Marc van Zadelhoff (Director, Worldwide Strategy, IBM Security Solutions at IBM) is speaking at PCTY (Pulse Comes to You), 2011, London, an offshoot of IBM’s big Tivoli User Conference in Las Vegas, and his message is that security can be, should be (I’d say must be), an enabler for innovation and it mustn’t be lost in a security “silo”.
Good security, security by design, embedded in everything you do, lets you go places, and take business risks, where your competition dare not go.
This is true for governance generally, not just security. I’ve heard the non-siloisation message from IBM before and it’s a good one. But the devil is in the detail, and that detail lies in “effectiveness”: is security, for instance, more than a tick box; is it built into everything the organisation does?
One aspect of making the governance of a business automation platform effective is the availability of business-style analytics (which IBM now owns with Cognos etc.) for managing operations. IT generates a vast amount of data (log tapes etc.) which can be exploited for a lot more than simple “availability metrics”.
In fact, it needs to be, because the business isn’t all that much interested in the fact that a database was available 24×7 with no downtime last year—if for much of the time it was idle because network and application problems meant that business applications couldn’t reach it.
We need to rethink service level agreements so that they are expressed in terms like “support at least 1000 new customer acquisitions a day, with customer acquisition taking no longer than 5 minutes each”. We need to rethink performance management so that it becomes pre-emptive: not “we had a problem yesterday” but rather, “trends suggest that we will have a problem later today, and here’s a knowledgebase article on how this issue has been addressed in the past”. We now have the analytics tools to support this and we have plenty of data.
What we also need is cultural change. We need technicians who are prepared to use tools and language developed for the business; IT managers who can think in terms of (and reward) business outcomes; and business managers who are able to appreciate, at a high level, the technology decisions that enable business outcomes.
Now, whatever “cloud computing” is (“business-level services completely abstracted from implementation, a bit like last-century bureau computing” will just about do for me), it can be seen as a real catalyst for these changes. The public/private cloud issue is a bit of a red herring in my opinion—private clouds make people feel more comfortable, yet I see precious little evidence that the issues that scare people off public clouds have really been addressed in-house, in many organisations.
I hear of large companies without effective hierarchical security policies (policies which can relate desirable business outcomes to security technology configurations); and of large banks running their “configuration management system” from an Excel spreadsheet rather than a federated set of CMDBs (Configuration Management Databases). One of the possible advantages of putting business-critical applications in a public cloud is that it will force organisations to address such issues.
It’s a maturity thing. Cloud services mean cheaper and more flexible provisioning for the business—a Good Thing—but must still be governed appropriately. That is, cloud governance mustn’t make cloud services inappropriately expensive and inflexible. A mature company will have a good idea of the business outcomes it wants to achieve with cloud and the business level SLAs it needs for the automated services in the cloud that will deliver them.
It can then make fact-based decisions on whether particular services give it a competitive edge and should be built in-house or are commodities that can be obtained from a public cloud service like Salesforce.Com. And, of course, if the workload suits cloud computing, building in-house applications for a public cloud perhaps facilitates agile migration to public cloud services as the technology matures and becomes commoditised.
In Part 2 of this article, I’ll look at what this could mean in detail, going forwards.