers, and the brand equity you have in your company. These are not small considerations.

Hietala: No, they're big considerations, and they do have a big effect on the business. Also, the important outputs of a good metrics program can be that it gives you a different way to talk to your senior management about the progress that you're making against the business objectives and security objectives.

That’s been an area of enormous disconnect. Security professionals have tended to talk about viruses, worms, relatively technical things, but haven't been able to show a trend to senior management that justifies the kind of spending they have been doing and the kind of spending they need to do in the future. Business language around some of that is needed in this area.

Gardner: I have to imagine, too, that if we formalize, structure, and standardize, we can make these repeatable. Then there's not that risk of personnel leaving and taking a lot of the tribal knowledge with them. Is that fair?

Hietala: That's fair as well. That's something that came out today in some of the discussions. Documenting the processes and what you're doing makes it easier to transition to new personnel and that kind of thing.

Gardner: Vicente, tell us a little bit about the ISM3 Consortium, its history, and what it is that you are principally involved with at this time.

Aceituno: The main task of the ISM3 Consortium so far was to manage the ISM3 standard. I'm very happy to say that The Open Group and ISM3 Consortium reached an agreement and, with this agreement, The Open Group will be managing ISM3 from here on in. We'll be devoting our time to other things, like teaching and consulting services in Spain, which is our main market. I can't think of anything better than for ISM3 to be managed from The Open Group.

Gardner: Adam, do you have a sense of this particular standard, the ISM3? Where do you see it fitting in?

Shostack: Actually, I don't have a great sense of where it fits in. There are a tremendous number of standards out there, and what I heard today I am very impressed by. I'm going to go read more about it, but it's not something I have a lot of operational exposure to that really lets me say, "This is where it's working for me."

Gardner: Jim, do you have a sense of where it fits in, and perhaps for those of our listeners who are not that familiar, can you give a quick tutorial?

Business value approach

Hietala: Sure. In terms of where I'd place it in the information security community, it adds a business value approach to information security, a metrics and maturity model approach that you had not necessarily had there with some of the other standards that are out there.

I'd also say that it's approachable from the standpoint that it's geared toward having different target maturity levels for different kinds of enterprises. That makes sense.

One of the things we talk about is that there's an 80-20 rule. You get 80 percent of the benefit from a subset of security controls. You can tailor ISM3 to the organization and get some benefit out of it, without setting the bar so high that it's unachievable for a mid-size or small business. That's the way I would characterize it.

Gardner: I think it's really important that these things are developed and brought into an organization at a practical level for those people who are in the trenches and are down there doing the work. Is there anything about this particular standard that you think is really not academic, but something quite effective in practice?

Hietala: Well, it spans the breadth of information security. You have metrics and control approaches in various areas and you can pick a starting point. You can come at this top-down, if you're trying to implement a big program. Or, you come at it bottom-up and pick a niche, where you know you are not doing well and want to establish some rigor around what you are doing. You can do a smaller implementation and get some benefit out of it. It's approachable either way.

Gardner: Adam, any thoughts about this issue of practicality when it comes to security, something that's more scientific and not perhaps a mysterious dark art of some kind?

Shostack: I really liked seeing the practical extracted. "Here are the things we're measuring. Here is why it matters to the business." That's what Vicente was talking about with regards to ISM3 through the day. Getting away from these very broad, hand-wavy measures of risk or improvement, down to, "We are measuring this precise thing and this is why we need it to improve," is refreshing.

Gardner: Vicente, do you have any examples of organizations that have taken a lead on this and what sort of results have they been able to provide?

Aceituno: At this moment, the one organization that has implemented the ISM3 is Caja Madrid, which is the fourth biggest financial institution in Spain, and they had very impressive results. We found six times as many vulnerabilities. We were making more than twice as many ethical hacking tests. We could bring down the cost of unethical hacking by a big percentage, and we were getting more vulnerabilities fixed.

It was easier to communicate with other teams, and we had metrics to understand the results we were getting from making changes in the process. We have knowledge management that allows us to change the whole team of people and still carry on doing exactly the same thing in the same way that we were doing it.

I think that Caja Madrid is very happy and, actually, the director of security at Caja Madrid is very impressed with ISM3.

Gardner: Who typically are the folks who would be bringing this into an organization? I suppose there is some variability and the organizational landscape is still quite diverse, but is there a methodology in terms of how to bring this into an organization?

Works either way

Aceituno: It could work either way. Either you're a top-level manager, the CISO, or whatever, and you can think, "Okay, I want to do this" and you can implement a top-down implementation of the method.

Or, you can have no support from higher management and understand that you need to put in some rigor for management and you can think, "Okay, I'm going to organize my own work around this framework."

It can work either way, as Jim was saying before. You can implement it top down or bottom up and get benefit from it.

Gardner: Jim, this is a specific Open Group question. Does this work well inside of some other framework activity or architectural initiatives? Are there some other ITIL related activities? Does this have a brotherhood, if you will, in terms of standards and approaches that The Open Group's heritage is a bit more attuned to?

Hietala: I don't know that there's a direct statement you can make about how well this will work in an enterprise architecture framework or something like that. This is more about managing security objectives and operational things that you are going to do in an information security frame within an enterprise.

It's process-oriented. So, in terms of working well with other things, it works well with ITIL. Some of the early implementations have suggested that, but there is a good synergy there. I'll leave it there.

Gardner: Adam, any thoughts, from your perspective, on how this fits into some larger initiatives around security?

Shostack: We've seen over the last few years that those security programs that succeed are the ones that talk to the business needs and talk to the executive suite in language that the executives understand.

The real success here and the real step with ISM3 is that it gives people a prescriptive way to get started on building those metrics.

You can pick it up and look at it and say, "Okay, I'm going to measure these things. I'm going to trend on them. And, I'm going to report on them."

As we get toward a place, where more people are talking about those things, we'll start to see an expectation that security is a little bit different. There is a risk environment that's very outside of people's control, but this gives people a way to get a handle on it.

Gardner: Vicente, it seems quite important, as a first step, to know where you are, in order to know how you've progressed. This seems to be an essential ingredient to being able to ascertain your risks over time.

Aceituno: The very first step, when it comes to the usual implementation, is to understand the needs and the goals of the business and the obligations of the business, because that's what drives the whole design of the ISM system. There is no need to align security goals and business goals, because there are no goals outside of business goals. You have to serve the business first.

Gardner: There really isn't much difference between the goals of security and the general goals of the business. They are inexorably tied.

Aceituno: Yes, of course, they are.

Gardner: We've been learning more about security, some new metrics, and the ability to tie this into business outcomes. I want to thank our panel. We've been talking to Jim Hietala, Vice President for Security at the Open Group. Thank you, Jim.

Hietala: Thank you, Dana.

Gardner: Adam Shostack, co-author of the book, The New School of Information Security. Thank you.

Shostack: Thank you.

Gardner: And, also Vicente Aceituno, who is the Director of the ISM3 Consortium. Thank you.

Aceituno: Thanks so much.

Gardner: We are coming to you from The Open Group Security Practitioners Conference in Seattle, the week of Feb. 1, 2010.

This is Dana Gardner, principal analyst at Interarbor Solutions. Thanks for listening to this BriefingsDirect podcast, and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: The Open Group.

Transcript of a sponsored BriefingsDirect podcast on ISM3 and security standards recorded live at The Open Group’s Enterprise Architecture Practitioners Conference in Seattle. Copyright Interarbor Solutions, LLC, 2005-2010. All rights reserved.
