CIO’s Atlas: Is your CIO a Mad-Man or Ant-Man?


The 21st century is a golden era in which people can consume an abundance of applications for both life and work. We communicate and share stories via social networking software; we watch videos, shop, and play games on mobile devices; and we work around the globe virtually through collaboration applications.

There are costs associated with the proliferation of online applications and services. Consumers are swamped by isolated and fragmented data, both structured and unstructured. Even worse, much of this data contains private and confidential information such as personal identification or bank account details. When private information is exposed, accidentally or by a criminal act, it can bring about serious legal and emotional consequences.

Almost all commercial and enterprise software applications, IoT devices, SaaS services, real-time control systems and data today are digital products. Thus, every person and every enterprise is somewhere on the continuum of a digital journey. The complexity of the digital products within an enterprise can turn its CIO into a Mad-Man if things are out of control, or a Fireman if he is in fire-fighting mode day and night, or an Ant-Man if he must navigate strategy from 30,000 feet high while troubleshooting infrastructure issues one inch above the ground. To do the latter, the CIO needs the right methodology, practices and tools.

Digital products are becoming the cornerstone of enterprises in every vertical industry, whether a telecom company, a financial organization, a retail supply chain, or a manufacturer. Digital products nowadays can emerge from personal mobile applications, embedded electronic systems, data acquisition, control systems, or network infrastructure. As all digital products require careful management, Digital Management is becoming essential for an enterprise transforming into a digital and smart enterprise, as critical as the water supply and electricity infrastructure are to a city.

To guide the journey of digital transformation with appropriate digital management, The Open Group has created a framework called Digital Product Backbone. The Open Group is an organization that anyone can join to contribute to the standard. The framework defines four capabilities of digital management: Strategy to Product Portfolio, Requirements Fulfilment, and Detection to Remediation, which are complemented by a number of Value Streams that tie it all together.

For an example of implementation, refer to the major Micro Focus use cases below.

 

  1. Examples

A start-up company might not realize the necessity of Digital Management. The demand for Digital Management becomes stronger once it grows into a large enterprise. For enterprises with thousands to tens of thousands of people, Digital Management becomes indispensable. The digital product portfolio of an enterprise with 100,000 people will be extremely complex, and extremely difficult to handle without an effective Digital Management system.

A few examples.

A retail company with thousands of stores nationwide requires timely processing of equipment repairs in stores. Thousands of digital devices in the data center need to be monitored in real time, and hundreds of digital products have to be released daily or weekly in line with the rapidly changing world and customer needs.

A telecommunications company serving tens of millions of users has to connect all of its information infrastructure seamlessly, from the fibre-based highway to last-mile home access. Billing has to be accurate and value-added applications have to be online 24x7.

A bank has its own R&D center developing hundreds of digital products. The budget has to be carefully planned, the product backlog has to be completed on time, the quality has to be guaranteed, the products have to be released and upgraded in a timely manner, the data has to be secure and legally compliant, the service has to be monitored in milliseconds and incidents have to be resolved immediately.

Behind the scenes, Digital Management is working silently and diligently.

 

  1. Continuous planning – do the right thing

In the digital era, digital products are everywhere: from storage to networks, from personal computers to servers, from private clouds to public clouds, from hardware to software, from data insight to security compliance.

Under such complexity, where should the CIO start?

Enterprise Portfolio Management

The only reason an enterprise exists is that it provides unique business value to society. Business aspiration defines vision, vision drives strategy, strategy determines the product portfolio, and the product portfolio requires related digital management.

If you are about to expand the business into the European market, GDPR compliance should be considered a priority. If you need to reduce capital expenditures and replace them with operating expenditures, pay-per-use through SaaS services or a subscription model should be planned. If a merger or acquisition has just happened, any product that could help accelerate consolidation should be ranked highly. This type of qualitative and quantitative hypothetical analysis is Portfolio Management, which helps the CIO decide on the right thing to do.

Once the investment is decided and the budget is allocated, the execution questions follow, e.g.

  • What is the MVP (Minimum Valuable Product) as the starting point to get feedback for further iteration?
  • How to ensure that the product is completed in time to catch the business opportunity?
  • How to find the right profiles to match the capabilities the product requires?
  • How to control the risk and dependency across the products?
  • How to ensure the quality of the product delivery?
  • How to control the cost, etc. 

 

  1. Continuous integration

Whether it follows Waterfall or Lean Agile development, every digital product has to be managed through Development Lifecycle Management: from requirement to design, to programming, to testing, to integration, to packaging, to release, to deployment. Requirement Management covers requirement collection, requirement analysis, and requirement prioritization. Backlog Management covers all levels of features and user stories. Quality Management covers appropriate test cases and the tracking of quality defects. Pipeline Management supports continuous integration and continuous delivery.

Each activity can be drilled down into the next level of granularity. For example, testing could include Unit Test, API Test, Integration Test, Functional Test, Resilience & Performance Test, Stress Test, Security & Penetration Test, and Upgrade Test. Picking the right tools for each kind of testing and integration is key to automating repeated work.

Once the digital product has passed the quality gate and is ready to release, it should be compressed and packaged, sometimes obfuscated, and finally signed by the issuing company; this is called Release Management. The ISO standard requires everything to be traceable, and the management system can keep all versions of the historical records for future audits.

 

  1. Continuous deployment

After a digital product is deployed in the testing, staging and finally production environments through Deployment Management, the released product is ready to be delivered as a service that can be consumed by users. An assessment is required during deployment, based on the importance of the digital product or the privacy of the data, to decide whether it should be installed in a public cloud or an on-prem environment, whether the security level of the environment is qualified, whether the VPN is only used within the office network environment, whether the resources satisfy the needs of the user workload, whether the network bandwidth and storage throughput (IOPS) are sufficient, whether high availability is mandatory for mission-critical products, whether the database is shared or dedicated, and what external systems (such as SAML, LDAP and e-mail) should be integrated.

Risk and Impact Analysis is sometimes neglected, yet it is crucial for preventing issues and risks upfront: it helps to identify potential issues in resource conflicts, system availability and business continuity. After the impact analysis, and once the digital product has passed the quality gate of the staging environment, approval is required before the product is deployed in production, which follows Change Management.

 

  1. Service offer and request fulfilment

After the digital product is deployed, the final step before users are able to consume the service is Service Catalogue Management, where different Service Offers can be defined, e.g. whether the service is free of charge or priced under different options, as well as the service level agreement (SLA), in which 3 sigma versus 6 sigma stands for a different level of service quality and a completely different cost.

Now that everything is ready, users are able to consume the new service through the portal and subscribe to the service as needed. Subscription often implies cost, so management approval is required, and in some cases the service cost can be allocated based on usage (Cost Allocation).

When a user has a question or wants to report an issue, the user can submit a request in the portal. The request is handled by operations personnel through Request Management according to its severity and impacted scope, which have been pre-defined in the SLA (Service Level Agreement). Automation can play an important role in this context to improve the service experience and reduce manual intervention as much as possible, e.g. for resetting a password. Common problems and solutions can be published through Knowledge Management to ease self-service via fuzzy search or a Smart Virtual Agent in the user’s natural language.

 

  1. Continuous operation

The digital service should be monitored in real time to ensure service quality. Monitoring covers different levels, from the underlying server, network and storage to the database and application, up to the end-user experience. An event is reported by Event Management once an anomaly is detected.

There is a high chance that some events are correlated. For example, an anomaly in the underlying storage could cause a related database anomaly, which in turn causes an application anomaly, and ultimately leads to an abnormal user experience. Related events should be handled as one group through Event Correlation. However, it is not easy to find the crux of these related events in the vast and complex digital world. To fully grasp the topological relationships across the entire digital world and analyze dependency and impact, Automatic Discovery and Configuration Management are required, which can enable millisecond-level real-time monitoring across hundreds of millions of digital products and topological relationships. From CPU to mainframe, from IP address to software product, from the data center to the public cloud, configuration management builds up a comprehensive map of the digital world.

If the event cannot be resolved within a short time, the relevant professionals are required to repair the issue within the defined timeframe; the event is then elevated into an incident and managed by Incident Management. A major incident has its own special procedures and SLAs, which require the activation of pre-defined emergency teams and processing procedures: the mitigation plan is activated, and response time and repair time (MTTR) are measured.

If the major incident is caused by a disaster, Disaster Recovery is activated to restore the data and service in a disaster recovery data center usually physically located in a different city. The speed of disaster recovery is an important indicator of service reliability.

If a certain pattern of incidents occurs again and again, Root Cause Analysis is triggered by Problem Management. Once the incident is proved to be caused by a product defect, the defect should be fixed and released in a new version, and the new version should be deployed according to release and change management.

The natural tendency of a developer is to innovate quickly and release frequently, while operations personnel have the obligation to manage risks and ensure the stability and security of running services. The idea of DevOps is to lower the barrier between development and operations. Balancing development agility and operational risk requires both process automation and collaboration between people.

 

  1. Continuous compliance

Nowadays, with people and data tightly connected to each other, Data Privacy, Security & Compliance is getting more and more attention. Data storage and transfer compliance, data backup compliance, source code compliance, user behavior compliance, software license usage compliance, third-party digital product usage compliance, and identity recognition, authority management and auditing together compose Security & Compliance Management. To keep the company agile, functional departments are usually empowered to make local and timely decisions in acquiring and using digital products. However, functional departments usually don’t have the capability to effectively assess security and compliance risk, which requires consistent and practical guidance and governance.

 

  1. Automation

The system behind the architecture looks pretty complicated, but it can be simplified by professional Digital Management software. The key to such simplification is automation.

For example, a service can be automatically provisioned, an intermittent event or incident can be automatically remediated, vulnerability patches can be automatically applied to tens of thousands of servers and network devices, and standard changes can be automatically applied. In addition, repeated manual interactions with digital products can be recorded and replayed through Robotic Process Automation.

 

  1. Continuous feedback and insight - from information to data, from data to insight, from insight to action

A great CIO never sits back once the digital products are operating smoothly. The company is under continuous transformation, and therefore so are its digital products. The CIO is therefore on a path of continuous transformation as well, and he or she has the unique privilege of providing additional value from the data.

Well-managed companies have accumulated a huge amount of valuable data over the years. There is structured data such as data in databases, semi-structured data such as logs, and unstructured data such as documents, audio and video. This covers not only the enterprise itself, but also customer relationship data and partner-related data. Connecting the dots between isolated data islands, and analysing and mining the big data, can offer insights beyond anyone’s imagination, and can therefore guide the next action in an optimized way.

There are three realms along the journey of system construction; the metaphor is a person visiting a mountain (the digital wonderland). Before entering the mountain, the person can see the mountain’s shape clearly, but has no idea how complex the environment is or how difficult the path ahead will be. Once the person enters the mountain, he or she might get into every detail but lose the big picture of the mountain. Only when the person has overcome all the challenges and climbed to the top of the mountain can he or she see the mountain’s shape again, this time knowing much better how to get from one area to another along an optimal path.

 

  1. Success factor for Digital Management

First, codeless configuration. Though the framework and architecture can be abstracted from the common needs of enterprises, the real-life implementation can be quite specialized. One thousand enterprises may have ten thousand demands, and customization is inevitable; on the other hand, if customization is not well managed, version upgrades become extremely challenging. The only way to balance flexible customization and lightweight upgrades is Codeless Configuration.

Second, flexible deployment. An enterprise may decide to deploy a digital product in a public cloud because of the maintenance cost of on-prem deployment, or deploy in private clouds for full control of data security, or deploy to different clouds for different types of services. Some enterprises may develop their own digital products, some may outsource to professional third-party companies, and some may directly leverage SaaS services. In addition, some enterprises may support flexible migration between different environments over different time horizons. Container technology is what provides this flexible deployment.

Third, broad content. Standards, technologies and protocols for digital products have evolved rapidly, from mainframes to distributed systems, to mobility and SaaS, with 5G now emerging. The content is increasing exponentially, and the content of Digital Management should always keep pace and stay up to date.

Finally, the Digital Management software itself should be able to be assembled like Lego to meet the various combination of needs for different enterprises and bridge the heterogeneous digital product architectures. 

The best state of Digital Management is one where nobody is aware of its existence, yet its influence is everywhere. It is just like the water and electricity that we use every day: we never ask where they come from, they are just there.

 

This post was originally co-authored by Zhu Zhengyu (Jerry), Micro Focus R&D Director, and Lars Rossen, Open Group Acting Chair, Micro Focus CTO
