Security as a Service (SecaaS)?

The paradigm shift to Cloud Computing is probably the most significant one our IT industry has experienced since the internet. The move to utility computing goes from infrastructures over platforms to software and applications. However, there has been a great deal of confusion in the industry about Cloud Computing. The cloud can be seen as the next phase in the evolution of the internet.

The call for Cloud Computing is not new. 15 years ago, when the dot-com bubble took off and broadband connections became more and more available, the term ‘on demand’ was used to refer to a scalable and customized service. New business models with service offerings like ‘video on demand’ and ‘software on demand’ brought a new class of centralized computing, called Application Service Providers (ASP). However, it still took some years for this new computing model to mature. Now that broadband connections are ubiquitously present, with even higher speeds than ever before, more mobility and powerful end-user devices, the cloud, a metaphor for the internet of today, has become a reality.

ASPs are now called Cloud Computing Providers, and through the cloud everything will be delivered not ‘on demand’ but ‘as a service’, from raw computing power to high-end business processes and personal computing. It seems like everything can be offered ‘as a service’. In the blog of Peter Laird the ‘as a Service’ landscape is presented as a minestrone soup, with several aaS terms categorized in several groups as shown in his map:

 

http://peterlaird.blogspot.com/2008/05/saas-soup-navigating-a-service-acronyms.html

Here we will focus on ‘Security as a Service’ (SecaaS). With the centralizing of computer resources, cloud consumers have recognized the need for secure service offerings from providers. Computer security is defined as the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (including hardware, software, firmware, information/data, and telecommunications). Cloud computing is mainly focused on availability but is quite elusive on integrity and confidentiality. We hear all kinds of rumors of large cloud providers that harvest the data stored in their huge data centers to offer new and personalized marketing information to advertisers. Cloud vendors have attempted to satisfy the (implicit) call for security by offering security services, but these services can take many forms and lack transparency regarding the deployed security controls. Commonly known areas of security that can be of interest are: network security, web security, business continuity and disaster recovery, data loss prevention, access controls, malicious software, identity services, IDS/IPS, CERT (Computer Emergency Response Team), security management, security audit, …

The market of IT security products and services seems to be heading in the direction of a lemon market. Since the quality of security products is difficult for users to measure, vendors are unable to charge a premium for extra security because of this information asymmetry. Still, the market for security products is very prosperous and is growing continuously. According to Gartner, cloud-based security service usage will more than triple in many sectors by 2013 (Cloud Security Alliance).

But if businesses migrate to the cloud, does this also imply a migration of all necessary security measures? In other words: is the risk for security breaches transferred to the cloud provider? If we answer that question positively, we come to the next question: can computer security then be seen as a utility that can be delivered on demand, or should it be seen as a necessary requirement incorporated in every computing service offering?

Computer (and information) security has become strategic for most businesses and enables an organization to accomplish its mission; however, security is not at the center of a competitive advantage. Slowly it is becoming a business process, but it has no clear focus. It is a game of chance with no one understanding the odds. Security is often unaccountable and unmanaged. From a broader perspective, computer security is an expanding element of global warfare. Therefore I do not believe that the full risk for security breaches can be transferred in a cloud computing agreement. The agent setting will again prevail in the relation between a customer and a cloud computing provider. In that way security will be sold as a service. Since we lack the necessary standards, transparency and trust will be the necessary ingredients to obtain third party security assurance services. Customers will have to negotiate the specific metrics defining the required service level to achieve security objectives, together with the more familiar SLAs already present in a tenant agreement. For most customers this can only be done with the help of a third party audit or of an SLA mediation service.

My prognosis is that Security as a Service (SecaaS) will soon overshadow SaaS, IaaS and PaaS.

jan devos

eTIC day in Brussels on 15 March 2012 | KMO-IT

Keynote on:

eTIC day in Brussels on 15 March 2012 | KMO-IT.

and you can find the slides on:

http://www.slideshare.net/jandevos/vertrouwen-sleutel-tot-geslaagde-it-projecten

 

jan devos

It gets so tiresome: failed IT projects!

The frequency and intensity with which the press reports on failed IT projects is at times downright hallucinatory. From the academic front, too, articles regularly drift our way in which ‘IT failures’ are eagerly studied. The danger looms that the community of IT professionals no longer takes these reports seriously. The remedies, too, have a very high ‘Been There, Seen That, Done That’ content.

Research shows that control theory is mainly put forward as the approach for managing IT projects. In practice this is translated and reduced to the management of three basic variables: budget, schedule and scope, which are all interconnected and strongly influence each other. However simple this may seem, it really is not. A recent scientific study again reports a massive failure of a series of 22 projects in a large organization. The worst projects went no less than 300% over the original budget. The author rightly asks how the management of these projects was approached. Answer: far too much at the overarching level and with too little attention to detail.

Rarely, but lately more and more, other methods of management (read: control) are being sought. These methods move away from the control paradigm that clearly dominates, and strive more for sense-making, so-called ‘management of meaning’, and leadership. IT projects are largely organizational projects that always cause an organizational change, wanted or not. Streamlining the change process and steering it in the right direction is not really easy and requires competencies that a project manager, and by extension the organization, often does not possess.

Another perspective that can be taken on IT projects is that of an alternative financial control. IT projects are highly risky and offer little certainty regarding the benefits to be realized. The classic budgeting techniques (ROI, payback, NPV, …) give little encouraging results in such situations. Moreover, once an IT project has been started, turning back is often expensive (high ‘switching costs’). From research in innovation we learn that innovations are very difficult to budget. IT projects are very comparable in that respect.

An idea that has been launched several times already is to use ‘real options’ to budget IT projects. An option grants the right, and certainly not the obligation, to derive benefits from future use of technology. This is entirely comparable to financial call options. The idea behind it is based on the fact that IT investments need time to reveal their benefits. An immediate return after an IT project has been delivered is usually not realistic, so why not aim at a more distant horizon? A company that already invested in an ERP system yesterday may perhaps begin to reap the rewards tomorrow, and gains an advantage over those companies that still have to make the investment.

Applying the ‘real options’ method in the budgeting exercise offers a number of advantages. First of all, budgeting is approached completely differently. Classic budgeting starts from very static estimates of the costs and benefits that accompany technological investments. Now this process is viewed dynamically, giving management the flexibility to make adjustments.

In addition, investments can be managed differently. By applying real options, risky projects get a greater chance of being selected. Paradoxically, these projects are often the most lucrative ones, but that will not show up when a classic, static NPV method is applied.

Finally, applying real options can avoid the annoying phenomenon of ‘runaway’ projects. As a result of the ‘sunk cost’ phenomenon, managers are sometimes inclined to show escalating commitment to projects that are actually already lost.

So, real options?
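A worked illustration of the NPV-versus-real-options argument above (my own example, not from the post; all figures are constructed, and the pilot stage is assumed to reveal the project's outcome immediately):

```python
"""Static NPV versus a staged 'real option' valuation of the same IT project.

All numbers are constructed for illustration (not from the post): the project
costs 1000 up front; with probability 0.4 it succeeds and yields 500 per year
for 5 years, with probability 0.6 it disappoints and yields only 100 per year.
The staged variant spends 200 on a pilot, learns which case applies, and only
then decides whether to commit the remaining 800 or to abandon.
"""
from dataclasses import dataclass

RATE = 0.10          # discount rate (assumption)
YEARS = 5            # benefit horizon in years (assumption)
FULL_COST = 1000.0   # total investment (constructed)
PILOT_COST = 200.0   # part of FULL_COST spent on the pilot stage (constructed)


@dataclass(frozen=True)
class Scenario:
    probability: float      # chance this outcome materializes
    annual_benefit: float   # yearly net benefit if it does


# Constructed outcome distribution of one risky ERP-style project.
SCENARIOS = (Scenario(0.4, 500.0), Scenario(0.6, 100.0))


def annuity_pv(cash_flow: float, rate: float = RATE, years: int = YEARS) -> float:
    """Present value of a level cash flow received at the end of each year."""
    return sum(cash_flow / (1 + rate) ** t for t in range(1, years + 1))


def static_npv(scenarios=SCENARIOS, cost: float = FULL_COST) -> float:
    """Classic NPV: commit the whole budget now against the expected benefit."""
    expected_benefit = sum(s.probability * s.annual_benefit for s in scenarios)
    return annuity_pv(expected_benefit) - cost


def continue_after_pilot(annual_benefit: float, remaining_cost: float) -> bool:
    """Decision at the pilot gate: compare future benefit with the money still
    to be spent. The pilot spend is sunk and deliberately does not appear here;
    letting it in is exactly the escalation that produces 'runaway' projects."""
    return annuity_pv(annual_benefit) - remaining_cost > 0


def staged_option_value(scenarios=SCENARIOS, cost: float = FULL_COST,
                        pilot: float = PILOT_COST) -> float:
    """Real-option view: pay for the pilot, then in each scenario take the
    better of continuing or abandoning (simplification: the pilot reveals the
    outcome within year 0, so the second stage is not discounted further)."""
    remaining = cost - pilot
    value = -pilot
    for s in scenarios:
        if continue_after_pilot(s.annual_benefit, remaining):
            value += s.probability * (annuity_pv(s.annual_benefit) - remaining)
    return value


if __name__ == "__main__":
    print(f"static NPV:          {static_npv():8.2f}")           # negative: rejected
    print(f"staged option value: {staged_option_value():8.2f}")  # positive: selected
```

The same project is rejected by static NPV (about -14) but worth about +238 once the right to abandon after the pilot is priced in, which is the selection effect the post describes.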

jan devos

Call for Chapters

Call for Chapters for the book

Information Systems and Small and Medium-sized Enterprises (SMEs)

State of art of IS research in SMEs

Editors:

Jan Devos, PhD, Ghent University, Belgium

Hendrik Van Landeghem, PhD, Ghent University, Belgium

Dirk Deschoolmeester, PhD, Ghent University, Belgium

Introduction

Small and Medium-sized Enterprises (SMEs) are of crucial importance to most economies all over the globe. Although there is no single generalized definition of an SME, they are most widely seen as companies with fewer than 500 (US & Canada) or 250 (Europe and elsewhere) employees. Since 2000, SMEs everywhere provide more than 50% of all employment (or 67% of employment outside the financial industry), a number that is growing continuously. Entrepreneurial SMEs are also seen as principal drivers of innovativeness and economic growth. However, SMEs are confronted more than large companies with resource constraints such as access to financial capital, IT expertise, knowledge and skills. For SMEs, a vital source of competitive advantage is the ability to remain agile and responsive to the business environment. The adoption of IT is therefore paramount for SMEs. Unfortunately, SMEs face numerous challenges in implementing information systems (IS). The lack of human and financial resources in SMEs often leads to a slower IT adoption process and to many IS failures. Although the literature points out significant differences between SMEs and large companies, IS research has predominantly focused on large companies, but often draws conclusions that are supposed to be applicable to SMEs. Recently, research on SMEs and IS has proliferated and has nearly become a standalone stream within the IS research field. This research stream is considered one of the top ten issues of information systems management. However, more research is needed to identify the factors that contribute to IS effectiveness.

Objectives of the Book

This book will establish and explore existing and emerging theories on SMEs and the adoption of IT/IS, present the latest empirical research findings in that area of IS research, and explore new technologies and practices in this area. The purpose of this book is to expand the knowledge and understanding of SMEs and the adoption of IT/IS.

Target Audience

The target audience of this book will be composed of professionals and researchers working in the field of IS research or the research of SMEs. Moreover, the book will also be a reference for researchers, professionals and students in management information systems science and related fields. The book will also be useful for practitioners, information systems managers, CEOs, CIOs who are responsible for implementing various information systems in their businesses and organizations.

Recommended topics include, but are not limited to, the following:

  • Behavioral and social studies of the impact of IT/IS on SMEs
  • IT/IS adoption in SMEs: determinants, enablers, barriers, and inhibitors: adoption of social media, e-business, e-commerce, e-SCM, and CRM
  • Evaluation of IS in SMEs: benefits, costs and risks, productivity studies, impact on organizational and personal performance
  • IT/IS capabilities, knowledge and practices in SMEs
  • SMEs and IT/IS outsourcing
  • Literature analyses and studies on IS research in SMEs
  • The role of IT/IS for innovation in SMEs
  • SMEs and Open Source Software
  • IS success, IS failures in SMEs
  • IT Governance in SMEs: Risk Management, Strategic Information Systems, IT/IS security, Performance Management, IS project/program/portfolio management in SMEs
  • Business Process Management (BPM) and EA/BP modelling in SMEs
  • ERP implementation and integration in SMEs
  • Cloud Computing in SMEs: Software as a Service (SaaS), software on demand, Software Oriented Architectures, Web Services, …
  • Researching IT/IS in SMEs: research methodologies and paradigms, best practices, case studies, use cases, action research, design science, …
  • IT/IS and SMEs in developing countries.

To ensure this publication presents the most comprehensive, current and relevant coverage of theories and models in IS research, we invite researchers and leading experts in their particular areas to contribute chapters of between 4000–8000 words. Chapters should ideally address all the objectives above, although chapters beyond the key objectives will also be considered.

Important Dates:

Deadline for submission of full chapters: August 1, 2012
Notification of review results: October 30, 2012

Revised chapters due: December 15, 2012
Final notification of chapter acceptance (revised chapters): January 30, 2012

Submission Details:

Individuals interested in submitting chapters (4,000-8,000 words) on the above or related topics should send an e-mail declaring their interest in submitting, including their name, affiliation, and proposed topic area, to Jan G. Devos, editor, at jan.devos@howest.be no later than May 15, 2012. The deadline for submission of full chapter(s) is August 1, 2012.

This book is scheduled for publication by Springer in 2013 (www.springer.com).

Trust: the key to successful IT projects

KMO-IT Supplier Event, 15-03-2012

Keynote presentation:

Trust: the key to successful IT projects.

 

jan devos

SMEs and ERP (Extreme Risky Projects)

We have been building information systems (IS) for more than 50 years now and still have not learned to do it successfully. Business literature as well as academic literature is full of cases reporting and explaining what went wrong. The Standish Group reports that almost 70% of IT projects are not successful, meaning that they went over budget, went over time, did not meet the initial requirements or were simply canceled. Although research on the phenomenon of IS failures has evolved enormously, it looks like not a lot has been learned. In the early days of the computer era, most IT failures were noticeable in the development of bespoke applications. Nowadays we see IT failures in ERP implementations.

IT failures can be classified into correspondence, process and interaction failures (Lyytinen et al., 1987). Correspondence failures occur when the outcome of the developed and implemented information system does not match the design. Process failures are errors in the development or implementation process; examples are running over time or over budget. Interaction failures occur when the users refuse to use the system for all sorts of reasons (resistance, not useful, no ease of use, …). Most IT failures, however, show a combination of all the aforementioned characteristics. The occurrence of these characteristics is in no way logical: one characteristic can provoke another.

The most frequent failure factors found in 2011 for software development projects are: ‘delivery date impacted the implementation/development process’, ‘project was underestimated’, ‘risks were not re-assessed, controlled or managed’ and ‘staff were not rewarded for working long hours’ (Cerpa and Verner, 2011). We see these factors in ERP projects as well. Additionally, for ERP projects Kim (2011) found that user resistance is also critical for the high failure rate. Kreps and Richardson (2007) state that large-scale IS projects suffer from recognized and well-documented problems including: ‘scope creep’, ‘escalation of costs’, ‘failure to meet the expectations of the stakeholders, who persistently overestimate the capacity of IT to solve operational problems’, ‘failure of the technicians in the project to engage with all stakeholders in the project, resulting in solutions that baffle the end-users and sometimes miss the point completely’.

What can we learn from all these findings?

I think that everything points towards an alternative approach to bringing IT into organizations. Small, discrete projects that are easily manageable seem to be of key importance. ERP projects are by definition large projects with long implementation times. Is this really the solution for SMEs? We should adopt a less imperative view of technology and of how information systems are socially as well as technically constructed. ERP systems are not born out of our theoretical insights into information systems, but were built by large enterprises and implemented manu militari. It should be clear that ERP systems will not install themselves in organizations, nor can their use be taken for granted.

For SMEs, Snider et al (2009) found six critical success factors for successfully implementing ERP: 1) operational process discipline, 2) small teams (less than 5), 3) sufficient project management capabilities (with strong leadership), 4) external end-user training, 5) management support (commitment), and 6) a qualified external consultant.

ERP projects are indeed extremely risky projects, and before starting one an SME should consider whether its internal organization is really ready to take on the challenge. In that process an independent software vendor should be as honest as possible, not hide the real risks of an ERP project, and even be brave enough to advise its SME prospect to forgo an ERP project when the risks are not taken seriously.

jan devos

All you need is trust? A critical review of the trust and entrepreneurship literature

Latest research on trust and entrepreneurs

 

All you need is trust? A critical review of the trust and entrepreneurship literature.
