ScienceLogic: What is “BSM Lite” and how is it different from “heavy” BSM?

Doug McClure: I think the concepts that Peter Sevcik from Net Forecast initially outlined in his blog post sum up what “BSM Lite” is all about: a simpler, less expensive, more responsive way of achieving the goals and objectives of Business Service Management (BSM).  He’s contrasted this nicely against what he termed “BSM Heavy” being the larger investments in time and resources to deploy domain specific tools and solutions each providing a view into the business service delivery with some aggregation and consolidation to tie up all of the disparate tool’s information into a concise end-to-end business service management story.

I’m pleased that he leveraged some of my thinking around a better working definition of what BSM really is from the BSM Defined page on my blog. Of course, these definitions are going to vary depending on whom you talk with and how they see the overall BSM Maturity Model.  I’ve created a BSM Maturity Model that aligns with the famous Gartner IT maturity model.  I’d like to think that a “BSM Lite” solution is one attacking the low hanging fruit, enabling one to achieve value quicker, and in a more tactical manner.  The “BSM Heavy” solutions are capable of the same, but span all along the BSM Maturity Model by adding additional point solutions, products and technologies from their broader portfolio. 

ScienceLogic: Does “BSM Lite” just refer to the tools, or can it refer to the process and methodology as well?

Doug McClure: I think that BSM is as much a philosophy as it is technology, process, people and methodology.  If we can get people to think, operate and respond differently than they do today with a focus on the business, customers, quality, revenue, or whatever else is most important to their business goals and objectives, than that is Business Service Management and could be “BSM Lite” if you will. 

Being that I work for IBM Tivoli, one of my personal objectives is to identify ways to use our key BSM enabling products in a more efficient, effective and BSM centric way. This was a huge driver for trying to hold DevCampTivoli focused on “Collaborative Development of End-to-End BSM Solutions”. 

In my opinion, we don’t make things very easy for our clients and the answer can’t be to “buy this product, module or widget” to fill in the gaps.  In my opinion, we must establish a BSM overlay within IBM Tivoli’s development and product management organization that ensures that we have clearly thought about how to enable BSM with the hundreds or products that we sell.  In my opinion, every product release must incorporate the fundamentals of enabling BSM in addition to the core domain specific functionality intended. I hope to keep this spirit alive and get our smartest IBMers and clients thinking about the best way to take a “BSM Heavy” solution and make it “lighter”. I hope to share more about my plans here and guidance for the industry in general soon.

That said, I am always interested in consulting with clients and collaborate with peers in the industry to figure out how to get the focus on the people, process and technology as key components of their BSM strategies.  I am absolutely convinced that without a documented BSM strategy, roadmap and top level sponsorship within the business and IT, the chances of BSM success greatly diminish.

ScienceLogic: Given the complexities involved in implementing a BSM strategy and dealing with the people and processes components of any business, how does “BSM Lite” really work? Should the expectations and outcomes be “lite” as well?

Doug McClure: Time will tell if “BSM Lite” will work.  I’m seeing emerging companies that are already breaking down some of the barriers to BSM success.  I do not expect that those choosing to begin with a “BSM Lite” approach should expect “lite” outcomes. 

The outcomes are the same regardless of the approach IF you’ve got a documented BSM strategy, roadmap and top level sponsorship in place before you begin. New features, capabilities and technologies will be needed as the needs of the business change and companies mature in BSM and fundamental IT management. This will likely force companies to move in more “BSM Heavy” directions to fill those gaps. 

In my opinion, this is the ideal scenario now as it gives “BSM Lite” vendors opportunities to grow their products and solutions. It also GREATLY improves the chances for success with a “BSM Heavy” solution because the organization would have already had matured enough to approach a “BSM Heavy” solution than if they hadn’t done a “BSM Lite” solution in the past.

ScienceLogic: Is “BSM Lite” more appropriate for a small or midsized organization, or does it apply equally to large companies? Is there an ideal profile for a company that can successfully implement a BSM strategy? Is there a different profile for “BSM Lite”?

