Recently in Information Security Management Category

The Two Key Roles for IT In Social Media are Business Service Enablement and Digital Asset Guardianship

What a great day we had at the Pink Elephant Social Media Event this week in Toronto! David Ratcliffe, Chris Dancy and I presented a full day agenda of topical sessions related to the opportunities and risks stemming from the tidal wave adoption of social media in both the private and commercial sectors. The attendees were very engaged and were almost to a person asking the same questions.

Q: What is the relevance of Social Media to IT Groups and what do we do with it?

This is the same question I hear over and over again from the various IT leaders and organizations we work with. For many, Social Media is largely a problem: something to control or block from within company firewalls and network perimeters.

In other words Social Media is a nuisance they would rather not bother with and is getting in the way of their real work of managing the organization's technology environment.

This was certainly the perception of several of the event attendees who came looking for ways to control, limit or completely block the business users from social media sites during work hours or on company devices. "We certainly wouldn't want employees wasting company time in non-productive activities!" From that point of view Social Media is only something of interest and value to individuals for personal use. However, many organizations and IT Leaders have not understood that there is more to this topic than they might think.

What our industry is just beginning to realize is that Social Media is also an extension of our customers' business service strategy. Business customers are hungry for ways to innovate, differentiate and improve their value proposition to the market. The world is literally connecting from a variety of technology devices in unprecedented ways on these emerging networking platforms. Millions of people globally are talking about and commenting on pretty much everything under the sun, including your company's products and services. The fact of the matter is that if an organization wishes to reach and communicate with its clients, constituents and citizens, it must go where the people are!

At the Pink event we impressed upon the attendees the Tsunami speed of adoption to raise the urgency of this topic.

  • Social Media adoption has surged to staggering heights. Facebook has over 618 million users (as of today), with 100 million new users added in the last 6 months
  • LinkedIn has over 75 million users worldwide
  • Twitter's 105,779,710 registered users account for approximately 750 tweets each second
  • The Facebook platform houses over 550,000 active applications and is integrated with more than one million websites

With recent technology advancements such as high-speed web access and the proliferation of mobile computing devices, we have had years to adjust and establish methodologies and approaches. In the case of Social Media we are seeing massive change in a matter of months, if not weeks.

A recent Burson-Marsteller study shows that, "of the Fortune Global 100 companies, 65% have active Twitter accounts, 54% have Facebook fan pages, 50% have YouTube video channels and 33% have corporate blogs."

For these compelling reasons Businesses, Non-Profits, and Government Agencies are rushing to extend their existing web strategies to include and incorporate social media functionality and feeds into their service lines. Business customers of IT such as Marketing, Sales, HR, Research and Development, and Product Support are engaging "NOW" in Social Media and cloud activities. However, many organizations are doing so in an uncoordinated, unplanned and ill-advised manner.

The problem is that they are not necessarily working with the IT Leadership to do this! Why should they? (Sarcasm)

  • They don't need IT's permission
  • They don't need new technology (At a pinch a browser will do)
  • They are not exactly getting an enthusiastic response from us if they actually ask for help
  • They believe IT is not agile enough and are focused more on controlling and limiting their goals versus enabling them

Not surprising, then, that many of our business customers take a "don't ask, don't tell" approach to their social media activities!

Consider for the moment the ITIL Definition of a Service: "A service is a means of delivering value to customers by facilitating outcomes customers want to achieve without the ownership of specific costs and risks."

So if Social Media is something the "Customer Wants" then we should be stepping up to the plate and helping them achieve the expected value by applying good practices to manage risk and costs.

In short, we should be Enabling Business Service Outcomes by working this requirement through a well thought out Service Life Cycle (Strategy, Design, Transition, Operations and CSI) process. (Sound familiar?) We should participate in this activity as a Partner versus a Road Block.

This is one of the topics I addressed in my session on Monday and will be speaking to again at the Pink conference in Vegas in a couple of weeks.


Of course with opportunity and reward comes risk!

It is our job in IT to also be the Guardian of our customer's Digital Assets. Our customers look to IT leadership to help establish technology and policy controls that will mitigate the very real risks that engaging in social media or general online activities presents.

