Where Worlds Collide- Agile,
Project Management, Risk and
Cloud

Gold Coast, Australia


ROB LIVINGSTONE
- Fellow, University of Technology, Sydney, Australia, and
- Principal, Rob Livingstone Advisory Pty Ltd

 29th August 2012

                                  © All rights reserved. Rob Livingstone Advisory Pty Ltd ABN 41 146 643 165.
                                  Unauthorized redistribution prohibited without prior approval. ‘Navigating
                                  through the Cloud’ is a Trademark of Rob Livingstone Advisory Pty Ltd.
What I will be covering


•   Agility, then adding in...
•   Project Management, then adding in....
•   Mobility, then adding in ...
•   BYOD, then adding in ...
•   Cloud, then exploring
•   Systemic Risk to your organisation
•   Managing the mixed messages
•   Orchestrating the transition – some take-aways
Agility
Where Worlds Collide? Agile, Project Management,
BYOD, Risk and Cloud



  Let’s briefly explore the topic of ‘Agile’

     The “Asymmetry of expectations”
     Question: Is your organisation expecting IT to be more
     ‘agile’ than they themselves are able to be?

     The focus is on agile

     1. What is agile?
     2. Core values
     3. Why agile?




    What is agile?
    • Agile is about people, collaboration, working culture
    • It is not just SCRUM
    • Agile is not just for IT – applies to entire organisation!

    Core values of Agile
    Value Individuals and interactions over processes and tools
    Value Working software over comprehensive documentation
    Value Customer collaboration over contract negotiation
    Value Responding to change over following a plan
    Agile manifesto - Published in 2001, a one-sentence narrative, four core values, and 12
    principles
    www.agilemanifesto.org




    Why agile?


    'It is not necessary to change. Survival is not
    mandatory'

    -W. Edwards Deming




                                                      William Edwards Deming
                                                      (1900 – 1993)
Project Management



    Is business losing, or has it lost, patience with Enterprise IT?
    The answer has to be ‘Possibly!’
    • Forces actively shaping the transformation of enterprise IT
    • Other than the failure rate of enterprise IT projects….
          • The need to ‘simplify IT’ in the eyes of the users, plus
          • The ‘need for speed’, plus
          • The need to cut costs….
          ….Makes cloud particularly appealing compared to internal IT
    • This can trump appropriate risk, total cost and project management
      governance in organisations aggressively shifting to the Cloud
    • Where does that put the individual disciplines and conventional
      methodologies associated with application development, project
      and risk management?
    • The pressure on enterprise IT is mounting!




 One-size-fits-all approach (PMBOK, PRINCE2)   Vs.   Agile

 Changes in master project plan are seen         Vs.   Changes in project plan seen as
 as ‘negative’ - Discouraged                           ‘opportunities’ – Inherent




     Agile in Project Management

     Important concepts include….
     1. Minimising project risk by working on short iterations of clearly
        defined deliverables.
     2. Contingency planning in agile PM needs early and proactive
        risk detection
     3. Direct communication between players in the development
        process is the default. (ie: Not exhaustive project
        documentation).

     Rationale: Project team can rapidly adapt to the volatility in
               changing requirements or environment
BYOD







   BYOD or Bring Your Own Disaster?

     Mobile Devices
     • Are powerful cloud access devices
     • Extend the perimeter of your cloud
     • Disperse the perimeter to your cloud

     Have the potential to increase the vulnerability
     • The compromising of one of these mobile devices
       could be significant and compromise your entire
       cloud.
     • Use policy based key management regimes for your
       data.
 Question: Is the war “lost” on BYOD in your organisation?




    BYOD
    • Reflects the increasing demands of users
      and organisations of their own IT
      departments to be increasingly agile and
      responsive to their needs when it comes
      to iPads, tablets and other mobile
      devices.
    • Read the NIST Draft Guidelines
    http://csrc.nist.gov/publications/drafts/800-124r1/draft_sp800-124-rev1.pdf

  BYOD requires management: some suggestions…
  1. MDM (Mobile Device Management) systems (Remote
     wipe, policy enforcement)
  2. Introduce a non-porous Virtual Desktop environment
     • No data can flow between the Cloud system and the
         mobile device itself
  3. Containerisation:
     • Segregates corporate from personal data and
         applications
     • Enforces encryption and prevention of data leakage
         between containers
     • Application / device specific therefore can be a
         challenge to expand across the entire mobile
         environment for all applications.
Cloud



       The most quoted Definition
       of Cloud:


       Cloud computing is a model for enabling convenient,
       on-demand network access to a shared pool of
       configurable computing resources (e.g. networks,
       servers, storage, applications, and services) that can
       be rapidly provisioned and released with minimal
       management effort or cloud provider interaction

          • US National Institute of Standards and Technology’s (NIST)
            definition



