governance

Open Source and risk

Debate on Open Source is too often focused on “it’s free” and on sometimes overstated claims about software quality.

As everybody knows, the cost and risk associated with bringing anything into an enterprise go far beyond the license costs. For OSS, a big problem is that by its nature it can bypass the controls imposed by procurement and the legal departments. This can lead to a range of potential risks from IP infringement to plain old version control. Of almost equal importance to the actual risk is the fact that the risk associated with OSS can be invisible (as the OSS use will often not be tracked as licensed software would be) and therefore undermine the whole of IT risk management.

This article covers one approach to dealing with this issue: specialist software to analyse the Open Source software. There are of course more straightforward alternatives: any vendor supplying OSS as part of a licensed product should be held to account to provide support and ‘handle’ the risk issues. For ‘pure’ OSS, there are plenty of commercial organisations who will provide a degree of quality assurance and service guarantees around projects. It may take away from the “It’s free and I won’t need to talk to legal and procurement” but do we really want staff bringing software straight from the web into deployment?

Ronan


SOA and its effects on Business Risk

SOA is a Big Thing – it transforms the business, it is a key strategic initiative, it aligns IT more closely with business goals, etc.

But this brings up an important issue for executives. How does SOA affect the business risk picture? Does it drive additional risks? Does it provide any mitigation?

Lustratus has just published a new paper, “The Impact of SOA on Business Risk”, that looks at this subject in more detail. The paper does not try to come up with a definitive answer, but instead considers the strategic, compliance, financial and operational areas of business risk and comes up with a grid of effects generated by SOA adoption, providing a framework against which companies can carry out their own risk assessments.

I believe this is an important area for companies to be aware of, with little guidance available. Bearing this in mind, Lustratus has decided to make the paper available at no charge. But for those people who cannot take the time to read the whole paper, the broad conclusion is that although there are areas where SOA drives risk, on balance it mitigates considerably more risk than it drives, and on top of this the new exposures are largely manageable.

Steve


IBM’s Information on Demand steamroller gains speed with the Princeton Softech acquisition

IBM announced the completion of its acquisition of Princeton Softech – a company which focused on data archiving, classification and discovery software.

All of which sounds quite specialist until it is put into the context of IBM’s Information on Demand (IoD) strategy. Back in March, Ambuj Goyal, who heads up IBM’s Information Management division (with responsibility for the Information on Demand strategy), explained:

“… an inflection point occurred in 1996 when there were many techniques to create Web sites or do Web-based business… We are at a similar inflection point in 2006. We have myriads of techniques – metadata management, ETL (extraction, transformation, and loading) tools, data creation tools, Federation tools, cleansing tools, profiling tools. People use these tools to solve the information challenge.”

To translate, IBM see a huge opportunity and are putting serious money into it – this acquisition is the latest of 21 which are part of this strategy (to see the list go here). The opportunity is to build an information management platform which allows organisations to create, maintain and (most importantly) extract value from the myriad of data sources which flow around the enterprise. Data cleansing, data distribution, data integration and master data management (among other areas) are each expensive activities but often have clear budget and value associated with them – this even before getting to semi-structured information which is also within the Information on Demand remit. While there are best of breed solutions to different parts of the puzzle, there aren’t single integrated solutions – which is what IBM hopes to offer. Interestingly, IBM has yet to move on Business Intelligence vendors – it appears to have correctly realised that the major task is not creating dashboards; it is ensuring that what goes into the dashboards is correct and timely.

Anyone familiar with the area of enterprise data management will realise that the challenges inherent in building and deploying such a platform are formidable. At a recent briefing IBM gave Lustratus, the whole area of data governance in particular was highlighted: how do you organise structures and responsibilities to ensure that coherent and consistent data definitions can be used and reused through the enterprise (this should sound very familiar to anybody involved in SOA – just switch the word service for data!). To figure out how to do this right IBM set up the Data Governance Council back in 2005 with many leading financial services and telecoms companies (among others).

