EA Voices

<p><span style=”color: #505050; font-size: 11px; line-height: 19px;”>No one is allowed to enter the building without proper authorization; all incoming e-mail messages are filtered; personal computers that are used to store sensitive data do not have a direct connection to the internet, and therefore cannot be accessed remotely. With these </span><strong style=”color: #505050; font-size: 11px; line-height: 19px;”>enterprise security</strong><span style=”color: #505050; font-size: 11px; line-height: 19px;”> rules, we have ensured that our private information is safe, right? Wrong! </span></p><p>Cyber-attacks are getting increasingly sophisticated, using a combination of digital, physical and social engineering techniques. A typical example is the so-called “road apple attack”. A would-be intruder “accidentally” leaves a USB flash drive – with company logo – in a public spot such as the company car park. An employee picks it up, and chances are that he will not be able to suppress his curiosity and plug it into his PC. Surprise: the drive is infected with malware which, unless proper measures have been taken, will infect the PC and send sensitive information to the intruder.</p><p><img class=”left” src=”http://www.bizzdesign.com/assets/BlogDocuments-2/_resampled/resizedimage600395-Risk-Management.png” width=”600″ height=”395″ alt=”” title=””/></p><p> </p><p> </p><p> </p><p> </p><p> </p><p> </p><p> </p><p> </p><p> </p><p> </p><p> </p><p> </p><p> </p><p> </p><p>Of course, there are several ways to prevent this from happening. The system administrator may decide to completely disable the use of USB drives, but perhaps this is too restrictive, causing employees to find ways to circumvent this. Or perhaps a policy against the use of unverified storage devices suffices, if people are disciplined enough to comply with it… There is no easy way to determine how much security is enough, and how much is too much. In other words, how do we find the optimal position on the trade-off between security, usability and costs?</p><p>Most of the present-day security and <strong><a title=”risk management, secuirity measures” href=”http://www.bizzdesign.com/consultancy/governance-risk-and-compliance/”>risk management </a></strong>approaches are based on checklists, heuristics and best practices. Security measures are applied in a bottom-up way, often neglecting the social aspects. This may lead to an overkill of preventive security measures, also in cases where cheaper (and less intrusive) curative measures may suffice. On the other hand, less obvious threats or vulnerabilities in the organization may easily be overlooked.</p><p> </p><div class=”captionImage left” style=”width: 424px;”><img class=”left” src=”http://www.bizzdesign.com/assets/BlogDocuments-2/Enterprise-security-management-ArchiMate.png” alt=”Enterprise Secuirity Management” title=”enterprise security management, model-based approach ” width=”424″ height=”458″/><p class=”caption”>enterprise security management, Archimate core</p></div><p><span style=”font-size: 11px; line-height: 19px;”>To avoid this, we advocate a model-based approach to </span><strong style=”font-size: 11px; line-height: 19px;”>enterprise security management</strong><span style=”font-size: 11px; line-height: 19px;”>, in which security aspects are fully integrated in the design chain: from strategy and business model, through enterprise architecture, to the design and implementation of the organization and IT support. For this purpose, risk-related concepts are included in existing architecture and design languages. At the </span><strong style=”font-size: 11px; line-height: 19px;”><a title=”enterprise architecture, Archimate” href=”http://www.bizzdesign.com/consultancy/enterprise-architecture-management/”>enterprise architecture</a></strong><span style=”font-size: 11px; line-height: 19px;”> level, </span><strong style=”font-size: 11px; line-height: 19px;”><a title=”ArchiMate open standard” href=”http://www.bizzdesign.com/consultancy/enterprise-architecture-management/archimate/”>ArchiMate</a></strong><span style=”font-size: 11px; line-height: 19px;”>, as a broadly accepted open standard (with available tool support) that is suitable to describe business and IT aspects in an integrated way, is an obvious choice. Architectures described in </span><strong style=”font-size: 11px; line-height: 19px;”><a title=”ArchiMate goals, principles and requirements” href=”http://www.bizzdesign.com/consultancy/enterprise-architecture-management/archimate/”>ArchiMate</a></strong><span style=”font-size: 11px; line-height: 19px;”> can be linked to goals, principles and requirements, and to detailed design models expressed in languages such as BPMN or UML. The resulting models provide the input for risk and vulnerability analysis, highlighting the areas in the architecture that are most susceptible to attack. In addition, they will guide the design of effective and efficient security measures.</span></p><p>With this approach, <strong><a title=”Bizzdesign the Netherlands Contact” href=”http://www.bizzdesign.com/contact/netherlands/”>BiZZdesign</a></strong> can help you to design a secure organization – without unduly restricting your people in their daily work. </p>

Open Work

An initial sketch of ideas around the concept of ‘Open work’, a developing idea for a manifesto for a new way of working that leverages concepts around openness and technology that enables openness to enable us all to work better, together.

Other than this preamble this is a straight dump of notes i’ve been jotting down, just thought i’d get it out there on the blog as a vehicle for making myself think more deeply about what i want to achieve. My plan is to start fleshing these notes out, into principles (hey i’m an architect!) and trace these concepts to some reality. When I first started thinking about these ideas I happened upon david cushman’s great writing (http://fasterfuture.blogspot.co.uk/2012/07/the-10-principles-of-open-business.html) on the area of ‘open business’, so i’m mindful not to re-hash or at worst plagiarise David’s thoughts (you’ll notice some of my headings map to some of david’s principles.

So my plans consist of trying to frame some interesting and hopefully original thinking, whether this ends up as a post on my blog an ebook, or whatever, i’m not really sure, I’ve just got fed up of thinking things through, so thought its about time I should start, er, writing them through.

concepts/principles

-Context
-radical sharing/shariarchy
-discovery
-foster emergence
-Social architecture: (thinking stack/zachman etc)
-connectedness (connectivity and psychological sense by what? shared vision?
-finding
-serendipity
-ego-less
-embrace criticism but by embracing criticism how to avoid paralysis (too many arguments)
-Clear threshold for decision making – stops paralysis
-radical un-secrecy
-Virtual Structures
-Now-ness – relate to the when/tenses of sharing future, past, present
-Presence
– Energy

Current State:

-No opportunity for serendepity
-Closed networks
-Entropy

Trends:

-Privacy as commodity
-Hyper sharing
-High bandwidth communication/consumption

Thoughts:

There is no reason not to share
There is no impediment to sharing