Information Capabilities Framework (ICF)

Credits: Albert Santiago, Alex, Arsalan Khan, Guneet Gill, and Maryam Moussavi

ICF 1 - Introduction
ICF 2 - Abstract
ICF 3 - Key Findings
ICF 4 - Recommendations
ICF 5 - Overview
ICF 6 -.Market Maturity
ICF 7 - Technology in Depth
ICF 8 - What ICF aims to do
ICF 9 - How NOT to use ICF
ICF 10 - Market Clock
ICF 11 - Hype Cycle
ICF 12 - Implementation Approach
ICF 13 - Adoption
ICF 14 - Magic Quadrant
ICF 15 - Deployment Risks
ICF 16 - Competitive Advantage
ICF 17 - Implementation Timeline
ICF 18 - Bottom Line
ICF 19 - Recommended Reading

Success! You're on the list.

Standing Up an Enterprise Architecture Center of Excellence and a Certification Program at Your University


This article proposes the establishment of a Center for Operations, Research, and Education (CORE) at your university. CORE would be a team of people that proactively and holistically help achieve the university’s business outcomes. Its mission would be to provide comprehensive educational programs in Enterprise Architecture, conduct research and use this research to help transform the university.

For this article, the strategic direction and cultural factors in relation to operations, research and education in Enterprise Architecture are considered. We assume the status quo in regards to your university’s culture for this assessment, specifically the perception of Information Technology. The following table shows what we considered:

Current State (Observations)
  • No one is responsible for Enterprise Architecture
  • No research is being conducted in this field
  • No comprehensive program in Enterprise Architecture
Future State (Recommendations)
  • CORE would be independent of your university’s President
  • Rotating leadership where every school, department and division has the opportunity to lead CORE
  • Conduct research by partnering with other elite institutions
  • Begin by providing a graduate certification program
  • Aim for providing Bachelor’s, Master’s and executive programs in the future

This assessment reveals that currently where Enterprise Architecture is placed in the organization, it will not be able to provide the organizational transformational value that aspires to provide. Additionally, your university should start providing comprehensive programs in this field otherwise they would be left behind other educational institutions that are already moving in this direction.


This section provides an analysis of standing up CORE from an operational, research and educational perspective.


  1. Your university’s executive management would support this effort
  2. All university communities would help transform it to achieve operational excellence
  3. Perception of IT would not change instantly

1.1 What is the Center of Excellence?

According to Tarek M. Khalil et al. (2001), within an organization, a Center of Excellence may refer to a group of people, a department or a shared facility. It may also be known as a Competency Center or a Capability Center. The term may also refer to a network of institutions collaborating with each other to pursue excellence in a particular area.

1.2 What is Enterprise Architecture?

Due to the evolving nature of this field, there are many academic and practitioner definitions of what is Enterprise Architecture. For our purposes, we will use the one definition from the glossary on Gartner’s website that states Enterprise Architecture as a discipline for proactively and holistically leading enterprise responses to disruptive forces by identifying and analyzing the execution of change toward desired business vision and outcomes. Enterprise Architecture delivers value by presenting business and Information Technology (IT) leaders with signature-ready recommendations for adjusting policies and projects to achieve target business outcomes that capitalize on relevant business disruptions. Enterprise Architecture is used to steer decision-making toward the evolution of future state architecture.

In a nutshell, “Enterprise Architecture bridges the Business and Information Technology via enterprise integration/standardization resulting in people becoming more efficient and effective in achieving their objectives.” Kevin Smith (2010)

It should be noted that Enterprise Architecture is not an Information Technology endeavor but in fact, it sits in between Business and IT and works across organizational silos.

1.3 What is CORE?

If we combine the two definitions above then a definition for the center of excellence in enterprise architecture emerges which is a team of people that proactively and holistically help achieve business outcomes. For your university and breadth of this center’s agenda, it would be called Center for Operations, Research, and Education (CORE).

1.4 What are the Operational Perspectives?

1.4.1 Why should Your University Pay Attention to Enterprise Architecture?

One of the biggest proponents and users of Enterprise Architecture is the most powerful office in the world – The White House. The United States Federal Government has been using Enterprise Architecture for more than a decade and continues to see it as a way to look across organizational silos.

