The Cybersecurity Risk That Dwarfs All Others


Quick question: how many copies of Microsoft Windows Server 2003 are you running across your organization?

If you’re in a large enterprise, the answer is likely to be “I have no idea” – or worse, perhaps you have a number in mind that in reality is woefully inaccurate.

I’m singling out Windows Server 2003 because that venerable workhorse of enterprise tech is going out of support this July – in spite of the fact that there are still untold thousands of running copies out there, frequently off the radar of IT management.

However, this aging server is but one of hundreds of applications and other pieces of software (as well as obsolete hardware) that are nearing or past their end of life in back offices and data centers around the world.

You may wonder what the big deal is. After all, if said tech gear is still working, then what’s the problem? The answer: end-of-life software is an enormous security risk, as the vendor is no longer patching any security vulnerabilities that may arise.

And arise they do, with persistent and frightening regularity. You might as well lock your windows but leave your front door wide open.

“Obsolescence is definitely a risk,” according to Nicola McCallum, professional services practice director at Troux Technologies. Troux Technologies offers enterprise intelligence, enterprise portfolio management, and IT asset management (ITAM) solutions – but may perhaps be best known for how its tools support enterprise architects.

At their annual customer event this week, the Troux Worldwide Conference, connecting the dots between portfolio and asset management on the one hand and enterprise architecture on the other was a hot topic.

The field of enterprise architecture (EA), as I’ve written about before in two articles for Forbes, struggles to show value in many organizations. For the audience at the Troux conference, the question of the day was whether EA provided value beyond IT asset management.

Conference keynoter Rick Lauderdale, chief enterprise architect for the US Department of Energy (DOE), has a practical perspective. “‘Architecture’ has a bad connotation in government,” Lauderdale says. “We use the term ‘business transformation’.”

Lauderdale is referring specifically to how he helped the DOE transform the way it dealt with the risks inherent in obsolete software. After expensive cybersecurity breaches in 2013 due to an obsolete version of Adobe Systems ColdFusion, a web technology platform, Lauderdale leveraged Troux, a handful of other tools, a small team, and a limited budget to pull together a solution to this vexing enterprise challenge.

In the absence of such tooling, most IT managers use spreadsheets to keep track of all their IT assets. “Get away from spreadsheets and automate the process,” Lauderdale warns. “And make it reliable.” Large IT shops like the DOE have thousands of applications, and they all have a limited lifecycle. Expecting to keep track of everything manually is a fool’s errand.

Analysts agree. “The manual-intensive requirements for ITAM require at least a month for report generation,” according to an October 2014 case study on the DOE by IDC analyst Bill Keyworth. “This lengthy time frame prevented use of existing ITAM reports and eliminated potential cybersecurity value as the data was simply not good at the time it was needed.”

The key to Lauderdale’s solution was to operationalize the reporting of obsolescence risk – leveraging Troux and other tools to automate the collection, organization, and dissemination of asset management information to both business and technical users.
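The automated obsolescence check the article describes, reduced to its core, as an added example that is not part of the original piece or of any Troux or DOE tooling: a constructed inventory is joined against an end-of-support table and each host is bucketed as unsupported, expiring, supported, or unknown. The product names, versions and dates are assumptions (Windows Server 2003's July 2015 end of extended support is the only real date; the rest are placeholders).

```python
"""Flag end-of-life software in an asset inventory (added example)."""
import csv
import io
from datetime import date, timedelta

# Constructed lifecycle table keyed by (product, version).
# Windows Server 2003 left extended support on 2015-07-14 (assumed here;
# verify against the vendor's lifecycle page). The others are placeholders.
EOL_DATES = {
    ("Windows Server", "2003"): date(2015, 7, 14),
    ("ExampleDB", "4.1"): date(2015, 12, 31),
    ("ExampleDB", "5.0"): date(2018, 6, 30),
}

# Constructed sample inventory; a real run would read the export from
# the asset-management system instead of a spreadsheet.
INVENTORY_CSV = """host,product,version
dc01,Windows Server,2003
web03,Windows Server,2003
app07,ExampleDB,4.1
fs02,ExampleDB,5.0
legacy01,LegacyApp,1.0
"""


def classify(product, version, today, warn_days=180):
    """Return the support status of one product/version as of `today`."""
    eol = EOL_DATES.get((product, version))
    if eol is None:
        return "unknown"        # not in the lifecycle table: needs research
    if eol <= today:
        return "unsupported"    # vendor no longer ships security fixes
    if eol - today <= timedelta(days=warn_days):
        return "expiring"       # plan the migration now
    return "supported"


def obsolescence_report(inventory_csv, today, warn_days=180):
    """Bucket every host by status and count installs per product/version."""
    report = {"unsupported": [], "expiring": [], "supported": [], "unknown": []}
    counts = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        key = (row["product"], row["version"])
        report[classify(key[0], key[1], today, warn_days)].append(row["host"])
        counts[key] = counts.get(key, 0) + 1
    return report, counts


if __name__ == "__main__":
    status, install_counts = obsolescence_report(INVENTORY_CSV, date(2015, 8, 1))
    for bucket, hosts in status.items():
        print(f"{bucket:12s} {', '.join(hosts) or '-'}")
```

Run on a schedule against the real inventory export, the "unsupported" and "unknown" buckets are the report the article says should reach business and technical owners without a manually built slide deck.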

In fact, operationalization of IT asset information is an essential enabler of cybersecurity more broadly as well. “Operationalize risk reporting,” advises McCallum. “Stop building PowerPoints manually for every briefing.”

Obtaining adequate support from management was one of Lauderdale’s greatest challenges. He “was able to obtain backing and consistent support from IT and LOB [line of business] leadership and packaged the asset security proposal as a compliance initiative,” according to the IDC report, “leveraging the principles of EA to focus on business processes, specifically cybersecurity threats.”

Enterprise architecture, therefore, played an instrumental role in this solution, in part because it helped link ITAM and compliance.

“EA was an advantageous discipline to lead this effort due to the constantly changing business and technology requirements of any enterprise,” the IDC report continues. “[Lauderdale’s] EA experience emphasized that an IT asset management solution had to be flexible enough to not only accommodate existing cybersecurity needs but also other business needs yet to be recognized” – including the cost savings benefits of eliminating redundant software.

This focus on change is the key to squeezing value from EA – which is why EA is becoming increasingly important for organizations looking to move more quickly and run their business at velocity.

To achieve this goal, IT managers must put into place the “right measures and right decisions to move toward a state of risk management,” according to McCallum. “You must think about risk with a capability lens.”

Obsolete software is a good place to start. “99.9% of all breaches are caused by out of date software,” according to Lauderdale. Keeping track of such software requires a proactive, automated approach. “If you never balance your checkbook, you’ll never have a problem,” Lauderdale quips.

McCallum has a more sober take: “IT managers must reduce their operational surprise.”

The end result might be called compliance at velocity. Connecting the dots between IT asset management, cybersecurity, enterprise architecture, and the operationalization of IT information is a tall order, but is an increasingly familiar enabler of business agility at enterprises that must deal with complexity and ongoing change.

Intellyx advises companies on their digital transformation initiatives and helps vendors communicate their agility stories. Troux Technologies compensated Jason Bloomberg to present a keynote at the Troux Worldwide Conference and covered his travel expenses, but as of the time of writing, there is no other business relationship between Intellyx and Troux. None of the other organizations mentioned in this article are Intellyx customers. Image credit: Kevin Dooley.
