Mike Walker on Business Architecture, Part 2


In this is Part 2 article, “Walker on Business Architecture” in the Architecture and Governance Magazine , I continue to explore and answer questions in the business and information architecture discipline. In part 2 of this article we switch the focus to real world application of BA and IA.

  • Describe examples of business architecture (BA) and/or information architecture (IA) you have seen at organizations you have worked for or been exposed.
  • Have you seen anyone make an attempt at BA or IA and fail?
  • If you had to pick one critical success factor for BA/IA, what do you think it would be?
  • General comments/thoughts as it relates or does not relate to enterprise architecture.

Before we get into the article, be sure to go to the Architecture and Governance Magazine site and check out all the other great articles as well. Just sign up and you can browse all the volumes.


Part 2, Walker on Business Architecture

A&G: Describe examples of business architecture (BA) and/or information architecture (IA) you have seen at organizations you have worked for or been exposed to (generic, no company names)? And how would you rate those efforts?

Walker: In regard to business architecture success stories, I’ve seen a company transform its entire IT landscape to make business architecture a first-class citizen. It did this by creating an executive business steering committee. And that executive business steering committee was responsible for centralizing the corporate strategy. Having that structure tied down then led to a formal business architecture team. The business architecture team reported directly to the strategy steering group. So, for the first time in that company’s history, it had a business architecture translating the business corporate strategy into something consumable by the enterprise. That function was elevated all the way up to executive vice presidents, the highest level in the corporation, to focus on the discipline of the business architecture.

The outputs of that were things like road maps, business and IT strategies, and architectures and future state models of where the company wants to go. The company was so ambitious that it said let’s forget the sins of the past and let’s focus on what this company would look like 10 years from now, and let’s create that view. Committee members spent several months creating that view, and then they went back to the enterprise and said, okay, what is the gap, because this is where we need to go as a company. It really gave the company focus and direction in what’s important and what’s not important.


A&G: Have you seen anyone make an attempt at BA or IA and fail? If so, what led to that failure?

Walker: A lot of times it comes down to a few factors. Executive support: it has to be something that’s important to your CIO level executives. If they don’t buy in, it’s not going to happen. I’ve seen those failures. I’ve seen environments where the CIOs were believers but the people didn’t have the right level of business acumens, or they didn’t have the right leadership skills that would make it happen.

All that is important to note here is none of these failures were the result of having a bad tool, a bad technology, or a bad model. I’ve seen all those failed organizations overcompensate on capability models and strategy maps, etc. The result was that they lacked the critical soft skills to make that a successful venture in their companies. The linchpin in all of this is: if the people who are booting this up don’t have great people skills, they will fail. Because, at that level, this job is based on influence and making people understand that this is important. It’s not about the model you use; it’s about how you conduct yourself and how you win the hearts and minds of the organization.


A&G: If you had to pick one critical success factor for BA/IA, what do you think it would be?

Walker: The critical success factor really comes down to two things. One is business acumen: knowing the business, what the company wants to accomplish, its goals and objectives, its strategies, etc. That will help you have a meaningful conversation. Second is soft skills. I’ve talked a lot about this on my blog: emotional intelligence, which is self-awareness of yourself but also self-awareness of other people, things like empathy. If you don’t have a high degree of emotional intelligence, if you’re not empathetic, you’re not making a connection. And if you’re not making a connection, they’re less likely to buy into what you’re doing. Why is this important? Because when you’re at the business architecture and information architecture levels, the stakes are much higher because they have broad and pervasive impacts. It becomes much harder to convince someone to change or architect their business architecture versus buying a new server.


A&G: What other general comments/thoughts do you have about business and information architecture as it relates or does not relate to enterprise architecture? To solution development and delivery?

Walker: Both of those disciplines, in my opinion, are part of enterprise architecture. There are specific things you do to make sure you have the right enterprise architecture. If you look at any methodology out there, it says you should start out with understanding the corporate strategy. Then, you should go and do a business architecture. Then, you should go understand your information architecture, application, technology, etc.