What this means for your university is that huge organizations are trying to improve their operations and they are turning towards Enterprise Architecture to help them do that. Your university can tap into this, apply Enterprise Architecture effectively and perhaps get involved in Enterprise Architecture discussions for organizational improvements. This involvement could also translate into future research grants and job opportunities for students.

1.4.2 Why putting Enterprise Architecture under Information Technology is Not a Good Idea?

All organizations are a composition of many cultures and subcultures. Some of these cultures develop over time and then become part of the routine mentality of an organization. Your university is not immune to this. In order to understand the perception of Information Technology at your university, look at how the university’s strategic plans were developed. Was Information Technology involved/invited to help in the development of your university’s strategic plan?

If not, then this is a cultural issue and often the cause of misalignments within organizations. Whenever Information Technology is not involved in strategic planning, it gives the perception that Information Technology is not important, it is just a commodity and it is just back-office activities. This lack of involvement is the reason that according to the 2013 Chief Information Officer ‘State of the CIO’ survey, “63% [of the respondents] say the majority of their time and focus is spent on aligning Information Technology initiatives with business goals.” This shows there are gaps in aligning Business and Information Technology. This alignment can be achieved through Enterprise Architecture. According to a Gartner study (G00146809), Business-Information Technology alignment is the primary driver for Enterprise Architecture as shown below:

Primary Driver for Enterprise Architecture

Taking into consideration the current culture at your university, placing Enterprise Architecture under Information Technology would not make sense. If Enterprise Architecture continues to be placed under Information Technology then at your university Enterprise Architecture would be perceived as an “Information Technology thing”. This perception would defeat the overarching purpose of Enterprise Architecture. Enterprise Architecture needs to have a holistic understanding of your university going beyond Information Technology. A Gartner study (G00245986) supports this thought of Enterprise Architecture going beyond Information Technology as shown below:

Enterprise Architecture beyond IT

From the above figure, we can learn that while technology is a consideration in Enterprise Architecture but it is certainly not the only aspect that needs to be considered. A well-run CORE at your university would consistently produce qualitative and quantitative for both Business and IT. Some of the examples of these are:

  • Qualitative Benefits
    • Improved Communications Across Organizational Silos
    • Increased Productivity
    • Efficient Portfolio Management
    • Effective Business Intelligence
  • Quantitative Benefits
    • Reduced Costs
    • Revenue Generation

1.4.3 What are the Maturity Levels for Enterprise Architecture?

According to a Gartner study (G00252206), it outlines the five levels of Enterprise Architecture maturity shown below:

Enterprise Architecture Levels of Maturity.png

What this means is that a lot of work needs to be done in this area and your entire university has to be involved in it so that it can be used effectively across organizational boundaries.

1.4.4 How will CORE Measure its Success?

From an operational perspective, a Gartner study (G00247593) indicates the following ways to align Enterprise Architecture to strategic business initiatives:

Align Enterprise Architecture to Strategic Business Objectives

At your university, the success of Enterprise Architecture would depend upon how it can help your university transform itself to achieve its strategic visions.

1.5 What are the Educational and Research Perspectives?

1.5.1 Is Enterprise Architecture Taught at Your University?

Are Enterprise Architecture courses taught at your university in various schools (e.g., business school, engineering school, professional studies school, etc.)? If yes, do you know if these schools at your university are talking to each other about Enterprise Architecture? If not, then there is no comprehensive Enterprise Architecture program at your university. From this observation, we can decipher that although Enterprise Architecture might be part of certain programs but overall it is fragmented at your university.

1.5.2 Why Should Your University Teach or Do Research in Enterprise Architecture?

In order to be an elite institution, your university needs to look at what other elite institutions are doing, assess what programs they offer and what kinds of research they are pursuing. Your university should then look at how these programs can be stood up.