Doug McClure: From an economic perspective, the concepts of “BSM Lite” are appropriate for all companies.  Remember, with “BSM Lite” we’re focused on identifying ways to make the goals and objectives of BSM easier to implement and in a more cost effective way.  Any company concerned about their IT cost overhead should care about this, especially when the risks of starting out with a “BSM Heavy” type deployment are much greater and the time to value generally much longer.

The “ideal” profile for any company is one where the BSM initiative begins by establishing top level buy in through creation of a formal BSM strategy for the company. This BSM strategy personalizes how the company defines what BSM is, what value the company expects from it, and how it will use BSM as a competitive differentiator for delivery of its business and IT services, products, etc.

The organizational “profile” I’ve seen most successful is when implementing a BSM strategy originates from within or actively includes a group that many companies have now that serves as a liaison or relationship management role between the various lines of business and IT. Sometimes this group is often seen as the gatekeeper to filter (and hinder) business driven requirements into the IT organization. In the ideal scenario, this group works very closely with the business and IT (usually staffed by business people and not IT people) to understand both the business side and IT side of complex business services and applications. 

Apart from the traditional IT components, what this group can do is help IT really understand the business perspective.  Analysis of the impact on the business in business terms is only possible by collaborating with a group such as this.  True value oriented BSM becomes attainable when we get to this level of IT and business alignment, cooperation, collaboration and communication.

If BSM is an IT only initiative, this will likely result in an IT centric perspective severely lacking in the necessary business perspective.  In these cases where IT doesn’t invest their BSM efforts with the business as an equal partner, the implementation ultimately becomes a “CYA” tool for IT and not achieve the desired value oriented expected.

To some degree “BSM Lite” may have an entirely different profile. If we see the price points, complexity and time to value change significantly we may see these types of deployments originate exclusively within the Line of Business. The possibility may exist where large enterprises operating in a shared IT services or IT outsourcing type model that the Line of Business brings in a “BSM Lite” solution to gain the visibility, checks and balances needed to ensure that the LoB’s needs are being met from the internal/external provider. I’d envision that “BSM Lite” may even be capable of operating within a “SaaS” model or other managed service type offering where the price points are below the signing levels triggering broader IT involvement and review.

To Be Continued…

ShareThis

Research Director Patricia Adams and VP and Distinguished Analyst Ronnie Colville presented this thought provoking session. It seemed to echo what ScienceLogic has been talking about regarding our thinking around the practical ways to efficiently accomplish key tactical gains against your Configuration Management Data Base (CMDB) initiatives.

They started out with, what are the prerequisites to a successful CMDB implementation?

Garbage in = Garbage out

There is no miracle occurring in all of these new fancy framework tools; these complex databases are only as good as the trusted source of information inserted. You have to put a bunch of elbow grease into figuring out what to actually put in the CMDB.

So how do you define the metrics?

First you need to know where you are starting from – you will need to baseline the environment. Then baseline what your state is 3, 6, and 12 months after installing CMDB.

Next: break metrics down to 2 strategic areas:

1. Strategic
   1. Operational Costs
   2. Application performance
   3. Compliance - internal auditors doing analysis – keep track of their findings and incorporate into your elements for data gathering
2. Operational Metrics
   1. Changes unplanned (typically 80% unplanned or emergency)
   2. Changes withdrawn (how many changes were withdrawn / roll back)
   3. Application downtime (what did it cost from app being down)
   4. Server downtime (before and after)
   5. Tickets generated (before and after)

Having the data to show how you are performing makes it much easier to show why you need more budget to improve performance in specific areas. Having metrics allows IT managers to do marketing back to the business units about the value you are delivering.

Gartner said that from their Enterprise customers they often hear “I haven’t quantified the value yet”…That is not the right answer.

During the session, Gartner did a real-time wireless poll of the audience with some interesting questions:

What are the tools to build and populate your CMDB with IT services?

Focus of CMDB?

• Inventory 20%
• IT service relationships 68%
• Other 6%
• Don’t know 6%

Interesting to note, a very consistent set of information from year to year polling which equals a mature understanding of the CMDB’s role for analysis and decision process.

Have you heard of ITIL V.2 & V.3 and considered how it impacts this discussion?