Cyber criminals are like sharks, which cluster where the action is, and the action is certainly happening on Facebook, Twitter, LinkedIn etc.

The key consideration here is that we must stop thinking that the digital security perimeter exists only inside the company's network firewall. Consider the following quotes from the Cisco Annual Security Report:

  • Consider social media. Its impact on computer security cannot be overstated. It is common for workers to blend business and personal communications on these social networks, further blurring the network perimeter
  • The high levels of trust that users place in social networks - that is, users' willingness to respond to information appearing within these networks - has provided ample opportunity for new and more effective scams. Instead of searching out technical vulnerabilities to exploit, criminals merely need a good lure to hook new victims
  • No longer does business take place solely behind network walls. The critical work of an organization is happening increasingly on social networks, on handheld devices, on Internet kiosks at airports, and at local cafes
  • Social Media: "We're The Problem". Social media users believe there is protection in being part of a community of people they know. Criminals are happy to prove this notion wrong

The key point to consider is that we need to understand and effectively manage risks related to web and social media activity. IT leadership needs to open their eyes to the business opportunity as well as the risk, and actively engage our customers in helping them to achieve their goals. Focusing our security efforts only on blocking URLs and domains from within company firewalls is too narrow-minded, short-sighted and doomed to failure, like the story of the little Dutch boy who stuck his finger in the leaky dam. Being an effective Guardian of our Customers' Digital Assets means taking a holistic and people-centric approach to managing both technical and social engineering attacks from within and outside our firewalls.

Troy's Thoughts. What Are Yours?


Quote: "If you don't like change, you're going to like irrelevance even less." General Eric Shinseki, Chief of Staff, US Army

In the Chief CEO Briefing article, "WikiLeaks' Next Target: CEOs", it seems to me that Wikileaks' founder Julian Assange will make good on his vow to go after big business and to release confidential information concerning the nation's largest private companies. The most severe threat to any organization, whether it is the State Department, Department of Defense, a large U.S. Bank or another major publicly traded company, is the insider threat.

I spoke with Chrisan Herrod, our security expert, to get her view on how this will impact security policy in global enterprises. This is what Chrisan had to say:

"Wikileaks has made it completely obvious that information security breaches represent a significant risk to the enterprise and that an air tight cyber security strategy is not an option, it is a must. The question then becomes how best to counter the threat without damaging the mission of your business.

  1. CEOs should take notice now of what is happening within the US government and take extraordinary measures to protect their corporate information. IT and the Business should focus on the principles of alignment offered by Business Service Management. Business leaders and Information Security personnel have much that they can do, and should do, to be as proactive as possible.
  2. First and foremost, make Information Security a top priority for your company. If you do not have a Chief Information Security Officer (CISO), hire one and place the individual outside of IT in a role that is visibly important to the entire company.
  3. Stand firmly behind your Corporate policies and enforce them through the best education, training, and awareness that you can afford for your employees.
  4. Adopt a culture of risk management and form an IT Risk Management group that reports to the Audit Committee of the Board of Directors.
  5. Do not buy technologies to solve your problem; rather, adopt technology that will enable your company to do a better job of ensuring who has access to information and systems, and require business units to validate monthly an individual's need for access.
  6. Finally, use technology in conjunction with improved access management processes, compliance with corporate policies and increased awareness of the risks to your company should information be leaked that could be damaging to you personally or your company as a whole.
I agree with the government's increased emphasis on improving access management and my reasoning is supported by survey data released earlier this year by the Ponemon Institute.  In their survey, sponsored by CA, they revealed that rank-and-file employees were much more likely than executives to see the necessity of certain enabling technologies to reduce or mitigate security risks within their organizations, and the technology with the widest difference: identity and access management systems.
If Identity and access management systems and processes are not in place, it places the corporation in a higher risk category.  And even if they are in place, they must be continuously monitored.  That is why it is so important not to invest in technology alone, but to invest in sound processes based on enforceable and monitored policies.

So by all means take to heart the issue of access management and address it first and foremost, but also ensure that you are taking Information Security and Risk Management seriously as part of your Business Service Management strategy in a high threat environment."

