Can IT Standards Facilitate Innovation?

IT professionals continue to debate the benefits of standardization versus the benefits of innovation, and the potential for standards to inhibit engineers' and software developers' ability to develop creative solutions to business opportunities and challenges. At the Open Group Conference in San Diego last week (3 to 5 February) the topic of standards and innovation popped up not only in presentations, but also in sidebar conversations surrounding the conference venue.

In his presentation "SOA4BT (Service-Oriented Architecture for Business Technology): From Business Services to Realization", Nikhil Kumar noted that with rigid standards there is "always a risk of service units creating barriers to business units." The idea is that service and IT organizations must align their intended use of standards with the needs of the business units. Kumar further described a traditional cycle where:

  • Enterprise drivers establish ->
  • Business derived technical drivers, which encounter ->
  • Legacy and traditional constraints, which result in ->
  • “Business Required” technologies and technology (enabled) SOAs

Going through this cycle does not require a process with much overhead; it simply requires that the use of a standard, or of a standard business architecture framework, drives the business services groups (IT) into the business unit circle. While IT is the source of many innovative ideas and deployments of emerging technologies, the business units are the ultimate beneficiaries of innovation, which allows a unit to address and respond to rapidly emerging opportunities or market requirements.

Standards come in many shapes and sizes. One standard may be a national or international standard, such as ISO 20000 (service delivery), NIST 800-53 (security), or BICSI 002-2011 (data center design and operations). Standards may also be internal to an organization or industry, such as standardizing databases, applications, data formats, and virtual appliances within a cloud computing environment.

In his presentation "The Implications of EA in New Audit Guidelines (COBIT5)", Robert Weisman noted there are now more than 36,500 TOGAF (The Open Group Architecture Framework) certified practitioners worldwide, with more than 60 certified training organizations providing TOGAF certifications. According to ITSMinfo.com, in 2012 alone more than 263,000 ITIL Foundation certifications were granted (for service delivery), and ISACA notes that more than 4000 COBIT 5 certifications were granted (for IT planning, implementation, and governance) in the same period.

With a growing number of organizations either requiring, or providing training in, enterprise architecture, service delivery, or governance disciplines, it is becoming clear that organizations need a more structured method of designing effective service orientation within their IT systems, both for operational efficiency and for facilitating more effective decision support systems and performance reporting. The standards and frameworks attempt to provide greater structure to both business and IT when designing technology toolsets and solutions for business requirements.

So the use of standards becomes very effective for providing structure and guidelines for IT toolset and solutions development. To address the issue of innovation, several ideas are important to consider, including:

  • Developing an organizational culture of shared vision, values, and goals
  • Developing a standardized toolkit of virtual appliances, interfaces, platforms, and applications
  • Accepting a need for continual review of existing tools, improvement of tools to match business requirements, and allowing for further development and consideration when existing utilities and tools are not sufficient or adequate to the task

Once an aligned vision of business goals is achieved, a standard toolset is published, and IT and business units are better integrated as teams, additional benefits may become apparent:

  • Duplication of effort is reduced with the availability of standardized IT tools
  • Incompatible or non-interoperable organizational data is either reduced or eliminated
  • More development effort is applied to developing new solutions, rather than developing basic or standardized components
  • Investors will have much more confidence in management’s ability to not only make the best use of existing resources and budgets, but also the organization’s ability to exploit new business opportunities
  • Focusing on a standard set of utilities and applications, such as database software, will not only improve interoperability, but also enhance the organization’s ability to influence vendor service-level agreements and support agreements, as well as reduce cost with volume purchasing

Rather than viewing standards as an inhibitor or barrier to innovation, business units and other organizational stakeholders should view standards as a method not only of facilitating SOAs and interoperability, but also of relieving developers from the burden of constantly recreating common sets and libraries of underlying IT utilities. If developers are free to focus their efforts on pure solutions development and responding to emerging opportunities, and rely on both technical and process standardization to guide their efforts, the result will greatly enhance an organization's ability to be agile, while still ensuring a higher level of security, interoperability, systems portability, and innovation.

Risk Management Strategies for IT Systems

Risk management has been around for a long time. Financial managers run risk assessments for nearly all business models, and the idea of risk carries nearly as many definitions as the Internet. However, for IT managers and IT professionals, risk management still frequently takes a far lower priority than other operations and support activities.

For IT managers a good, simple definition of RISK may be the one from the Open FAIR model, which states:

"Risk is defined as the probable frequency and magnitude of future loss" (Open FAIR)

Risk management should follow a structured process acknowledging many aspects of the IT operations process, with special considerations for security and systems availability.

Risk Management Frameworks, such as Open FAIR, distill risk into a structure of probabilities, frequencies, and values.  Each critical system or process is considered independently, with a probability of disruption or loss event paired with a probable value.

It would not be uncommon for an organization to perform numerous risk assessments based on critical systems, identifying and correcting shortfalls as needed to mitigate the probability or magnitude of a potential event or loss. Much like other frameworks used in the enterprise architecture process, service delivery (such as ITIL), or governance, the objective is to produce a structured risk assessment and analysis approach without becoming overwhelming.
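The two preceding paragraphs describe the core of a frequency-and-magnitude framework: each critical system gets a probable loss event frequency paired with a probable loss value, and the results are compared across systems so that shortfalls can be prioritized. The following Python script is an added illustration of that arithmetic; it is not code from the post, nor the official Open FAIR calculator or taxonomy. It assumes each scenario is described by min/most-likely/max estimates for frequency (events per year) and magnitude (loss per event), approximates each with a triangular distribution, and produces both a point estimate of expected annual loss and a Monte Carlo distribution of annual loss so that the "probable" part of the definition is visible. The three scenarios are constructed sample data.

```python
"""Frequency x magnitude risk estimate in the style of Open FAIR.

Added example (not the post's code and not Open FAIR's own tooling).
Each scenario carries (min, most_likely, max) estimates for loss event
frequency and loss magnitude; a triangular distribution is assumed for
both, which is a simplification of the calibrated ranges FAIR uses.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    freq: tuple        # (min, most_likely, max) loss events per year
    magnitude: tuple   # (min, most_likely, max) loss per event, USD


def triangular_mean(est):
    """Mean of a triangular distribution given (min, mode, max)."""
    lo, mode, hi = est
    return (lo + mode + hi) / 3.0


def expected_annual_loss(s):
    """Point estimate: probable frequency x probable magnitude."""
    return triangular_mean(s.freq) * triangular_mean(s.magnitude)


def rank_by_expected_loss(scenarios):
    """Highest expected annual loss first: the order to address shortfalls."""
    return sorted(scenarios, key=expected_annual_loss, reverse=True)


def _sample_tri(rng, est):
    """random.triangular takes (low, high, mode); our tuples are (min, mode, max)."""
    lo, mode, hi = est
    return rng.triangular(lo, hi, mode)


def _poisson(rng, lam):
    """Number of events in one year for rate lam (Knuth's algorithm)."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate(s, years=10000, seed=1):
    """Monte Carlo: one sampled total loss per simulated year."""
    rng = random.Random(seed)        # fixed seed so runs are reproducible
    losses = []
    for _ in range(years):
        rate = _sample_tri(rng, s.freq)          # this year's event rate
        n_events = _poisson(rng, rate)           # how many events occurred
        losses.append(sum(_sample_tri(rng, s.magnitude) for _ in range(n_events)))
    return losses


def summarize(losses):
    """Mean, median, 90th percentile and worst simulated year."""
    ordered = sorted(losses)
    n = len(ordered)
    return {
        "mean": statistics.fmean(ordered),
        "p50": ordered[n // 2],
        "p90": ordered[int(n * 0.9)],
        "max": ordered[-1],
    }


# Constructed sample scenarios (illustrative numbers, not real data).
SCENARIOS = [
    Scenario("Order DB outage", freq=(0.2, 0.4, 0.9), magnitude=(20_000, 40_000, 120_000)),
    Scenario("Phishing-led account takeover", freq=(1.0, 3.0, 6.0), magnitude=(2_000, 4_000, 15_000)),
    Scenario("Ransomware on file servers", freq=(0.02, 0.05, 0.2), magnitude=(100_000, 400_000, 2_000_000)),
]

if __name__ == "__main__":
    for s in rank_by_expected_loss(SCENARIOS):
        st = summarize(simulate(s))
        print(f"{s.name:32s} point-estimate ${expected_annual_loss(s):>10,.0f}  "
              f"sim mean ${st['mean']:>10,.0f}  p90 ${st['p90']:>12,.0f}  worst ${st['max']:>12,.0f}")
```

The point estimate alone ranks the ransomware scenario first even though it is the least frequent, because magnitude dominates; the simulated p90 and worst-year figures show the tail that a single expected-value number hides, which is what justifies spending on mitigation of a rare, high-magnitude event.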

IT risk management has been neglected in many organizations, possibly due to the rapid evolution of IT systems, including cloud computing and the implementation of broadband networks. When service disruptions or security events occur, those organizations find themselves unprepared for the loss magnitude of the disruptions, and a lack of preparation or mitigation for disasters may result in the organization never fully recovering from the event.

Fortunately, processes and frameworks guiding risk management are becoming far more mature and attainable by nearly all organizations. The Open Group's Open FAIR standard and taxonomy provide a very robust framework, as does ISACA's COBIT 5 risk guidance.

In addition, the US Government’s National Institute of Standards and Technology (NIST) provides open risk assessment and management guidance for both government and non-government users within the NIST Special Publication Series, including SP 800-30 (Risk Assessment), SP 800-37 (System Risk Management Framework), and SP 800-39 (Enterprise-Wide Risk Management).

ENISA also publishes a risk management process which is compliant with the ISO 13335 standard and builds on ISO 27005.

What is the objective of going through the risk assessment and analysis process? Of course it is to build mitigation controls, or to build resistance to potential disruptions, threats, and events that would result in a loss to the company or to other direct and secondary stakeholders.

However, many organizations, particularly small to medium enterprises, either do not believe they have the resources to go through risk assessments, have no formal governance process or formal security management process, or simply believe that time spent on activities which do not directly support rapid growth and development of the company is not worthwhile, and so they continue to be at risk.

As managers, leaders, investors, and customers we have an obligation to ensure our own internal risk is assessed and understood, and, from the viewpoint of customers or consumers, to ensure that our suppliers and vendors are following formal risk management processes. In a fast, agile, global, and unforgiving market, the alternative is not pretty.