For the purpose of this article, we will only focus on the institutions that teach, conduct research and/or have comprehensive programs in Enterprise Architecture. These include:

 Institutions NameCountry
1Harvard UniversityUSA
2Massachusetts Institute of TechnologyUSA
3Dartmouth CollegeUSA
4Carnegie MellonUSA
5Pennsylvania State UniversityUSA

2. Recommendations

Due to the importance of Enterprise Architecture as a catalyst in organizational transformation, in the current culture at your university, CORE should not be under IT. CORE’s mission is to help your university continuously evolve, conduct/use research and provide comprehensive educational programs. It should be an interdisciplinary entity whose members include all schools, divisions, and departments of your university. Thus, it should be placed where it has the most influence as shown below:

CORE at your university.png

CORE should start as a chartered center initially led by the School of Business and in collaboration with Engineering School, Professional Studies School and IT. Within the first year, this would develop relationships across all the universities.

CORE’s leadership should be on a rotating basis where each school, department, and division of your university has the opportunity to lead CORE for at least 1 year. This will create an atmosphere of collaboration and help break down organizational silos. This governance structure would also encourage participants to be actively involved in CORE’s advancement and they can use it to also enhance their own schools, divisions, and departments.

In regards to education and research, CORE should develop a graduate certificate program with the goal of creating a Bachelor’s, Masters and executive programs in the future.


  1. Tarek M. Khalil; L.A. Lefebvre; Robert McSpadden Mason (2001). Management of Technology: The Key to Prosperity in the Third millennium: Selected Papers from Ninth International Conference on Management of Technology, Emerald Group Publishing, pp.164
  2. IT Glossary, Enterprise Architecture,
  3. Kevin Smith (2010), Pragmatic EA: The 160 Character Challenge, Version 1.3, pp.12
  4. White House (2012),
  5. CIO Magazine (2013), ‘State of the CIO’ Survey, pp.4
  6. Robert A. Handler (2007). Key Issues for Enterprise Architecture. Retrieved from Gartner database.
  7. Julie Short (2013). Agenda Overview for Enterprise Architecture. Retrieved from Gartner database.
  8. Chris Wilson (2013). ITScore Overview for Enterprise Architecture. Retrieved from Gartner database.
  9. Betsy Burton (2013). EA Business Value Metrics You Must Have Today . Retrieved from Gartner database.
  10. Harvard University, IT for Management,
  11. Massachusetts Institute of Technology, Center for Information Systems Research,
  12. Dartmouth College, Auburn Cyber Research Center,
  13. Carnegie Mellon, Institute for Software Research,
  14. Pennsylvania State University, Center for Enterprise Architecture,

Success! You're on the list.

5 Questions to Ask About Prescriptive Analytics

Prescriptive analytics is used for performance optimization. This optimization is accomplished by using a variety of statistical and analytical techniques to identify the decisions that need to be taken in order to achieve the desired outcomes. The data sources used for the determination of outcomes can range from structured data (e.g., numbers, price points, etc.), semi-structured data (e.g., email, XML, etc.) and unstructured data (e.g., images, videos, texts, etc.).

If done correctly, Prescriptive Analytics is the Holy Grail of analytics. However, if done incorrectly, it can result in misinformed decisions that can be outright dangerous. Individuals and organizations have to understand that even if the data is correlated that does not mean that there is some sort of causation. A general example of this is when in a news report, the host(s) says that the survey has shown that x is correlated with y but then they go on how y was caused due to x. This is simply what I call “jumping the data gun” and organizations that are not aware of this can fall into this trap.

Another thing to be aware of is that after the Prescriptive Analytics gives you certain courses of action and you apply those actions, keep track of how well your Prescriptive Analytics is performing as well. In other words, you have to measure the performance of your performance optimization ways. The reason to do this is that over time you can see if the models presented by your Prescriptive Analytics engine are worth following, re-doing or dumping.

To get you started, here are a few questions to ask:



Who uses prescriptive analytics within, across and outside your organization?Who should be using prescriptive analytics within, across and outside your organization?
What outcomes do prescriptive analytics tell you?What outcomes prescriptive analytics should tell you?
Where is the data coming from for prescriptive analytics?Where should the data become from for prescriptive analytics?
When prescriptive analytics is used?When prescriptive analytics should be used?
Why prescriptive analytics matter?Why prescriptive analytics should matter?