Another area that is gaining more and more attention these days is "Cloud computing", and I guess the largest issue I have is around its scope and definition. Many appear to offer hosted services that are now renamed as Cloud computing; even outsourcing, managed services and Software as a Service (SaaS) fall under this new branding. Is that all it is, a simple rebranding to allow all remotely hosted services to have a new home?

As with all new paradigm shifts, the best evidence that it'll be widely adopted and accepted is found by looking at the user community. At this week's Westminster eForum one of the speakers, Rik Ferguson, senior security adviser at security firm Trend Micro, told us that the criminal fraternity are the largest group of adopters. Well, I guess if we look back to look forward, we'll see that this was the case for the early adopters of the internet (pornography being the biggest financial winner). Rik also highlighted that "We already see customers of Google, customers of Amazon, who are criminals and who use those services, among others, to run command-and-control services for botnets, to launch spam campaigns and to host phishing websites. They see the power, the scalability, the availability and, for them, the anonymity that is possible through cloud services and they are using it to its fullest extent."

Well, the good news is that both large and small organisations will benefit from the Cloud, enabling smaller companies to automate and to scale up and down depending on market conditions whilst keeping overheads well managed. Large organisations can also reduce overheads and move into new or changing business areas quickly without being held back by in-house technology restraints. However, I think that now, more than ever, process becomes king. Knowing that your business service processes and IT service processes are in place, and that ownership of responsibilities is understood, becomes the key to success when ownership of the infrastructure (including operating systems, software and applications) is left to someone who is not a part of your business.

It appears to me that we are entering into the realms of treating IT as a utility, just like Electricity, gas etc. We need it to be there, we need to know the costs of utilisation, but the providers do not need to know what we run on it. This makes me think about the capacity planning and availability issues. We in the UK certainly know that the Electricity providers monitor utilisation and have to prepare for odd events like half time during a football or rugby match, as viewers go and put the kettle on for tea. The utility suppliers need to understand their market, its dynamics and influences, however odd, to ensure all the customers get the resources they need, when they need them, without interruption. Can "the cloud" handle this now or in the future?

Who's working on the cloud right now? Well, Amazon, Google, Sun, IBM etc., but some surprising companies are entering the market utilising spare capacity from their traditional business. now offers to other businesses to host applications on, BMC software being a recent case in point. So keep your head in the cloud and watch how things develop, in particular the process issues of dual ownership and end-to-end automation, but keep your feet on the ground to ensure you protect your business and understand the current and potential risks.

The space between the cloud (hosted infrastructure, including apps) and the end users would be the area that needs focus. Can that be called "fresh air"?

UPDATE: we now have a BSM Maturity Model (registration required) >>

One of our unstated goals at is to create a maturity model for Business Service Management and beyond. Of course, this maturity model may differ slightly by industry, but the idea is to create a model which is good enough to create a "common roadmap" for IT and its business partners (yes, we will include cloud services).

To start the discussion, I've brought together some of the traditional thinking from IT 1.0, and some "edge insights" from people like JSB.

To start, let's look at Gartner's IT Management Process Maturity Model from 2005. Looks familiar, doesn't it? What should Level 5 and Level 6 look like? 


For nGenera, a few years ago, Vaughan Merlyn created a different sort of maturity model based on demand and supply:

He asks:

Business demand is also a function of IT supply - low supply maturity will constrain business demand. For example, an IT infrastructure that is unreliable and hard to use will tend to dampen the business appetite to leverage IT for business innovation and for collaboration with customers and partners. Typically, if business demand gets too far ahead of IT supply, there will be a change of IT leadership. On the other hand, if IT supply gets too far ahead of business demand, IT will be seen to be overspending, resulting in a change of IT leadership. The most common patterns are that at Level 1, business demand leads IT supply; in Level 2, IT supply tends to 'catch up' with and overtake demand, and in Level 3, demand and supply are closely aligned. From the perspective of late 2007, we see the majority of companies at mid-Level 2, some at high Level 2, and a minority at either low Level 3 or high Level 1. Why are so many at mid-level 2, and seem to be struggling to get to the next level?

Good question. Any ideas?

