Monday, July 15, 2019

How an agile focus for Enterprise Architects builds competitive advantage for digital transformation

http://www.opengroup.org/

The next BriefingsDirect business trends discussion explores the reinforcing nature of Enterprise Architecture (EA) and agile methods. 

We’ll now learn how Enterprise Architects can embrace agile approaches to build competitive advantages for their companies. 

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. 

To learn more about retraining and rethinking for EA in the Digital Transformation (DT) era, we are joined by Ryan Schmierer, Director of Operations at Sparx Services North America, and Chris Armstrong, President at Sparx Services North America. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: Ryan, what's happening in business now that’s forcing a new emphasis for Enterprise Architects? Why should Enterprise Architects do things any differently than they have in the past?


Schmierer: The biggest thing happening in the industry right now is around DT. We been hearing about DT for the last couple of years and most companies have embarked on some sort of a DT initiative, modernizing their business processes.

Schmierer
But now companies are looking beyond the initial transformation and asking, “What’s next?” We are seeing them focus on real-time, data-driven decision-making, with the ultimate goal of enterprise business agility -- the capability for the enterprise to be aware of its environments, respond to changes, and adapt quickly.

For Enterprise Architects, that means learning how to be agile both in the work they do as individuals and how they approach architecture for their organizations. It’s not about making architectures that will last forever, but architectures that are nimble, agile, and adapt to change.

Gardner: Ryan, we have heard the word, agile, used in a structured way when it comes to software development -- Agile methodologies, for example. Are we talking about the same thing? How are they related?

Agile, adaptive enterprise advances 

Schmierer: It’s the same concept. The idea is that you want to deliver results quickly, learn from what works, adapt, change, and evolve. It’s the same approach used in software development over the last few years. Look at how you develop software that delivers value quickly. We are now applying those same concepts in other contexts.

First is at the enterprise level. We look at how the business evolves quickly, learn from mistakes, and adapt the changes back into the environment.

Second, in the architecture domain, instead of waiting months or quarters to develop an architecture, vision, and roadmap, how do we start small, iterate, deliver quickly, accelerate time-to-value, and refine it as we go?

Gardner: Many businesses want DT, but far fewer of them seem to know how to get there. How does the role of the Enterprise Architect fit into helping companies attain DT?
The core job responsibility for Enterprise Architects is to be an extension of the company leadership and its executives. They need to look at where a company is trying to go ... and develop a roadmap on how to get there.

Schmierer: The core job responsibility for Enterprise Architects is to be an extension of company leadership and its executives. They need to look at where a company is trying to go, all the different pieces that need to be addressed to get there, establish a future-state vision, and then develop a roadmap on how to get there.

This is what company leadership is trying to do. The EA is there to help them figure out how to do that. As the executives look outward and forward, the Enterprise Architect figures out how to deliver on the vision.

Gardner: Chris, tools and frameworks are only part of the solution. It’s also about the people and the process. There's the need for training and best practices. How should people attain this emphasis for EA in that holistic definition?

Change is good 

Armstrong: We want to take a step back and look at how Ryan was describing the elevation of value propositions and best practices that seem to be working for agile solution delivery. How might that work for delivering continual, regular value? One of the major attributes, in our experience, of the goodness of any architecture, is based on how well it responds to change.

In some ways, agile and EA are synonyms. If you’re doing good Enterprise Architecture, you must be agile because responding to change is one of those quality attributes. That’s a part of the traditional approach of architecture – to be concerned with the interoperability and integration.

As it relates to the techniques, tools, and frameworks we want to exploit -- the experiences that we have had in the past – we try to push those forward into more of an operating model for Enterprise Architects and how they engage with the rest of the organization.
Learn About Agile Architecture
At The Open Group July Denver Event
So not starting from scratch, but trying to embrace the concept of reuse, particularly reuse of knowledge and information. It’s a good best practice, obviously. That's why in 2019 you certainly don't want to be inventing your own architecture method or your own architecture framework, even though there may be various reasons to adapt them to your environment.

Starting with things like the TOGAF® Framework, particularly its Architecture Development Method (ADM) and reference models -- those are there for individuals or vertical industries to accelerate the adding of value.

The challenge I've seen for a lot of architecture teams is they get sucked into the methodology and the framework, the semantics and concepts, and spend a lot of time trying to figure out how to do things with the tools. What we want to think about is how to enable the architecture profession in the same way we enable other people do their jobs -- with instant-on service offerings, using modern common platforms, and the industry frameworks that are already out there.

http://www.opengroup.org/
We are seeing people more focused on not just what the framework is but helping to apply it to close that feedback loop. The TOGAF standard, a standard of The Open Group, makes perfect sense, but people often struggle with, “Well, how do I make this real in my organization?”

