The Future of EA is no EA

An excellent blog post by Jeff Scott from Forrester on the future of EA has got me thinking about the most likely future state of EA in DCC.

The most obvious future and one which i entirely agree with is that EA as a function will disappear in time. My previous post about mainstreaming ICT functions supports this view as everything becomes a core business competency. But what happens between now and then and what direction are we really moving in and more importantly what direction will the organisation accept us to move in?

In my personal opinion i would suggest the there are two options which are most likely in DCC over the next few years and i think we are likely to end up with both of these scenarios:

Scenario 3: EA remains in IT, largely focused on technology architecture.This seems to be the most likely outcome for small to medium sized IT organizations. In this option business architecture will be developed primarily as input into the technical architecture. The key to success here will be for EAs to evolve from technology planners to true IT strategists.

Scenario 4: EA remains in IT but becomes more business focused.This model will be prevalent in medium to large IT organizations where IT has developed a strong partnership with the business. Here, EAs will be welcome at the business planning table and will be well regarded by business and IT for their ability to match business needs with IT capabilities. The business architecture focus here will be business-IT alignment. EA’s resources will be about evenly split between BA and technology initiatives. Successful architects will be very business savvy but keep their technology roots.

There are some justifications behind my thinking which i will share with you now.

Scenario 3
The likelihood of this future is related to a number of key factors – the ability for the EA team to maintain business people within it.  If this is maintained then this future will become less likely, however without real Business engagement and acceptance across all areas of the organisation to the benefits of Enterprise Architecture as an approach and not just conversations between ICT people and Business people trying to bridge the gap, then we will inevitably resort to Technical Architecture work.

Scenario 4
The likelihood of this future is already taking shape, our new ICT strategy is very much business focused and we already have a team in the business who are leading on Information Architecture. The challenges for this scenario however are again the ability of the team to engage with Business people and to maintain the business skills already developed in the team. However i would suggest that over time the focus of the team will be driving the technical architecture in response to the business. I also think that the business architecture function will not only be about Business/IT alignment but the architecture of the IT function itself.

If we get to a point where the IT function has had appropriate levels of business architecture then it would seem a likely next step to embrace Scenario 1 and 2 – The EA team disappears as a unique function and is absorbed totally by the Business as a core competency.

In my humble opinion we would have succeeded as an Enterprise Architecture function if this outcome is achieved.


ISO27001: security as a business enabler

As I alluded to in a previous post, my organisation has been working to gain ISO27001 compliance for the last year and a half. I’m pleased to report that in early December we finally achieved our first compliance certificate, and this represents the culmination of a lot of hard work, some by people who have now moved on to new things.

So why did we do it and what was involved? Well, ISO27001 is about how information security is organised. Basically you construct a dossier of all your policies, practices and standards in the ISO27001 arena and set up work packages to continuously improve in all areas. The next stage (which for us will come in December 2010) is “advanced compliance” when the auditor will want to see real improvements in all the areas you have identified.

This process has a lot going for it. Firstly, it raises awareness as we got individual practitioners to write their own policies and standards: a much larger number of people than before are now engaged with improving security. Secondly, it makes compliance easier: the “controls” in ISO27002 (basically a list of good practices that you need to evaluate yourself against) are usually recycled for compliance projects like Government Connect, PCI DSS or the NHS N3 code of connection.

In the future as organisations try to work more seamlessly with each other, we will have to go through ever more compliance processes: ISO27001 provides us with some reusable compliance material to make this process cheaper and quicker.

And this is the core reason why I’m so pleased we did it. Organisations in all sectors waste far too much time ticking security boxes and not enough time making real security happen: this allows us to direct our energies to the latter while simultaneously making partnership working quicker, cheaper and more effective. I believe that in the not too distant future it will be impossible to do business without adopting standards like ISO27001.

Our compliance certificate does not mean we will never have a data security breach, and it doesn’t mean we are doing everything we should in the security area, but it shows we have taken the first steps on our journey to becoming a fully security-enabled organisation.

Culture Clash

What wins: the unstoppable force, or the immovable object?

Recently we’ve been engaged in a process, like many local authorities, of connecting ourselves up to the Government Secure extranet. In order to do this (and access a range of applications hosted by central government and other agencies) then public sector bodies have to clear a number of hurdles in the form of the Code of Connection (CoCo) – a list of security standards that we have to meet in order to provide assurance that the sensitive data that will be carried will be secure.

So far, so sensible. But there’s a problem: the rules (devised by the Government’s security wing, CESG) state that a local authority must own the equipment that is being used to access the service. That is the immovable object in the opening statement of this posting. So what is the unstoppable force?

The consumerisation of ICT has been on our minds for a long time, and even more so with the advent of cheap (or free) cloud computing services like Google Apps. If the ICT department can’t come up with solutions that satisfy the requirements of ease, speed and convenience demanded by today’s digital natives, they will simply move their data somewhere that does. To this end IT strategy has largely been about providing fast access on any device, from any location, to data.

So we have a problem: how can we enable these consumer devices to access our data whilst protecting the security of our connection to the rest of government?

Possible answers include segmenting our network to provide services to unmanaged devices on one side and fully managed services (including public sector network) on the other. But this is expensive. Alternatively, some argue that a bootable device (like the BeCrypt trusted Client) could be used to provide a trusted platform on any machine to access secure GC services. We don’t yet know if these solutions pass muster with CESG though: so stay tuned.

We’re really interested to know if other local authorities have dealt with this problem and if so, how they’ve gone about mitigating the downsides.