Then there's Accenture's Service Management Maturity model from their ITILv3 practice - they rightly state that ITILv3's focus is on business results; hence their advocacy for adoption:


At Deloitte, JSB and Tom Winans have built an interesting map for "autonomic computing" which is focused on the direction of IT's evolution. It's part of a series of papers on cloud computing. It's a technology maturity model, if you will:


Finally, I borrowed this SOA Maturity model from Infosys:

Taken together, we have enough food for thought and discussion, don't you think? I have this silly notion that a business service management maturity model must begin and end not with IT but with the business. And cloud computing will certainly play a giant role in this transformation from physical datacenter to cloud service grids. And of course we'll still have to worry about compliance and security.

Once again, I'll defer to the JSB and Winans vision for the future.  After we get to autonomic computing, then comes the service grid:


If I understand correctly, here's what they're saying: technology platforms will be business platforms.

With that, let's ask once more: what does a Business Service Management Maturity Model look like to you? 


HP has an ITIL-view which is evolutionary:



gives us a look at a maturity model developed by Macehiter Ward-Dutton:


Stay tuned.

Business Service Management (BSM) is a process, a mindset, not a product (as Peter Armstrong would say) so it is not a technology in the first place.  It is strategic, however, so let's take a quick look at each of Gartner's choices and ask:

"What has this got to do with BSM?"

Gartner's Top 10 Strategic Technologies for 2010

Cloud Computing. Cloud computing is a style of computing that characterizes a model in which providers deliver a variety of IT-enabled capabilities to consumers. Cloud-based services can be exploited in a variety of ways to develop an application or a solution. Using cloud resources does not eliminate the costs of IT solutions, but does re-arrange some and reduce others. In addition, consuming cloud services enterprises will increasingly act as cloud providers and deliver application, information or business process services to customers and business partners.

My two cents: Managing cloud services demands that companies must have a BSM strategy which can monitor and manage the physical datacenter, virtualization, and the cloud - whether it be public, private, or hybrid. We need ITIL in the Cloud and robust Cloud Service SLAs.

Advanced Analytics. Optimization and simulation use analytical tools and models to maximize business process and decision effectiveness by examining alternative outcomes and scenarios, before, during and after process implementation and execution. This can be viewed as a third step in supporting operational business decisions. Fixed rules and prepared policies gave way to more informed decisions powered by the right information delivered at the right time, whether through customer relationship management (CRM) or enterprise resource planning (ERP) or other applications. The new step is to provide simulation, prediction, optimization and other analytics, not simply information, to empower even more decision flexibility at the time and place of every business process action. The new step looks into the future, predicting what can or will happen.

My two cents: OK, so now we know how to compete on analytics. But the decision-making process is much more complex than most people expected. Analytics are fine, but what we need is refined insight and critical understanding. The Big Shift Index tells us about what we haven't thought about measuring yet! Where's BSM in all of this? Well, if your CRM and your ERP systems are mission-critical, then BSM ensures they deliver on their promise when you need it.

Client Computing. Virtualization is bringing new ways of packaging client computing applications and capabilities. As a result, the choice of a particular PC hardware platform, and eventually the OS platform, becomes less critical. Enterprises should proactively build a five to eight year strategic client computing roadmap outlining an approach to device standards, ownership and support; operating system and application selection, deployment and update; and management and security plans to manage diversity.

My two cents: Anytime, anywhere, on any device. BSM must be an integral part of managing virtualization to avoid virtual sprawl, if nothing else. Of course there's the end-user experience that needs monitoring as well.

IT for Green. IT can enable many green initiatives. The use of IT, particularly among the white collar staff, can greatly enhance an enterprise's green credentials. Common green initiatives include the use of e-documents, reducing travel and teleworking. IT can also provide the analytic tools that others in the enterprise may use to reduce energy consumption in the transportation of goods or other carbon management activities.

My two cents: Virtualization and Cloud computing will help IT become greener faster, by reducing the datacenter footprint.  And virtual collaboration can reduce carbon emissions. Isn't optimizing asset usage a BSM function?

Reshaping the Data Center. In the past, design principles for data centers were simple: Figure out what you have, estimate growth for 15 to 20 years, then build to suit. Newly-built data centers often opened with huge areas of white floor space, fully powered and backed by an uninterruptible power supply (UPS), water- and air-cooled and mostly empty. However, costs are actually lower if enterprises adopt a pod-based approach to data center construction and expansion. If 9,000 square feet is expected to be needed during the life of a data center, then design the site to support it, but only build what's needed for five to seven years. Cutting operating expenses, which are a nontrivial part of the overall IT spend for most clients, frees up money to apply to other projects or investments either in IT or in the business itself.

