Business Operations Management (2019)


In this Blog, the emphasis is on those processes that can be used for achieving and sustaining secured business operations management by understanding the top-down requirements of the secured business and operating model. 


To create the right culture; to have a disciplined approach; to reduce the cost of development, maintenance, and governance; and to create a rhythm of security-conscious change, a management model is needed.


The management model builds upon these general-purpose organizational capabilities for managing information security. Just as quality assurance has become a standard goal in every product/service offered by every organization around the globe, security assurance for securing business operations would become a de facto standard in every company’s operations.


The management model can help organizations create the mindset and culture of security by design.


The secured management model is a business-centric, value-oriented process model, addressing the complete life cycle of the security capabilities from envisioning to operations to ongoing improvements for sustainability.


Beyond meeting mandatory compliance requirements, security assurance is often considered a costly affair, without recognition of its direct and, in some scenarios, indirect benefits to sales growth, profitability, and brand value, among other things such as improving the quality of operations.


To operationalize any process for cost efficiency and broad adoption, it needs a set of practices, a body of knowledge, and an information management solution. The management model incorporates all three design elements for an effective and efficient process.


Components of Secured Management Model


The secured management model is organized into four process domains for holistically achieving and sustaining secure business operations.

  1. Assess
  2. Plan
  3. Improve
  4. Manage

Each process domain includes a set of management practices. The figure shows these four process domains in a high-level process flow with their respective underpinning practices.



This process domain can be used for a small context, such as deploying a cloud-based application, or for a big context, such as an overall cloud-based digital transformation.



This process domain includes practices for architecting capabilities, designing solutions, defining key performance indicators with supporting measurements for required capabilities, and creating a change management plan for the broader adoption of capabilities.


The plan may include improvement or change in organizational structure, people skills and readiness, business processes, IT processes, and technologies for properly architecting the capabilities and designing the solutions. The outcome of the planning process provides a well-defined roadmap for implementing the changes needed for the capabilities identified in the assessing process.




This process domain includes practices for managing ongoing operations and governance of the capabilities and solutions. Through ongoing monitoring and oversight, new opportunities are identified, starting a new cycle of assess, plan, improve, and manage.


There is no doubt that a repeatable process requires a range of best practices. Organizations may have many of these practices. These practices tend to use their own tools, templates, and body of knowledge in a disjointed manner, resulting in discontinuous and inefficient outcomes.


With the goal of achieving and sustaining secured business operations, the authors not only developed the framework shared in this Blog, they have also developed a platform to operationalize the framework.


The platform, called CAMP, includes four pillars of capability-driven, business-centric, and outcome-oriented assessment, planning, and ongoing management.


1. Capability Management: addressing business and security capability modeling, assessment and planning.


2. Architecture Management: addressing enterprise architecture, including business and technology architecture components, standards, dependencies, life cycles, solution patterns, etc., for each capability or business/IT service in the organization.


3. Maturity Value Management: addressing strategic planning, road maps, operational and business performance metrics, maturity, and risk assessment.


4. Portfolio Management: addressing organization, management, assessment, and planning of various business and IT portfolios such as services, technologies, assets, projects, people, and relevant details.


We live in an environment of constricting budgets with an increased focus on value and time to delivery. Continuously delivering high value with ever-shrinking resources requires an innovative yet predictable approach to performing various activities related to portfolio building, analysis, planning, and monitoring.


CAMP accomplishes this goal without compromising quality and outcomes by effectively combining people, process, information, and technology. It provides defined use cases with methods and templates, leveraging the body of knowledge and the platform, for proactive and efficient enterprise portfolio and architecture management.


Risk Posture


IT departments have an information security officer who focuses more on a bottom-up approach and technology perspective to determine and resolve security risks. The security risks pose business risks.


A business risk officer reporting under the business and an information security risk officer reporting under IT pose risks that can be mitigated by designing the appropriate business organization architecture.


At the start of every initiative, the team should ask the question: In what ways will internal and external people and processes access and interact with systems and information to perform the activities and create the desired outcomes?