When you are asking the above questions, keep in mind that Prescriptive Analytics uses data to create a model (aka a data version of the world) that is used by individuals and organizations to make real-world decisions. But if the model itself is flawed then you are bound to get answers that although might look visually appealing are completely wrong. It is not all doom and gloom though. In fact, Prescriptive Analytics is used in determining price points, expediting drug development and even finding the best locations for your physical stores. Companies like Starbucks have been using Prescriptive Analytics in the last few years to determine the best locations for their next coffee stores. Interestingly, some have claimed that wherever Starbucks goes, the real-estate prices also increase. While there is some correlation between a Starbucks coffee store opening with increased real-estate prices but this does not mean that because of Starbucks coffee stores the real-estate prices increase.

Analytics Trophies


  1. 5 Questions to Ask About Business Transformation
  2. 5 Questions to Ask About Your Information
  3. Starbucks Tries New Location Analytics Brew

Success! You're on the list.

5 Questions to Ask About Your Information Security

The term information security is used to describe the practices, methodologies, and technologies that are used to protect information physically (e.g., locked doors, security guards, etc.) and in cyberspace (e.g., firewalls, anti-viruses, etc.). In order to accomplish this, we determine information confidentiality (e.g., who can access the information), information integrity (e.g., is the information from a reliable source) and information availability (e.g., would the information be available in time to people who are authorized to use/see it).

According to Gartner, by 2015 the spending on information security around the globe would reach $76.9 billion. To put this number into perspective, this amount of money is close to what the US Federal government spends on technology in one year. By looking at this, in the near future, more money would be spent on securing personal and organizational information than actually creating information systems. But despite the importance of information security and its effects on individuals and organizations, very few people understand the kinds of threats that are out there. Security threats are always evolving and in the digital century, geography is not a limitation. Individual and organizational information can be potentially compromised from a local intruder to someone sitting on the other side of the globe. Thus, before you can mitigate information security risks, understand what is out there. Here is a non-exhaustive list of how information security can be compromised:

  • Adware – Pay to remove advertisements.
  • Bacteria – Overwhelms computer resources by making copies.
  • Botnets – A network of compromised systems.
  • Bots – Derived from robots and refers to automated processes.
  • Buffer Overflow – A program goes beyond the boundary of the buffer.
  • Clone Phishing – Legitimate email resent with malicious link/attachment.
  • DDoS – Multiple systems attack a single target.
  • DNS Attacks – Determine types of devices in the network.
  • Easter Eggs – Hidden code in the software to show control.
  • Emerging Technologies –Security is not considered in new technologies.
  • Evil-Twin Wi-Fi – Impersonates an access point (e.g., router).
  • Exploits – Vulnerabilities in scripts, servers, browsers, routers, computer networks, devices, software, and hardware.
  • Hardware Attacks – Exploits system bus, a peripheral bus, chips, power/timing, interrupts and RAM.
  • Human Error – Unintentional legitimate errors caused by people.
  • ICMP Scanning – Identify open ports (e.g., port 81).
  • Keylogger – Track keystrokes when logging on to legitimate sites.
  • Link Manipulation – The destination link is different than what is displayed.
  • Logic Bombs – Performs some action when certain conditions are met.
  • Malware – Malicious code.
  • Masquerading – Pretends to be authorized access.
  • Metamorphic – Code that modifies itself.
  • Network QoS – Service interruptions and performance issues.
  • Old technology – Outdated technology that is too costly to replace.
  • Pharming – Redirecting web traffic to a fake site and more sophisticated.
  • Phishing – Emails/instant messages asking to click a link/attachment, sign up for some kind of service and/or take you to a site that looks legitimate.
  • Phone Phishing – Call to ask for information.
  • Polymorphic – The same underlying code used for multiple purposes.
  • Rogue Wi-Fi – Compromised wireless access points (e.g., routers).
  • Script Kiddies – Amateur use of scripts developed by professionals.
  • Social Engineering – Psychologically manipulating people.
  • Spear Phishing – Directed toward specific individuals or organizations.
  • Spyware – Typically free software that collects information about you.
  • SQL Injection – SQL code is entered into the input fields of a database.
  • Trapdoors – Secrets in the code that allow access to the system.
  • Trojan Horses – Impersonates another software, prompts to install software and prompts to go to a certain site.
  • Viruses – Adds code to an uninfected copy of the host program in the network and then replicates itself.
  • VoIP Attacks – Software and hardware exploit in Internet telephony.
  • VPN – Only as secure as the most unsecure system in both ends of the network.
  • Weather – Mother Nature and lack of disaster recovery.
  • Whaling – Attacks directed at high profile individuals and organizations.
  • Worms – Copies itself across the network, runs by itself and does not need a host.
  • Zero-Day Exploits – Vulnerabilities in software unknown to anyone.