My two cents: See previous two cents <<

Social Computing. Workers do not want two distinct environments to support their work - one for their own work products (whether personal or group) and another for accessing "external" information. Enterprises must focus both on use of social software and social media in the enterprise and participation and integration with externally facing enterprise-sponsored and public communities. Do not ignore the role of the social profile to bring communities together.

My two cents: Have you noticed that Twitter is having availability issues lately?  I wonder if they use ITIL or BSM?  Same story on Facebook. Maybe they use ITIL-Lite.  There are unfortunately, some documented productivity issues with social computing, but we have an effective solution for improving knowledge-worker productivity.

Security - Activity Monitoring. Traditionally, security has focused on putting up a perimeter fence to keep others out, but it has evolved to monitoring activities and identifying patterns that would have been missed before. Information security professionals face the challenge of detecting malicious activity in a constant stream of discrete events that are usually associated with an authorized user and are generated from multiple network, system and application sources. At the same time, security departments are facing increasing demands for ever-greater log analysis and reporting to support audit requirements. A variety of complementary (and sometimes overlapping) monitoring and analysis tools help enterprises better detect and investigate suspicious activity - often with real-time alerting or transaction intervention. By understanding the strengths and weaknesses of these tools, enterprises can better understand how to use them to defend the enterprise and meet audit requirements.

My two cents: See this survey on security management best practices.

Flash Memory. Flash memory is not new, but it is moving up to a new tier in the storage echelon. Flash memory is a semiconductor memory device, familiar from its use in USB memory sticks and digital camera cards. It is much faster than rotating disk, but considerably more expensive; however, this differential is shrinking. At the rate of price declines, the technology will enjoy more than a 100 percent compound annual growth rate during the next few years and become strategic in many IT areas including consumer devices, entertainment equipment and other embedded IT systems. In addition, it offers a new layer of the storage hierarchy in servers and client computers that has key advantages including space, heat, performance and ruggedness.

My two cents: Wrong? We're going to see cloud storage take over this area, and it may or may not use flash memory.

Virtualization for Availability. Virtualization has been on the list of top strategic technologies in previous years. It is on the list this year because Gartner emphasizes new elements such as live migration for availability that have longer term implications. Live migration is the movement of a running virtual machine (VM), while its operating system and other software continue to execute as if they remained on the original physical server. This takes place by replicating the state of physical memory between the source and destination VMs, then, at some instant in time, one instruction finishes execution on the source machine and the next instruction begins on the destination machine.

However, if replication of memory continues indefinitely, but execution of instructions remains on the source VM, and then the source VM fails, the next instruction would now take place on the destination machine. If the destination VM were to fail, just pick a new destination to start the indefinite migration, thus making very high availability possible.

The key value proposition is to displace a variety of separate mechanisms with a single "dial" that can be set to any level of availability from baseline to fault tolerance, all using a common mechanism and permitting the settings to be changed rapidly as needed. Expensive high-reliability hardware, with fail-over cluster software and perhaps even fault-tolerant hardware could be dispensed with, but still meet availability needs. This is key to cutting costs, lowering complexity, as well as increasing agility as needs shift.

My two cents: Now this is a BSM play if there ever was one!

Mobile Applications. By year-end 2010, 1.2 billion people will carry handsets capable of rich, mobile commerce providing a rich environment for the convergence of mobility and the Web. There are already many thousands of applications for platforms such as the Apple iPhone, in spite of the limited market and need for unique coding. It may take a newer version that is designed to flexibly operate on both full PC and miniature systems, but if the operating system interface and processor architecture were identical, that enabling factor would create a huge turn upwards in mobile application availability.

My two cents: Anytime, anywhere, on any device.  Didn't I write about that a few seconds ago? And don't we need our CMDB to track all these diverse devices and apps?

As you can see, I've attached Business Service Management (BSM) as an enabling IT strategy for just about all ten of Gartner's Strategic Technologies for 2010. And of course if it's a service provided by IT or even an external service provider, we're still going to need a Service Catalog for 2010. More on that in a later post.