The risk posture can be assessed by adopting the 5W1H methodology – Why, What, Where, When, Who, and How – to gather information, document it in the risk register, and resolve risks.


Below are the sample details that can be maintained in this register:

  1. Risk – Name of the risk, for example, customer data theft
  2. Description – Passing unencrypted data in online transactions
  3. Source – Could be a vulnerability, inter/intra dependency, or an exception, for example, customer data vulnerability
  4. Business Impact – High, can impact brand
  5. Business Scenario – Call center issues escalated to customer service managers for resolution
  6. Location – South East Asia
  7. Identified By – Who identified this vulnerability
  8. Identified Date – The date this vulnerability was identified
  9. Resolution – Accept the risk and encrypt the customer data as soon as it is captured
  10. Approved By – Who approved the resolution
  11. Approval Date – The date the resolution was approved

The risk register should guide the rest of the assessment, planning, and improvement process.


Assess: As-Is Environment

Understand the controls in place for securing business operations. These controls cover all of the compliance, policies, and processes in place for managing secured authentication, provisioning, access controls, and authorization management for all types of business operations.


Understand the documentation available for these controls. Understand the governance in place for managing the life cycle of such controls. Determine the mix of decision makers cross-functionally represented in the governance committee. Determine the capabilities in place to manage the as-is environment.


All the items described above can be stored as a body of knowledge in the CAMP platform. The as-is environment is dynamic and changes on an ongoing basis. CAMP can be leveraged for keeping the as-is environment current by maintaining it on an ongoing basis. This would enable iterations for Assess-Plan-Improve-Manage and not make this a one-time effort.


Goals and Objectives


Once the outcome of the Assess process domain, which includes the business case, prioritized gaps, and the future-state success factors with KPIs, is produced and finalized, the Plan for achieving and sustaining secured business operations is produced.


This plan includes evaluation of the existing portfolio and prioritization of gaps to determine the new projects and programs required to mitigate these gaps; a roadmap is developed to sequence these projects and programs.


Plan Process Domain Practices

The Plan process is mainly to develop a design-level plan for the capabilities and changes identified during the assessment process. The assessment outcomes are planned to optimize improvement efforts. The figure provides a high-level view of the inputs, practices, and outputs during the planning phase of the end-to-end continuous improvement process.


• Finalized roadmap with an actionable plan

As success without a plan is not possible, planning security is not a new topic for companies. The question is what is being planned and by whom. The mandate mostly comes from the office of the Chief Information Security Officer, who reports to the CIO. Are those mandates aligning with business objectives?


Are there measurements in place ensuring business success from a growth, profitability, and/or productivity gains perspective? Are such plans ensuring the security of business operations?


Who from the business is involved in making such plans, and how? Are these plans documented and audited? Business is changing constantly, so who is responsible for the life-cycle management of these plans?


The point we are making here is that for achieving and maintaining the security of business operations, top-down business alignment is a must, and tight collaboration between IT and cross-functional business functions is required.




Improve Process Domain Practices


The Improve process domain is about implementing what has been planned for improving the current state to the next state of capabilities. The figure provides a high-level view of the inputs, practices, and outputs during the improvement or implementation phase of the end-to-end continuous improvement process.


We assume most organizations have project management and solution delivery disciplines. So, let’s focus on practices that can help produce better outcomes from these disciplines, particularly in the context of securing information in business operations.


We would like the following key principles added and enforced in development and deployment methods, regardless of organizational scope and nature of the solution:


Secured by design, that is, ensuring every choice is reviewed and selected and is the best fit for achieving the stated goals and objectives, and does not introduce unacceptable barriers to innovation for the organization.


Connected by design, that is, no solution can stay in isolation; therefore, even if there are no explicit requirements for interoperability and integration, the solution should not create a constraint and unnecessary complexity for enabling collaborative processes.


Value by design, that is, any trade-offs during the solution development should be mindful of the value promised and expected.


Operations ready by design, for example, whatever is deployed, whether process or technology, is supportable, scalable, maintainable, recoverable, upgradable, and measurable.


The following practices are key for developing and deploying capabilities and solutions with the above design principles for achieving the stated goals and objectives for secured business operations.


