Doing the right thing – Todd Biske: IT Needs To Be More Advisory

An excellent blog post by Todd Biske.

IT needs to change its fundamental thinking from provider to advisor or be at risk of becoming irrelevant.

via Todd Biske: Outside the Box » Blog Archive » IT Needs To Be More Advisory.

What I find interesting about this post is that it supports what we are trying to do here in Devon with our Enterprise Architecture team.

The key point about moving from provider to advisor is as Todd says “stating the obvious” but it clearly does require a fundamental shift in thinking not just within ICT departments but within the wider business as well.

Todd writes:

To illustrate this, take an example from the world of financial services. A broker may simply be someone you call up and say, “Buy 100 shares of APPL at no more than $200.” They are a provider of stock transaction services. A financial advisor on the other hand, should be asking about what your needs are, and matching those against the various financial offerings they have at their disposal. If they don’t understand client needs or if they don’t understand the financial offerings, you’re at risk of getting something sub-optimal.

This is correct; however, in a work context someone has to know that they want an advisor and not a broker, so part of the challenge is shifting the perception of the entire ICT function in the organisation from “provider” to “advisor”. This requires educating and working with your internal customers and delivering value in an advisory role. We believe that our Enterprise Architecture function is part of this transformation here in Devon.

Time will tell but it is reassuring to hear people such as Todd state the obvious and support your efforts.


ISO27001: security as a business enabler

As I alluded to in a previous post, my organisation has been working to gain ISO27001 compliance for the last year and a half. I’m pleased to report that in early December we finally achieved our first compliance certificate, and this represents the culmination of a lot of hard work, some by people who have now moved on to new things.

So why did we do it and what was involved? Well, ISO27001 is about how information security is organised: it specifies an information security management system rather than any particular technical control. Basically you construct a dossier of all your policies, practices and standards in the ISO27001 arena and set up work packages to continuously improve in all areas. The next stage (which for us will come in December 2010) is “advanced compliance”, when the auditor will want to see real improvements in all the areas you have identified.

This process has a lot going for it. Firstly, it raises awareness as we got individual practitioners to write their own policies and standards: a much larger number of people than before are now engaged with improving security. Secondly, it makes compliance easier: the “controls” in ISO27002 (basically a list of good practices that you need to evaluate yourself against) are usually recycled for compliance projects like Government Connect, PCI DSS or the NHS N3 code of connection.

In the future as organisations try to work more seamlessly with each other, we will have to go through ever more compliance processes: ISO27001 provides us with some reusable compliance material to make this process cheaper and quicker.

And this is the core reason why I’m so pleased we did it. Organisations in all sectors waste far too much time ticking security boxes and not enough time making real security happen: this allows us to direct our energies to the latter while simultaneously making partnership working quicker, cheaper and more effective. I believe that in the not too distant future it will be impossible to do business without adopting standards like ISO27001.

Our compliance certificate does not mean we will never have a data security breach, and it doesn’t mean we are doing everything we should in the security area, but it shows we have taken the first steps on our journey to becoming a fully security-enabled organisation.

Are you risk averse?

Back in the mists of time when I started working in local government, I was assured by experienced staff members that the council was a very risk-averse organisation that wouldn’t take kindly to any fancy new ideas.

Well, I’ve come to realise that nothing could be further from the truth: local government takes enormous risks all the time – they just don’t see them as risks.

So what do we mean by risk? In information security it’s often expressed numerically:

Risk = impact x likelihood

This simple equation tries to capture the essence of the risk decision: if a system has a vulnerability then it may or may not be easy to exploit. If it’s easy to exploit, the “likelihood” number goes up. If the consequences of exploitation are major, the “impact” number goes up. Even if the numbers come from a rough ordinal scale rather than hard data, as long as you apply that scale consistently across the register you still end up with what you want: a prioritised list of risks, so you know which ones are the most serious and can tackle those first.

Great. So why do I have a bee in my bonnet about it?

It’s just that we choose to ignore some risks and blow others out of proportion. Software vulnerabilities are well-understood and get a high profile – I’m not complaining about that – but risks in other areas, like the software portfolio or HR policies, are not. So what are these risks?

In the software portfolio, a number of things could happen: the supplier of the software may go out of business, hike licensing or support costs, lose a key member of staff, or decide to retire the software you are using. In HR any new policy carries the risk that a key member of staff might get the hump and leave. There is demographic risk that younger people won’t want to work for you leaving you with a skills shortage in key areas: the economy might take a nosedive (the very thought!) leaving you with drastically reduced budgets.

The possible sources of risk are actually as infinite as the universe. In many organisations it is the IT department that deals with IT-related risks, but what if a reduction in the risk in some IT area (for example a tightening up of policy on, say, removable media) leads to an increase in the risk carried by another area (as workers decide to use Google Wave or a social media platform to share documents instead)? This is known as risk asymmetry.

There’s also the risk of doing nothing. Sometimes this is greater than the risk in doing something, even something radical, but our brains are programmed to favour stuff that is familiar, so we mentally downgrade the risk of doing nothing: this can lead to some pretty nasty situations. I’ve seen projects and applications carry on many years beyond the point at which they were starting to cause instability in other parts of organisations, simply because the risk of carrying on as before hadn’t been properly calculated and compared with the risks involved with change.
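The scoring, prioritisation and comparison described in the last few paragraphs, as an added example (this is not code from the original post): a small risk register that applies impact x likelihood on a 1 to 5 ordinal scale, ranks the entries, and totals the risk each option leaves the organisation carrying, so that the risk of doing nothing and a risk-asymmetry trade-off (tightening removable-media policy versus pushing staff to consumer cloud sharing) can be compared on the same footing. The register entries, owners, scales and figures are all constructed for illustration.

```python
from dataclasses import dataclass

# Ordinal scales assumed for this example (the post says any consistent
# scale works): 1 = negligible/rare, 5 = severe/almost certain.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class Risk:
    """One entry in a risk register. The owner is recorded so the risk sits
    with the service area that actually carries it, not just with ICT."""
    name: str
    area: str          # e.g. "software", "supplier", "HR", "status quo"
    impact: int
    likelihood: int
    owner: str

    def __post_init__(self):
        # Reject scores outside the agreed scale so the register stays comparable.
        for field_name in ("impact", "likelihood"):
            value = getattr(self, field_name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{field_name} must be {SCALE_MIN}..{SCALE_MAX}, got {value}")

    @property
    def score(self) -> int:
        # Risk = impact x likelihood
        return self.impact * self.likelihood


def prioritise(register):
    """Return the register ordered from most to least serious. Ties are
    broken on impact: a rare-but-catastrophic risk ranks above a
    frequent-but-minor one that happens to have the same product."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def total_score(risks) -> int:
    return sum(r.score for r in risks)


def compare_options(options):
    """options maps an option name to the risks the organisation carries if
    it chooses that option. The status quo is listed as an option too, so
    "do nothing" is scored rather than silently treated as risk-free."""
    return {name: total_score(risks) for name, risks in options.items()}


# Constructed sample register (hypothetical entries and figures).
REGISTER = [
    Risk("Unpatched web server vulnerability", "software", 4, 3, "ICT"),
    Risk("Case-management supplier withdraws the product", "supplier", 5, 2, "Social Care"),
    Risk("Key developer leaves after HR policy change", "HR", 3, 3, "HR"),
    Risk("Legacy app keeps destabilising shared infrastructure", "status quo", 4, 4, "Revenues"),
]

# Constructed risk-asymmetry scenario: banning removable media lowers the
# USB-loss likelihood but raises the likelihood of unsanctioned cloud sharing.
OPTIONS = {
    "keep current removable-media policy": [
        Risk("Data lost on unencrypted USB stick", "software", 5, 3, "ICT"),
        Risk("Staff share documents via consumer cloud", "business", 4, 1, "Service areas"),
    ],
    "ban removable media": [
        Risk("Data lost on unencrypted USB stick", "software", 5, 1, "ICT"),
        Risk("Staff share documents via consumer cloud", "business", 4, 4, "Service areas"),
    ],
}

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.score:>2}  {r.area:<11} {r.owner:<13} {r.name}")
    for option, total in compare_options(OPTIONS).items():
        print(f"{total:>2}  {option}")
```

With these figures the “status quo” entry comes out top of the register, and the removable-media ban scores worse overall than the current policy because the risk it displaces into the service areas is larger than the one it removes from ICT; the numbers are made up, but the shape of the calculation is the point.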

These issues can only be sensibly resolved if the risks are owned in the right place and practical frameworks are adopted to ensure that as many risks as possible are factored into decision-making. This might sound like a lot of red tape, the nanny state, health and safety gone mad, etc., but actually it’s just common sense. If you put your hand in the fire, it will get burned. If you don’t take it out again, it’ll get burned some more. Oh, and by the way, we don’t solve the problem by putting the fire out: you must take your blinking hand out!

Risk-based decision-making doesn’t have to be always favouring the conservative approach. It can liberate you as well by enabling you to take decisions you wouldn’t otherwise have taken because you were afraid of the unknown risk. We recently had a supplier down to talk to us about moving to an open-source model for our software: at first sight this is a major change and fraught with danger and difficulty. But if we understood the risks we were currently running with proprietary software properly, then maybe it would look less risky by comparison (please note: I’m not saying this will happen, it’s just an example).

Thankfully my organisation is moving towards a much more comprehensive view in many of these areas as we implement ISO27000. But many organisations are still stuck in an emotional mindset: you only have to look at the banking system to see what happens when all risks aren’t factored in to decision-making!

I feel that risk is a very powerful concept when it comes to aligning IT decisions with the business because it shares a common language and a common goal. IT must realise the risks that it loads onto the rest of the business by making changes (sometimes very minor ones) – but the business must also step up and own all the risks (including the IT ones) in their respective service areas. This forces realistic IT decisions to be made as it becomes clear that risk cannot be outsourced, and procurement, training and whole lifecycle costs naturally get a higher profile in decision-making than before.

GartnerSym 2009: Back to the future with pattern-based strategy

“The general who wins a battle makes many calculations in his temple ere the battle is fought. The general who loses a battle makes but few calculations beforehand. Thus do many calculations lead to victory, and few calculations to defeat: how much more no calculation at all!” – Sun Tzu, The Art of War

I was lucky enough to get the chance to attend the Gartner Symposium and ITXpo in Cannes this year, as a guest of SOCITM. I’ve blogged about my experiences in another post, but the event was notable for the introduction by Gartner of a new strategic framework – pattern-based strategy (TM).

According to Gartner, pattern-based strategy(TM) is a “new IT value model …that is about implementing a framework to proactively seek, model, and adapt to leading indicators, often termed “weak” signals, that form patterns in the marketplace – and to exploit them for competitive advantage.”

As an EA I try to align my approach with whatever style of strategy is dominant in my organisation, and so new models of strategy are a source of constant joy to me (see my previous post on EA styles): I was excited to hear about Gartner’s new sauce.

PBS leverages some pretty impressive technological advances: one of the conference sponsors, Autonomy, is a specialist in analysing patterns in information for meaning. SAP, whose CEO was interviewed in one of the keynote sessions, believe in in-memory databases to enable realtime analytics. All this is made accessible by that old chestnut, Moore’s Law: the advances in computing power now bring large scale analytics solutions within the reach (and budget) of many more reasonably-sized organisations.

Gartner argue that organisations must seek new patterns in the morass of seemingly random data now available to them from “the collective” (the sum total of all structured and unstructured conversations in social media platforms, databases, and other information both inside and outside the organisation), provide models of how the organisation will be affected by these patterns, and provide roadmaps for adaptation of the organisation to optimise their strategic position in the future. The phrase “optempo advantage” is used to describe the ability of an organisation to change rapidly, and this phrase comes from the US military. Which is a bit of a giveaway….

… Because I believe that, while the technology might be new, this approach is actually very old. The strategic style of PBS seems to fit neatly into the “positioning” school as defined by Henry Mintzberg – analytical approaches to strategy initially conceived by Sun Tzu, developed by military thinkers like Carl von Clausewitz and popularised in business by Michael Porter in the 1980s: the only difference is that we now have access to better analytics.

It’s interesting to me that we seem to be reverting to older models of strategy formation: the only explanation I can think of is that economic pressure is forcing more short-term heuristic thinking within industry – Porter’s ideas were popularised at the time of a previous recession, and perhaps we are now seeing a retrenchment of these older ideas.

Another theory is that this is actually a reaction against the democratising forces of web 2.0 and “digital natives” who are threatening the status quo in many industries. The metaphors of the analytical school are military: we are seeing entire industries fighting for their lives and using the “big guns” of analytics to gain tactical advantages over their competitors.

Another possible reason is that the business of analysis itself is under pressure: in a recession, insight and long-term thinking can be near the top of most lists of “non-essential budget items we could conceivably cut”. The analytical school was very popular in creating the management consulting industry as we know it today, with the creation of McKinsey and the Boston Consulting Group: perhaps Gartner are hoping that Pattern-based strategy will have a similar effect on their own fortunes?

Lost In Translation – The trouble with Business/IT Alignment

One of the biggest challenges with business transformation and technology enabled change, is the ability of both people in the business and in IT to sit down and have a conversation with each other and for that conversation to be fully understood by all concerned. Ok, there are many other challenges such as benefits realisation, programme management, culture change, but aren’t they all people based and therefore conversation based?

Now I am simplifying this somewhat but it is a challenge that people in IT and that includes me now (my previous role of corporate web manager was based within corporate communications)

To give an indication of the issue I thought I’d use a video from YouTube. It is 40 seconds long and is about the German Coastguard.

What i find interesting about this video is that for me it kind of sums up the challenge faced by IT. In the video the guy has all the technology he needs in front of him to do his job and support a wider network of other professionals, who all have the same goal (save people). However with all that technology what lets the person down is the ability to understand the “customer”.

The ability to have “conversations” is becoming the new skill that people require in order to support change. Now I also want to make the point that people in the Business also need to learn how to have better and more productive conversations with people in IT.

Now, having worked in the Business for some time, I can already hear people saying “Why should I learn how to interact with IT?” Well, the answer is simple: as the pressure of budget reductions increases, technology will become even more critical for progressive business transformation across organisations. It is therefore a priority for Business people to get a real understanding of the applications that support their business and the opportunities they present. If Business people can’t do that then we end up losing the opportunities as they get “lost in translation” between IT people (who don’t understand business) and Business people (who don’t understand IT).

This is, however, a journey we all have to make together, as a partnership, a fellowship, a collaborative effort, whatever terminology we decide to choose. Like most journeys, the value is not the destination but what you learn along the way.

EA styles 3: transforming the strategic paradigm

I’ve briefly covered in some previous posts how an EA team might *react* when faced with a particular dominant strategy formation style in an organisation.

This isn’t good enough for me though: I want it all and I want it to be the way I want it!

So if a particular strategy formation paradigm isn’t to your taste as an EA, what can you do about it? Is there a “preferred style” that EAs should always aspire to on behalf of their organisations? Is this even ethical?

Complex questions, and no clear answers. It may be that an EA team will see trends coming that they feel will negatively impact their organisation if the strategic paradigm isn’t changed. That’s good. But if the EA team aren’t the ones taking the risks in the organisation (for example, putting up the money!), perhaps they don’t have any business making senior management change their approach by fair means or foul.

I think that EAs will always have well thought-out views on the way organisations make strategic decisions – it goes with the job. Each EA will have to decide if and how they agitate for change dependent on their own values and with a mind to their own positions (especially in political organisations). So with that massive caveat, let’s look at the tools EAs have for making changes to strategy formation, based around the services that EA teams provide.

– Architecture creation: an EA team can create architectural models that emphasise the sovereignty of a particular group or population in the organisation. Such a model could, over a long period of time, transfer decision-making power to different groups and thereby influence the strategy style. This probably comes under the category of “EA black ops”, though, and is vulnerable to existing powerful stakeholders pulling the plug on the EA team.

– EA consulting: can promote particular styles of project delivery, and in the process embed particular ways of thinking into the organisation.

– EA compliance: can block or alter the course of projects that don’t echo the EA team’s preferred style.

– EA communication: this is the biggest way that EAs influence the organisation as a whole. It may be difficult to get into conversations with key stakeholders, however, if the organisation is very hierarchical, and EAs will need to use their contacts to leverage themselves into conversations.

– EA research: this is where EAs can do the ethical thing by bringing the trends that affect strategy creation styles to the attention of the people who can change them (not always senior management).

Change is always difficult: persuading powerful people that they need to personally change is even more hazardous. Building a momentum and sense of urgency behind the change is therefore always going to be important.

Culture Clash

What wins: the unstoppable force, or the immovable object?

Recently we’ve been engaged in a process, like many local authorities, of connecting ourselves up to the Government Connect Secure Extranet. In order to do this (and access a range of applications hosted by central government and other agencies) public sector bodies have to clear a number of hurdles in the form of the Code of Connection (CoCo) – a list of security standards that we have to meet in order to provide assurance that the sensitive data that will be carried will be secure.

So far, so sensible. But there’s a problem: the rules (devised by the Government’s security wing, CESG) state that a local authority must own the equipment that is being used to access the service. That is the immovable object in the opening statement of this posting. So what is the unstoppable force?

The consumerisation of ICT has been on our minds for a long time, and even more so with the advent of cheap (or free) cloud computing services like Google Apps. If the ICT department can’t come up with solutions that satisfy the requirements of ease, speed and convenience demanded by today’s digital natives, they will simply move their data somewhere that does. To this end IT strategy has largely been about providing fast access on any device, from any location, to data.

So we have a problem: how can we enable these consumer devices to access our data whilst protecting the security of our connection to the rest of government?

Possible answers include segmenting our network to provide services to unmanaged devices on one side and fully managed services (including public sector network) on the other. But this is expensive. Alternatively, some argue that a bootable device (like the BeCrypt trusted Client) could be used to provide a trusted platform on any machine to access secure GC services. We don’t yet know if these solutions pass muster with CESG though: so stay tuned.

We’re really interested to know if other local authorities have dealt with this problem and if so, how they’ve gone about mitigating the downsides.

EA Styles 2: Services

In my last post I put forward the idea that the way an EA operation goes about its business might differ according to the sort of decision-making structures that are routinely used in an organisation.

I need to apologise for the length of that post and the occasional shorthand that crept in whilst I attempted to condense a large amount of information into something blog-sized: I totally fail at plain English!

In an attempt to rectify that somewhat, in this (also quite long) post I’d like to show how this theory might actually deliver some value. To do this I will leverage a post by Gartner’s Bruce Robertson where he describes an EA effort as a set of services that it provides to a business. To summarise Bruce’s post somewhat, these services are:

  • EA creation (development of organisational and architectural models to help unify strategic and IT planning)
  • EA consulting (where an EA adds value to a project by helping it align itself with strategy and future trends)
  • EA compliance (where a project is assessed for its fit with the organisation’s future direction, strategy, infrastructure and referred or accepted)
  • EA communication (where EAs insert themselves into the conversations that happen around the organisation, educate, inform, listen and adapt)
  • EA research (looking at new trends, new technology, industry analysis etc)

To illustrate how the concept of an EA style might be applied in the real world, let’s consider two extreme examples: a small owner-managed retail outlet and a medium-sized public sector organisation (oooh, like a council maybe).

Firstly, let’s look at how strategy is formed in these two organisations. In the small business, the owner will make all the decisions. She is an entrepreneur with a vision that caused her to start the business; she knows what she wants (but might change her mind if she gets new information), and objectives will be in terms of sales and business growth. In the council, on the other hand, strategic direction is broadly set by politicians who are elected every four years; there is a hierarchical structure; central government makes statutory demands; audit and transparency are required.

The former, then, is an entrepreneurial business and demands an entrepreneurial style. The EA (probably in this case either the owner herself or an external consultant) needs to plug in to the vision and realise it quickly: management information from POS systems, staffing levels and training, marketing research processes are all needed.

  • EA models will be simple and amount to a description of the various processes required
  • EA consulting will be about challenging the owner’s vision, acting as a “critical friend”
  • EA compliance will be about ensuring that new initiatives (like diversifying product range or opening another outlet) are consistent with the vision
  • EA communication will be about networking with other entrepreneurs to see if synergies can be created, marketing the business informally and educating the entrepreneur about the risks she might be getting exposed to
  • EA research will involve looking at trends in the sector to see if anything is coming up that might change or disrupt the business model or create new opportunities.

All these processes will happen informally, sometimes all at once.  There will be few reports written, diagrams drawn, or software tools used.

The public sector organisation, by contrast, is fundamentally political. Direction is set by elected politicians and this creates a cultural background that the organisation has to work with. Political fashions change: one ruling party might be focussed on making investments for particular social or economic outcomes, while another might be more focussed on shrinking the organisation scope and cutting costs.

In this kind of organisation, a team will not survive if it doesn’t manage its stakeholders. A brilliant team that doesn’t do what the most powerful people want is doomed – regardless of how brilliant it is or how hard it works. So the EA team need to gain traction by identifying the most powerful stakeholders and finding out (sometimes indirectly) what their priorities are and finding ways to deliver them:

  • EA models will be just detailed enough to describe the area of stakeholder concern
  • EA consulting will challenge projects to deliver the top priorities
  • EA compliance will focus on rooting out those projects that work against the main stakeholder priorities
  • EA communication will be the biggest part of the job, trying to understand the currents of influence that run through the organisation so that the team can flow with them
  • EA research will look at new ways these priorities can be delivered

Although these are very different types of organisations, with different approaches, in both cases the EA team acts as a facilitator for the usual strategy formation process.

Sometimes, though, we might want to change that. But that’s another topic.

EA Styles

Back in August a number of posts appeared in the blogosphere following Gartner’s press release encouraging the use of “emergent architecture”. The debate is nicely summarised by Todd Biske.

The language that Gartner used, however, rang some bells with me: in my recent studies I looked at the various schools of corporate strategy making as defined by Henry Mintzberg. Mintzberg obviously had his own favourites, but nevertheless had tried to describe the various ways that strategy *could* (not necessarily should!) be formed in an organisation.

Organisations obviously come in all shapes and sizes. Some have strategy formation processes that go back a long way or are dictated by their constitutions or remits: an army will always require a certain amount of disciplined, top-down formal strategy creation compared to a web 2.0 startup with 3 people, which needs to react quickly to change strategy if something new and game-changing appears on the market. Government agencies will always be answerable to politicians and will need to change strategy every electoral period to suit the new administration. Publicly listed companies need to drive shareholder value and adopt a strategy creation process that will suit their goals, depending on which sector they are in.

So what does this mean for an enterprise architect? Perhaps the EA effort needs to initially align with, and then seek to transform, the strategy creation processes in its organisation?

Mintzberg defined 10 “schools” of strategy formation in total. I’ve listed them below (each school named as Mintzberg names it, followed by its characteristic tools, whether it is a planned or emergent style, and what the EA effort might look like) and spent a grand total of 10 minutes considering what form the EA effort might take in each case.

Design school
  • Deliberate strategy creation as a process of conception. Match the internal situation of the organisation with external factors.
  • Tools: SWOT analysis, Ashridge model
  • Planned
  • EA must: use a “classic” Gartner approach, based around CRV and creating strategic solutions: TOGAF

Planning school
  • Deliberate strategy creation as a formal process. Separate planning teams create strategy and use a pre-defined execution methodology.
  • Tools: scenario planning, parenting styles
  • Planned
  • EA must: use a Zachman approach coupled with a strong project management methodology (e.g. PRINCE2, MSP): TOGAF

Positioning school
  • Deliberate strategy creation as an analytical process. Positioning of the organisation within its industry or market.
  • Tools: five forces, value chains, BCG matrix, game theory
  • Planned
  • EA must: use a heuristic approach utilising reference models, e.g. the MIT EAS approach: TOGAF

Entrepreneurial school
  • Semi-deliberate strategy formation as a visionary process. The CEO is the architect of the strategy.
  • Tools: emphasises intuition, judgement, vision, leadership styles
  • Semi-planned
  • EA must: inform and deliver the CEO’s vision: challenge, support, and then formally design and programme manage: TOGAF and heuristic tools

Cognitive school
  • Strategy creation as a mental process. Maps, schemas, concepts and viewpoints.
  • Tools: groupthink, MBTI, Johari window, cognitive bias
  • Emergent
  • EA must: support cognitive processes across the organisation and make them real

Learning school
  • Strategy creation as an emergent process. What works and what doesn’t gets incorporated over time in a series of small steps.
  • Tools: organisational learning, knowledge management, SECI model
  • Emergent
  • EA must: provide a set of standards that the strategy can use as a platform for its learning. IFAPS.

Power school
  • Strategy creation as a process of negotiation.
  • Tools: stakeholder analysis, force-field analysis, stakeholder mapping
  • Emergent
  • EA must: identify powerful stakeholders and realise their common visions

Cultural school
  • Strategy creation as a collective process, as a reflection of the organisational culture.
  • Tools: cultural intelligence, Ashridge mission model
  • Emergent
  • EA must: define dominant values, design and build social networks, and critically appraise the corporate culture

Environmental school
  • Strategy creation as a reactive process. Sees the environment as the dominant factor in determining strategic direction.
  • Tools: contingency theory, situational leadership
  • Emergent
  • EA must: design and build solutions to give the organisation more options in the expected future environment

Configuration school
  • Strategy creation as a transformational process. Organisations change structure as strategy changes. Manage stability and discontinuous change without too much disruption.
  • Tools: organisational configurations, chaos theory, catastrophe theory, disruptive innovation
  • Planned / Emergent
  • EA must: propose and design valid alternative configurations (for discontinuous change) and systems of continuous improvement (for stable phases)

Interested to maybe develop this further: what sort of strategy creation style is prevalent in your organisation?

ERP and EA

Some councils have chosen to implement ERP systems such as SAP or Oracle E-Business Suite to consolidate a number of their core systems. It is argued that, by installing a “vanilla” out-of-the-box ERP system and by forcing changes to business processes to align with the ERP system, big savings can be made in the business processes themselves as they become more streamlined; and that consolidating systems such as finance, HR, payroll, procurement, project management, CRM and supply chain management can yield efficiencies through more integrated working and improve management information.

As an EA, however, I think I have to look at this the other way around: assuming the business wants process standardisation, better integration, and better management information, what’s the architecture that will deliver that?

I don’t know for sure, but wouldn’t integration be better delivered by an SOA implementation? Shouldn’t we implement BPM to improve and standardise our processes? Don’t we want data warehousing and BI tools to give management information?

And culturally, if we are going to implement an IT system to force through structural and process changes that we want to see, isn’t that the kind of thinking that got us into a mess in the first place?

I don’t know for sure and it is almost certain that the best practices inherent in some out of the box ERP systems will improve and streamline operations and save money. But when a business makes an investment decision on an ERP type of scale, what’s the opportunity cost?

Interested to know what others think about this, especially those working in a council that has implemented such a system.