EA Voices

By: Dave Hood, CEO, Troux

Forbes Contributor Jason Bloomberg recently wrote a few articles addressing the current state of Enterprise Architecture. In his first post, he explored whether enterprise architecture is completely broken, a question not uncommonly heard in our industry.

We often discuss the changing world of Enterprise Architecture on the Troux blog, and it has been an ongoing debate inside Troux as to whether we should even use the term EA when defining our market. I have to admit, when I first arrived at Troux, I didn’t even know what Enterprise Architecture was. I have always viewed what we do as being about delivering business value. I think the original EA practitioners had that in mind too, but maybe they were a decade too early or just couldn’t land at the right process and tools to deliver on the vision.

In Bloomberg’s article he compares EA practitioners to Milton, the Innotech employee from the 90’s movie classic, Office Space, who continued to get paid while not actually having a role in the organization.

While EA’s role has drastically changed over the years, I like to think we are all now part of a sequel – Office Space 2: The Rise of Milton. Enterprise architecture is no longer an IT-centric discipline focused on creating complex colorful maps and models only understood by a few. To use another Office Space analogy, it is no longer about producing “pieces of flare” in hopes of proving to the business that EA is delivering some sort of value.

Does that mean EA is obsolete? Quite the contrary.

The art of making business decisions has been around since the dawn of trade. Today, every aspect of a business is part of a digitally connected enterprise, meaning the impact of every business decision ripples across the entire organization. Making critical decisions without understanding these effects can have devastating effects. The speed of industry change and the complexity represented by the portfolios that make up your business mean that informed decisions need to happen quicker than ever to remain competitive. It’s our EA friends who were shamed to the basement office that are now poised to make that happen.

Sounds overwhelming, but at Troux, we teach our customers that there is no need to boil the ocean. Understanding your connected enterprise can happen with bite size undertakings, along a logical timeline. By identifying critical business capabilities and harnessing the right data to gain perspective we can land at an ideal course of action for moving the business forward.

While Bloomberg’s article starts out questioning whether there is a future for EA, he actually arrives at the similar conclusion to us and expands on that vision in his follow up article “Agile Enterprise Architecture Finally Crosses the Chasm.”

The sequel is here, and from what we have experienced with our own customers, it is going to be a big hit at the box office. Milton was able to quickly determine that the “people to cake ratio” was too big. With today’s data, knowledge and tools, we can quickly learn so much more. Here are just a few examples of companies using the Troux’s version of enterprise architecture to make timely, informed business decisions.

Cisco: Global networking solutions giant, Cisco, has successfully implemented Troux’s Enterprise Portfolio Management solution to help define a common desired operating model across its business units. This in-turn helps them identify and divest businesses that are unlikely to deliver the desired top-or-bottom-line results.  In addition, Troux is also used to compare potential acquisition targets to the target model to help quickly identify the true value of potential acquisitions.

U.S. Census Bureau: In 2012, the U.S Census Bureau set out to build optimal IT solutions to handle a myriad of challenges to the business. With an Enterprise Architecture (EA) discipline enabled by Troux, the Bureau now has a more integrated business overall, underpinned by an IT decision process, collaborative governance, and a common knowledge base. It all adds up to increased agility, efficiency and innovation

Bayer: Bayer started working with Troux in 2008, and the two companies have had much success together. To date, Bayer has used Troux to manage and optimize its landscape across information, technology, applications and business architecture portfolios.

Last week I talked about 10 Easy Steps to Good Data.  This week I would like to continue talking about good data and how to manage it following an Enterprise Information Management strategy.
What is Enterprise Information Management (EIM)?
Gartner de…

I just stumbled by accident accross a nice video: RSA Animate – The Internet in Society: Empowering or Censoring Citizens? And there is one key take-away for me in that video: Never confuse the intended use of technology (good architecture) with the a…

In this blog post, Marc Lankhorst discussed  the value of EA in managing risk, compliance and security in the enterprise. He suggested a number of next steps. Two next steps are discussed in more detail in this blog:

• Capture and visualize risk and security aspects of your organization. Visualize hazards, risks and mitigation measures in relation to the overall architecture and business strategy.
• Measure and visualize the impact of risks and use these insights for decision making. Visualize data from e.g. penetration tests and use this to decide at the business level about necessary IT measures.

 

Enterprise Risk Management approach overview

The two steps from above are incorporated in an Enterprise Risk Management approach, visualized in Figure 1. This approach helps in understanding the consequences of risk & security policies, because the definition of risks and control measures on strategic level are step by step detailed into operational control measures.

 

Figure 1: Enterprise Risk Management approach

 

This is a model driven and cyclic approach which can be started on multiple points in the cycle, depending whether you are using a more top-down approach or a more bottom-up approach. Each phase will be explained briefly below:

1. Assess risks. In this step, the risks that the enterprise has to cope with are identified and documented. This covers multiple risk types: these can be IT related (like cyber-attacks) risks, but also business related risks. Furthermore, risks can be based on identified threats (see step 6).
2. Specify required control measures. For each risk is identified which control measures are required. Some risks may require extensive control measures (because of the high impact of the risk), as others may require less control measures. The combination of risks and control measures can be modelled with elements of the ArchiMate motivation extension (Assessment, Goal and Requirement) which makes the relation between these aspects clear. Furthermore, it can be incorporated in your existing EA models by linking risks and control measures to ArchiMate core elements. More details on this approach will be presented in a follow up blog.
3. Implement control measures. The required control measures needs to be implemented. This is the step where the shift from design to implementation is made. Control measures can be implemented in several ways: some may be IT control measures like firewalls or authentication mechanisms. Others can be business focused control measures like the four-eyes principle.
4. Execute & monitor. The implemented control measures needs to be executed. Furthermore, monitoring on operational level is necessary to get statistics of the performance and effectiveness of implemented controls. An example is to use pentesting on the technical infrastructure. With pentesting you look with a systematic and automated approach for weak spots in the infrastructure. Results of pentests are used to analyze vulnerabilities in the infrastructure and define new control measures.
5. Analyze vulnerabilities. From executing & monitoring you obtained the necessary insights about performance and effectiveness of implemented controls for example via pentesting). In this step this data is analyzed to determine which vulnerabilities there are and how dangerous these are. The link is made between vulnerabilities and identified risks from step 2, by using the existing EA models. This gives insights in how well the risks are managed or that new or improved control measures are needed.
6. Identify threats. In this step threats from the external or internal environment are identified. Threats from the internal environment can be based on the results of the previous step (analyze vulnerabilities). The identification of new threats can lead to new or changed risk assessments in step 1.

 

Top down vs bottom up

The approach described above can be applied top down or bottom up. In a top down approach will be started with the identification of threats and assessment of risks, which serve as a basis for design and implementation of control measures. A bottom up approach would typically start at the monitor & execute step: investigating the current implementation with pentests or other mechanisms and use this information to determine vulnerabilities in the current landscape.
Which approach fits best in your organization, depends on a number of aspects. In general, organizations with a more mature EA approach can follow more easily a top down approach.

Benefits of this approach

This approach includes the following benefits:

• Systematic analysis of threats and vulnerabilities
• Integrated design of control measures
• EA models support business impact analysis of technical risks / vulnerabilities
• Translate business risk & security decisions into effective enterprise changes. This requires a strong cooperation between business and IT.

These benefits help to embed security more in the business layer of your organization and will help to make well informed decisions based on operational risk impact and costs. 

Learn more about Security Architecture in our webinar, September 18th. Or Join our Security Architecture training course in the Netherlands, October 2nd.