ITIL is a process framework, it is not a technology automation framework. Just because something is pink ITIL certified does not mean that it will help at all with the automation of the process framework.

Gartner quantified the market as being about 2 years old this month. So the point here is we are in early days of this technology. The way they see it, the Large Enterprise/Framework vendors selling you is like a lock-in, but the interesting thing about CMDB is that the tools that you need to integrate and federate were only recently acquired, so the entire framework vendor integration and alignment story is mostly incomplete.

Gartner’s Evolution of the CMDB deployment

On average it takes 12 – 18 months to get up and running.

Through 2011 enterprise should recognize that any of the CMDB tools bought today may require significant upgrades to offer near real time service views to support decision support analytics.

Several items from this presentation jump out at me:

1. IT Organizations need to deploy tools that will help to automate the continuous collection of IT asset inventory, configuration and business impact analysis. That is a big gap that exists in the marketplace today… the speed at which information is collected and updated into the CMDB.
2. Investing too much into this immature market before the official standards are set and then adopted by the industry (estimated 18 months after final adoption) is quite risky.

The conclusion that I made from this presentation is that you are better off with our 80 – 20 rule around CMDB’s. Use a tool that will collect 80% of what you need to operate the business in 20% of the time it takes to deploy these heavy, less than automated framework tools!

ShareThis

We need to create a system that allows people to pass identity claims (sometimes a full name perhaps, but at other times just an attribute such as proof of age or citizenship). This system must also address the issues of authentication, authorization, access and audit. Finally we need a good alignment of technological, social, political and economic forces so that we make real progress. The goal is to put users in control of their computing environments, increasing security and privacy, and preserving other values that we cherish such as anonymity and freedom of speech.

It's useful if we take a moment and consider the definition of the auditing function. Here's mine:

Audits help us ensure that we are following our own policies. Audits measure the current state, compare the results against what the state should be, and show where we are out of compliance. Essentially, audits help us know that we are indeed doing what we say we're doing.

Audits are the natural outcomes of implementing good policies and following effective procedures. It makes no sense to spend time developing policies and without having some mechanism to measure compliance. That's the role of the auditing function -- to measure compliance. If we all agree that policies are good, then we should all agree that checking up on ourselves is also good.

So, then, who should conduct the audits? For comparison, let's examine a typical software development department. Here at Microsoft, such departments are composed of four over-arching roles:

• program management
• product management
• software development
• software test

Why this way? Consider the first two. We don't have "project managers" at Microsoft because project management incorporates two conflicting goals: managing people, schedules, and budgets (program management) versus incorporating customer requirements and creating new markets (product management). Program management optimizes resources while product management optimizes features. Rather than shoulder that inherent conflict onto a single person and expect them to deal with it without going completely bonkers, we have two roles, with different people. People skilled in each area negotiate with each other and come to an agreement about what's best both for Microsoft and for our customers.

Similar thinking exists for the second pair of roles. Developers strive to write high-quality code, and even do some testing along the way. But because no one's perfect, all code has some mistakes; it's valuable to have other people bang hard on the code, abuse it almost, to find and squash more bugs. Often, even the best developers are embedded so deeply in their own code that some bugs escape them. Developers rightly concern themselves with creating code that works and provides proper output. Testers figure out how to purposefully break software and discover code vulnerabilities. These are different skill sets, and using different people results in higher quality software.

We can apply the same logic to the information security department. How about these four roles:

• security standards
• security alignment
• security operations
• security auditing

The security standards group defines an organization's security architecture, creates policies and procedures, and ultimately takes responsibility for stewarding the integrity of the organization's information assets. The security alignment group spends time understanding the needs and drivers of the various business units, and advocates the business units' positions in meetings with the security standards group. Like in the software development model, having different folks negotiate together about standards and alignment helps ensure that business needs are met while also ensuring that the business is able to rely on information that's kept secure.

Remember: the primary purpose of information security is risk management. The standards folk know all about the bad guys and their techniques, and build up knowledge about which threats create risk for the organization. The alignment folk understand, through their constant interaction with people in the business units, all about business risk and get a feel for the business's risk tolerance -- that is, the level and kinds of risk that matter or don't matter. Together, the security standards and the security alignment folk can develop a security posture that allows the business to remain agile while also addressing the risks that make sense.

(Notice that I haven't indicated where, exactly, the alignment folk sit within the organization. They might be part of the security department, or they might be part of the individual business units. A case could be made for either choice; however, except for very large organizations, the alignment role probably isn't full-time. This leans the role toward sitting in the business units.)

Day-to-day work becomes the responsibility of those in security operations. They create standard configurations, perform installs and updates, monitor traffic, and respond to incidents. Ideally, policies and procedures guide all of these activities. But having policies and procedures isn't enough: we must also have a way to measure conformance. And that's the role of security auditing. Security auditors compare a system's current configuration to what it should be, based on the policy. Where systems are out of compliance, the auditor works with operations folk to understand the reasons, without engaging in blame-storming or launching personal attacks (this goes for operations folk, too). Most of the time, it's simply a mistake; here, auditors are like software testers, uncovering configuration vulnerabilities (bugs) that otherwise might be overlooked by operations and thus exploited by attackers.

Now you auditors out there, this doesn't mean that your role is simply that of checklist slave. Especially if your checklist is something you downloaded from the Internet. Remember: these checklists are only guidance, good ideas written by a person (or a committee) based on that person's risk tolerance. Effective auditors develop relationships with people in the other three groups: standards, alignment, and operations. Effective auditors take the time to learn the security landscape, how attackers operate, where vulnerabilities lie, and which threats matter. Really effective auditors learn how to do penetration testing, thus uncovering not only code and configuration vulnerabilities but also circumvention vulnerabilities through social engineering. By doing this, effective auditors remove the "us versus them" stigma often associated with auditing and truly become part of the security team, all working together to protect the organization's information assets.

(Notice that, as with the alignment group, I haven't indicated organizationally where the audit group should sit. I do, however, have a strong opinion on this: the management chains of the audit group and the operations group must be different. The people conducting audits shouldn't work for those who have a stake in an audit's outcome. To do so would create unavoidable and unrecoverable conflicts of interest.)

I'm sure there's more to the topic of organizing a security department. What do you think of this approach? Do you like the idea of dividing conflicting roles into different groups, then structuring them to work together to achieve realistic and useful outcomes? I don't suspect I've necessarily invented anything new here, but maybe just used a few new words -- such as "security alignment" -- and thought out loud about some of the tension that exists within the standards/alignment and operations/audit pairs. (Oh, and I got to write about my code/configuration/circumvention vulnerability triple again, heh.) Please tell me your thoughts. Maybe there's an entire white paper here, possibly even a TechEd presentation. Maybe someday we should offer a "TechManagementEd" conference!

As I talk to CISOs and CIOs I find that there are many misconceptions about outsourcing security. Here are the most common ones that I come across:

1. Outsourcing security is cheaper than doing it internally. Cost is usually the one of the reasons business gets interested to outsource but Forrester has consistently found that for security managers cost is not the primary reason they want to outsource. and outsourcing may not always lead to lower costs. In fact many companies end up spending more in the outsourcing scenario. They are willing to pay a higher cost because they gain competencies and get additional capabilities such as 24x7 monitoring or compliance reporting.
2. Outsourcing security means transferring risk. You can transfer the responsibility but not the accountability when you outsource. A careful consideration must be paid to the risk management aspect of the outsourcing deal. You will never be able to transfer all the risk of data protection to your outsourcer but you can limit the amount of risk you take by developing right to audit clauses, Service level agreements and limited liability provisions in the contracts.
3. Since security services are getting commoditized, hire an outsourcer with the lowest cost. The complexity, scope, duration, and business risk of an outsourcing deal dwarf most hardware or software procurement contracts. Handing over a critical business process or technology to a third party changes the risk profile of the firm. You have to look beyond the technical capabilities while evaluating vendors. Think of it more like a partnership where alignment in corporate cultures and philosophies plays a significant role in the success of the relationship.
4. If my security operations are in a mess outsourcing security help. The famous adage garbage in – garbage out applies here. If your security processes and operations are a mess, outsourcing them will not solve the problem. It is important to establish security processes and strengthen your operations before you outsource security. Outsourcing may help improve operational control, but the chances of success are increased if the firm has a clear understanding of the processes, expectations and deliverables.
5. Outsourcing security is the quickest way to get security controls implemented. Prepare for a marathon, not a sprint. Doing a security outsourcing deal takes stamina and persistence over a fairly long period of time that can sometimes be compressed, but usually with increased risk. Prepare yourself and your teams for the long haul by connecting first to the business strategies of the firm and building from there. It is appropriate to plan for some quick wins but it takes time for the outsourcing relationship to mature. Companies that have successfully outsourced security operations typically report that it takes them six to eighteen months to really normalize the outsourcing relationship.

Outsourcing security is not for everyone and for every scenario, so before jumping on the outsourcing bandwagon, pay careful consideration to the impact of outsourcing in a particular situation. More importantly have very realistic expectations of the relationship. It is important to do the due diligence and ensure appropriate provisions are part of the contract, but it is much more important to trust your provider and work on the relationship. Think of it as a marriage – you have work on it and have to be patient.

Is CIA triad a meaningful goal to pursue? The answer depends on the company's context. Firstly, the line of business a company is in is the prime driver of the security program within the company (example: financial institution are more security savvy than others for a reason). Secondly, whether the company has enough resources (budget, people Et. Al.) to address security. Most importantly security strategy should align with your business strategy. Alignment of strategies itself does not justify your security investment. Security should enable your business else you will have an uphill battle to get your budget approved.

Recently, I heard an IT manager mention that they have a secure perimeter because they have a firewall. This is akin to saying that my house is secure because I have purchased a lock.  As an example of the right security mindset, deploying firewall should address the following concerns:

0. Have you picked the right firewall vendor?

1. How is the firewall configured?

2. How does it fit into the overall security framework?

3. How is the firewall architecture?

4. Is there a well defined process to maintain the access list on the firewall?

5. Who administers the firewall? Is there a backup admin?

6. Who monitors the firewall logs?

7. Is there a well defined documentation about the firewall, so that another firewall administrator can take over in case the primary administrator is unavailable?

8. Is the firewall being monitored for uptime, performance?

9. Is the firewall hardened for any known vulnerabilities?

10. What is the process of keeping the firewall software up to date?

I have highlighted firewall as an example. This can easily apply to IDS/IPS or any other security product implementation.

In summary, buying security product don't entitle security. Half baked security product implementation do not beget security either. Implementing security products holistically by addressing set of valid concerns is the right approach.

Generally, practitioners I know would trust Bloomberg in a majority of the raw figures that they give out. But when it comes to calculations, some would take them with a grain of salt. Personally, I find the risk solutions of Bloomberg to be less than adequate for the following reasons:

• Limited instrument coverage
• Not flexible
• Lack of transparency (Black Box)

But of course, it would never hurt to sit in a Bloomberg seminar and learn best practice (if ever they are presented) and to discover some new things that our beloved system has to offer.

And now for the seminar details.

Topics:

• Importance of Market Risk Management
• Risk measures for fixed income securities and derivatives
• Reliable data for your risk management systems
• Market risk management in alignment with Basel Accord
• Algo Risk on Bloomberg - a pre-integrated, real time market risk solution

Speakers:

• Nestor A. Espenilla, Jr. - Deputy Governor, Bangko Sentral ng Pilipinas
• Seet Kok Leong - Head of Algo Risk (Asia Pacific), Algorithmics
• Jiten Bhanap - Product Specialist, Bloomberg L.P.
• Ivan Koh - Regional Data Solutions Manager, Bloomberg L.P.
• Neo Siang Noi - Trading Systems Sales Specialist, Bloomberg L.P.

Date:

15 August 2006

Venue:

Makati Shangri-la Manila, Ayala Avenue corner Makati Avenue, Makati City 1200, Philippines

Time:

9:30am - 2:00 pm

Registration:

BU on Bloomberg

email: awang@bloomberg.net

tel: +63 2 849 7100 loc. 4794