These two disciplines roll under enterprise architecture. If we look at the BAIT model, which is business, application, information, and technology architecture, enterprise architects are focused more on the business and information and will look at application and technology more secondary. The IT architects have a tendency to focus more on the application and technology architecture. Primarily speaking, they can’t divorce themselves from the other stuff, but if they’re going to focus on transforming the company those are the two disciplines they have to spend more time on.


More Resources

Use of Tor and e-mail crypto could increase chances that NSA keeps your data

Using online anonymity services such as Tor or sending encrypted e-mail and instant messages are grounds for US-based communications to be retained by the National Security Agency even when they're collected inadvertently, according to a secret government document published Thursday.

The document, titled Minimization Procedures Used by the National Security Agency in Connection with Acquisitions of Foreign Intelligence, is the latest bombshell leak to be dropped by UK-based newspaper The Guardian. It and a second, top-secret document detail the circumstances in which data collected on US persons under foreign intelligence authority must be destroyed or can be retained. The memos outline procedures NSA analysts must follow to ensure they stay within the mandate of minimizing data collected on US citizens and residents.

While the documents make clear that data collection and interception must cease immediately once it's determined a target is within the US, they still provide analysts with a fair amount of leeway. And that leeway seems to work to the disadvantage of people who take steps to protect their Internet communications from prying eyes. For instance, a person whose physical location is unknown—which more often than not is the case when someone uses anonymity software from the Tor Project—"will not be treated as a United States person, unless such person can be positively identified as such, or the nature or circumstances of the person's communications give rise to a reasonable belief that such person is a United States person," the secret document stated.

Read 5 remaining paragraphs | Comments


Checkmarx Website Running Outdated and Insecure Version of WordPress

In yet another sad sign of how bad internet security is these days, a security company named Checkmarx released findings on security vulnerabilities in WordPress plugins (PDF) while running their own website on an outdated an insecure version of WordPress:

Checkmarx Website is Running WordPress 3.4.1

Checkmarx has failed to apply the last two security update releases of WordPress. WordPress 3.4.1, which was release in September of 2012, and WordPress 3.5.1, which was released in January.

In their report one of their recommendations is keeping plugins up to date:

3. Ensure all your plugins are up to date
Do not ignore all those notification emails of an upgraded plugin version. You can even use a
purposeful WordPress plugin that notifies admins on updates to other installed plugins.
There are also third party services which provide a plugin update notification and
management offering.

How is it that security companies that seem to understand basic security practices fail to take them with their own websites?

Also, on Checkmarx’s website they tout they are a member of the Open Web Application Security Project (OWASP), which we recently noted also runs their website on outdated and insecure software.

Another Security Recommendation for WordPress Plugins

Checkmarx’s report is missing one important step that should be taken related to security of WordPress plugins. Currently if a plugin in the WordPress.org Plugin Directory is found to have a security vulnerability and it is not fixed the plugin is removed from the Plugin Directory. Unfortunately anyone who is already using the plugin is not provided any alert that the plugin is known to be insecure. We have been pushing for this situation to be handled properly for some time. Until an alert is added in WordPress itself, you can get a more limited version of this functionality using our No Longer in Directory plugin.

Stanford, Mozilla, Opera team up to tackle cookie privacy issues

For the past few months, Firefox alphas have been heuristically blocking certain cookies in a bid to protect user privacy and reduce the amount of online tracking by advertisers. Mozilla has not moved this blocking into the stable builds of its browser, however, because of problems with its effectiveness. The heuristics aren't perfect, so sometimes it blocks cookies it shouldn't block and other times lets cookies through that it should block.

A new project from Stanford University could provide the solution. The Cookie Clearinghouse intends to provide lists of cookies that should be blocked or accepted. Still in the planning stages, it will be designed to work in concert with the heuristics found in Firefox in order to correct the errors that the algorithmic approach makes.

Firefox's algorithm is simple. Essentially, if you visit a domain directly, that domain will be able to set cookies (first-party cookies) and it will continue to be permitted to set cookies even when visited indirectly (third-party cookies). For example, if you visit facebook.com, it will be allowed to set cookies both for explicit visits and whenever other sites embed Facebook content such as like buttons.

Read 13 remaining paragraphs | Comments