Yet again getting into detail is beyond the scope of a normal blog – but I would recommend anybody with a passing interest in BI (or indeed enterprise architectures) to take a look at IBM’s web-site on Information on Demand. Of course the strategy is not without obvious challenges: the technology is from many different sources (even if it now all belongs to IBM) and there is a significant amount of complexity associated with solving such a complex problem. Also, when there isn’t a significant regulatory stick (Basel II for instance), I imagine it could be very hard to sell at a strategic level. This is because while there are clearly valuable uses of Information on Demand, there seems to be no common theme around which business momentum can be built. And finally, its association with the term business intelligence may well go against it – already some analysts are wondering where IBM’s query tools will stack up against Business Objects et al (not a relevant question as BO and others will sit on top of IoD) and in many cases the proposition is operational efficiency or regulatory compliance, not (to my mind at least) classic BI.

Ronan


SOA and Conway’s law

Jim Webber’s blog reminded me of the existence of Conway’s Law which seems particularly relevant to the challenges SOA governance attempts to address.

For those of you who haven’t come across this law, two forms of it are…

“Any piece of software reflects the organizational structure that produced it.”

or a more techie version:

“If you have four groups working on a compiler, you’ll get a 4-pass compiler.”

The first is a good encapsulation of the reality of working in enterprise IT, and SOA governance attempts to optimise the way in which software reflects the organisational structure through building expertise, capturing and formulating successful patterns of use, promoting ‘good behaviour’ and so on.

The second statement of Conway’s law, while being more jokey, also brings in implications of human nature: if you set up teams with separate responsibilities, expect them to collaborate sufficiently to complete the job but also expect them to carve out their areas of control to the potential detriment of the overall solution. This is true with all professions – however, mix in the stronger tendency to ‘not invented here’ within IT and the problem becomes even bigger. The SOA equivalent of the 4-pass compiler is poor rates of reuse and multiple versions of what is essentially the same service. Overcoming this again requires good governance – promoting communication between teams and incenting reuse – and good technology to support it.

Ronan


SOA, governance and the Trough of Disillusionment™

All shiny new things in IT go through a cycle of boom and bust before becoming an established and useful part of the enterprise IT world.

This cycle is as much about the need for marketing departments and the press to have something new to write about as it is about ‘real’ issues. The pattern is so well established that Gartner even has a graphic to capture where technologies are in what they call the hype cycle – the lowest point before technologies become generally understood and used is called the trough of disillusionment.

Service Oriented Architecture is no exception and Brenda Michelson of Elemental Links even celebrates the possible arrival of SOA at the trough of disillusionment as a good sign! Moreover, I suspect that with SOA the trough may be worse than with most because it is more fundamental to the enterprise than ‘point’ technologies and attempts to address the fundamental issues of alignment with business strategy and IT agility.

I contrast SOA with point technologies because SOA is actually about changing the way IT solutions are created, deployed and maintained – not providing a single (however big) solution to a single (however big) business problem.  In essence, it is about enterprise architecture (and architects) and how this fits into the whole business.  This means that with SOA there should be no such thing as a stand alone project.  A stand alone project is inherently suboptimal as it removes the opportunity to reuse existing services and to expose further services.   It may take organisations many years to get there but this is the final destination.  This means that the organisational impacts of SOA (both human and technological) are in the long run the most important aspect of SOA.

What has obfuscated this point to a degree is that most discussions around these issues are gathered into the term governance.  Unfortunately, using the term governance has put off many of the people who should be interested – perhaps governance suggests discussions on how to organise committees!   Furthermore, the term has to a degree been appropriated by vendors with products which assist in the technological aspects of governance.  And finally, there isn’t a single clean solution to governance as it is inherently tied into the way each organisation does its business which makes it hard for the press to get to grips with it.

All of which doesn’t take away the fact that governance is where SOA success will happen or not.  This of course does not mean that we now need a big-bang SOA Governance investment.  To quote Fill Bowen from IBM speaking at a presentation/discussion on governance hosted by the SOA Consortium at its European event back in June:

“your SOA governance [should be] based on the level of SOA effort. So putting a
Cadillac SOA governance system in place when your SOA effort is targeted at just
trying to walk seems to be a little bit of overkill.”

Ronan