Improve Build and Validate Solutions


Whether developing a process or a technology solution, we always have choices about how we build and deploy. Add objective, measurable criteria for evaluating options and selecting the best fit, balancing current and anticipated needs with by-design principles, organizational constraints, and governance.


Strong project management organizations are needed that can create, manage, and execute a portfolio of programs and projects for building and validating the solutions designed and architected using Plan management practices.


Once the solutions are built and validated, they need to be offered in a way that the business can consume easily. For consumption, the next important step is to transition these new/enhanced capabilities and services into operations.


Transition into Operations

In addition to the functional capabilities, there may be a need to manage information produced or consumed by new capabilities for secure operations. The last mile is as important as the first mile. Anticipate what needs to be implemented to manage ongoing operations of the capabilities and solutions and implement them as part of the deployment.


The goal is to improve the security of business operations. That is possible only if the new/enhanced security capabilities and services can be transitioned into operations. The project plan should cover plans for how to transition these solutions into operations. This may require adding additional resources having required skill sets to operate.


The next step is that the business has visibility of the new/enhanced capabilities and services and can leverage them for securing the business operations. The change management plan is important for making it happen.


Ensure KPIs Are Measurable



Operate Solutions

To secure business operations, the capabilities or services available need to be managed both by business and IT. Remember, a business needs to define the operational requirements for security policies, procedures, and business services. Based on these, IT will offer the systems’ corresponding operational policies, procedures, and IT services.


The operational practices need to cover end-to-end life-cycle management of related capabilities and services. When a new capability or service is put in use, there are business expectations to generate value from it and that value is expected to increase with time.


The figure shows the value curve during the life cycle of any capability/ service. As the value starts decreasing, there is a need to enhance the capability/service functionality to optimize the value curve. 


The other three management practices under manage, “Measure KPIs,” “Identify Improvements,” and “Develop Action Plan” are leveraged to measure generated value and enhancements required and made for optimizing the value curve of any operational capability and/or service.


Measure KPIs


The key performance indicators are defined in the Plan phase and confirmed to be measurable in the Improve phase. These KPI measurements show the value generated. It is important to measure these KPIs regularly. Without measurements, it is not possible to determine whether the operational solutions are still valuable.


As the life-cycle management value curve figure shows, after reaching the peak value, there is degradation in the value generated by the same solutions.


That does not mean that a capability or service has gone bad; rather that means the business conditions have changed and the same capability or service is not as effective in the current business conditions. That leads to the need to identify improvements in the existing solutions.


Without measurements, it is not possible to know or predict the effectiveness of the processes and solutions implemented; their ongoing value to the organization; or the right time to retire, replace, or refresh the solutions; nor to decide whether the operational solutions are still valuable.


With measurement data, machine learning, and predictive algorithms, organizations can develop predictive models and improve both strategic and operational planning of security and other capabilities.


Identify Improvements

The business goals are always to generate maximum value from the solutions used to manage the business operations. These solutions are offered in the form of capabilities and/or services.


During the life cycle of any capability or service, when the KPIs show that the target measurements are not achievable, improvement opportunities need to be identified.


The figure shows a pictorial viewpoint of when to focus on improvements for reestablishing target value generation from each capability and/or service. The improvement opportunities can be identified even from the beginning of deploying a capability or a service in production operations.


However, the real need to apply improvements is only after the target value expected to be generated is not achievable. The other reason is for continual improvements to improve value generation.


The other source for considering improvements in existing capabilities and/or services is when a new driver for a change is identified by business. The identification of improvements is critical, but we all understand that without deploying these improvements, it is a futile exercise. The next logical step is to conduct strategic planning to develop an action plan for deploying these identified improvements.


Effectiveness Defined

To make sure we are measuring the right thing, we first need to define what we mean by the term effectiveness. When is something effective? We consider innovation in medicine to be effective when it eradicates the disease it was targeting.


We view our sales strategy or actions to be successful and effective when we acquire new customers without losing money in the process. We accept and adopt a solution that makes us more productive without any friction or extra effort.


Can we say that over $100 billion spent on IT security is effective when cyber attacks continue to cost businesses over $400 billion a year? Do we consider a security control effective if it does not allow employees to work remotely?


Is a solution acceptable and effective when it is too expensive to afford? Based on the analysis of patterns of effective and noneffective actions, we propose the following definition:


Something is effective when it allows achieving an objective or an outcome at an acceptable cost.


An objective or outcome is associated with an operational or strategic goal of anyone in the organization. It can be financial, risk, performance, skill, process improvement, product innovation, or anything else of value. We also live in a world of constraints. We may be able to achieve an objective, but it may come at a very high cost.


Effectiveness is like a two-sided coin. For a solution or intervention to be effective, it must enable the desired outcome at a cost the organization can afford. We recognize that people are driven by their own needs. In an organization, individual needs must be aligned with or within the context of the organizational objectives.


What Is An Organization Trying to Achieve?

Every organization or business, regardless of industry, profit/nonprofit, or public/private sector is on the mission to achieve the following:

  1. Continuously innovate the business or organization.
  2. Run the business efficiently and predictably.
  3. Drive the business equity in its brand and culture.
  4. Keep the business viable and relevant to its constituents.


No organization can stand still and survive on past successes. Organizations need to continuously innovate products, services, and processes for growth, new business models, digital transformation, or driving customer-centricity. At the same time, organizations cannot ignore what keeps the organization working every day.


Everyday activities need to be operationally predictable, efficient, productive, and governance compliant. In addition to being innovative and operationally excellent, organizations are also interested in continuously building their equity.


Equity provides the sustaining power and organizational ability to transform. Anything that improves profitability, builds the brand, creates the desired culture, drives customers’ confidence, and avoids unnecessary risk will support the equity objectives. The figure lists high-level, broad organizational objectives.


As we walk down the organizational structure, these objectives should become the outcomes of various decisions and activities performed at each level of the organization.


Anything and everything anyone is doing in an organization must be aligned and in support of one of these objectives. One side of the effectiveness coin represents producing the desired outcomes as stated or implied by the above objectives.


The other side of the effectiveness coin is about the cost of realizing the outcome. So, anything and everything anyone is doing to produce the desired outcome must be at a cost that the organization can afford.


What Is Effective

Just like buyers see value differently, the measure and magnitude of effectiveness can be different for various stakeholders. Business managers, business users, IT management, customers, and suppliers may expect different outcomes and may accept different costs.


Therefore, effectiveness must be understood and communicated in the context of a stakeholder. Individual objectives of various stakeholders, although aligned with organizational objectives as in the figure, are specific to their scope of work.


The stakeholders will consider a capability, process, or solution to be effective only if it supports their objectives at the cost they can afford. As much as individual stakeholders are driven by their needs, the person or team responsible for delivering new capabilities must account for the needs of all key stakeholders for overall effectiveness from the organizational perspective.


Later in the Blog, we introduce a value flow map for connecting objectives, KPIs, and capabilities across stakeholders for understanding, communicating, and ensuring effectiveness.


Why Are Security Efforts Perceived as Not Effective or Too Expensive

It would be wrong to suggest that security measures are not effective. Most security measures are put in place to avoid incidents.

When security practices detect and remove spam and malware before they reach their destination, thwart unauthorized attempts to access sensitive information, or ensure all devices are up to date in protecting from viruses, they are achieving the desired objectives of avoiding downtime, leakage of proprietary information, and a public relations headache.


Like a product warranty, consumers or users don’t think of the product quality as the product continues to work. The day there is an issue with the product, they question the quality of the product.


Similarly, when most of the security efforts are about avoidance, stakeholders may not think of the value of the efforts. They question the cost of these efforts when something harmful gets through the door. A flu vaccine does not guarantee that a person will not get the flu, but it does reduce the odds, and in most cases, succeeds in avoiding the flu.


Preventive and recovery security efforts may be working but may not be visible to people to realize their effectiveness.

At the same time, there are certain practices that may be creating the perception that security efforts are not effective or too expensive, for example:


Overengineering the process or solution.

Engineering minds tend to drive for perfection. Security is one area where it is very hard to reach perfection. Even if possible, achieving 100% prevention may be too expensive. At some point, engineering prevention may cost more than recovery efforts.


Risk mitigation is the only objective.

No doubt, fear and risk are the primary drivers for safety and security. Security efforts are perceived as less effective when they take a risk-averse posture rather than being risk aware. We tell people to take measured risk to achieve bigger rewards. Security is no different. Some risks should be accepted as they are manageable.


Trusting prevention and underinvesting in recovery capabilities.

Of course, prevention is better than cure, but at what cost? In most cases, IT is driven by technology solutions, hence the bias toward implementing preventive solutions.


Depending on the total cost of the solution, and the frequency and likelihood of the incidents, it may be prudent to implement appropriate processes and controls for enabling quick detection and recovery.


Measuring and communicating activities, not necessarily the outcomes.

In many cases, security-related metrics are focused on operational activities, such as incident detection, mean time to fix, patch latency, and people awareness and training on security policies.


These metrics are good for the people performing or responsible for the underlying activities; however, they are not enough for the people who are positively impacted by these activities.


If people are left to their own interpretation and justification, most likely they will miss the significance of the metrics to their own activities. Therefore, it is important to relate how improvements in one’s activities help improve stakeholders’ activities and their outcomes. Use the value flow map.


Perceived value and effectiveness of security efforts is like an interpretation of a half-filled glass. Whether you look at the glass half full or half empty, business/IT leaders and security professionals need to do a better job in ensuring security efforts are measured and managed for effectiveness in terms of enabling organizational objectives at an acceptable cost.


Principles of Security Effectiveness

Defining, measuring, and communicating security effectiveness is not an art and is not subjective. It simply requires a disciplined approach to identify who the customers are, what they care about, and how security capabilities can help them achieve what they want at the cost they can afford.


To make it practical and repeatable, we have defined three by-design principles for security effectiveness, leveraging the framework we have described in previous Blogs.


The three by-design principles are the following:


1. Start with what and why, not how.

We all like to solve problems. It is easy to focus and get caught up in the design of the solution. Before we start thinking about how we are going to solve the problem, we should have a clear understanding of who the stakeholders are, what metric they are managing or would like to see improve, and what capabilities will enable them.


This helps formulate the overall picture with dependencies and value for appropriate and effective solution selection. Value flow mapping is a visualization technique for building the roadmap from solution to stakeholder’s value. See the next section for details.


2. Do the right things with a customer and a business mindset.

Many times, the solution or process designs are not effective because of assumptions and ignorance. We assume stakeholders do not want to take the risk.


We ignore other non-security drivers. Recognizing everyone in the organization has internal or external customers and works toward an organizational mission, to be effective, everyone must put themselves in their customer’s shoes and take a holistic view of the customers.


How do we know and plan what we don’t know? We have discussed the Secured Business Operations (SBO) framework. Use the framework to understand, align, and plan security capabilities based on organizational and stakeholders’ objectives.


3. Don’t just measure what did or didn’t happen. Measure the change in capabilities and outcomes.

Knowing what happened or didn’t happen is important for any root-cause analysis or immediate impact of an action. It is critical that we measure change.


New value is created only when there is a change in actions. Measure change in your actions, in your customers’ actions, and, to be extremely effective, in the actions of your customers’ customers. Measuring across three degrees of separation provides insight into the extent and quality of alignment and effectiveness.


In addition, capability maturity levels are excellent indicators of competency and competitiveness. Use the maturity models included in the framework discussed in this Blog.


These principles are interrelated and interdependent. The body of knowledge in the Secured Business Operations framework can help build the initial value flow map.

The value flow map is used to define the desired state and success factors, and guide the priorities and design options. The following sections in this Blog provide further insight and guidance in driving and ensuring the effectiveness of security efforts.


Doing Right with Business Mindset


A great warranty does not compensate for bad utility. For a product to be useful, it must be fit for its purpose. For it to be effective, it must be useful and available when needed. In the security domain, because of fear, most professionals are risk-averse, that is, tend to have a mindset of risk avoidance.


No doubt, the risks that can be avoided must be avoided. At the same time, at best, we can only avoid the risks we know. From the business or customer point of view, it is about having a product that meets their needs with an appropriate operational warranty.


The warranty means that the product works as expected most of the time, and in case something does go wrong, there are procedures in place to recover quickly and safely. It will be a waste of money to buy flood insurance in a non-flood zone.


A B2B manufacturing organization has a different risk profile than a consumer or financial institution. It won’t make sense to implement the same policies and solutions in both types of organizations. So, to be effective, security planning needs to be contextual.


There are two ways to become business aware of security capability planning. The conventional way is by asking people in the business. It relies on the assumption that people know what they need and why. In most cases, what they know and plan is based on the past and present issues. People can only plan what they know.


Therefore, the conventional approach tends to lead to break-fix or incremental improvements. In the age of crowdsourcing and predictive modeling, there is another approach that uses knowledge models to determine where an organization needs to be and what it will take to get there, and then consults with stakeholders to align, prioritize, and plan.


The knowledge-based approach allows us to not assume, but anticipate business needs. With that understanding, we can be effective both in the short and long-term in designing and delivering capabilities. In other words, we are managing risk, not avoiding risk.


In previous Blogs, we introduced the framework for secured business operations. It starts with the business engagement model. Rather than taking the extreme view by avoiding every possible security risk, business and security professionals can identify the right security risk posture and required resilience level by understanding the extent of interaction the organization has with people and processes inside and outside the organization.


Regardless of the scope of the initiative, project, or solution, any security planning and governance can only be productive and effective when the business engagement model is known.


Use the business engagement model to determine what kind of business you are today and what you want it to be. The engagement model drives the maturity in underlying business and operational capabilities.


The framework includes a well-organized body of knowledge in the form of capability maturity models, enabling practices, dependencies, and KPIs for assessing and planning business and operational-level capabilities.


Leverage these models to quickly learn, anticipate, and assess what business might need and what capabilities are already in place. Share the model and assessment with stakeholders for further alignment, prioritization, and planning.


People are risk averse because of fear of the unknowns. The models help convert unknowns into knowns, thereby enabling people to become risk aware. Addressing business needs while managing security risk is the way to be effective.


Key Measures for Security Effectiveness


Ultimately, security practices are effective when they produce the expected outcomes for the stakeholders. Therefore, the ultimate measures for effectiveness are the outward measures, that is, the performance measures of the stakeholders.


Typically, the outward measures have two or more degrees of separation from where security practices are performed. It is not always easy, and it may take some time, to see the impact on these outward measures.


Therefore, we must have inward measures or leading indicators, measuring the extent and performance of the security practices and their impact on the immediate customers or users of these practices.


The above table is not an exhaustive list of measures. The framework for secured business operations includes relevant KPIs for specific capabilities in the secured business model and secured operating model. The value flow map, discussed earlier in this Blog, is an effective way of identifying and measuring relevant measures for the organization.


Measure to Manage

In previous Blogs, we shared the framework and body of knowledge for planning, designing, and managing secured business operations. In this Blog, we discussed how organizations, particularly security professionals, can articulate and measure the effectiveness of capabilities and practices, thus avoiding overengineering or barriers to business innovation.


The framework with a clear set of measures enables the organization to achieve and sustain secured business operations while continuously transforming the organization to meet customer expectations. In the next and final Blog, we share use cases and approaches for making it real for your organization.


What Have We Learned?


Seamless connectivity, personalized products, and services, real-time collaboration and transactions, automation, predictive insight and actions, use of public or shared infrastructure – these are some of the transformations many organizations are exploiting or exploring to be competitive, productive, and responsive.


If the security efforts in your organization are not producing the desired results or are increasingly becoming cost prohibitive, something must change in the way the organization plans and manages security capabilities.


Security is a business issue, not only a technology issue.

Therefore, business management can’t afford to delegate planning and risk management to technology teams. Whenever there is a security breach or incident, it becomes a business issue and priority. So, why does business management take a passive approach to planning and managing information security?


Just like quality and safety, information security can’t be achieved just with better technology. It is an organizational capability and therefore it must be planned and managed along with other business capabilities.


Fear and compliance are not the way to address, plan, and fund security capabilities. It is understandable that compliance may be a prerequisite for the business. Compliance requirements are there for reasons. Addressing the underlying reasons should be the driver for planning security capabilities.


The organization will not only achieve compliance but also create an empowered, security-aware culture. Addressing the compliance requirements without focusing on the underlying reasons will only ensure a forced and compliant mindset.


Planning based on fear of the unknown generally results in overengineering or overspending – we either stop thinking rationally or end up spending an unreasonable amount of money on something.


A better understanding of risk and impact, a holistic view of the required capabilities, and solution options reduce the degree of unknowns and the magnitude of the fear. Use the capability models and value flow maps to translate unknowns into knowns and fund the right capabilities and solutions.


 Assess and management capabilities for achieving


Security is not something you implement and forget. With continuous change in business, people, information, technologies, customer expectations, or relationships, organizations cannot just deploy a solution, implement a process, or establish a policy and expect to mitigate the risks forever.


Did you ever notice that military leaders always talk about capabilities to accomplish the mission? They don’t start the conversation with processes, ammunition, fighter jets, etc.


They are focused on acquiring and maintaining the capability to fight any mission now and in the future. They understand the dependencies and make sure they have what is needed to sustain the capability.


We propose the same mindset and approach to achieving and sustaining the mission of secured business operations. We also recognize that people can only plan what they know. Therefore, we created a body of knowledge and capability management framework for secured business operations.


Embed security in every role, process and project planning, by design.

Just like customer-centricity, quality, or cost-efficiency, security must be planned and planted in all other planning and design activities. Without a security-conscious culture, risk management is too expensive and porous to be effective and sustainable.


Organizations can start by asking a few simple questions during planning, approval, and oversight activities to make sure the teams are considering the security implications of whatever they are doing or proposing.


For example, if the role, process, or project changes the way or the extent of interactions with other people and processes, we need to ask how we are preventing unauthorized access to sensitive information and protecting that information.


The model provides the structure and steps for incorporating security assurance through the assess-plan-improve-manage phases of any initiative or change execution.


In every planning and design effort, people have choices. Organizations can avoid rework and avoidable risk by ensuring that people are making the right choices with security in mind.


Measure effectiveness, not just operational or process metrics


Activity-based measurements are primarily good at measuring process efficiency and operations, such as the time and effort involved, the number of people trained, or the number of viruses detected. These measures are required but not sufficient to comprehend the overall effectiveness and value of the security-related activities and solutions.


The security efforts should not be just about prevention and protection; they should also enable business innovation and transformation. Clearly articulating, measuring, and communicating the effectiveness of security capabilities requires identifying and measuring upstream activities and outcomes. On the flip side, the same measures can also help in identifying and prioritizing the required security capabilities.


What Has Been Done

The framework for secured business operations is the result of many years of direct work with various organizations across industries and sectors, and the observations on success and challenges with many existing practices. Looking back, we can summarize our journey in three steps.


  1. Building the various aspects of the framework as we were delivering the engagements.
  2. Formalizing the body of knowledge with a value management platform and applying the framework as designed.
  3. Sharing the framework.


Although there have been variations in the starting point and roadmap for driving security capabilities and culture, broadly speaking, the use cases can be categorized into three areas.


  1. Using the body of knowledge in the framework, for example, the business engagement model and capability maturity models, to enhance existing methods and templates for better outcomes.
  2. Performing portfolio assessment and planning in support of organization initiatives, such as mergers and acquisitions, digital transformation, leveraging cloud services, and strategic or budget planning.
  3. Driving and ensuring appropriate risk posture and security governance in business and IT projects.

The following four use cases show how organizations started addressing the challenges and opportunities at the time. All these organizations understood and expected the broader change in the way they think, plan, and manage security capabilities.


They also realized that it would take multiple years as they work on initiatives and opportunities over time across the organization.


