An article published on Open Group’s site has a nice Q&A with Jeanne Ross, a scientist at the MIT Center for Information Systems Research and an author of 3 books. She is a speaker on how adoption of enterprise architecture (EA) leads to greater efficiencies and better business agility. Reading the interview, I came away with a few challenges for business leaders and information security professionals.
The first is that when a target is established and projects are executed to achieve that target, the business performs better. This is demonstrated by a few examples from the author, and highlighted in the article:
“…we can ascribe to architecture is that when companies have competition, then they can establish any kind of performance target they want, whether it’s faster revenue growth or better profitability, and then architect themselves so they can achieve their goals. Then, we can monitor that.”
It seems ANY target will improve the business. Grasping onto the Getting Things Done mindset, this leads teams, all the way up to the CIO/CISO leaders, to set stretch goals. These targets could be lower incidents; better response time; lower downtime; lower end-user complaints; faster turnaround of projects; lower fail rates; etc. The key, of course, is to be ethical in how these metrics are achieved (obviously, or not, reaching better customer complaint ratios should be done where quality and speed are measured, to ensure that neither is lost as a result of the new target).
“We also have statistical support in some of the work we’ve done that shows that high performers in our sample of 102 companies, in fact, had greater architecture maturity. They had deployed a number of practices associated with good architecture.”
Architecture breeds discipline and matures an organization away from “heroes”. That is an interesting advantage for those who are growing their businesses rapidly and need to achieve a broader security posture. It is also true in most other businesses. It is hard to think of a business where defining a discipline (that still enables brilliance and innovation) around architecture, and in this case information security practices, is not an advantage:
- Businesses grown by acquisition benefit from having a superior on-boarding process for new companies, allowing for single measurable and manageable structures
- Historic / existing establishments benefit where processes gain efficiency and effectiveness against newly defined targets
“We really just need architecture to pull out unnecessary cost and to enable desirable reusability”
This is a key point – technology is evolving and is incredibly capable, but its use is not efficient. There is tremendous opportunity to remove duplication and leverage existing information security processes and technology. This is a natural effect of systems and technology growing in capability, but also of shifting needs directed by the business and risk landscape. The joke of “shelf-ware” can be referred to here; just be sure it is not a reflection.
For me, the article / interview brought forward ideas where we can be different within information security and leverage the approach and toolsets to enhance businesses. I would encourage a read of the article, and a deeper consideration as to what goals the business (or even a team within a larger entity) could set and adjust accordingly. ’Tis the New Year after all.
James DeLuccia IV