Partnering with organizations that have had that kind of experience helps close that gap and accelerates the use in a valuable fashion. It’s pretty important.

Gardner: It’s ironic that I've heard of recent instances where Enterprise Architects are being laid off. But it sounds increasingly like the role is a keystone to DT. What's the mismatch there, Chris? Why do we see in some cases the EA position being undervalued, even though it seems critical?

EA here to stay 

Armstrong: You have identified something that has happened multiple times. Pendulum swings happen in our industry, particularly when there is a lot of change going on. People are getting a little conservative. We’ve seen this before in the context of fiscal downturns in economic climates.

But to me, it really points to the irony of what we perceive in the architecture profession based on successes that we have had. Enterprise Architecture is an essential part of running your business. But if executives don't believe that and have not experienced that then it’s not surprising when there's an opportunity to make changes in investment priorities that Enterprise Architecture might not be at the top of the list.

We need to be mindful of where we are in time with the architecture profession. A lot of organizations struggle with the glass ceiling of Enterprise Architecture. It’s something we have encountered pretty regularly, where executives are, “I really don’t get what this EA thing is, and what's in it for me? Why should I give you my support and resources?”
Learn About Agile Architecture
At The Open Group July Denver Event
But what’s interesting about that, of course, is if you take a step back you don’t see executives saying the same thing about human resources or accounting. Not to suggest that they aren’t thinking about ways to optimize those as a core competency or as strategic. We still do have an issue with acceptance of enterprise architecture based on the educational and developmental experiences a lot of executives have had.

We’re very hopeful that that trend is going to be moving in a different direction, particularly as relates to new master’s programs and doctorate programs, for example, in the Enterprise Architecture field. Those elevate and legitimize Enterprise Architecture as a profession. When people are going through an MBA program, they will have heard of enterprise architecture as an essential part of delivering upon strategy.

Gardner: Ryan, looking at what prevents companies from attaining DT, what are the major challenges? What’s holding up enterprises from getting used to real-time data, gaining agility, and using intelligence about how they do things?

Schmierer: There are a couple of things going on. One of them ties back to what Chris was just talking about -- the role of Enterprise Architects, and the role of architects in general. DT requires a shift in the relationship between business and IT. With DT, business functions and IT functions become entirely and holistically integrated and inseparable.

When there are no separate IT processes and no businesses process -- there are just processes because the two are intertwined. As we use more real-time data and as we leverage Enterprise Architecture, how do we move beyond the traditional relationship between business and IT? How do we look at such functions as data management and data architecture? How do we bring them into an integrated conversation with the folks who were part of the business and IT teams of the past?

A good example of how companies can do this comes in a recent release from The Open Group, the Digital Practitioner Body of Knowledge™ (DPBoK™). It says that there's a core skill set that is general and describes what it means to be such a practitioner in the digital era, regardless of your job role or focus. It says we need to classify job roles more holistically and that everyone needs to have both a business mindset and a set of technical skills. We need to bring those together, and that's really important.
As we look at what's holding up DT we need to take functions that were once considered centralized assets like EA and data management and bring them into the forefront. ... Enterprise Architects need to be living in the present.

As we look at what's holding up DT -- taking the next step to real-time data, broadening the scope of DT – we need to take functions that were once considered centralized assets, like EA and data management, and bring them into the forefront, and say, “You know what? You’re part of the digital transmission story as well. You’re key to bringing us along to the next stage of this journey, which is looking at how to optimize, bring in the data, and use it more effectively. How do we leverage technology in new ways?”

The second thing we need to improve is the mindset. It’s particularly an issue with Enterprise Architects right now. And it is that Enterprise Architects -- and everyone in digital professions -- need to be living in the present.

You asked why some EAs are getting laid off. Why is that? Think about how they approach their job in terms of the questions that would be asked in a performance review.

Those might be, “What have you done for me over the years?” If your answer focuses on what you did in the past, you are probably going to get laid off. What you did in the past is great, but the company is operating in the present.

What’s your grand idea for the future? Some ideal situation? Well, that’s probably going to get you shoved in a corner some place and probably eventually laid off because companies don't know what the future is going to bring. They may have some idea of where they want to get to, but they can’t articulate a 5- to 10-year vision because the environment changes so quickly. 
http://www.opengroup.org/

What have you done for me lately? That’s a favorite thing to ask in performance-review discussions. You got your paycheck because you did your job over the last six months. That’s what companies care about, and yet that’s not what Enterprise Architects should be supporting.

