Risk Management
Achieving Business Benefits by Implementing Enterprise Risk Management
The global financial crisis and the oil spill in the Gulf of Mexico highlight the significance of risk in business and the need to embed capacities and capabilities for the management, mitigation, and response to risk.
From the ownership of risk by company directors through management of risk at the source in everyday business operations, this Executive Report brings practical experience to the implementation, management, and benefit realization of a risk-based approach to business (aka enterprise risk management).
Published: July 2010, 28 pages, PDF format
Authors: Keith Sherringham and Bhuvan Unhelkar
And Now for Something Completely Different: IT Governance from a Relationship Perspective
Traditional process/compliance-centered approaches to IT governance have not proven totally effective against the general malaise of often poor return from IT investments.
This Executive Report by Dr. Laurence Lock Lee offers a relationship-centered approach to IT governance as a profitable adjunct to traditional approaches.
Published: April 2010, 20 pages, PDF format
Author: Dr. Laurence Lock Lee
Can't Anybody Do Risk Management?
Risk management as practiced in the financial sector has now been revealed as a charade. Risk management as practiced in IT is probably little better.
Council Opinions are prepared by the Cutter Business Technology Council and include the commentary of each Council Fellow and the logic behind his or her concurring or dissenting opinion, as well as the strategic implications of the trend.
Domain: IT Strategy (Assertion #181)
Over the past two decades, the topic of risk management -- explicitly at the systems portfolio and project development levels -- has been hailed as an indication of IT's coming of age. The present economic meltdown has proved that the finance industry's practice of risk management was more about covering up risk than managing it. The factors that made financial managers want to game the system are all too similar to factors working on IT managers. We would be fools indeed to believe that risk management in our organizations is working better than its prototype in banking and insurance.
This Business Technology Trends Council Opinion by Tom DeMarco considers what went wrong with risk management in the financial and insurance industries in recent years, and how a better alignment of an executive's personal risk profile with his/her corporation's risk profile might yield more positive results. You'll learn why employees at lower levels have "other" factors in their individual risk profile -- beyond financial reward -- that can make sound risk management problematic, and how to overcome these challenges. Finally, you'll gain advice on how to avoid flawed risk management approaches and replace them with serious risk management.
Published: April 2009, 17 pages, PDF format
Authors: Tom DeMarco, Lynne Ellyn, Mark Seiden, Ken Orr, Christine Davis, and Tim Lister
Corporate Cyber Attacks, Threats, and Security!
All companies are targets for hackers, and all are vulnerable. No one is immune: even Google got hacked. Every company will have some disgruntled employees. And most organizations are largely defenseless. Sooner or later, every company is a target. Will it happen to yours? Why? How? When? What damage has already been done?
The new report Corporate Cyber Attacks, Threats and Security by Arun K. Majumdar -- based on facts, evidence, and real-world cases of cyber crime -- reveals how hackers communicate and do business as well as their methods of developing vulnerabilities and attacks.
This gripping, easy-to-read report will help you achieve clear situational awareness of your organization's security risk and equip you to take the steps required to mitigate those risks. You'll learn a host of critical issues you should be aware of to immediately assess your cyber security status.
This report will help you:
- Get insight into a hacker's most popular styles of attack via a 15-point countermeasures checklist
- Architect hard-to-hack corporate infrastructures and mitigate the risk of social engineering techniques used by hackers
- Understand the 5 critical areas that a chief/cyber security officer needs to set up as a baseline for cyber security operations
- Find out if your corporate culture enables cyber threats
- Mitigate cyber threats via easy-to-use executive checklists
You'll also explore executive liabilities and accountabilities, the top eight cyber security cases, and a multitude of need-to-know issues for immediate practical use.
Published: May 2011, 19 pages, PDF format
Author: Arun K. Majumdar
Ending Security and Privacy Leaks
Has your organization done all it can do to reduce the risk of a security incident or privacy breach?
There is a growing consensus that today's organizations have an obligation to take reasonable security measures to protect personally identifiable information. The increasing number of security and privacy incidents -- accompanied by expanding fines, penalties, and civil actions -- emphasizes the need for information security and privacy programs that effectively safeguard personal data.
The new report Ending Security and Privacy Leaks edited by Cutter Senior Consultant Rebecca Herold -- one of Computerworld's "Best Privacy Advisers" of 2008 -- offers expert advice and recommendations that will help your organization create an effective information security and privacy program. You'll get the tools you need to raise the risk-intelligence level of everyone in your company, helping you transform your organization into a privacy-conscious one.
This report will help you:
- Assist business management in understanding and taking ownership of security and privacy issues
- Understand and comply with existing privacy breach notice laws both in the United States and throughout the world
- Overcome the weakest link in information security and privacy assurance -- your own people
- Address the issue of vendor responsibility in the chain of data privacy
- Provide effective, targeted information security and privacy training to your employees, coupled with ongoing awareness communications
- Adopt secure work practices and gain budgetary approvals for security tools, enterprise policies and special information security and privacy initiatives
- Consider whether or not your organization should use managed security services providers to monitor your IT infrastructure
- Avoid wrongful termination lawsuits from disgruntled employees who have engaged in the unauthorized use of your business communications systems
You'll take a look at some real-world costly security and privacy breaches that could likely have been prevented, and you'll discuss more effective ways to motivate your employees and your contractors to support your privacy goals through the use of creative incentives.
This report also reviews the 14 mistakes organizations consistently make that render training and awareness programs ineffective, and often even detrimental, to information security and privacy efforts, and it provides a list of 9 questions your organization should ask itself to determine how much training it needs to provide its business partners.
Table of Contents
Introduction: The Convergence of Information Security, Privacy, and Compliance by Rebecca Herold.
Chapter 1: Cautionary Tales About Information Security, Privacy, and Compliance -- From the Archives of McCarter & English, LLP by William Zucker, with William Heller, Scott Christie, and John McKelway. Hear four (often rollicking) stories about the costly information security, privacy, and compliance mistakes real-world firms have made.
Chapter 2: All Together Now -- Converging to Build Information Security and Privacy Awareness by Ilene Switalski Klein. Receive proven strategies for creating an effective and thoroughgoing security awareness program.
Chapter 3: Driving the Point Home -- Using Privacy Dashboards to Implement Secure Work Practices by Nandita Jain Mahajan. Gain sage advice on incident reporting, remediation, and prevention.
Chapter 4: Advancing Security and Privacy Through Collaborative Risk Management by Ron Woerner. Discover how collaborative risk management can bring the right groups together to find your organization's privacy and security "sweet spot".
Chapter 5: Identity 3D3C: Confronting the Security and Privacy Challenges in Virtual Worlds by Yesha Sivan. Explore the security and privacy risks that virtual worlds present and discover a systemic approach to "identity" as a means of addressing them.
Chapter 6: Getting Their Act Together -- A Retailer Takes a Cross-Organizational Approach to Information Security and Privacy Compliance by Graydon McKee. Learn how a midsized online retailer, still reeling from lawsuits and a highly public data breach, righted its course by implementing a formal risk management program.
Chapter 7: From Sticks to Carrots -- Creating Business Incentives for Security and Privacy Programs by Lee Imrey. Gain ways to motivate business leaders and the rank and file to support your security and privacy goals through the use of creative incentives.
Chapter 8: Security and Privacy Convergence -- A Global Governance Perspective by Richard Baskerville and Ed McPherson. Explore a host of ways companies can engage outside resources -- professional societies, universities, law enforcement agencies, and others -- to further your security and privacy governance goals with little additional organizational investment.
Chapter 9: Securing the Information Border -- An SDLC Approach to Security and Privacy Protection by Stacey Banks. Discover a six-step process for ensuring that each of your organization's systems is protected according to the needs of the information housed within.
Chapter 10: In Search of Low-Hanging Fruit: Improving Security and Privacy with Penetration Testing by Bryan Miller. Hear from a professional penetration tester, who will tell you why it's in your best interests to have someone like him break into your network.
Chapter 11: Heightening Information Security Along with Privacy Training and Awareness by Rebecca Herold. Learn how to create a more effective information security and privacy defense by building a culture of employee awareness.
Published: October 2009, 170 pages, PDF format
Authors: Stacey Banks, Richard Baskerville, Scott S. Christie, William J. Heller, Rebecca Herold, Lee Imrey, Ilene Switalski Klein, Nandita Jain Mahajan, Graydon McKee, Ed McPherson, John M. McKelway, Jr., Bryan Miller, Yesha Sivan, Ron Woerner, and William A. Zucker
Enterprise Risk Management Framework: A Practical View
Enterprise risk management (ERM) supports management's desire to manage the organization's risk effectively and to create sustainable value for its stakeholders through capital growth and an increased dividend stream.
No organization operates in a risk-free environment, and ERM does not create such an environment. The goal of this Executive Report by Ken Doughty is to provide a practical view of ERM and its components in order to gain an understanding of what is required to assist organizations in managing and surviving their risks.
Published: January 2010, 28 pages, PDF format
Author: Ken Doughty
Mobile Privacy and Security: The Next Frontier of IT Risk Management
Given the unabated trends toward continued miniaturization, connectivity, and battery longevity, it is undeniable that mobile security and privacy are only going to grow in importance.
In this issue of Cutter Benchmark Review, we focus on the intersection of three topics discussed previously: mobile technology (Vol. 9, No. 3) on the one hand and privacy (Vol. 6, No. 1) and security (Vol. 5, No. 12) on the other. We do so because we feel that these topics, interesting each on its own, take on renewed relevance when combined. It is undeniable that mobile form factors, from the laptop to the smartphone to the iPad and who knows what next, will continue to gain prominence in the personal and organizational technology arsenal. As they do so, the importance of securing the mobile platform while ensuring the privacy of its users will continue to increase commensurately.
Published: June 2010, 20 pages, PDF format
Authors: Gabriele Piccoli, Katia Passerini, and Lanse E. LaVoy
Modernizing Legacy Applications: Success Stories and Lessons Learned
Application modernization projects are some of the riskiest types of software projects. Many conventional approaches have failure rates that are unacceptable. Cost control demands and conventional project risks are driving serious consideration of alternative paths to legacy application modernization.
This report is also available in a print edition.
This in-depth report provides expert, practical advice on how to successfully modernize your legacy applications. You'll expand your knowledge of legacy solutions to include new approaches such as rearchitecting, rewrite methodologies and internal and external rationalization. And you'll benefit from the best practices and lessons learned on real-world modernization projects, helping you develop a "best-fit" modernization strategy for your company.
This report will help you:
- Expand the legacy application modernization discussion beyond choosing between packaged solutions and redesign/rewrite projects
- Grasp new concepts -- semiautomated rearchitecting, agile rewrite with DSL, BRE for packages, and the four types of internal rationalization
- Better understand the underlying problem of project complexity
- Determine the right size team for your project
- Learn why internal rationalization is where some of the most interesting and innovative work is being done
- Avoid the temptation to apply tactical integration approaches with minimal regard for the end-to-end architecture
Table of Contents:
Introduction: Alternative Approaches to Modernizing Legacy Applications by Don Estes.
Chapter 1: Correct and Comprehensive -- Testing Software Rewrites and Redesign/Rewrites by Richard Bender. Explore real-world examples of how to successfully conduct testing in a modernization project.
Chapter 2: Portfolio Management for Legacy Systems by Corby James. Gain a methodology for identifying and prioritizing applications from your portfolio to be modernized -- and determine which applications should be left alone.
Chapter 3: Breaking the Cycle of Failure -- Best Practices to Drive Successful Legacy System Replacement by Lawrence Fitzpatrick. Walk through the ten best practices to drive success in replacing critical legacy systems.
Chapter 4: Agile Legacy Reengineering -- A Repeatable Technique for Managing Modernization Risks by Tom Love and John Wooten. Discover an agile approach to rewriting legacy applications that sharply reduces application complexity and enhances flexibility.
Chapter 5: Contending with Creaky Platforms by Matthew Simons and Jonny LeRoy. Review a number of metrics visualization methods that will help you determine where your problems are, prompt management to take action, and drive your remediation efforts.
Chapter 6: Rewriting and Rearchitecting as Alternatives to Code Translation by Tom Bragg. Compare and contrast the benefits of rearchitecting against code translation or manual rewrites.
Chapter 7: Ontology-Driven Legacy Modernization by Michel Vanden Bossche and Ian MacLarty. Discover a completely different way of conceptualizing applications via the Semantic Web.
Chapter 8: Validating Legacy Code -- Modernizing Strategies Through Technical Debt Assessments by John Heintz. Dive into a case study on the DeLorean project, a project explicitly chartered with cleaning up the architecture of a production system, removing duplication, improving code quality, building in testing, and improving reliability -- in short, to remove technical debt.
Chapter 9: Successful Application Modernization and Rationalization, Part I -- Short-Term Tactical Approaches by Don Estes. Gain a blueprint for successful legacy modernization via an intense program of test-driven modernization.
Chapter 10: Successful Application Modernization and Rationalization, Part II -- Long-Term Strategic Approaches by Don Estes. Examine both the conventional and promising unconventional approaches to legacy application modernization, along with their pros and cons.
Chapter 11: Performing "Heart Surgery During Marathons" -- Core Banking System Modernization by Scott Simmons. Gain recommendations for maintaining and managing current core banking solutions while working to transform the core system functionality.
Chapter 12: Guaranteed Success in Legacy Modernization -- Baby Steps by Don Estes. Examine a project design for a major US federal agency that is undertaking its second attempt to modernize an application.
Published: May 2011, 218 pages, PDF format
Authors: Richard Bender, Tom Bragg, Don Estes, Lawrence Fitzpatrick, John Heintz, Corby James, Jonny LeRoy, Ian MacLarty, Tom Love, Scott Simmons, Matthew Simons, Michel Vanden Bossche, and John Wooten
Overcoming the Enterprise Risk Management Paradox Webinar
Take an in-depth look at where enterprise risk management has been, where it is today, and where it needs to go if it wishes to become relevant to organizations today, and more importantly, tomorrow.
We are now living in a world, as insurer Lloyd's of London says, where what were previously independent and unrelated risks are now interconnected and interlinked. The intellectual need for enterprise risk management has never been higher; yet, ERM as a relevant and effective organizational practice is seen by many businesses as having no "there" there.
Business is in a situation of not being able to live without ERM, but not being able to live with it either.
Presented by: Dr. Robert N. Charette, Enterprise Risk Management & Governance Practice Director
Seeking Higher Ground: The Consumer Electronics Wave Becomes a Tsunami
Assertion: The impact of consumer-oriented devices (tablets, smartphones, etc.) will increase dramatically, necessitating IT departments to update and expand their architectures and standards. Those that embrace these technologies will enable knowledge worker creativity and innovation. Those that do not will spend increasing amounts of nonproductive time in a vain attempt to police and control the uncontrollable.
This Council Opinion, prepared by the Cutter Business Technology Council, includes the commentary of each Council Fellow and the logic behind his or her concurring or dissenting opinion, as well as the strategic implications of the trend.
Published: January 2011, 11 pages, PDF format
Author: Robert Scott, with concurrences and dissents by Lynne Ellyn, Tim Lister, Ron Blitstein, Ken Orr, Israel Gat
The Emerging Risk Environment and What You Need to Know About It
Create an integrated risk management plan that will protect your organization in times of widespread change.
Both the enterprise risk environment and the IT risk environment are growing in complexity. Factors such as the global financial crisis, an increase in regulation, cloud computing, and the demand for mobile devices are creating new threats. And since isolated silos of protection weaken overall security, companies should do everything humanly possible to unify their risk management strategies under one enterprise risk management (ERM) scheme.
The report The Emerging Risk Environment and What You Need to Know About It by Brian J. Dooley explores the increasing demand for centralized ERM systems and considers how IT risks and IT processes are contributing to current risks, as well as providing the tools for a solution.
This report will help you:
- Get up to speed on the evolving enterprise threat environment
- Understand the growing relationship between enterprise risk and IT
- Explore how new threats are intertwined with risk elements affecting other areas of the business
- Review some of the frameworks that aid risk management consolidation across the enterprise
- Address new threats to the enterprise that do not originate in IT, but will create IT concerns
Published: October 2010, 16 pages, PDF format
Author: Brian J. Dooley
The Organizational Benefits of Green IT
Current research shows that our nonrenewable resources cannot support our energy consumption trend. As power concerns rise and electronic waste piles up, everyone from government officials to corporate management will see the need for sustainable IT. Greening our IT products, applications, services, and practices is both an economic and an environmental imperative.
This report from Cutter Consortium explores the latest innovations in environmentally sustainable IT and provides expert recommendations that will help your company define its green IT strategy and create realistic guidelines for its implementation.
You'll receive 155 pages chock-full of tips and advice on how your company can decrease its energy consumption and increase its organizational efficiency.
Some actions your organization can take now to decrease its environmental footprint include:
You'll learn of policy modifications you can make immediately to reduce the environmental impact of IT's use in the company, as well as cultural changes that take longer to enact. And you'll learn how you can make the best use of your existing resources and plan for growth accordingly.
Table of Contents
Introduction: Can IT Go Green? by San Murugesan.
Chapter 1: Building Sustainable IT by Emily Jane Ryan. Gain strategies for mobilizing a sustainable IT movement within your organization.
Chapter 2: Understanding the Linkages Between IT, Global Supply Chains, and the Environment by Joseph Sarkis and Jacob Park. Discover the profound -- and often hidden -- environmental impacts of the different stages of a typical IT supply chain.
Chapter 3: The Greening of the IT Sector: Problems and Solutions in Managing Environmental Compliance by Tom Butler and Damien McGovern. Examine the design and features of an ideal environmental compliance management system.
Chapter 4: The Perceived Dichotomy Between Current Green IT Initiatives and Information Security by David Biros, David Sikolia, and Michael Hass. Learn how to meet the seemingly conflicting demands of both energy efficiency and security.
Chapter 5: Lessons in Implementing "Green" Business Strategies with ICT by Bhuvan Unhelkar and Annukka Dickens. Receive advice on how to leverage information and communications technology to minimize the effect of enterprise business activities on the environment.
Chapter 6: Being Green -- A Duty and an Opportunity by Marie-Claude Boudreau, Adela Chen, Gabriele Piccoli, Emily Ryan, and Richard T. Watson. Benchmark current practices in green IT and receive guidelines on what you can do tomorrow in your organization.
Chapter 7: CIO Eyes Only -- One More Case for Green IT by Deborah Grove. Discover a three-week approach for establishing a strategy for solving data center energy emergencies.
Chapter 8: The Green Data Center -- Taking the First Steps Toward Green IT? by Ian Osborne. Explore the developments in grid computing underway in the UK and European Commission.
Chapter 9: Green Requirements for IT and Telecom by Brian J. Dooley. Gain strategies for treating green issues as part of your overall risk management program.
Published: September 2008, 155 pages, PDF format
Authors: David Biros, Marie-Claude Boudreau, Tom Butler, Adela J.W. Chen, Annukka Dickens, Brian J. Dooley, Deborah Grove, Michael Hass, Damien McGovern, San Murugesan, Ian Osborne, Jacob Park, Gabriele Piccoli, Emily Jane Ryan, Joseph Sarkis, David Sikolia, Bhuvan Unhelkar, and Richard T. Watson
The Role of IT in Crisis Management
In this issue of Cutter IT Journal, Dorothy E. Leidner leads an exploration of various approaches to managing information challenges during crises and the role of IT in facilitating crisis response. Contributing authors look at the benefits of crisis preparedness as well as the potential for improvisational structures to meet crisis response needs.
Table of Contents:
- Opening Statement
- Reacting to a Crisis: The Role of Planning and Technology in Crisis Communication
- The Multifaceted Role of IT in Crisis Response: Lessons from the Asian Tsunami Disaster
- Managing Information Flow Challenges in the Supply Chain
- Emergency Management Task Complexity and Knowledge-Sharing Strategies
- Toward a Framework for Crisis Decision Support Systems: Information Requirements for Contextual Team Situation Awareness
Published: January 2011, 33 pages, PDF format
Authors: Dorothy E. Leidner, Catherine Szpindor, Gary Pan, Jamison Day, Leiser Silva, Weidong Xia, Irma Becerra-Fernandez, Jose Rocha, Yasir Javed, Tony Norris, David Johnston, and Emma Hudson-Doyle