     The most sensible Definition of Cloud:

     “Forget your technical definition of the
     Cloud, ask your mom what the Cloud is….
     …And what your mother will tell you about
     the Cloud is that it means it’s not on
     my computer.”*

     Dave Asprey – Global VP, Cloud
       Security, Trend Micro

   * Navigating through the Cloud Podcast Episode 23 in iTunes




        Hybrid will be the dominant form in the enterprise
       “Within five years, it will be primarily deployed by
       enterprises working in a hybrid mode”. - Gartner


       Gartner "Predicts 2012: Cloud Computing Is Becoming a Reality"
       (Published: 8 December 2011 ID:G00226103)



     … And with the Hybrid Cloud …
     … comes complexity … and complexity introduces …
     Risk, in areas such as:
                                    • Change control, Rollback
                                    • Security
                                    • Identity Management
                                    • Due diligence
                                    • ‘Big-Data’
                                    • Business Intelligence –
                                      Dashboards and drilldowns
                                    • Forensics / eDiscovery
                                    • BYOD
                                    • Mobility
                                    • Legislative / Jurisdictional
                                    • Contractual complexity
                                    ….. To name but a few



   What are the dormant risks in your Cloud contract?




     It’s YOUR brand at stake, not the vendor’s!


                                  • You’re counting on the SaaS vendor to
                                    provide all the multi-tenancy for your data.
                                  • You hope they’ve written their applications
                                    well, secured their databases, and so on ….
                                  • You’re sharing the database with everyone
                                    else.


               The Inverted Risk Pyramid
                              HI RISK
                  Major enterprise instances, with
                 complexity, scale, risk, compliance,
                    deep integration, long term


                       Integration, enterprise
                        governance needed


                         Commodity / non-
                         integrated Cloud
                            applications



                           LOW RISK




          Is the Systemic risk increased by the
          combination of:
              – Hybrid Cloud
              – Mobility
              – BYOD?




    Hybrid cloud can contribute to….
    • Increased vulnerability due to its fragmented
      architecture and larger surface …
    • however, if it is properly architected, risks are largely
      eliminated by implementing measures such as…
        o Deploying effective policy based key management
          processes
        o Properly segmenting your public and private clouds
        o Encrypting each part of the hybrid Cloud with
          separate keys
        o … amongst other measures

   Mitigate risks by defining and assigning key roles in your Cloud
      environment.
       – Define your Cloud Reference Architecture by reviewing applicability
         against published models (Eg NIST*, IBM, etc)
       – Ensure you do not miss important roles (Eg: IBM CCRA does not
         include Cloud Broker or Cloud Auditor, yet both are included in NIST CCRA)




   * National Institute of Standards
   and Technology




     The emergence of the ‘Cloud Broker’




                                         IT Department in the Cloud?
                                 Remember this slide?
    Why is brokerage a real consideration?
                                   Also:
                                   • Change control, Rollback
                                   • Security
                                   • Identity Management
                                   • Due diligence
                                   • ‘Big-Data’
                                   • Business Intelligence –
                                     Dashboards and drilldowns
                                   • Forensics / eDiscovery
                                   • BYOD
                                   • Mobility
                                   • Legislative / Jurisdictional
                                   • Contractual complexity
                                   ….. To name but a few




     "Cloud consumers should budget for additional
     integration costs which can range from 10% to 30% —
     and sometimes as high as 50% — of the total cost of
     cloud IT projects."

     Gartner Predicts 2012: Cloud Services Brokerage Will Bring New
     Benefits and Planning Challenges - Published: 22 November 2011
     G00227370



      Let’s explore the reasons why in a bit more detail …..



       Agile in Risk Management
     • Time horizon misalignments:
        o Agile is based on short time cycles
        o Conventional Risk Management: Time to
          identify, plan mitigation and implement Risk
          management over a comparatively long
          timeframe
     • Categorisation of risks as part of the conventional
       Risk Management process not helpful in
       identifying the enterprise-wide systemic risks….
Systemic Risk


     Systemic vs. Technical Risks
    •   Systemic risks are those with the greatest potential impact as
        they affect the entire system (ie: Organisation, government,
        country, world…)
    •   Case in point: How is it that the finance industry, which is one
        of the more regulated, and invests heavily in risk
        identification, mitigation and transference, could be the cause
        of the current global financial problems?
    •   Systemic risk for the enterprise is the silent killer and is often the
        hardest to identify, as only a few have a complete, transparent and
        objective overview of the overall enterprise.
    •   Mitigation through approaches such as Enterprise Risk
        Management (ERM), which has its origins in fraud and organisational
        governance, and underpins the insurance industry
    •   Applicability to IT – Cloud especially – not often discussed