Instead, the EA emphasis should be what can you do for the business over the next few months? Focus on the present and the near-term future.

That’s what gets Enterprise Architects a seat at the table. That’s what gets the entire organization, and all the job functions, contributing to DT. It helps them become aligned to delivering near-term value. If you are entirely focused on delivering near-term value, you’ve achieved business agility.

Gardner: Chris, because nothing stays the same for very long, we are seeing a lot more use of cloud services. We’re seeing composability and automation. It seems like we are shifting from building to assembly.

Doesn’t that fit in well with what EAs do, focusing on the assembly and the structure around automation? That’s an abstraction above putting in IT systems and configuring them.

Reuse to remain competitive 

Armstrong: It’s ironic that the profession that’s often been coming up with the concepts and thought-leadership around reuse struggles a with how to internalize that within their organizations. EAs have been pretty successful at the implementation of reuse on an operating level, with code libraries, open-source, cloud, and SaaS.

There is no reason to invent a new method or framework. There are plenty of them out there. Better to figure out how to exploit those to competitive advantage and focus on understanding the business organization, strategy, culture, and vision -- and deliver value in the context of those.

For example, one of the common best practices in Enterprise Architecture is to create things called reference architectures, basically patterns that represent best practices, many of which can be created from existing content. If you are doing cloud or microservices, elevate that up to different types of business models. There’s a lot of good content out there from standards organizations that give organizations a good place to start.
Learn About Agile Architecture
At The Open Group July Denver Event
But one of the things that we've observed is a lot of architecture communities tend to focus on building -- as you were saying -- those reference architectures, and don't focus as much on making sure the organization knows that content exists, has been used, and has made a difference.

We have a great opportunity to connect the dots among different communities that are often not working together. We can provide that architectural leadership to pull it together and deliver great results and positive behaviors.

Gardner: Chris, tell us about Sparx Services North America. What do you all do, and how you are related to and work in conjunction with The Open Group?

Armstrong: Sparx Services is focused on helping end-user organizations be successful with Enterprise Architecture and related professions such as solution architecture and solution delivery, and systems engineering. We do that by taking advantage of the frameworks and best practices that standards organizations like The Open Group create, helping make those standards real, practical, and pragmatic for end-user organizations. We provide guidance on how to adapt and tailor them and provide support while they use those frameworks for doing real work.

And we provide a feedback loop to The Open Group to help understand what kinds of questions end-user organizations are asking. We look for opportunities for improving existing standards, areas where we might want to invest in new standards, and to accelerate the use of Enterprise Architecture best practices.

Gardner: Ryan, moving onto what's working and what's helping foster better DT, tell us what's working. In a practical sense, how is EA making those shorter-term business benefits happen?

One day at a time 

Schmierer: That’s a great question. We have talked about some of the challenges. It’s important to focus on the right path as well. So, what's working that an enterprise architect can do today in order to foster DT?

Number one, embrace agile approaches and an agile mindset in both architecture development (how you do your job) and the solutions you develop for your organizations. A good way to test whether you are approaching architecture in an agile way is the first iteration in the architecture. Can you go through the entire process of the Architecture Development Method (ADM) on a cocktail napkin in the time it takes you to have a drink with your boss? If so, great. It means you are focused on that first simple iteration and then able to build from there.

Number two, solve problems today with the components you have today. Don’t just look to the future. Look at what you have now and how you can create the most value possible out of those. Tomorrow the environment is going to change, and you can focus on tomorrow's problems and tomorrow’s challenges tomorrow. So today’s problems today.

Third, look beyond your current DT initiative and what’s going on today, and talk to your leaders. Talk to your business clients about where they need to go in the future. That goal is enterprise business agility, which is helping the company become more nimble. DT is the first step, then start looking at steps two and three.
Architects need to understand technology better, such things as new cloud services, IoT, edge computing, ML, and AI. These are going to have disruptive effects on your businesses. You need to understand them to be a trusted advisor to your organization.

Fourth, Architects need to understand technology better, such things as fast-moving, emerging technology like new cloud services, Internet of Things (IoT), edge computing, machine learning (ML), and artificial intelligence (AI) -- these are more than just buzz words and initiatives. They are real technology advancements. They are going to have disruptive effects on your businesses and the solutions to support those businesses. You need to understand the technologies; you need to start playing with them so you can truly be a trusted advisor to your organization about how to apply those technologies in business context.

Gardner: Chris, we hear a lot about AI and ML these days. How do you expect Enterprise Architects to help organizations leverage AI and ML to get to that DT? It seems really essential to me to become more data driven and analytics driven and then to re-purpose to reuse those analytics over and over again to attain an ongoing journey of efficiency and automation.