Now that we understand the potential risks that are out there, let’s look at what motivates people to do this. While there are many theories in what drives human motivation, for our purposes we look at the following two frameworks used by the top clandestine organization in the world. These frameworks are:

  • MICE looks at human motivation in terms of Money (e.g., cash, stocks, insider information, etc.), Ideology (e.g., religion, patriotism), Coercion or Compromise (e.g., blackmail) and Ego or Excitement.
  • RASCLS looks at human motivation in terms of Reciprocation (e.g., feel obligation to repay), Authority (e.g., prestige), Scarcity (e.g., supply vs. demand), Commitment and Consistency (e.g., trustworthy flip-flopper vs. untrustworthy but consistent), Liking (e.g., share same attributes) and Social Proof (e.g., correct behavior).

In order to understand the complexities of information security and motivations behind it, let’s ask the following questions:



Who is responsible for information security?Who should be responsible for information security?
What happens when information is compromised?What should happen when information is compromised?
Where is information security a priority?Where should information security be a priority?
When is information security thoroughly reviewed?When should information security be thoroughly reviewed?
Why information security was compromised in the first place?Why information security would continue to be compromised in the future?

When you are asking the above questions across all levels of the organization, keep in mind that information security is not something that you just “bolt-on” at the end but in fact, it should be a top priority at every juncture of your organizations. Thus, information security spans across people, processes and technologies and simply paying lip service do not help anyone in the long run.

While there are many laws, regulations, and guidelines to safeguard information but they do not mean much if you cannot apply them across and within your ecosystem of vendors, partners, suppliers and any external entities. In short, information security is a collective effort that requires organizations to be self-aware from the lowest ranks to the highest executives.

Information Security Views
Information Security Views



Success! You're on the list.

5 Questions to Ask About Predictive Analytics

Predictive Analytics is a branch of data mining that uses a variety of statistical and analytical techniques to develop models that help predict future events and/or behaviors. It helps find patterns in recruitment, hiring, sales, customer attrition, optimization, business models, crime prevention and supply chain management to name a few. As we move to self-learning organizations, it is imperative that we understand the value of Business Analytics in general and Predictive Analytics in particular.

It turns out that Predictive Analytics is about Business Transformation.  But in order for this Business Transformation to take place, you have to take into account the organizational contexts in the following ways:

  1. Strategic Perspectives: Not all organizations are the same and thus what works in one organization might not work in yours. Based on the knowledge of your organization’s maturity, you have to decide if Predictive Analytics is going to be a top-down, bottom-up, cross-functional or a hybrid approach. Additionally, take into account what should be measured and for how long but be flexible in understanding those insights might be gained from data that might initially seem unrelated.
  2. Tactical Perspectives: One of the key factors in Business Transformation is change management. You need to understand how a change would affect your organization in terms of people, processes, and technologies. You have to take into account the practical implications of this change and what kind of training is needed within your organization.
  3. Operational Perspectives: It is all about how the execution of Predictive Analytics is done within your organization. To fully integrate Predictive Analytics into your organization, you have to learn from best practices, learn the pros and cons of your technology infrastructure and determine if the necessary tools are intuitive enough for people to make use of them.

Now that you understand the different organizational perspectives, it is time to ask the following:




Who uses Predictive Analytics to make decisions? Who should use Predictive Analytics to make decisions?
What happens to decisions when Predictive Analytics is used? What would happen to decisions if Predictive Analytics will be used?
Where does the data for Predictive Analytics come from? Where should the data for Predictive Analytics come from?
When is Predictive Analytics relevant? When should Predictive Analytics be relevant?
Why Predictive Analytics is being used? Why Predictive Analytics should be used?

When you ask the above questions, keep in mind that the reliability of the information and how it is used within the organization is paramount. A pretty picture does not guarantee that the insights you get are correct but you can reduce decision-making errors by having people who understand what the data actually means and what it does not.



%d bloggers like this: