The new CIO is expected to be truly agile, deliver transformational value using new technology based services and have a deep understanding of, and engagement with the business – all whilst managing and mitigating risks. In addition to this, the CIO is also expected to be a ‘business partner’ in the real sense of the word. On top of these factors, Cloud is often seen in the eyes of business as a metaphor for timely change, and a convenient ‘get out of jail’ card in their push to lower IT cost, and collapse IT project lead times.
In this context, ensuring the effective orchestration of the various ‘best practice’ methodologies and frameworks in the areas of agile application development, project management and risk management, all whilst managing the whole ‘Cloud’ discussion, is not a trivial task.
In this presentation, Rob Livingstone explores the key systemic and technical risks associated with the concurrent adoption and management of agile application development methodologies, project management, hybrid cloud and mobile devices within the enterprise in today’s volatile environment.
2. What I will be covering
• Agility, then adding in...
• Project Management, then adding in....
• Mobility, then adding in ...
• BYOD, then adding in ...
• Cloud, then exploring
• Systemic Risk to your organisation
• Managing the mixed messages
• Orchestrating the transition – some take-aways
4. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
Let’s briefly explore the topic of ‘Agile’
The “Asymmetry of expectations”
Question: Is your organisation expecting IT to be more
‘agile’ than they themselves are able to be?
The focus is on agile
1. What is agile?
2. Core values
3. Why agile?
5. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
What is agile?
• Agile is about people, collaboration, working culture
• It is not just SCRUM
• Agile is not just for IT – applies to entire organisation!
Core values of Agile
• Individuals and interactions over processes and tools
• Working software over comprehensive documentation
• Customer collaboration over contract negotiation
• Responding to change over following a plan
Agile manifesto - Published in 2001, a one-sentence narrative, four core values, and 12
principles
www.agilemanifesto.org
6. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
Why agile?
'It is not necessary to change. Survival is not mandatory'
-W. Edwards Deming
William Edwards Deming
(1900 – 1993)
8. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
Is business losing or has lost patience with Enterprise IT?
The answer has to be ‘Possibly!’
• Forces actively shaping the transformation of enterprise IT
• Other than the failure rate of enterprise IT projects….
• The need to ‗simplify IT‘ in the eyes of the users, plus
• The ‗need for speed‘ , plus
• The need to cut costs….
….Makes cloud particularly appealing compared to internal IT
• This can trump appropriate risk, total cost, project management
governance in organisations aggressively shifting to the Cloud
• Where does that put the individual disciplines and conventional
methodologies associated with application development, project
and risk management?
• The pressure on enterprise IT is mounting!
9. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
One-size-fits-all approach (PMBOK, PRINCE2) vs. Agile
10. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
One-size-fits-all approach (PMBOK, PRINCE2) vs. Agile
• One-size-fits-all approach: changes in the master project plan are seen as ‘negative’ – discouraged
• Agile: changes in the project plan are seen as ‘opportunities’ – inherent
11. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
Agile in Project Management
Important concepts include….
1. Minimising project risk by working on short iterations of clearly
defined deliverables.
2. Contingency planning in agile PM needs early and proactive
risk detection
3. Direct communication between players in the development
process is the default (i.e. not exhaustive project
documentation).
Rationale: Project team can rapidly adapt to the volatility in
changing requirements or environment
13. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
BYOD or Bring Your Own Disaster?
Mobile Devices
• Are powerful cloud access devices
• Extend the perimeter of your cloud
• Disperse the perimeter to your cloud
They have the potential to increase vulnerability:
• The compromise of one of these mobile devices
could be significant and compromise your entire
cloud.
• Use policy based key management regimes for your
data.
Question: Is the war “lost” on BYOD in your organisation?
14. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
BYOD
• Reflects the increasing demands of users
and organisations of their own IT
departments to be increasingly agile and
responsive to their needs when it comes
to iPads, tablets and other mobile
devices.
• Read the NIST Draft Guidelines
http://csrc.nist.gov/publications/drafts/800-124r1/draft_sp800-124-rev1.pdf
15. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
BYOD requires management: some suggestions…
1. MDM (Mobile Device Management) systems (Remote
wipe, policy enforcement)
2. Introduce a non-porous Virtual Desktop environment
• No data can flow between the Cloud system and the
mobile device itself
3. Containerisation:
• Segregates corporate from personal data and
applications
• Enforces encryption and prevention of data leakage
between containers
• Application / device specific therefore can be a
challenge to expand across the entire mobile
environment for all applications.
17. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
The most quoted Definition
of Cloud:
Cloud computing is a model for enabling convenient,
on-demand network access to a shared pool of
configurable computing resources (e.g. networks,
servers, storage, applications, and services) that can
be rapidly provisioned and released with minimal
management effort or cloud provider interaction
• US National Institute of Standards and Technology’s (NIST) definition
18. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
The most sensible Definition of Cloud:
“Forget your technical definition of the Cloud, ask your mom what the Cloud is….
…And what your mother will tell you about the Cloud is that it means it’s not on my computer.”*
Dave Asprey – Global VP, Cloud Security, Trend Micro
* Navigating through the Cloud Podcast Episode 23 in iTunes
19. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
Hybrid will be the dominant form in the enterprise
“Within five years, it will be primarily deployed by enterprises working in a hybrid mode”. - Gartner
Gartner "Predicts 2012: Cloud Computing Is Becoming a Reality"
(Published: 8 December 2011 ID:G00226103)
20. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
…. And with the Hybrid Cloud ….
…..comes complexity… and complexity introduces..
risk in areas such as:
• Change control, Rollback
• Security
• Identity Management
• Due diligence
• ‘Big-Data’
• Business Intelligence –
Dashboards and drilldowns
• Forensics / eDiscovery
• BYOD
• Mobility
• Legislative / Jurisdictional
• Contractual complexity
….. To name but a few
21. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
What are the dormant risks in your Cloud contract?
It’s YOUR brand at stake, not the vendor’s!
22. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
• You’re counting on the SaaS vendor to
provide all the multi-tenancy for your data.
• You hope they’ve written their applications
well, secure their databases, and so on ….
• You’re sharing the database with everyone
else.
23. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
The Inverted Risk Pyramid
HIGH RISK: Major enterprise instances, with complexity, scale, risk, compliance, deep integration, long term integration; enterprise governance needed
LOW RISK: Commodity / non-integrated Cloud applications
24. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
Is the Systemic risk increased by the
combination of:
– Hybrid Cloud
– Mobility
– BYOD?
25. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
Hybrid cloud can contribute to….
• Increased vulnerability due to its fragmented
architecture and larger attack surface …
• however, if it is properly architected, these risks are largely
eliminated by implementing measures such as…
o Deploying effective policy based key management
processes
o Properly segmenting your public and private clouds
o Encrypting each part of the hybrid Cloud with
separate keys
o … amongst other measures
26. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
Mitigate risks by defining and assigning key roles in your Cloud
environment.
– Define your Cloud Reference Architecture by reviewing applicability
against published models (e.g. NIST*, IBM, etc.)
– Ensure you do not miss important roles (e.g. the IBM CCRA does not
include the Cloud Broker and Cloud Auditor roles, which are included in the NIST CCRA)
* National Institute of Standards
and Technology
27. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
The emergence of the ‘Cloud Broker’
28. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
IT Department in the Cloud?
29. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
Remember this slide?
Why is brokerage a real consideration?
Also:
• Change control, Rollback
• Security
• Identity Management
• Due diligence
• ‘Big-Data’
• Business Intelligence –
Dashboards and drilldowns
• Forensics / eDiscovery
• BYOD
• Mobility
• Legislative / Jurisdictional
• Contractual complexity
….. To name but a few
30. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
"Cloud consumers should budget for additional
integration costs which can range from 10% to 30% —
and sometimes as high as 50% — of the total cost of
cloud IT projects.”
Gartner Predicts 2012: Cloud Services Brokerage Will Bring New
Benefits and Planning Challenges - Published: 22 November 2011
G00227370
Let’s explore the reasons why in a bit more detail …..
31. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
Agile in Risk Management
• Time horizon misalignments:
o Agile is based on short time cycles
o Conventional Risk Management: the time to
identify, plan mitigation and implement risk
management runs over a comparatively long
timeframe
• Categorisation of risks as part of the conventional
Risk Management process is not helpful in
identifying enterprise-wide systemic risks….
33. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
Systemic vs. Technical Risks
• Systemic risks are those with the greatest potential impact as
they affect the entire system (i.e. organisation, government,
country, world…)
• Case in point: how is it that the finance industry, which is one
of the more regulated, and invests heavily in risk
identification, mitigation and transference, could be the cause
of the current global financial problems?
• Systemic risk for the enterprise is the silent killer and is often the
hardest to identify, as only a few have a complete, transparent and
objective overview of the overall enterprise.
• Mitigation through approaches such as Enterprise Risk
Management (ERM), which has its origins in fraud and organisational
governance, and underpins the insurance industry
• Applicability to IT – Cloud especially – not often discussed
34. Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud
Systemic vs. Technical (or Functional) Risks
• Identifying, categorising and ranking technical and functional
risks is core to conventional IT risk assessment approaches:
o Risk of a specific event = (Impact × Probability of that event
occurring) + Risk Adjustment
• Underpins conventional risk certification frameworks, e.g. ISO 2700x
• Compliance does not necessarily equal security or effectiveness of
your risk management model
• The categorisation of risks into functional and technical categories
does not help in the identification of systemic risk
• Focusing on the diverse range of technical or functional risks, does
not account for the interaction between risks.
• Systemic risks are usually more significant than the sum of the
individual risks
36. Managing the mixed messages
A recent survey* referred to by Forbes
claims that “a meagre 3% of companies
considering Cloud consider it to be too
risky.”
This was based on a survey of 785
companies, implying the inevitability of
Cloud.
Not atypical of research in Cloud, this
survey was conducted by a firm that has
investments in the Cloud industry, with 65%
of respondents being vendors so one could
say that the results were not totally
unexpected.
http://www.forbes.com/sites/joemckendrick/2012/06/20/cloud-computing-simply-isnt-that-scary-anymore-survey/
37. Managing the mixed messages
Business fears being left behind?
"By 2015, nearly $1 of every $6 spent on packaged software, and $1 of
every $5 spent on applications, will be consumed via the SaaS model."
"By 2012, about 83% of all net-new software firms coming to market
will be operationalized around creating, testing, selling, and
provisioning a service versus a packaged product (CD)."
"By 2015, about 24% of all new business software purchases will be of
service-enabled software, and SaaS delivery will constitute about
13.1% of worldwide software spending across all primary markets and
14.4% of applications spending."
IDC Dec 2011 Doc # 232239
38. Managing the mixed messages
2012 PwC CEO Survey: 75% of CEOs plan to change innovation
capacity in 2012, of which 24% expect ‘major
change’, underpinned in part by technology.
The eighth annual KPMG 2012 Audit
Institute Report identified “IT Risk
and Emerging Technologies” as the
second-highest concern for audit
committees, which is unprecedented in
the history of the report.
39. Managing the mixed messages
• So, in a nutshell, there are mixed messages out
• On the one hand organisations demand speed, innovation,
agility and value, largely facilitated by technology.
“Organisations that adopt new ‘transformational’ technologies,
Cloud in particular, without effective consideration of the
enterprise wide, systemic and longitudinal risks, are
potentially either setting themselves up for future problems, or
not maximising the opportunities, or both.” – Rob Livingstone
41. Orchestrating the Transition – some Takeaways
#1: Adopt an integrated approach to function specific
methodologies
• Standardised, traditional methodologies within specific
disciplines such as Project Management, agile and information
security, in and of themselves, are self-limiting.
• Each discipline is only really effective when applied in a
coordinated orchestration with the other key moving parts of the
organisation
• IT is well placed to help facilitate this, due to its unique
perspective of the organisation as a whole.
Harmonization of functionally specific methodologies unleashes
value and eliminates waste
42. Orchestrating the Transition – some Takeaways
#2: Manage the conflicting messages
• Cloud evangelists see cloud as imperative, others not
• Executives and line of business managers all have volatile
expectations of enterprise IT
• ‘Fairies at the bottom of the Garden’ promises for the latest
IT ‘transformational technology’
• Opacity of risk
Develop an effective mechanism for interpreting these
messages in the context of your business
43. Orchestrating the Transition – some Takeaways
#3: Actively identify, embrace and manage shadow IT
“Shadow IT can create risks of data loss, corruption or misuse, and
risks of inefficient and disconnected processes and information” –
Gartner*
Embrace shadow IT, and define what is and what is not eligible to
be considered enterprise IT
Meet the challenge
* CIO New Year's Resolutions, 2012 (ID:G00227785)
44. Orchestrating the Transition – some Takeaways
#4: Identify systemic risks across the organisation
• Systemic risks can kill your business
• As CIO, ensure you are seen as the trusted advisor by your
peers
Ensure your executives and key decision makers are aware of
long term, systemic risks should they make enterprise IT
decisions without appropriate due diligence
Accountabilities for these decisions are to be clearly assigned
Consider implementing Enterprise Risk Management (ERM)
45. Orchestrating the Transition – some Takeaways
#5: Local optimum vs. Global Optimum?
• Senior managers with functional responsibility over specific
vertical silos of the organisation may underestimate the overall
complexity of their own business as a whole.
• Resulting decisions may be sub-optimal for the organisation as a
whole
• From a functional perspective, specific methodologies exist to
support specific activities, but may not mitigate enterprise-wide
systemic risks
Help others see through the appeal of ‘simple IT solutions’ that
merely mask underlying business complexity.
Test assumptions if critical, and be proactive in identifying the
risks for arbitration by the organisation as needed.