Better business outcomes 

Armstrong: We are now working with our partners to figure out how to best use AI and ML to help run the business, to do better product development, to gain a 360-degree view of the customer, and so forth.

It’s one of those weird things where we see the shoemaker’s children not having any shoes because they are so busy making shoes for everybody else. There is a real opportunity, when we look at some of the infrastructure that’s required to support the agile enterprise, to exploit those same technologies to help us do our jobs in enterprise architecture.

It is an emerging part of the profession. We and others are beginning to do some research on that, but when I think of how much time we and our clients have spent on the nuts and bolts collection of data and normalization of data, it sure seems like there is a real opportunity to leverage these emerging technologies for the benefit of the architecture practice. Then, again, the architects can be more focused on building relationships with people, understanding the strategy in less time, and figuring out where the data is and what the data means.

Obviously humans still need to be involved, but I think there is a great opportunity to eat your own dog food, as it were, and see if we can exploit those learning tools for the benefit of the architecture community and its consumers.

Gardner: Chris, do we have concrete examples of this at work, where EAs have elevated themselves and exposed their value for business outcomes? What’s possible when you do this right?

Armstrong: A lot of organizations are working things from the bottoms up, and that often starts in IT operations and then moves to solution delivery. That’s where there has been a lot of good progress, in improved methods and techniques such as scaled agile and DevOps.

http://www.opengroup.org/
But a lot of organizations struggle to elevate it higher. The DPBoK™  from The Open Group provides a lot of guidance to help organizations navigate that journey, particularly getting to the fourth level of the learning progression, which is at the enterprise level. That’s where Enterprise Architecture becomes essential. It’s great to develop software fast, but that’s not the whole point of agile solution delivery. It should be about building the right software the right way to meet the right kind of requirements -- and do that as rapidly as possible.

We need an umbrella over different release trains, for example, to make sure the organization as a whole is marching forward. We have been working with a number of Fortune 100 companies that have made good progress at the operational implementation levels. They nonetheless now are finding that particularly trying, to connect to business architecture.

There have been some great advancements from the Business Architecture Guild and that’s been influencing the TOGAF framework, to connect the dots across those agile communities so that the learnings of a particular release train or the strategy of the enterprise is clearly understood and delivered to all of those different communities.

Gardner: Ryan, looking to the future, what should organizations be doing with the Enterprise Architect role and function?

EA evolution across environments 

Schmierer: The next steps don’t just apply to Enterprise Architects but really to all types of architects. So look at the job role and how your job role needs to evolve over the next few years. How do you need to approach it differently than you have in the past?

For example, we are seeing Enterprise Architects increasingly focus on issues like security, risk, reuse, and integration with partner ecosystems. How do you integrate with other companies and work in the broader environments?

We are seeing Business Architects who have been deeply engaged in DT discussions over the last couple of years start looking forward and shifting the role to focus on how we light up real-time decision-making capabilities. Solution Architects are shifting from building and designing components to designing assembly and designing the end systems that are often built out of third-party components instead of things that were built in-house.


Look at the job role and understand that the core need hasn’t changed. Companies need Enterprise Architects and Business Architects and Solution Architects more than ever right now to get them where they need to be. But the people serving those roles need to do that in a new way -- and that’s focused on the future, what the business needs are over the next 6 to 18 months, and that’s different than what they have done in past.

Gardner: Where can organizations and individuals go to learn more about Agile Architecture as well as what The Open Group and Sparx Services are offering?

Schmierer: The Open Group has some great resources available. We have a July event in Denver focused on Agile Architecture, where they will discuss some of the latest thoughts coming out of The Open Group Architecture Forum, Digital Practitioners Work Group, and more. It’s a great opportunity to learn about those things, network with others, and discuss how other companies are approaching these problems. I definitely point them there.
Learn About Agile Architecture
At The Open Group July Denver Event
I mentioned the DPBoK™. This is a recent release from The Open Group, looking at the future of IT and the roles for architects. There’s some great, forward-looking thinking in there. I encourage folks to take a look at that, provide feedback, and get involved in that discussion.

And then Sparx Services North America, we are here to help architects be more effective and add value to their organizations, be it through tools, training, consulting, best practices, and standards. We are here to help, so feel free to reach out at our website. We are happy to talk with you and see how we might be able to help.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: The Open Group.

You may also be interested in:

Thursday, July 11, 2019

For a UK borough, solving security issues leads to operational improvements and cost-savings across its IT infrastructure


The next BriefingsDirect enterprise IT productivity discussion focuses on solving tactical challenges around security to unlock strategic operational benefits in the public sector.

