Strategic Management

10 hours 8 minutes
Video Transcription
then we try to be pretty timely. But we've had a few glitches today, so we're just fighting through those and making sure that we can move forward successfully. So thanks again for being patient with us. And I do want to welcome you to Certified in the Governance of IT.
And this is the course where we're focusing on
the enterprise, of course, through the effective use and delivery of information technology to the business. Now, we met on Tuesday, the serve fourth session, I believe. And we talked about some important ideas. We talked about
some of the different frameworks that we might work with. When we're looking at enterprise IT,
ah, we've talked about COBIT. And as I mentioned for you, COBIT's definitely gonna be testable. We talked about how it maps enterprise goals all the way down to objectives, action items that IT can work on. We also talked about the capability maturity model integrated,
and we said this is a great tool for gap analysis.
We know where we are after we do some assessments and the CMMI's gonna help us figure out where we want to be or really not so much where we want to be, but how to get where we want to be. So that's an important tool as well. We also talked about the ISO 27001 framework.
We said This is the most popular framework in use today,
and it is, ah, from the International Organization of Standards. So it certainly should be because it has international backing. We also talk just a little bit about ITIL, IT information library. And we said that, I am sorry, IT service library. Um,
Again, everything I have touched today has been a little bit confusing, but that's all right. So it anyway,
ITIL with service management and how every company provides a service and managing those services is the best way that we can deliver value to our customers. All right. And then we jumped into the enterprise architecture
and we talk about really understanding the role of IT in our environment.
And we talked about, you know, when we look at architecture, it's all of the mechanics and all of the elements of the strategies and processes that go into the organization and ultimately our goal is to have all of our architecture pointed in the right direction in the same direction,
working together for the good of the organized
organization. So what we looked at is we looked at, you know, up at the top. The first thing we have to examine is the business. And this element is best handled by governance by senior management by, um, your steering committee by, um, you know, board of directors perhaps, but
ultimately, they determine what
the drivers are for organization. And then those drivers become our strategy, right? We're gonna accomplish those drivers. So if our drivers, they need to maintain compliance with laws and regulations or if our driver is to see, you know, to deliver value through stocks or whatever, that driver may be
all about the business. Now the business drivers dictate what type of information we're gonna use, right? If I'm a health care provider or if I'm, ah, you know, payment card industry. If I am an IT training company, whatever that may be.
So what type of information we have is driven by the business?
All right. That information is gonna then lead into our daven, our technical data store and how we're gonna manipulate the data, how we're gonna access that data, what type of applications that we're gonna use and then the applications are going to need to be supported by the technical structure.
So this is exactly the way
our enterprise should flow. But we start up at the top with the business, and each element is gonna feed into the element below.
Ah, we also just kind of gave a sample where we talked about Okay, You know, the industry creates the drivers for the business. The business creates the information, the information is gonna dictate the information systems. Then we have the data, how we store the data, how it's created, how it's accessed
all the way down to the delivery system, which is the technology itself. So I thought that was a pretty good little example, so we could see it.
Um, we talk about some other elements as well. We looked at some ideas, like the BCG, which was the Boston Consulting Group. And if you'll recall, we talked about when we're determining our strategy, we're developing our portfolio.
We're determining where to make investments and what type and where to direct our efforts.
What would be great if everything in our portfolio was a star? We had high profit. We had huge potential for growth. And that's where we want to address our efforts, right? It's high potential for earning. It's a stable environment. It's growing.
This is gonna be where we're going to focus our time right. We're gonna invest that money and we're going to grow it
now. We also to the positive, have cash cows. This is where we've had a high earning potential.
The money's coming in, but it's not necessarily an area for growth per se, you know. So if I put a training book out on the shelf and week, month after month after month, it continue to use a steady stream of income or that might be a cash cow.
So what do I do? I milk it so to speak, and I just let it run right.
Just have published the book. It's out there, and until there's a new version to be produced, it stays now. The next element was our question mark, and we said these are sometimes referred to as our problem children and with our problem children, you know what we just don't know
low earning potential and possibly even costing us money. Sometimes those elements are just bleeding money, and we're not sure where they're going to go, though. Right now, we're not earning a lot of money, But this is a field. Perhaps that has the potential for growth.
So is it something that can grow for us? And we have to do a lot more analysis to determine? Is this something we just set free, or do we continue to work towards it, devote maybe some more money to take it from being a question mark into being the star? Maybe it's possible,
and it's because of that growth potential
now and again. The dog and I really hate that that dog is used with a negative connotation because I'm a real dog person. You can see that fine looking pug there, um,
low earning. It's unstable. This is just something that continues to be difficult. We don't know what to do with it. You know, if we're putting money out, it's not a stable environment. There's no growing. This is where we cut it loose, right? Lower market share, low growth low,
you know, money's going out, or at least not coming in.
We cut it loose, definitely testable on the exam. We also looked about when we were considering investments.
We also talked about our SWOT analysis, strengths, weaknesses, opportunities and threats.
All right, so that takes us up to where we left off. No, it doesn't. We talk about implementing controls, and we talked about how the controls are driven based on our business strategy. And we talk about certifying our controls and implementing our controls
based on the environment which we exist.
And then we talk about the essential nature of communication.
Um, last thing that we discussed was preparing for change in your organisation, communicating change in a positive manner and getting buy-in from the team, getting buy-in from senior management, getting buy-in from the staff. And change is hard. And we know it. We have to address that head on.
All right. So that does, in fact, bring us up to, ah, Domain 2, which is strategic management. And so, of course, when we talk about strategic, there's a large multi page table with primary and secondary goals
mapping in the CGEIT,
do you need to manage. Okay, so I'm gonna just right for a question. Mubasher. Um
so, yes, I would definitely memorize COBIT's framework. I would take COBIT's mapping all the way down to enterprise objective, and that's called the Goals Cascade. And that's a really heart and soul kind of idea of COBIT. Now do you need to memorize
the 17 domains? You need to get none of that. But just the philosophy of
stakeholder needs drive requirements all the way down to resulting in IT goal. So that piece you gotta have. But as far as the more complex mapping of you know, here's how we can accomplish this particular need. Not at all, not at all. And I
provided that for you way back here,
Um, this being let me maximize this and bring this up. So this is really the framework. So I would understand how the framework works. You know, I would I would get the gist of this,
but I wouldn't worry myself with figuring out anything. Particularly like,
you know, what the primary goals are with secondary IT-related goals. Um,
I would really just kind of put these in the context of what the framework is and what information it provides. So
pretty high level here. I don't see them getting really nit picky into you know, what is financial three? What does that map to for a primary goal? Um, yeah, not at all. Not at all.
All right, So, uh, when we look at this and we do start off with only scroll that down here
Domain 2, strategic management, this is where we want to be.
So, uh, when we look at this and we start talking about the idea that, um, we think about the agenda for strategic management any time we talk about strategy, strategy is always going to revolve around long term.
So when we're thinking about strategic management, we're looking maybe 3 to 5 years out. We're looking to take our organization to the next level, Really? And that's what this next section is about. So when we're looking at strategic management, what we're gonna have to do is really focus on
value and how we can extend our portfolio
within our organization and bring in. And it's all about bringing in more value. So in this section will talk about strategic management specifically within the enterprise and how the enterprise architecture is going to both support and be driven by our strategic goals.
One of the things that we've continued to talk about, We've talked about the fact that, ah, Val IT is one of the frameworks that addresses the problem, that it can be difficult to justify investment in technology. It can be difficult to justify what the IT department does.
what we're gonna do is look at Val IT. But also look at some of the ways that we can We can assess the investments that we're making, and then we'll wrap up by talking about project management. We likely you're not gonna get through this domain today, but we'll see how we do.
All right. So strategic management is the second topic the second domain of this course, and it will represent 20% of the CGEIT exam, so that's pretty significant. It was gonna be 5 1/5 of the exam.
So I would anticipate,
you know, with strategic value and strategic management, That's one of those things that really can also appear in other sections because it ultimately comes down to,
it ultimately comes down to the, um
the value that we're delivering. So when we look at this, even though it says 20% of the exam, you may even see more questions than 20% on strategic management. So
how do we support the achievement of enterprise objectives, integration and alignment of IT plans? Okay, so let's get a definition from ISACA, since they're the ones that put out this exam and what is strategic planning? So ultimately
the process And this is a direct quote from ISACA. It's the process of deciding on the enterprise's objectives
on changes in those objectives and the policy to govern their acquisition and use.
Okay, so here we're looking at strategic planning
and the first piece deciding on what the enterprise's objectives are. Now that's gonna happen long before we're brought on board, right, And that's gonna be conducted by senior management. And at some point in time, there was an assessment of who are the key stakeholders
within this organization
in stakeholders, senior managers, board of directors, stockholders, employees, right, and ultimately, we conduct the interviews, we conduct the assessments, we have observations facilitated work groups, and we determine what are the needs of those stakeholders. So
when we see the needs of the stakeholders, those have to be translated to requirements.
Um, and requirements are going to be much more particular than needs. They're also gonna be more exclusive than needs. Everybody has a need. Everybody has a want. Everybody has something they'd like to see. But the requirements are gonna be whittled down,
giving, of course, priority to the key stakeholders and looking at feasibility
and ultimately, those are gonna be the basis for our organizational objectives. Now, what is our objective? Today may not be our objective tomorrow, especially certain businesses and organizations are in very volatile environments.
You know, a government agency, military, you know, depending on changes in,
in the global, you know the global atmosphere,
even the more localized political atmosphere changes in the marketplace. You know, for vendors, the tide may shift one direction and may turn on a dime. You know, with, um, I remember with Hurricane Katrina prior to Hurricane Katrina,
we had been looking. It seemed like we were making bigger and bigger cars that were on the Hummer floor.
And, you know, the escalates. And then all of a sudden, Hurricane Katrina hit and gas approached five bucks a gallon, you know, mainstream and in some places, even more than that. So all of a sudden the market said, Wait a minute. These gas guzzlers are costing us money, we're gonna have to shift our focus.
And so, you know, if our project was on the Hummer five,
that ultimately was disbanded because the market changed. So when we're looking at changing our strategic objectives, there has to be a means in place to do that. We've talked about change control. We have to have a way of evaluating change, approving those changes, testing the changes.
Ah, scheduling the changes, evaluating the changes, right.
And then, of course, any sort of policies that govern the mechanisms we need, whether we need to acquire them, develop in house, build them, use them, policies to have those elements in place. So that's what strategic planning is all about.
So for this section, um, you know, we keep going back to the idea of strategic alignment,
the alignment between the enterprise's goals and the IT goals. So once again, another direct quote from ISACA and I would always take anything that's presented as a direct quote from ISACA. I would take it as gospel, and I would take it as something I need to know and something I need to memorize.
All right, so the state of strategic alignment.
So an enterprise's investment in IT is in harmony with its strategic objectives.
Okay, so what is our intent? Our strategy and our enterprise goals thus builds capabilities necessary to deliver business values. And again, I want to stress I don't normally read these word for word, but I really want to emphasize again when it comes from ISACA. We want it just about word for word. So let's break this down
An enterprise's investment in IT.
Which means when we're able to confess to convince senior management to write us a check, we're going to implement a control. We're going to manage new project. We're gonna upgrade the infrastructure. Um, we're going to essentially put out some expenses in relation in relation to our technology.
Does it follow what our strategy is? What our objectives are. So the intent is in alignment with the intent of our organization.
Right? Well, the intent of our organ intent of our organization is to be a leader in the field of technology. Well, yeah, we can very easily justify investments or if our intent is more directed on, you know, the business that we focus on
and we don't want to spend extra money on technology, we want to reinvest in the product and the process is there. Obviously, that's gonna limit our expenses.
So everything that we do from an investment perspective, we have to examine. We've got a look at the return on investment in the cost benefit and figure out where it fits. Now I know that we keep saying this idea of alignment with strategic goals and so on and so forth that's really important.
the big emphasis here is we understand that information technology is an investment, and when we make this investment, we expect to see a return, and sometimes that returns in money. But many kinds. It's not many kinds it's in, you know, or it's less,
um, tightly mapped to money.
If we invest in our technology, were better able to serve our customers, and that will increase our profit. But what we want to be able to do is we want to be able to find that link between what we spend and then what we receive in return. So ultimately, what we want to be able to do is that value,
idea of value. And what's happening now is that companies have not traditionally seen the value.
So what that means is that you know one of the things we're seeing now everything's being sent to the cloud. And when things were sent to the cloud, I'll guarantee you that when you ask folks why, they'll say because it's cheaper, we get more money, right?
We save more money.
But that's often because senior management doesn't understand the value that having an in-house IT department brings and they're having difficulty matching what we do to direct value. And I think sometimes we don't do a very good job of explaining and communicating that value.
So now this work is outsourced in one of the things that I'm seeing.
I'm not seeing it widespread, but I am seeing organizations that moved resources to the cloud. Some of them are bringing those resources back home because they're finding that
what they're getting in the cloud still cost money. And if I'm paying it on a monthly basis, you know, uh, the total cost of ownership can wind up being more when you're moving to the cloud. So it's not always the money saving instance that we need.
All right, so in this section, the task statements that they always work towards when we talk about task statements
these are the things that
a CGEIT should be capable of doing. So evaluate and direct and monitor IT. That should be IT strategy, not IT strategic. So should be able to direct and monitor our strategy,
make the alignment with the goals document and communicate the plan many times. These elements are lost in communication, poor communication between IT and senior management.
All right, we want to inter prop in a great
the architecture. Through our planning, we have to be able to prioritize the initiatives into the ones that deliver the most value to the business and make sure that our objectives just like cats, just like COBIT talks about with the goals cascade
that we can take what we do in IT and map it all the way back up.
Okay, So, knowledge statements, I'll let you read through those. But again, this is kind of a little checklist to say Yep, Yep, Yep, I got it.
All right. So enterprise strategy drives IT strategy, which supports the business processes. And, of course, the enterprise strategy drives the business processes, right. What we do in the business is driven by the enterprise. So once again, the support, the nature of support.
All right, so
what is the vision and these are definitely testable, vision versus mission and so on. So the vision,
ultimately, what is that? It's what is our purpose? Why are we here? What is my vision for who we are as an organization.
So ultimately, this is gonna be, ah, verbalized or this is gonna be documented as a set of goals. Here's what we want to provide. Here's what we're going to strive for. This is the organization that we want to be. These are the elements that are important to us.
Here's where we're going to focus our effort.
all right, and then we have a goal or the company's missions. Our mission statement is going to describe
what's gonna be necessary for the business to accomplish our vision.
Okay, so this is our goal. I've said what our vision is. My mission is to accomplish my vision or my business goal is to accomplish the vision. So this vision is this idealistic? Here's what we want as an organization. And then our goal is gonna be very broad, Qualitative
about how we're gonna get there.
Okay, So ultimately, you've got vision, strategy and goals. So your vision
than your strategy
and then your goals are more specific. So strategy is gonna be big picture. It's gonna be broad. You know, our strategy is going to involve us trying to leverage our position in the marketplace to increase our customer base.
That's a great strategy. Our vision is to become the leader in our field. The strategy is leverage our
current exist court position. And the goals were going to see a 10% increase in sales by second quarter 2019.
so again, they kind of all lead into one another.
All right, strategy again. The means to achieve the goals of the business. It's broad. It's big picture. Ultimately, we want to have that strategy that's going to take us a lot of times. Our strategy is going to take us from current state
to desired state. How are we going to get there
and then our objectives?
You know, usually we look at objectives being stepping stones to meet our goals. So your goal is to pass the CGEIT exam. Your objective is to attend an online training course. Your objective is to study 15 hours. You have all of these different objectives that will help you make your goals. OK,
let's see here.
All right. So how all of this comes together,
I don't know if you're familiar with Deming's Plan-Do-Check-Act model. If you haven't seen it before, it's one that comes up a lot in relation to quality. It comes up with project management software development. And the idea is, when you have
something to accomplish your plan
and then you do it, you check to see if it worked and then you act upon the change. Well, this is very, very close to what we're seeing here on the slide, right? Very comparable to the Plan-Do-Check-Act program. We're gonna plan
to accomplish our strategy. We're going to deliver our solution. We're gonna measure it to determine if it worked. We're gonna examine those measurements to see if we met our goals and objectives. And then we're gonna act upon what we've learned by being adaptive. If things didn't go the way we thought they would will make some modifications.
And these are the elements that go into strategic planning.
All right, So when we talk about supporting our strategies, um, buy-in is essential. Right? So when we have an IT strategy that we may be directly involved in developing, we still have to sell it. We got to sell it. We always have to sell it. Right?
So what we're trying to do is to justify
the value again. And value doesn't have to be in dollars. When we're looking at implementing a strategy, we got to sell it to end users. We've got to sell it to the employees who are less concerned about profit to the organization or return on investment to the organization.
They want to know what's in it for me.
So talk to me about improving, um, my workload. Talk to me about helping me be more efficient, get more done, opportunities for advancement, those are the ideas that speak to our employees.
Okay, The board board of directors should make sure our strategies reviewed regularly. Because, like we've said before our enterprise strategy, our long term goals may change because the environment that we all live in is one of fluctuation, right?
Some businesses are more constant than others.
Others things were changing all the time.
All right, so
alignment means we have to be very purposeful. We have to be very aware we have to be detailed in our planning. So we want to make sure that I t is represented at the top level of our environment all the way at the top, right? There's nothing more
necessary for buy-in than senior management being on board. Okay, So making sure that we know how to sell to senior management, making sure that we understand
IT's role within the organization. We enable the business, right? That term enable, enabler, is one that ISACA uses a lot. You know,
You know, the utility function is that yeah, we're there kind of day in and day out. But more importantly, we enable the business processes that make the business run. And not only do we enable them to happen, but we enable them to happen effectively and efficiently.
I will take that information
with the help of senior management, the business units, and we're gonna create some guiding principles for the Information technology department, team, resources, investments that are going to be based on the environment, which we exist.
And then, you know, the culture of IT should fit into the culture of the organization. And I'll tell you, that's not something you see a lot because in many instances, the IT department is sort of a breed unto themselves. The IT department presides in the basement. We call them, IT comes up
and, you know, we may interface with them very little.
So one of the things that we need to do is incorporate our teams.
Um, better. We need to incorporate IT into the enterprise environment. Better. We can do that by having our IT folks conduct training classes, be more visible, provide a better facilitation of communication between them, and that's gonna be important
because the more removed IT is from the rest of the business,
the more this mystery of what those folks do is going to continue. So we want our IT folks out and visible and present within the organization. Um, you know, at staff meetings, you know, here's Jeff from IT is gonna let you know this state of affairs in relation to security
again just increased that visibility.
All right, now we develop alignment. Continuing to meet and maintain alignment requires again the evaluation in the oversight of the products. So monitoring in relation to, um,
the business impact, right? Looking at we've invested this money in this product is the product meeting its objectives Are those objectives delivering value for the business as a whole? So again, we have these expectations we have to monitor and manage for them. So
after we implement these products and these services,
that's when we've got to start tracking the information. We've got to report back to the business on a regular basis and make sure that we have clear and transparent,
evaluation of the services.
All right, so with our strategy, you know, so much of this is repetitive. I feel silly saying, Look at the business objectives. We got that right. We know that we also don't want to look at the environment, the industry, how competitive is the industry in which we exist? Because that may indicate,
or that may dictate how aggressive
or conservative will be in implementing changes. Um, we've got to think down the line about continuing expenses or future expenditures. How much more money may we have to bring in to supporting our environment?
And we have to look at risks to because risks are likely going to tie into additional funding requirements.
I looking at the level of service demanded by the business. Are we meeting it now? Will we be able to meet it in the future? And if not, what degree of investments going to be necessary in order to sustain the business? Sometimes companies grow very quickly
and we have an environment that was created for 10 people,
and now all of a sudden we have 25 people and then we have 65 people and then we have 150. So if our environment has not been built upon a scalable structure, then we're going to find ourselves quickly being behind the eight ball were always
behind. You know we're not supporting business. We're playing catch-up, we're playing catch-up.
Well, that adds to the negative perception of IT's value within the organization. Sometimes that's not our fault. We don't always get of the funding that we need have. Thank you for that. Because I swear to you, my head's gonna pop off if I say alignment with strategic objectives one more time.
I know you sit in my classes, and it's so
such a common thread. But that just really shows you have so many certification exams, feel the need to just keep hitting this topic that just shows you for how long? The IT department has been considered a separate element from the business,
and sure, we've always provided the services.
But we've been much more insular, and IT has been a department and almost a goal unto itself, and we've really misplaced our priorities. And we've either found that senior management doesn't want to talk about IT. They want to sell hammers or whatever they sell, or
it gets a lot of money.
Nobody knows what happens to it or, you know, IT has legitimate need for investment but doesn't know how to communicate those risks. So we really see that we're coming from an environment where this alignment has not always been prevalent. Okay,
when we talk about changes to strategic planning, there, all sorts of drivers that can impact our strategic plan,
right? Internal users, external users, our customers, our partners. How we manage our internal services. Ah, you know, we've got a look at ideas like what we have in a Sfar support goes. So we have
all of these elements that are gonna impact our strategic planning, and we have to address them.
Um, we were just talking about the essential nature of this strategy in alignment and how we practically make that alignment between the objectives of the organization and the information technology organization. So, you know,
as we're evolving, we've already mentioned we're gonna have to continue to update
our environment. So we're constantly assessing. Are we meeting the needs of the business? And we do that by conducting interviews with the business unit leaders by the employees that are working with the technology.
What we're constantly looking for is areas
that we can improve upon right, So we can't be passive. You know, these are no longer the days of just sitting back and waiting to get that call where somebody says my systems locked up and we have to say, Have you tried turning it off and turning it on again?
Right. So we have to make sure that we're eliciting information from our customers from the business,
you know, what are ways that you could see that we could improve, have the priorities of the business improved. So when we talk about this role of enterprise IT, we've got to be right in there with the managers of the business and we are
equals working towards the same goal were part of the same system.
We're moving towards the betterment, the improvement of the business, and the business meeting our objectives. So with our strategy, what are we looking at? How can we approve, improve or not even improve?
But how can we better meet the needs of the business? Right? Because the business may have changed. It may not be a direct
step forward, maybe a step sideways, but one that's more able to provide with the businesses looking at doing
Okay. Now, strategic planning. We say that's usually looking about three or four years out. So what that means is, you know, that's those are the processes where we conduct that formal strategic planning. However,
um, we should go back and update make sure our strategies are still consistent. You know, when you look at four years in IT, man, that's like dog years, right? You know, my Boston terrier's 10 years old, but moves around the house like he's 120 right?
Just ah, you know, the time in
the IT world because technology changes so much. So we have to go through in our CIO is responsible for this value delivery. So with our chief information officer, we want to make sure that they are
focusing the development of strategies in the modification of our strategies. We have to be adaptable.
All right, Now, uh, excuse me. No suspicion. I think I get some allergies or little realistically. I think I've got some dust here, so
all right, now we come back to talking about business architecture a little bit. Let me get back here.
and we talked about enterprise architecture yesterday. So this is just kind of, um a review in context of what we've talked about with the strategy. So we've said architecture is conceptual, It's the relationship of the elements, and we want our architecture standardized.
We also talked about the mapping from enterprise to business to systems to data
to the delivery network of hardware. So some of this we can move quickly. Um,
the architectural layers, you know, when we were really looking about those tangible applications that we work with, you know, we've got to consider our applications. And when we look at applications, for instance, we've got to think about what is our process for software development.
How do we approach security in relation to a software development? How do we manage our projects? Are we compliant with the capability maturity model in our project processes? You know, what is our approach to applications? How do we test? How do we manage changes for application?
What is our certification or testing
process? What is our accreditation process?
Then we back up to databases, and databases are applications, of course, but a little bit broader, because the database is so critical because that's where we store our data, right? That's where the money is, so to speak.
So making sure that we restrict access appropriately that we review controls with our databases.
Um, making sure that we're very leery of garbage in, because we know that means garbage out.
So restricting access to our databases. Ah, providing our users, our customers, our clients, the public front-end interfaces that conduct input validation to prevent somebody on the outside from entering garbage on the inside.
So just those layers of control
Networks. Man, when we talk about network protection and network structure, we could talk for months about that, right? But all the elements of our network, our network connectivity devices,
we're talking about switches and routers and gateways and proxies and Web servers, and you know, everything from cable type and protocol usage. So, you know, that requires a degree of expertise. Certainly.
Ah, the operating systems utilities.
Ah, front-end apps for users. All of those, um, have to be considered.
Operating systems tend to be one of the points of introduction of malware and corruption and compromise. So certainly making sure that we're evaluating those systems because, you know, malware.
You wanna talk about an impact on the business, have your business shut down and system. It's an acceptable inaccessible
for a couple of hours due to a malware infection that has to be restored. I've seen malware wipe a server of data. Um, and unfortunately, the replacement for that data, the backups were off site, so it took hours to get those back. You know, I've just seen lots and lots of different things.
Ah, hardware,
hardware breaks. Hardware has to be replaced. Hardware's compromised. It grows old.
Hardware requires heating and air conditioning, depending on seasonal changes, humidity control. So all of these elements, these are those physical, tangible layers of
the architecture that IT has to manage and work with. And we go back to looking at these different elements and using risk management to determine how we maximize the benefits of these technologies.
All right, now, the challenge of implementing EA. We've already talked about this. You know, we've already talked about the difficulty of change management. Um, I will also add to that legacy systems integration. We've got what we've got, right?
And many organizations are not on the cutting edge of technology. Many organizations are very
have dug their heels in, so to speak with their equipment. You know, I bought this back in 1979 and it cost me $500. I'm not updated.
That may be a stretch, but I still see organizations running Windows XP.
They don't get support from Microsoft, but they don't care. And that attitude is, well, nobody's writing viruses or malware for Windows XP.
That's not a good business strategy, right? But you know, if it ain't broke, don't fix it. And people tend to like to stick with what's tried and true. So when we're looking at modifying our enterprise architecture, we may find that we're doing this in an environment of legacy equipment.
So when we have these legacy equipments, we still have our policy. We still have our systems that are certified and then get accredited. And if our legacy systems don't meet those requirements, we either update them or we create an exception to policy. But
we don't change our policy to say, Well, we're supporting X, you know will apply the security that Windows XP dictates. That would be silly. Here's our policy here. The elements greenies i p saccharine and use all these different things.
And for the handful of systems running proprietary software that are not capable of supporting
we'll create an exception for them. Okay, so any sort of compliance issues must be documented. And I think you'll get on the test, you'll get, you know, a situation where a department is out of compliance with a policy. What do you do?
And they'll say, you know, they'll give you the opportunity to report to senior management, enforce the policy
or don't enforce the policy. But the answer is gonna be conduct a risk assessment. Okay? You're not following policy. You're not in compliance. Why?
What are the pros and cons of having you in compliance now? I may very well turn that in the report to senior management. Very likely. But I don't do that until I've conducted my risk assessment. I think you know, once we're up at the level of senior management, our actions
are very limited in our actions,
always are dependent upon research and assessment. So, just like, you know, many of the other courses I teach, I would tell you as well: stop,
analyze, assess the environment, figure out where we are in the grand scheme of things
and then make a thoughtful decision. We don't jump right into anything.
All right, so key success factors what is necessary. What are those key in a pillars, you could say for an enterprise architecture to be implemented correctly and successfully
top down senior management leads
senior management has buy in. Senior management makes support. We start by looking at the business all the way down.
And so
when we talk about our strategy, our technology processes, the organization as a whole, our people, you know, again, enterprise architecture's the, you know, the thread that ties us all together and helps us keep moving in the same way.
Bearing in mind that not every organization is the same. Not every organization is going to use the same framework. Not every organization has the same culture. So when we come into a new environment or we're tasked with,
um changing the existing environment, we have to know change comes slowly and it's very difficult to change culture within an organisation and it does not happen overnight,
right? So we have to be mindful of that, that my way or the highway doesn't really work in practicality and a lot of environments doesn't mean we don't enforce policy and that we don't draw the line in the sand. But it does mean that we have to accept the fact that we're gonna have to redirect folks within our organization.
We have to modify policies,
and usually we have to start out gently at first, if you will.
We need an architectural review board, absolutely. Because we as CISOs or as other IT consultants, risk consultants, Internet, ah, architects, third-party advisors, whatever roles are
and we'll have many people involved
in establishing the architecture. But we need a steering committee or review board that's gonna analyze the architecture as it is and make sure again that we're appropriately supporting the business as a whole, and we need a skill set here. We need
buy-in. We need support
and the board is responsible for leading this battle.
And if the board of directors isn't on board and senior management isn't on board, I can assure you end users won't be on board.
As I mentioned, you can't change the culture of an environment overnight, so we have to be realistic with our goals. You can't go from a culture that doesn't care about security to, all of a sudden, if you make a security error, you're fired. We have to make that shift slowly and gradually,
and we don't try to go from 0 to 60 overnight. We try to make small, manageable changes. And you know the old joke. How do you eat an elephant? One bite at a time. And that's what we're looking to do
If we find that our strategies when we're evaluating them don't support the organization in a way that's meaningful any longer, well, that's where change control comes in. And that's where we start to evaluate shifting our approach, how we handle certain things,
perhaps Decommissioning technology, perhaps acquiring new technology.
But again, it's all based on the assessment.
you know, um,
how how you know these questions that we've continued to ask, What can we do to bring the enterprise closer to where they want to be? And once we start delivering that and we provide tangible proof of what we've done has developed value.
That's the point in time when we begin to get some credibility within the organization
and that the organization understands the value of I T.
What sort of business initiatives are coming up? Because we want to examine those initiatives and figure out what our role is.
What is the enterprise need?
Same questions,
all right, and then benchmarking again. It's one thing to say. I understand the strategy and the objectives. I'm going to support it. But I need that proof. I need to provide a tangible element, tangible information on a report or
if not tangible, maybe quantitative information
so that we can talk about. OK, we've made this. I t investment here, the objectives for this particular tool or this additional service or this technology. Here's how we're gonna measure for it and this should you know, the
measurements, the objectives that's determined long before we make a purchase, right? We don't invest in a product
without having an anticipated set of objects of objectives and accomplishments for that control.
So in the planning process, we figure out what those objectives should be. We determine how we're gonna measure for them when we're gonna measure how we're gonna analyze those measurements and what to do if the control or the process isn't meeting its objectives. So ultimately,
we want to be able to show and to provide
senior management tangible evidence
of the support that the I t brings to the business as a whole. And it's so important because our goal is to keep our jobs. Our goal is to keep our I t department intact. Our goal is to continue to receive funding from senior management so that we can do our job. And
every time we're able to provide demonstrable
value to the business, we're that much more, we're that much closer to our goals. That makes sense. All right. So, you know, another value is senior management can look at our department versus other organizations,
but they have that quantitative information
to make a good decision.
All right, so 12 step approach to creating these benchmarks.
Get your management commitment, of course. Get your mission statement. And remember, you start with a vision, where you ultimately want to be, and your mission is gonna tell us how to get there. OK, again, very broad, but we have this lofty vision.
Mission is, here's the set of goals and objectives that will help us get there.
All right, So let's plan. Let's figure out how we're gonna accomplish these goals and objectives. We're gonna figure out who our customers are.
We're gonna get our hands dirty. We're gonna get out there, and we're gonna conduct the research. We're gonna talk to our customers. We're gonna talk to our business partners, and we're gonna take the information that they give us through questionnaires. We're gonna evaluate the data, and we're going to figure out what are those best practices.
Um, and ultimately, we're going to take all this information from our interviews and our surveys. We're going to take the metrics that we have, and we're gonna present those findings and we're gonna monitor the results, and we're gonna monitor early and often.
Okay? I can't tell you when, but I can tell you we need to monitor early and often,
and we want those quantitative
results that we can present to senior management. We want to be able to hand it over and say, this was the investment that was made by the business, and here are the returns that we've been able to see.
Now, I think that's actually a good place for us to leave off for the day. Um, we're gonna come back and talk about evaluating I t investments. But you can imagine we're going down the same line talking about the same information. So how are we going to determine that
value of investments? Well, we're gonna look at
where we stood in relation to perhaps compromises
we can talk about, you know, annual loss. How much were we losing on a particular risk event versus how much we're losing after the countermeasure, what the cost of the countermeasure was, and comparing those two elements. So we're basically doing our central calculations for return on investment.
But I always like to kind of wind down a little bit early and give you guys a chance
to ask some questions or make some contributions with the things that you have seen out in the environment and how they might relate to what we're talking about here in CGEIT. So what type of questions do you have?
Come on half start us off
and Mubasher. I know you always have some great questions, some great comments and I don't know. Ah, I don't have access to the list. I'm sure I probably have a few folks that I know from other courses as well,
but just want to give you the opportunity to ask some questions about the material
I, um, I'm not seeing any questions, but you guys all know how to reach me and how to reach Cybrary for any questions that you have. We are cutting off just a little bit early because this is the Thursday before the holiday season. Ho, ho, ho.
And, um, going to give you guys a little bit of a break, and we're going to come back and pick up on evaluating IT investment
two weeks from today.
So Lance, hi. Yeah, that's exactly what we're wrapping up. Lance's. I have to go get the gutters inspected at the new house. And, ah, just all the things with the new house. We're closing on a brand new house tomorrow with our four dogs and two kids. So thank God we're getting a bigger house.
Four of us sharing a single restroom. So my word, that's gonna be a challenge. Mubasher, that's a great question. One of the things that I have found traditionally is that ISACA's review manuals are great pieces of information. They're great, um,
sources of reference.
They're not terrific for preparing for the exam. And I've never known a single vendor that puts out a good set of material for their own exam. So yeah, this corresponds to the manual, but you'll see that there are things that we leave out and you'll see that there are things that we're more specific on.
So what I will tell you is the best way
to get an indication on what the test is gonna be like is start using review questions. Cybrary has, um, has Kaplan. No, I totally hear you. That's such a valid question. Honestly, in every ISACA course I teach,
I start by looking at the manual. I create a new outline based on the manual, and then halfway through I scrap it and I try to find something a little bit better and easier to work with and easier to communicate. So you're not gonna find this tightly bound at all to the manual,
and I agree with half. And I'll tell you,
if you can find, there's not a lot of preparation material out there for the CGEIT exam. So if it was CISSP, you'd have 30 different books to choose from. With CGEIT, you don't have enough, you don't have much. But what I would do
is, this class is gonna give you kind of the overview and hopefully help you direct your study. Start doing review questions, go to Kaplan's review for CGEIT
and just start drilling questions. And I'm not saying by any stretch, memorize those questions. That's not what we're about here. But what I am saying is let the number of questions and the types of questions you see, let that guide you for your study. And I agree. This is a cert that's gaining in popularity. But
the testing in the instructional field hasn't caught up
because, you know, you're just not going to find a lot of books out there. You're not gonna find press the practice questions. I do believe that Kaplan has questions for CGEIT, and I may be wrong. Perfect may be able to answer that better than I can. Um,
so if you can find a reasonably reputable test source, I was able to find a source that had something like 279 questions, so I used those kind of to shape the slides, because if the test prep
is quizzing you on it, that tells me it's probably closely related to what's on the exam. Um,
so the thing is, with this cert, until the training industry gets caught up, we're both kind of just picking and choosing and making our best assumption. You know, I can tell you what I've seen on the exam and how I've seen it and just the various context.
But ultimately, I haven't had a ton of students get back with me. I've taught this class a handful of times, you know, often to four or five students. So we're all just kind of, ah, with this test, it's not as clear cut as something like CISM or the CRISC. But we can certainly
do the best we can
drill the review questions that we have, try to make our assumptions on that and move from there. So certainly in this case you're gonna have to keep that CGEIT manual.
But I wouldn't feel like the depth that they go into in the manual is really relevant to their tests. They tend to be very principle and concept oriented without going into the minutiae of details. I would know COBIT. I would know Val IT.
I would know those little things, like the BCG matrix
SWOT analysis, those elements that they can quiz you about, you know, from a fact-based method. But I wouldn't go, I just wouldn't go into the minutiae of the manual.