  1. A technology manufacturing global Fortune 500 company, improving the security posture of its products, services, and operations.
  2. One of the top health-care services providers in the United States, expanding its operations globally.
  3. A national service provider with an extensive partner network, going through a merger with another service provider.
  4. A hospital network with distributed facilities, evaluating and planning information and infrastructure services for improving cost, care, and communication.


Technology Manufacturing Company Open for Business


The company has been using an Internet commerce platform with its customers, partners, and suppliers. The company was growing through mergers and acquisitions. As the commerce platform was becoming central to the business strategy and operations, the organization was challenged with scalability, adaptability, and information security.


In spite of the commerce platform being critical to the business, the problem, and therefore the solution, was originally left up to the technology teams to address, as with most technology-based issues.


The bottom-up approach led to plumbing gaps and adding infrastructure resources. No one was satisfied with the outcomes. The organization decided to take a top-down approach, establishing it as a business-driven initiative with cross-functional leadership sponsorship and support.


Using the business engagement model, the leadership team quickly determined and agreed that the organization wanted to be a connected business (level 4), with the eventual goal of being a digital business (level 5).


The current practices and solution were operating at level 3, that is, designed for business-to-business operations. Knowing the engagement level, management started asking what it would take to get there. It was no longer a technology issue. The functional, operational, and risk resilience capabilities must support the organization in being a connected business.


Recognizing that the organization needed to be at level 4 in the capability model, at a minimum, the key stakeholders across business functions such as manufacturing, sales and marketing, customer service, legal, HR, finance, and IT were surveyed to determine organizational priorities, focusing on the five Ps: the Prevent, Protect, Policy, Profile, and People aspects of the secured business model.


A risk register and 3-year roadmap were developed, initially focusing on the capabilities needed for the internal workforce.


Identity and access management (IAM) was one of the first rounds of operational capabilities to be further analyzed and developed. Using the IAM capability maturity model from the secured operating model, the current and target states were defined, and the underlying dependencies and practices were identified. A project plan was developed, addressing the required capabilities and dependencies.


As the program progressed through the phases, additional capabilities such as policy management, role management, and resource management were addressed.


Overall, it took over three years to address the people, process, policies, platforms, and performance capabilities for secure, scalable, and flexible business operations. The top-down planning and iterative execution ensured alignment and value delivery.

Since then, the organization has added security as a track in every project and as part of governance, ensuring every delivered product and service is designed for secured business operations.


Leading Health-Care Provider Expanding Globally

A U.S.-based leading health-care provider wanted to extend its reach by collaborating with other providers and research organizations around the world. It also wanted to make sure patient privacy is preserved and regulatory requirements such as HIPAA and PCI are met while it communicates and connects with other organizations.


The organization conducted a holistic assessment of business and technical capabilities needed to support the collaborative yet secured environment. The top-down, process capability assessment focused on business needs, business operations, and security risks.


The bottom-up, technical capability assessment evaluated the current state of various management, operational, and infrastructure practices and technology solutions. The assessment included the identification of the following:


  1. Outdated network infrastructure elements, unsuitable to manage cybersecurity threats.
  2. Web-based applications with insufficient security architecture.
  3. Policies and procedures for end-to-end access control and life-cycle management.

The organization used components of the secured business operations framework to assess and, more importantly, to establish a target state and develop a multiyear roadmap.


A Service Provider Merging with Another Service Provider

A membership-based consumer service provider has been expanding its member base through value-add information services and acquisition of other service providers.


In the past, like most M&A, the portfolio rationalization and consolidation activities were primarily focused on application and infrastructure technologies. Information security capabilities were not considered during the portfolio rationalization, resulting in many surprises and unnecessary remediation costs.


The organization decided to improve its due diligence and portfolio rationalization process by including security assessment of the business and IT processes, and technology portfolio.


It used the maturity model of twenty-one capabilities in the secured operating model to assess the organizational and operational capabilities of the acquired organization.


Using the 5 Ps of the secured business model, it developed criteria for assessing the security posture of each application under consideration for rationalization.


The enhanced approach has given the organization a better understanding of the respective strengths and weaknesses of their security capabilities. The organization is able to make informed decisions to prioritize and plan based on cost, risk, and value, and to avoid budget surprises.