For a large metropolitan borough council in South Yorkshire, England, an initial move to thwarting recurring ransomware attacks ended up a catalyst to wider IT infrastructure performance, cost, operations, and management benefits.

This security innovations discussion then examines how the Barnsley Metropolitan Borough Council information and communications technology (ICT) team rapidly deployed malware protection across 3,500 physical and virtual workstations and servers. 

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy.

Here to share the story of how that one change in security software led to far higher levels of user satisfaction -- and a heightened appreciation for the role and impact of small IT teams -- is Stephen Furniss, ICT Technical Specialist for Infrastructure at Barnsley Borough Council. The interview was conducted by Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: Stephen, tell us about the Barnsley Metropolitan Borough. You are one of 36 metropolitan counties in England, and you have a population of about 240,000. But tell us more about what your government agencies provide to those citizens.

Furniss
Furniss: As a Council, we provide wide-ranging services to all the citizens here, from things like refuse collection on a weekly basis; maintaining roads, potholes, all that kind of stuff, and making sure that we look after the vulnerable in society around here. There is a big raft of things that we have to deliver, and every year we are always challenged to deliver those same services, but actually with less money from central government.

So it does make our job harder, because then there is not just a squeeze across a specific department in the Council when we have these pressures, there is a squeeze across everything, including IT. And I guess one of our challenges has always been how we deliver more or the same standard of service to our end users, with less budget.

So we turn to products that provide single-pane-of-glass interfaces, to make the actual management and configuration of things a lot easier. And [we turn to] things that are more intuitive, that have automation. We try and drive, making everything that we do easier and simpler for us as an IT service.

Gardner: So that boils down to working smarter, not harder. But you need to have the right tools and technology to do that. And you have a fairly small team, 115 or so, supporting 2,800-plus users. And you have to be responsible for all aspects of ICT -- the servers, networks, storage, and, of course, security. How does being a small team impact how you approach security?

Furniss: We are even smaller than that. In IT, we have around 115 people, and that’s the whole of IT. But just in our infrastructure team, we are only 13 people. And our security team is only three or four people.
In IT, we have around 115 people, but just in infrastructure we are only 13 people. It can become a hindrance when you get overwhelmed with security incidents, yet it's great to have  a small team to bond and come up with solutions.

It can become a hindrance when you get overwhelmed with security incidents or issues that need resolving. Yet sometimes it's great to have that small team of people. You can bond together and come up with really good solutions to resolve your issues.

Gardner: Clearly with such a small group you have to be automation-minded to solve problems quickly or your end users will be awfully disappointed. Tell us about your security journey over the past year-and-a-half. What’s changed?

Furniss: A year-and-a-half ago, we were stuck in a different mindset. With our existing security product, every year we went through a process of saying, “Okay, we are up for renewal. Can we get the same product for a cheaper price, or the best price?”

We didn’t think about what security issues we were getting the most, or what were the new technologies coming out, or if there were any new products that mitigate all of these issues and make our jobs -- especially being a smaller team -- a lot easier.

But we had a mindset change about 18 months back. We said, “You know what? We want to make our lives easier. Let’s think about what’s important to us from a security product. What issues have we been having that potentially the new products that are out there can actually mitigate and make our jobs easier, especially with us being a smaller team?”

Gardner: Were reoccurring ransomware attacks the last straw that broke the camel’s back?

Staying a step ahead of security breaches

Furniss: We had been suffering with ransomware attacks. Every couple of years, some user would be duped into clicking on a file, email, or something that would cause chaos and mayhem across the network, infecting file-shares, and not just that individual user’s file-share, but potentially the files across 700 to 800 users all at once. Suddenly they found their files had all been encrypted.

From an IT perspective, we had to restore from the previous backups, which obviously takes time, especially when you start talking about terabytes of data.

https://www.barnsley.gov.uk/
That was certainly one of the major issues we had. And the previous security vendor would come to us and say, “All right, you have this particular version of ransomware. Here are some settings to configure and then you won't get it again.” And that’s great for that particular variant, but it doesn’t help us when the next version or something slightly different shows up, and the security product doesn’t detect it.

That was one of our real worries and pain that we suffered, that every so often we were just going to get hit with ransomware. So we had to change our mindset to want something that’s actually going to be able to do things like machine learning (ML) and have ransomware protection built-in so that we are not in that position. We could actually get on with our day-to-day jobs and be more proactive – rather than being reactive -- in the environment. That’s was a big thing for us.

Also, we need to have a lot of certifications and accreditations, being a government authority, in order to connect back to the central government of the UK for such things as pensions. So there were a lot of security things that would get picked up. The testers would do a penetration test on our network and tell us we needed to think about changing stuff.