     Systemic vs. Technical (or Functional) Risks
     •   Identifying, categorising and ranking technical and functional
         risks is core to conventional IT risk assessment approaches:
          o Risk of a specific event = (Impact x Probability of that event
             occurring) + Risk Adjustment
     •   Underpins conventional risk certification frameworks e.g. ISO2700X
     •   Compliance does not necessarily equal security or effectiveness of
         your risk management model
     •   The categorisation of risks into functional and technical categories
         does not help in the identification of systemic risk
     •   Focusing on the diverse range of technical or functional risks, does
         not account for the interaction between risks.
     •   Systemic risks are mostly more significant than the sum of the
         individual risks
Managing the mixed messages



                                                    A recent survey* referred to by Forbes
                                                    claims that “a meagre 3% of companies
                                                    considering Cloud consider it to be too
                                                    risky.”

                                                    This was based on a survey of 785
                                                    companies, implying the inevitability of
                                                    Cloud.

                                                    Not atypical of research in Cloud, this
                                                    survey was conducted by a firm that has
                                                    investments in the Cloud industry, with 65%
                                                    of respondents being vendors so one could
                                                    say that the results were not totally
                                                    unexpected.
* http://www.forbes.com/sites/joemckendrick/2012/06/20/cloud-computing-simply-isnt-that-scary-anymore-survey/


 Business fears being left behind?
 "By 2015, nearly $1 of every $6 spent on packaged software, and $1 of
 every $5 spent on applications, will be consumed via the SaaS model."

 "By 2012, about 83% of all net-new software firms coming to market
 will be operationalized around creating, testing, selling, and
 provisioning a service versus a packaged product (CD)."

 "By 2015, about 24% of all new business software purchases will be of
 service-enabled software, and SaaS delivery will constitute about
 13.1% of worldwide software spending across all primary markets and
 14.4% of applications spending."

 ICD Dec 2011 Doc # 232239


               In the 2012 PWC CEO Survey, 75% of CEOs plan to
               change innovation capacity in 2012, of which 24%
               expect ‘major change’, underpinned in part by
               technology.


                    The eighth annual KPMG 2012 Audit
                    Institute Report identified “IT Risk
                    and Emerging Technologies” as the
                    second-highest concern for audit
                    committees, which is unprecedented in
                    the history of the report.


 •   So, in a nutshell, there are mixed messages out

 •   On the one hand organisations demand speed, innovation,
     agility and value, largely facilitated by technology.

 “Organisations that adopt new ‘transformational’ technologies,
 Cloud in particular, without effective consideration of the
 enterprise wide, systemic and longitudinal risks, are
 potentially either setting themselves up for future problems, or
 not maximising the opportunities, or both.” – Rob Livingstone
Orchestrating the Transition – some Takeaways



   Consider these 5 pointers:


  #1: Adopt an integrated approach to function specific
      methodologies

  •   Standardised, traditional methodologies within specific
      disciplines such as Project Management, agile and information
      security, in and of themselves, are self limiting.
  •   Each discipline is only really effective when applied in a
      coordinated orchestration with the other key moving parts of the
      organisation
  •   IT is well placed to help facilitate this, due to its unique
      perspective of the organisation as a whole.

  ➢   Harmonization of functionally specific methodologies unleashes
      value and eliminates waste


  #2: Manage the conflicting messages

  •   Cloud evangelists see cloud as imperative, others not
  •   Executives and line of business managers all have volatile
      expectations of enterprise IT
  •   ‘Fairies at the bottom of the Garden’ promises for the latest
      IT ‘transformational technology’
  •   Opacity of risk

  ➢   Develop an effective mechanism for interpreting these
      messages in the context of your business



  #3: Actively identify, embrace and manage shadow IT

  “Shadow IT can create risks of data loss, corruption or misuse, and
  risks of inefficient and disconnected processes and information” –
  Gartner*

  ➢ Embrace shadow IT, and define what is and what is not eligible to
    be considered enterprise IT
  ➢ Meet the challenge
  *CIO New Year's Resolutions, 2012 (ID:G00227785)



  #4: Identify systemic risks across the organisation

  •   Systemic risks can kill your business
  •   As CIO, ensure you are seen as the trusted advisor by your
      peers

  ➢   Ensure your executives and key decision makers are aware of
      long term, systemic risks should they make enterprise IT
      decisions without appropriate due diligence
  ➢   Accountabilities for these decisions are to be clearly assigned
  ➢   Consider implementing Enterprise Risk Management (ERM)


  #5: Local optimum vs. Global Optimum?

  •   Senior managers with functional responsibility over specific
      vertical silos of the organisation may underestimate the overall
      complexity of their own business as a whole.
  •   Resulting decisions may be sub-optimal for the organisation as a
      whole
  •   From a functional perspective, specific methodologies exist to
      support specific activities, but may not mitigate enterprise-wide
      systemic risks

  ➢ Help others see through the appeal of ‘simple IT solutions’, that
    merely mask underlying business complexity.
  ➢ Test assumptions if critical, and be proactive in identifying the
    risks for arbitration by the organisation as needed.
Thank You!




ROB LIVINGSTONE
- Fellow, University of Technology, Sydney
- Principal, Rob Livingstone Advisory Pty Ltd

   W1:      www.rob-livingstone.com
   W2:      www.navigatingthroughthecloud.com
   E:       rob@rob-livingstone.com
   P:       +61 2 8005 1972
   M:       +61 419 632 673
   F:       +61 2 9879 5004
            @rladvisory




                                     © All rights reserved. Rob Livingstone Advisory Pty Ltd ABN 41 146 643 165.
                                     Unauthorized redistribution prohibited without prior approval. ‗Navigating
                                     through the Cloud‘ is a Trademark of Rob Livingstone Advisory Pty Ltd.

More Related Content

PPTX
Navigating through the Cloud - 7 feb 2012 at Institute for Information Manage...
PPTX
Cloud computing: What you need to know as an Australian Finance Director
PPTX
Rob Livingstone Advisory - The risks of a fractured cloud strategy within th...
PPT
Exploring the opportunities and pitfalls of Cloud Computing in Australian loc...
PPT
Why the systemic risks in Enterprise Cloud Computing could cripple your busin...
PPTX
Cloud computing implications for project management methodologies
PPT
Your Leadership Brand - The CIO as Business Strategist driving innovation. CI...
PPT
Exploring the opportunities and pitfalls of new and emerging technologies in ...
Navigating through the Cloud - 7 feb 2012 at Institute for Information Manage...
Cloud computing: What you need to know as an Australian Finance Director
Rob Livingstone Advisory - The risks of a fractured cloud strategy within th...
Exploring the opportunities and pitfalls of Cloud Computing in Australian loc...
Why the systemic risks in Enterprise Cloud Computing could cripple your busin...
Cloud computing implications for project management methodologies
Your Leadership Brand - The CIO as Business Strategist driving innovation. CI...
Exploring the opportunities and pitfalls of new and emerging technologies in ...

What's hot (20)

PPT
The ‘success trap’ of new, emerging and disruptive technologies
PPT
Cloud Security Keynote: Cloud-Mobile Convergence: IT's Next Horizon, CISO's N...
PPT
Will the Cloud be your disaster, or will Cloud be your disaster recovery?
PPTX
Career implications for the Business Analyst in the age of digital disruption
PPTX
Cloud: Fuelling the crisis of confidence in corporate IT?
PPT
Navigating the risks in implementing Hybrid Cloud, Agile and Project Manageme...
PPTX
Career resilience is the name of the game
PPTX
Current enterprise information security measures continue to fail us. Why is ...
PPT
Maximising the opportunities offered by emerging technologies within the chan...
PPT
Future Tech: How should enterprise avoid the 'success trap' of the next big t...
PPTX
Thriving in the world of Big Data
PPTX
Rob livingstone CIO Strategy Summit - Park Hyatt Melbourne 17th feb 2012
PPTX
UU innovation masters november 2010
PDF
A future history of content management
PDF
Wall street journal 22 sept 10 - perspectives on risk it
PDF
Business Cloud: The State of Play Shifts Rapidly
PDF
Peering Through the Cloud Forrester EMEA 2010
PPTX
20111031 KMWorld 2011 Applying the Social Business Roadmap to Your Organization
PDF
The fine art of mobile testing
PDF
Websense: A 3-step plan for mobile security
The ‘success trap’ of new, emerging and disruptive technologies
Cloud Security Keynote: Cloud-Mobile Convergence: IT's Next Horizon, CISO's N...
Will the Cloud be your disaster, or will Cloud be your disaster recovery?
Career implications for the Business Analyst in the age of digital disruption
Cloud: Fuelling the crisis of confidence in corporate IT?
Navigating the risks in implementing Hybrid Cloud, Agile and Project Manageme...
Career resilience is the name of the game
Current enterprise information security measures continue to fail us. Why is ...
Maximising the opportunities offered by emerging technologies within the chan...
Future Tech: How should enterprise avoid the 'success trap' of the next big t...
Thriving in the world of Big Data
Rob livingstone CIO Strategy Summit - Park Hyatt Melbourne 17th feb 2012
UU innovation masters november 2010
A future history of content management
Wall street journal 22 sept 10 - perspectives on risk it
Business Cloud: The State of Play Shifts Rapidly
Peering Through the Cloud Forrester EMEA 2010
20111031 KMWorld 2011 Applying the Social Business Roadmap to Your Organization
The fine art of mobile testing
Websense: A 3-step plan for mobile security
Ad

Viewers also liked (16)

PDF
Starting the Career Over Again with Resilience and Determination
PPTX
Get connected socialmedia_nyu_18april15_part2
PPTX
Consumer behavior week4_attributes
PPT
Exposing the systemic risks in enterprise cloud computing
PPT
UTSpeaks Public Lecture: Clearing up the Cloud -19th July 2011 - Rob Living...
PPTX
Map of the Cloud minefield - Banktech Sydney Summit 17 july 2012
PPTX
Get connected socialmedia_nyu_18april15_part1
PPTX
Mktg sales week2_part1
PPTX
Mktg sales week2_part2
PPTX
Build a Brand From scratch
PPTX
Consumer behavior week2_valuesculture
PPTX
20121131 i week liepaja 2012, Art of Resilience
PPTX
Master your marketing PNC talk 19 September 2013
PPTX
A career in_entrepreneurship_ethan_chazin_31oct2013
PPTX
Mktg sales week2_part2
PPTX
Influence, Power, Integrity and your career in IT
Starting the Career Over Again with Resilience and Determination
Get connected socialmedia_nyu_18april15_part2
Consumer behavior week4_attributes
Exposing the systemic risks in enterprise cloud computing
UTSpeaks Public Lecture: Clearing up the Cloud -19th July 2011 - Rob Living...
Map of the Cloud minefield - Banktech Sydney Summit 17 july 2012
Get connected socialmedia_nyu_18april15_part1
Mktg sales week2_part1
Mktg sales week2_part2
Build a Brand From scratch
Consumer behavior week2_valuesculture
20121131 i week liepaja 2012, Art of Resilience
Master your marketing PNC talk 19 September 2013
A career in_entrepreneurship_ethan_chazin_31oct2013
Mktg sales week2_part2
Influence, Power, Integrity and your career in IT
Ad

Similar to Where worlds collide: Agile, Project Management, Risk and Cloud? (20)

PDF
Hudson CIO Series - Cloud Computing
PDF
Hudson CIO Series: 6 Reasons for Cloud Computing
PPTX
Big data, security, and the cloud
PPTX
HP2065_TieCon_Presentation_V7
PDF
Leaders in the Cloud: Identifying Cloud Business Value for Customers
PDF
Oil and gas cyber security nov 2012
PDF
REDUCING CYBER EXPOSURE From Cloud to Containers
PPTX
Optimizing Your Hybrid IT Strategy
PDF
Curated Computing
PPTX
Does Hybrid Cloud Work? 5 Success Stories with VMware Hybrid Clouds
PDF
EMEA10: Trepidation in Moving to the Cloud
PPTX
PreSentation Cloud Conference
PDF
The Business Case for Cloud: Critical Legal, Business, & Diligence Considerat...
PDF
Eyes Wide Shut: Cybersecurity Smoke & Mirrors...
PDF
The Logistics of Information
PDF
Considering The Cloud? Thinking Beyond The Readme File
PDF
Sukhbir jasuja digital_trends_11
PPTX
CLOUD COMPUTING -DETAILED APPROACH
PPT
Cloudy with a chance of downtime
PDF
The Cloud according to VMware
Hudson CIO Series - Cloud Computing
Hudson CIO Series: 6 Reasons for Cloud Computing
Big data, security, and the cloud
HP2065_TieCon_Presentation_V7
Leaders in the Cloud: Identifying Cloud Business Value for Customers
Oil and gas cyber security nov 2012
REDUCING CYBER EXPOSURE From Cloud to Containers
Optimizing Your Hybrid IT Strategy
Curated Computing
Does Hybrid Cloud Work? 5 Success Stories with VMware Hybrid Clouds
EMEA10: Trepidation in Moving to the Cloud
PreSentation Cloud Conference
The Business Case for Cloud: Critical Legal, Business, & Diligence Considerat...
Eyes Wide Shut: Cybersecurity Smoke & Mirrors...
The Logistics of Information
Considering The Cloud? Thinking Beyond The Readme File
Sukhbir jasuja digital_trends_11
CLOUD COMPUTING -DETAILED APPROACH
Cloudy with a chance of downtime
The Cloud according to VMware

More from Livingstone Advisory (6)

PPTX
How to setup and lead digital transformation capability (CIOs perspectives)
PPTX
Best practices to mitigate data breach risk
PPT
Rob livingstone Canberra Cloud Security Conference Nov 2011
PPTX
Rob livingstone - Australian Payroll Association's Annual Conference May 2011
PPTX
Australian Not-for-Profit CIO Forum March 2011 - Rob Livingstone
PPTX
Navigating through the cloud SPUSC 2011 -Rob Livingstone Keynote
How to setup and lead digital transformation capability (CIOs perspectives)
Best practices to mitigate data breach risk
Rob livingstone Canberra Cloud Security Conference Nov 2011
Rob livingstone - Australian Payroll Association's Annual Conference May 2011
Australian Not-for-Profit CIO Forum March 2011 - Rob Livingstone
Navigating through the cloud SPUSC 2011 -Rob Livingstone Keynote

Recently uploaded (20)

PDF
Empathic Computing: Creating Shared Understanding
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
PDF

Where worlds collide: Agile, Project Management, Risk and Cloud?

  • 1. Where Worlds Collide- Agile, Project Management, Risk and Cloud Gold Coast, Australia ROB LIVINGSTONE - Fellow, University of Technology, Sydney, Australia, and - Principal, Rob Livingstone Advisory Pty Ltd 29th August 2012 © All rights reserved. Rob Livingstone Advisory Pty Ltd ABN 41 146 643 165. Unauthorized redistribution prohibited without prior approval. 'Navigating through the Cloud' is a Trademark of Rob Livingstone Advisory Pty Ltd.
  • 2. What I will be covering • Agility, then adding in... • Project Management, then adding in.... • Mobility, then adding in ... • BYOD, then adding in ... • Cloud, then exploring • Systemic Risk to your organisation • Managing the mixed messages • Orchestrating the transition – some take-aways
  • 4. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud Let’s briefly explore the topic of ‘Agile’ The “Asymmetry of expectations” Question: Is your organisation expecting IT to be more 'agile' than they themselves are able to be? The focus is on agile 1. What is agile? 2. Core values 3. Why agile?
  • 5. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud What is agile? • Agile is about people, collaboration, working culture • It is not just SCRUM • Agile is not just for IT – applies to entire organisation! Core values of Agile Value Individuals and interactions over processes and tools Value Working software over comprehensive documentation Value Customer collaboration over contract negotiation Value Responding to change over following a plan Agile manifesto - Published in 2001, a one-sentence narrative, four core values, and 12 principles www.agilemanifesto.org
  • 6. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud Why agile? 'It is not necessary to change. Survival is not mandatory' -W. Edwards Deming William Edwards Deming (1900 – 1993)
  • 8. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud Is business losing or has lost patience with Enterprise IT? The answer has to be 'Possibly!' • Forces actively shaping the transformation of enterprise IT • Other than the failure rate of enterprise IT projects…. • The need to 'simplify IT' in the eyes of the users, plus • The 'need for speed', plus • The need to cut costs…. ….Makes cloud particularly appealing compared to internal IT • This can trump appropriate risk, total cost, project management governance in organisations aggressively shifting to the Cloud • Where does that put the individual disciplines and conventional methodologies associated with application development, project and risk management? • The pressure on enterprise IT is mounting!
  • 9. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud One-size-fits-all approach (PMBOK, PRINCE2) Vs. Agile
  • 10. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud One-size-fits-all approach (PMBOK, PRINCE2) Vs. Agile • One-size-fits-all approach: Changes in master project plan are seen as 'negative' - Discouraged • Agile: Changes in project plan seen as 'opportunities' – Inherent
  • 11. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud Agile in Project Management Important concepts include…. 1. Minimising project risk by working on short iterations of clearly defined deliverables. 2. Contingency planning in agile PM needs early and proactive risk detection 3. Direct communication between players in the development process is the default. (ie: Not exhaustive project documentation). Rationale: Project team can rapidly adapt to the volatility in changing requirements or environment
  • 12. BYOD CIO.com
  • 13. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud BYOD or Bring Your Own Disaster? Mobile Devices • Are powerful cloud access devices • Extend the perimeter of your cloud • Disperse the perimeter to your cloud Have the potential to increase the vulnerability • The compromising of one of these mobile devices could be significant and compromise your entire cloud. • Use policy based key management regimes for your data. Question: Is the war "lost" on BYOD in your organisation?
  • 14. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud BYOD • Reflects the increasing demands of users and organisations of their own IT departments to be increasingly agile and responsive to their needs when it comes to iPads, tablets and other mobile devices. • Read the NIST Draft Guidelines http://csrc.nist.gov/publications/drafts/800-124r1/draft_sp800-124-rev1.pdf
  • 15. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud BYOD requires management: .. Some suggestions… 1. MDM (Mobile Device Management) systems (Remote wipe, policy enforcement) 2. Introduce a non-porous Virtual Desktop environment • No data can flow between the Cloud system and the mobile device itself 3. Containerisation: • Segregates corporate from personal data and applications • Enforces encryption and prevention of data leakage between containers • Application / device specific therefore can be a challenge to expand across the entire mobile environment for all applications.
  • 16. Cloud
  • 17. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud The most quoted Definition of Cloud: Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction • US National Institute of Standards and Technology's (NIST) definition
  • 18. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud The most sensible Definition of Cloud: "Forget your technical definition of the Cloud, ask your mom what the Cloud is…. …And what your mother will tell you about the Cloud is that it means it's not on my computer."* Dave Asprey – Global VP, Cloud Security, Trend Micro * Navigating through the Cloud Podcast Episode 23 in iTunes
  • 19. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud Hybrid will be the dominant form in the enterprise "Within five years, it will be primarily deployed by enterprises working in a hybrid mode". - Gartner Gartner "Predicts 2012: Cloud Computing Is Becoming a Reality" (Published: 8 December 2011 ID:G00226103)
  • 20. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud …. And with the Hybrid Cloud …. …..comes complexity… and complexity introduces.. Risk In areas such as: • Change control, Rollback • Security • Identity Management • Due diligence • 'Big-Data' • Business Intelligence – Dashboards and drilldowns • Forensics / eDiscovery • BYOD • Mobility • Legislative / Jurisdictional • Contractual complexity ….. To name but a few
  • 21. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud What are the dormant risks in your Cloud contract? It's YOUR brand at stake, not the vendors!
  • 22. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud • You're counting on SaaS vendor in order to provide all the multi-tenancy for your data. • You hope they've written their applications well, secure their databases, and so on …. • You're sharing the database with everyone else.
  • 23. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud The Inverted Risk Pyramid HI RISK Major enterprise instances, with complexity, scale, risk, compliance, deep integration, long term Integration, enterprise governance needed Commodity / non- integrated Cloud applications LOW RISK
  • 24. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud Is the Systemic risk increased by the combination of: – Hybrid Cloud – Mobility – BYOD?
  • 25. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud Hybrid cloud can contribute to…. • Increased vulnerability due to its fragmented architecture and larger surface … • however if it is properly architected, risks largely eliminated by implementing measures such as… o Deploying effective policy based key management processes o Properly segmenting your public and private clouds o Encrypting each part of the hybrid Cloud with separate keys o … amongst other measures
  • 26. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud Mitigate risks by defining and assigning key roles in your Cloud environment. – Define your Cloud Reference Architecture by reviewing applicability against published models (Eg NIST*, IBM, etc) – Ensure you do not miss important roles (Eg: IBM CCRA does not include Cloud Broker, Cloud Auditor yet included in NIST CCRA) * National Institute of Standards and Technology
  • 27. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud The emergence of the 'Cloud Broker'
  • 28. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud IT Department in the Cloud?
  • 29. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud Remember this slide? Why is brokerage a real consideration? Also: • Change control, Rollback • Security • Identity Management • Due diligence • 'Big-Data' • Business Intelligence – Dashboards and drilldowns • Forensics / eDiscovery • BYOD • Mobility • Legislative / Jurisdictional • Contractual complexity ….. To name but a few
  • 30. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud "Cloud consumers should budget for additional integration costs which can range from 10% to 30% — and sometimes as high as 50% — of the total cost of cloud IT projects." Gartner Predicts 2012: Cloud Services Brokerage Will Bring New Benefits and Planning Challenges - Published: 22 November 2011 G00227370 Let's explore the reasons why in a bit more detail …..
  • 31. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud Agile in Risk Management • Time horizon misalignments: o Agile is based on short time cycles o Conventional Risk Management: Time to identify, plan mitigation and implement Risk management over a comparatively long timeframe • Categorisation of risks as part of the conventional Risk Management process not helpful in identifying the enterprise-wide systemic risks….
  • 33. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud Systemic vs. Technical Risks • Systemic risks are those with the greatest potential impact as they affect the entire system (ie: Organisation, government, country, world…) • Case in point: How is it that the finance industry, which is one of the more regulated, and invests heavily in risk identification, mitigation and transference could be the cause of the current global financial problems? • Systemic risk for the enterprise is the silent killer and is often the hardest to identify as only a few have a complete, transparent and objective overview of the overall enterprise. • Mitigation through approaches such as Enterprise Risk Management (ERM), origins in fraud, organisational governance, and underpins the insurance industry • Applicability to IT – Cloud especially – not often discussed
  • 34. Where Worlds Collide? Agile, Project Management, BYOD, Risk and Cloud Systemic vs. Technical (or Functional) Risks • Identifying, categorising and ranking technical and functional risks is core to conventional IT risk assessment approaches: o Risk of a specific event = (Impact x Probability of that event occurring) + Risk Adjustment • Underpins conventional risk certification frameworks e.g. ISO2700X • Compliance does not necessarily equal security or effectiveness of your risk management model • The categorisation of risks into functional and technical categories does not help in the identification of systemic risk • Focusing on the diverse range of technical or functional risks, does not account for the interaction between risks. • Systemic risks are mostly more significant than the sum of the individual risks
  • 35. Managing the mixed messages
  • 36. Managing the mixed messages A recent survey* referred to by Forbes claims that "a meagre 3% of companies considering Cloud consider it to be too risky." This was based on a survey of 785 companies, implying the inevitability of Cloud. Not atypical of research in Cloud, this survey was conducted by a firm that has investments in the Cloud industry, with 65% of respondents being vendors so one could say that the results were not totally unexpected. http://www.forbes.com/sites/joemckendrick/2012/06/20/cloud-computing-simply-isnt-that-scary-anymore-survey/
  • 37. Managing the mixed messages Business fears being left behind? "By 2015, nearly $1 of every $6 spent on packaged software, and $1 of every $5 spent on applications, will be consumed via the SaaS model." "By 2012, about 83% of all net-new software firms coming to market will be operationalized around creating, testing, selling, and provisioning a service versus a packaged product (CD)." "By 2015, about 24% of all new business software purchases will be of service-enabled software, and SaaS delivery will constitute about 13.1% of worldwide software spending across all primary markets and 14.4% of applications spending." ICD Dec 2011 Doc # 232239
  • 38. Managing the mixed messages 24% of CEOs surveyed in the 2012 PWC CEO Survey 75% of CEOs plan to change innovation capacity in 2012, of which 24% expect 'major change', underpinned in part by technology. The eighth annual KPMG 2012 Audit Institute Report identified "IT Risk and Emerging Technologies" as the second-highest concern for audit committees, which is unprecedented in the history of the report.
  • 39. Managing the mixed messages • So, in a nutshell, there are mixed messages out • On the one hand organisations demand speed, innovation, agility and value, largely facilitated by technology. "Organisations that adopt new 'transformational' technologies, Cloud in particular, without effective consideration of the enterprise wide, systemic and longitudinal risks, are potentially either setting themselves up for future problems, or not maximising the opportunities, or both." – Rob Livingstone
  • 40. Orchestrating the Transition – some Takeaways Consider these 5 pointers:
  • 41. Orchestrating the Transition – some Takeaways #1: Adopt an integrated approach to function specific methodologies • Standardised, traditional methodologies within specific disciplines such as Project Management, agile and information security, in and of themselves, are self limiting. • Each discipline is only really effective when applied in a coordinated orchestration with the other key moving parts of the organisation • IT is well placed to help facilitate this, due to its unique perspective of the organisation as a whole. → Harmonization of functionally specific methodologies unleashes value and eliminates waste
  • 42. Orchestrating the Transition – some Takeaways #2: Manage the conflicting messages • Cloud evangelists see cloud as imperative, others not • Executives and line of business managers all have volatile expectations of enterprise IT • 'Fairies at the bottom of the Garden' promises for the latest IT 'transformational technology' • Opacity of risk → Develop an effective mechanism for interpreting these messages in the context of your business
  • 43. Orchestrating the Transition – some Takeaways #3: Actively identify, embrace and manage shadow IT "Shadow IT can create risks of data loss, corruption or misuse, and risks of inefficient and disconnected processes and information" – Gartner* → Embrace shadow IT, and define what is and what is not eligible to be considered enterprise IT → Meet the challenge * CIO New Year's Resolutions, 2012 (ID:G00227785)
  • 44. Orchestrating the Transition – some Takeaways #4: Identify systemic risks across the organisation • Systemic risks can kill your business • As CIO, ensure you are seen as the trusted advisor by your peers → Ensure your executives and key decision makers are aware of long term, systemic risks should they make enterprise IT decisions without appropriate due diligence → Accountabilities for these decisions are to be clearly assigned → Consider implementing Enterprise Risk Management (ERM)
  • 45. Orchestrating the Transition – some Takeaways #5: Local optimum vs. Global Optimum? • Senior managers with functional responsibility over specific vertical silos of the organisation may underestimate the overall complexity of their own business as a whole. • Resulting decisions may be sub-optimal for the organisation as a whole • From a functional perspective, specific methodologies exist to support specific activities, but may not mitigate enterprise-wide systemic risks → Help others see through the appeal of 'simple IT solutions', that merely mask underlying business complexity. → Test assumptions if critical, and be proactive in identifying the risks for arbitration by the organisation as needed.
  • 46. Thank You! ROB LIVINGSTONE - Fellow, University of Technology, Sydney - Principal, Rob Livingstone Advisory Pty Ltd W1: www.rob-livingstone.com W2: www.navigatingthroughthecloud.com E: rob@rob-livingstone.com P: +61 2 8005 1972 M: +61 419 632 673 F: +61 2 9879 5004 @rladvisory © All rights reserved. Rob Livingstone Advisory Pty Ltd ABN 41 146 643 165. Unauthorized redistribution prohibited without prior approval. 'Navigating through the Cloud' is a Trademark of Rob Livingstone Advisory Pty Ltd.