Israel, where do agile practices fit into this? Just about everywhere as well?

security survey

's friends over at the Enterprise Strategy Group shared this security best practices report with us. Let us know what you think.

What Matters is the End Goal

It's strange how history repeats itself, fashions go in cycles, and every generation comes to them for the first time thinking these things are new, innovative and revolutionary. I guess it's because we're still human and we still need to learn the same lessons over and over again. We want to listen to advice, but can't; we want to learn from the past, but don't; we all want something that's called "common" but is far from it - sense!

Many years ago now the company I worked for at the time brought a new concept to the marketplace. The analysts jumped onto it and made it their own, the market hype was all over it, and it was the direction all business had to get to. Eight or more years on and we're still moving in that direction; the buzz died down, the capabilities slowed, and the term used changed from IRM to BSM. However, BSM was actually only a subset of what IRM aimed to achieve. With the complexities we find ourselves in today, with Virtualisation and Cloud computing, the issues are still the same, only in some cases magnified, and the responsibility of ownership is moving. More and more the Business is relinquishing, and will continue to relinquish, ownership of the delivery of services to the employees (who make up the business) and allowing suppliers to take over.

It's something that has happened for centuries now. We moved from self-sufficiency to being reliant on others. Once, we all had wells in the garden to provide water for the household; now it's all provided through piped services. Once, we had to make our own small generators for the electrification of the Home, Farm or estate; now it's all provided through piped services. The list goes on, and so it is and will continue to be within the IT environment. Hence the need for Service Management to ensure we all have the disciplines, controls, standards and processes in place, controlled and managed to ensure delivery as required by the customers, whomever they may be. Why did we move this way? Well, for various reasons: economies of scale, cost savings, and to allow us to focus on our core competency without being dragged down by the day to day necessities of life.

A slide on my website shows what is required to support the employee, who is at the centre of the business, and how these are more and more being delivered via services as depicted around the circumference of the sphere. This slide goes back 8 years or more, so not new, but it appears it was rather a vision of the future, and more and more I can see it being fulfilled. Whether we use the same term or not is irrelevant; what matters is the end goal. Something that Geoffrey Moore of Crossing the Chasm fame predicted at roughly the same time.

Check out the slide and let me know if you see it being slowly fulfilled:


Explains Richard:

Initially, compliance was an externally imposed distraction, representing just one more burden on an over-stretched enterprise and IT staff. But now, compliance activities not only provide data about current practices but also highlight areas where increasing the level of control could yield greater efficiencies in operation.

Read The Path to Compliance as a Business Strategy »

Welcome to


Agile BSM

Discussion around Business Service Management (BSM) has been ongoing for years ...and years ...and years. Yet it remains a fairly immature dialogue as vendors scope BSM to capitalize on their respective product offerings; as IT organizations struggle to articulate the desired end state; and as industry analysts deliver unique perspectives for purposes of differentiation.

Fortunately, the purpose of BSM is so fundamental, so basic, and so obvious ...that vendors, IT organizations, business managers, analysts and editors intuitively "get it" ...reducing the confusion that so frequently accompanies newer technology concepts. This website is dedicated to the BSM dialogue by whoever wishes to participate. There is no fee to join content that requires a subscription ...and no censorship of reasonable ideas and questions.

IT has been, is and will continue to be hammered for being disconnected from the business needs of the customer that IT serves. Sometimes the IT organization is adequately connected to the business entity, with the value simply unrecognized. More often, IT is guilty of diversionary focus on technology silos that business doesn't care about. BSM is the discipline that aligns the deliverables of IT to the enterprise's business goals.

That discipline comes in the forms of activities, technologies, tools, metrics, processes, best practices and people. BSM creates a laser focus on those deliverables generated by IT into something that is meaningful to the business community. If the IT deliverable is of no importance to the business function, then IT should eliminate or repackage it into a service that carries appropriate business value. BSM success is entirely dependent upon the willingness and skill of both IT and business to have an effective two-way conversation; either party without the other is doomed to failure.

Read my complete introduction: The Why & What of Business Service Management

About this Archive

This page is an archive of recent entries in the Information Security Management category.