Gardner: It sounds like you went from a tactical approach to security to more of an enterprise-wide security mindset. So let's go back to your thought process. You had recurring malware and ransomware issues, you had an audit problem, and you needed to do more with less. Tell us how you went from that point to get to a much better place.

Safe at home, and at work 

Furniss: As a local authority, with any large purchase, usually over 2,500 pounds (US$3,125), we have to go through a tender process. We write in our requirements, what we want from the products, and that goes on a tender website. Companies then bid for the work.

It’s a process I’m not involved in. I am purely involved in the techie side of things, the deployment, and managing and looking after the kit. That tender process is all done separately by our procurement team.

So we pushed out this tender for a new security product that we wanted, and obviously we got responses from various different companies, including Bitdefender. When we do the scoring, we work on the features and functionality required. Some 70 percent of the scoring is based on the features and functionality, with 30 percent based on the cost.

What was really interesting was that Bitdefender scored the highest on all the features and functionalities -- everything that we had put down as a must-have. And when we looked at the actual costs involved -- what they were going to charge us to procure their software and also provide us with deployment with their consultants -- it came out at half of what we were paying for our previous product.
Bitdefender scored the highest on all the features and functionalities -- everything that we had put down as must-have. And the actual costs were half of what we were paying.

So you suddenly step back and you think, “I wish that we had done this a long time ago, because we could have saved money as well as gotten a better product.”

Gardner: Had you been familiar with Bitdefender?

Furniss: Yes, a couple of years ago my wife had some malware on her phone, and we started to look at what we were running on our personal devices at home. And I came up with Bitdefender as one of the best products after I had a really good look around at different options.

I went and bought a family pack, so effectively I deployed Bitdefender at home on my own personal mobile, my wife’s, my kids’, on the tablets, on the computers in the house, and what they used for doing schoolwork. And it’s been great at protecting us from anything. We have never had any issues with an infection or malware or anything like that at home.

It was quite interesting to find out, once we went through the tender process, that it was Bitdefender. I didn’t even know at that stage who was in the running. When the guys told me we are going to be deploying Bitdefender, I was thinking, “Oh, yeah, I use that at home and they are really good.”

Monday, Monday, IT’s here to stay 

Gardner: Stephen, what was the attitude of your end users around their experiences with their workstations, with performance, at that time?

Furniss: We had had big problems with end users’ service desk calls to us. Our previous security product required a weekly scan that would run on the devices. We would scan their entire hard drives every Friday around lunchtime.

You try to identify when the quiet periods are, when you can run an end-user scan on their machine, and we had come up with Friday’s lunchtime. In the Council we can take our lunch between noon and 2 p.m., so we would kick it off at 12 and hope it would finish in time for when users came back and did some work on the devices.

http://www.bitdefender.com/
And with the previous product -- no matter what we did, trying to change dates, trying to change times -- we couldn’t get anything that would work in a quick enough time frame and complete the scans rapidly. It could be running for two to three hours, taking high resources on their devices. A lot of that was down to the spec of the end-user devices not being very good. But, again, when you are constrained with budgets, you can only put so many resources into buying kit for your users.

So, we would end up with service desk calls, with people complaining, saying, “Is there any chance you can change the date and time of the scan? My device is running slow. Can I have a new device?” And so, we received a lot of complaints.

And we also noticed, usually Monday mornings, that we would also have issues. The weekend was when we did our server scans and our full backup. So we would have the two things clashing, causing issues. Monday morning, we would come in expecting those backups to have completed, but because it was trying to fight with the scanning, neither was fully completed. We worried if we were going to be able to recover back to the previous week.

Our backups ended up running longer and longer as the scans took longer. So, yes, it was a bit painful for us in the past.

Gardner: What happened next?

Smooth deployer 

Furniss: Deployment was a really, really good experience. In the past, we have had suppliers come along and provide us a deployment document, some description, and it would be their standard document, there was nothing customized. They wouldn’t speak with us to find out what’s actually deployed and how their product fit in. It was just, “We are going to deploy it like this.” And we would then have issues trying to get things working properly, and we’d have to go backward and forward with a third party to get things resolved.

In this instance, we had Bitdefender’s consultants. They came on-site to see us, and we had a really good meeting. They were asking us questions: “Can you tell us about your environment? Where are your DMZs? What applications have you got deployed? What systems are you using? What hypervisor platforms have you got?” And all of that information was taken into account in the design document that they customized completely to best fit their best practices and what we had in place.

We ended up with something we could deploy ourselves, if we wanted to. We didn’t do that. We took their consultancy as a part of the deployment process. We had the Bitdefender guys on-site for a couple of days working with us to build the proper infrastructure services to run GravityZone.

And it went really well. Nothing was missed from the design. They gave us all the ports and firewall rules needed, and it went really, really smoothly.

https://www.barnsley.gov.uk/

We initially thought we were going to have a problem with deploying out to the clients, but we worked with the consultants to come up with a way around impacting our end-users during the deployment.

One of our big worries was that when you deploy Bitdefender, the first thing it does is see if there is a competitive vendor’s product on the machine. If it finds that, it will remove it, and then restart the user’s device to continue the installation. Now, that was going to be a concern to us.

So we came up with a scripted solution that we pushed out through Microsoft System Center Configuration Manager. We were able to run the uninstall command for the third-party product, and then Bitdefender triggered for the install straightaway. The devices didn’t need rebooting, and it didn’t impact any of our end users at all. They didn’t even know there was anything happening. The only thing that would see is the little icon in the taskbar changing from the previous vendor’s icon to Bitdefender.


It was really smooth. We got the automation to run and push out the client to our end users, and they just didn’t know about it.

Gardner: What was the impact on the servers?

Environmental change for the better 

Furniss: Our server impact has completely changed. The full scanning that Bitdefender does, which might take 15 minutes, is far less time than the two to three hours before on some of the bigger file servers.

And then once it’s done with that full scan, we have it set up to do more frequent quick scans that take about three minutes. The resource utilization of this new scan set up has just totally changed the environment.

Because we use virtualization predominantly across our server infrastructure, we have even deployed the Bitdefender scan servers, which allow us to do separate scans on each of our virtualized server hosts. It does all of the offloading of the scanning of files and malware and that kind of stuff.

It’s a lightweight agent, it takes less memory, less footprint, and less resources. And the scan is offloaded to the scan server that we run.

The impact from a server perspective is that you no longer see spikes in CPU or memory utilization with backups. We don’t have any issues with that kind of thing anymore. It’s really great to see a vendor come up with a solution to issues that people seem to have across the board.

https://www.barnsley.gov.uk/
Gardner: Has that impacted your utilization and ability to get the most virtual machines (VMs) per CPU? How has your total costs equation been impacted?

Furniss: The fact that we are not getting all these spikes across the virtualization platform means we can squeeze in more VMs per host without an issue. It means we can get more bank for buck, if you like.

Gardner: When you have a mixed environment -- and I understand you have Nutanix hyperconverged (HCI), Hyper-V and vSphere VMs, some Citrix XenServer, and a mix of desktops -- how does managing such heterogeneity with a common security approach work? It sounds like that could be kind of a mess.

Furniss: You would think it would be a mess. But from my perspective, Bitdefender GravityZone is really good because I have this all on a single pane of glass. It hooks into Microsoft ActiveDirectory, so it pulls back everything in there. I can see all the devices at once. It hooks into our Nutanix HCI environment. I can deploy small scan servers into the environment directly from GravityZone.

If I decide on an additional scan server, it automatically builds that scan server in the virtual environment for me, and it’s another box that we’ve got for scanning everything on the virtual service.
Bitdefender GravityZone is really good because I have this all on a single pane of glass. I can see all the devices at once. I can deploy small scan servers into the environment directly from GravityZone.

It’s nice that it hooks into all these various things. We currently have some legacy VMware. Bitdefender lets me see what’s in that environment. We don’t use the VMware NSX platform, but it gives me visibility across an older platform even as I’m moving to get everything to the Nutanix HCI.

So it makes our jobs easier. The additional patch management module that we have in there, it’s one of the big things for us.

For example, we have always been really good at keeping our Windows updates on devices and servers up to the latest level. But we tended to have problems keeping updates ongoing for all of our third-party apps, such as Adobe Reader, Flash, and Java across all of the devices.

You can get lost as to what is out there unless you do some kind of active scanning across your entire infrastructure, and the Bitdefender patch management allows us to see where we have different versions of apps and updates on client devices. It allows us to patch them up to the latest level and install the latest versions.

From that perspective, I am again using just one pane of glass, but I am getting so much benefit and extra features and functionality than I did previously in the many other products that we use.

Gardner: Stephen, you mentioned a total cost of ownership (TCO) benefit when it comes to server utilization and the increased VMs. Is there another economic metric when it comes to administration? You have a small number of people. Do you see a payback in terms of this administration and integration value?

Furniss: I do. We only have 13 people on the infrastructure team, but only two or three of us actively go into the Bitdefender GravityZone platform. And on a day-to-day basis, we don’t have to do that much. If we deploy a new system, we might have to monitor and see if there is anything that’s needed as an exception if it’s some funky application.

But once our applications are deployed and our servers are up and running, we don’t have to make any real changes. We only have to look at patch levels with third-parties, or to see if there are any issues on our end points and needs our attention.

The actual amount of time we need to be in the Bitdefender console is quite reduced so it’s really useful to us.

Gardner: What’s been the result this last year that you have had Bitdefender running in terms of the main goal -- which is to be free of security concerns?

Proactive infection protection 

Furniss: That’s just been the crux of it. We haven’t had any malware any ransomware attacks on our network. We have not had to spend days, weeks, or hours restoring files back or anything like that -- or rebuilding hundreds of machines because they have something on them. So that’s been a good thing.

Another interesting thing for us, we began looking at the Bitdefender reports from day one. And it had actually found, going back 5, 6, or 7 years, that there was malware or some sort of viruses still out there in our systems.

And the weird thing is, our previous security product had never even seen this stuff. It had obviously let it through to start with. It got through all our filtering and everything, and it was sitting in somebody’s mailbox ready -- if they clicked on it – to launch and infect the entire network.

Straightaway from day one, we were detecting stuff that sat for years in people’s mailboxes. We just didn’t even know about it.

http://www.bitdefender.com/

So, from that perspective, it’s been fantastic. We’ve not had any security outbreaks that we had to deal with, or anything like that.

And just recently, we had our security audit from our penetration testers. One of the things they try to do is actually put some malware on to a test device. They came back and said they had not been able to do that. They have been unable to infect any of our devices. So that’s been a really, really good thing from our perspective.

Gardner: How is that translated into the perception from your end users and your overseers, those people managing your budgets? Has there been a sense of getting more value? What’s the satisfaction quotient, if you will, from your end users?

Furniss: A really good, positive thing has been that they have not come back and said that there’s anything that we’ve lost. There are no complaints about machines being slow.

We even had one of our applications guys say that their machine was running faster than it normally does on Fridays. When we explained that we had swapped out the old version of the security product for Bitdefender, it was like, “Oh, that’s great, keep it up.”
There are no complaints about machines being slow. One of our apps guy says that their machine was running faster than normal. From IT, we are really pleased.

For the people higher up, at the minute, I don’t think they appreciate what we’ve done.  That will come in the next month as we start presenting to them our security reports and the reports from the audit about how they were unable to infect an end-user device.

From our side, from IT, we are really, really pleased with it. We understand what it does and how much it’s saving us from the pains of having to restore files. We are not being seen as one of these councils or entities that’s suddenly plastered across the newspaper and had its reputation tarnished because anyone has suddenly lost all their systems or been infected or whatever.

Gardner: Having a smoothly running organization is the payoff.

Before we close out, what about the future? Where would you like to see your security products go in terms of more intelligence, using data, and getting more of a proactive benefit?

Cloud on the horizon 

Furniss: We are doing a lot more now with virtualization. We have only about 50 physical servers left. We are also thinking about the cloud journey. So we want the security products working with all of that stuff up in the cloud. It’s going to be the next big thing for us. We want to secure that area of our environment if we start moving infrastructure servers up there.

Can we protect stuff up in the cloud as well as what we have here?

Gardner: Yeah, and you mentioned, Stephen, at home that you are using Bitdefender down into your mobile devices, is that also the case with your users in the council, in the governance there or is there a bring your own device benefit or some way that you are looking to allow people to use more of their own devices in context of work? How does that mobile edge work in the future?

Furniss: Well, I don’t know. I think a mobile device is quite costly for councils to actually deploy, but we have taken the approach of -- if you need it for work, then you get one. We currently have got a project to look at deploying the mobile version of Bitdefender to our actual existing Android users.

Gardner: Now that you have 20/20 hindsight with using this type of security environment over the course of a year, any advice for folks in a similar situation?

Furniss: Don’t be scared of change. I think one of the things that always used to worry me was that we knew what we were doing with a particular vendor. We knew what our difficulties were. Are we going to be able to remove it from all the devices?

Don’t worry about that. If you are getting the right product, it’s going to take care of lot of the issues that you currently have. We found that deploying the new product was relatively easy and didn’t cause any pain to our end-users. It was seamless. They didn’t even know we had done it.

Some people might be thinking that they have a massive estate and it’s going to be a real headache. But with automation and a bit of thinking about how and what are you going to do, it’s fairly straightforward to deploy a new antivirus product to your end users. Don’t be afraid of change and moving into something new. Get the best use of the new products that there are out there.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: Bitdefender.

You may also be interested in: