What is Business Operations Management
In this Blog, the emphasis is on those processes that can be used for achieving and sustaining secured business operations management by understanding the top-down requirements of the secured business and operating model in 2018.
You can use the body of knowledge in these models to evaluate the current state with goals and objectives, identify the gaps in the existing capabilities, plan the improvements required for achieving the future state, and monitor the progress, as frequently as needed. For achieving and sustaining secured business operations, a security culture is required.
This culture ensures that everyone, by design, considers appropriate information security during planning, design, and delivery of any change in business operations or in underlying solutions.
To create the right culture; to have a disciplined approach; to reduce the cost of development, maintenance, and governance; and to create a rhythm of security-conscious change, a management model is needed. This Blog focuses on the methodologies and approaches for operationalizing the models and body of knowledge in the framework for ongoing assessment and improvement of information security capabilities across the organization.
Most organizations have established capabilities of portfolio management, change management, value management, solution development, and project management.
The management model builds upon these general-purpose organizational capabilities for managing information security. Just as quality assurance has become a standard goal in every product and service offered by every organization around the globe, security assurance for securing business operations will become a de facto standard in every company’s operations. The management model can help organizations create the mindset and culture of security by design.
The secured management model is a business-centric, value-oriented process model addressing the complete life cycle of the security capabilities, from envisioning to operations to ongoing improvements for sustainability.
Beyond mandatory compliance requirements, security assurance is often considered a costly affair, without recognizing its direct and, in some scenarios, indirect benefits to growing sales, profitability, and brand value, among other things, such as improving the quality of operations.
To operationalize any process for cost efficiency and broad adoption, it needs a set of practices, a body of knowledge, and an information management solution. The management model incorporates all three design elements for an effective and efficient process.
Components of Secured Management Model
The secured management model is organized into four process domains for holistically achieving and sustaining secure business operations.
1. Assess
2. Plan
3. Improve
4. Manage
Each process domain includes a set of management practices. The figure shows these four process domains in a high-level process flow with their respective underpinning practices.
The Assess process domain can be used for a small context, such as deploying a cloud-based application, or for a big context, such as an overall cloud-based digital transformation. It is used for understanding the change in the business engagement model, evaluating the information security risk based on the changes in the engagement model, understanding the desired goals and objectives, identifying the gaps in the existing capabilities, and deciding on the capabilities required to close the gaps.
The Plan process domain includes practices for architecting capabilities, designing solutions, defining key performance indicators with supporting measurements for required capabilities, and creating a change management plan for the broader adoption of capabilities.
The plan may include improvement or change in organizational structure, people skills and readiness, business processes, IT processes, and technologies for properly architecting the capabilities and designing the solutions. The outcome of the planning process provides a well-defined roadmap for implementing the changes needed for the capabilities identified in the assessing process.
The Improve process domain is about action and making things happen. It includes the practices for implementing the solutions for the changes planned for the required capabilities, transitioning the solutions into secured business operations, and ensuring the key performance indicators are measurable.
The Manage process domain includes practices for managing ongoing operations and governance of the capabilities and solutions. Through ongoing monitoring and oversight, new opportunities are identified, which start a new cycle of Assess, Plan, Improve, and Manage.
There is no doubt that a repeatable process requires a range of best practices. Organizations may already have many of these practices. These practices tend to use their own tools, templates, and body of knowledge in a disjointed manner, resulting in discontinuous and inefficient outcomes. For processes to be sustainable, efficient, and effective, and for practices to be adaptable, organizations need a unifying platform for a continuous planning and improvement process.
The platform must provide quick and timely access to the information, and must enable the continuity of information, decisions, and activities across the full life cycle of continuous assessment, planning, and monitoring. With the goal of achieving and sustaining secured business operations, the authors not only developed the framework shared in this Blog, they have also developed a platform to operationalize the framework.
The platform, called CAMP, includes four pillars of capability-driven, business-centric, and outcome-oriented assessment, planning, and ongoing management.
1. Capability Management: addressing business and security capability modeling, assessment, and planning.
2. Architecture Management: addressing enterprise architecture, including business and technology architecture components, standards, dependencies, life cycles, solution patterns, etc., for each capability or business/IT service in the organization.
3. Maturity Value Management: addressing strategic planning, road maps, operational and business performance metrics, maturity, and risk assessment.
4. Portfolio Management: addressing organization, management, assessment, and planning of various business and IT portfolios such as services, technologies, assets, projects, people, and relevant details.
We live in an environment of constricting budgets with an increased focus on value and time to delivery. Continuously delivering high value with ever-shrinking resources requires an innovative yet predictable approach to the various activities related to portfolio building, analysis, planning, and monitoring.
CAMP accomplishes this goal without compromising quality and outcomes by effectively combining people, process, information, and technology. It offers defined use cases with methods and templates that leverage the body of knowledge and the platform for proactive and efficient enterprise portfolio and architecture management.
Body of Knowledge
The body of knowledge represents the collective wisdom, experiences, practices, and facts from operations, industry, academia, and subject-matter experts, covering all aspects of the enterprise portfolio. As the saying goes, why reinvent the wheel? The body of knowledge includes the models for secured business operations, along with many other sources of information, such as ISO, NIST, ITIL, APQC, Innovation Value Institute, and other relevant sources.
The body of knowledge helps to discover “unknowns” quickly and accelerate their assessment and planning. This can dramatically increase the mutual understanding of the business and IT capabilities.
The Value Management Platform is a technology-based service for planning and managing enterprise capabilities and portfolio. It hosts and leverages the body of knowledge to plan, transform, monitor, and manage any portfolio initiative from intent to operations. The information in the platform is accessible to various people in the organization to learn and to make their own informed decisions, at any time.
Accelerators represent the art and science of security capability and portfolio management. One can think of accelerators as a collection of engagements, activities, or use cases, such as Business and IT Portfolio Assessment, Portfolio Rationalization, Security Readiness, Capability Assessment and Planning, Cloud Readiness, Technology Risk Assessment and Planning, etc. Each accelerator includes a defined body of knowledge configured in the value management platform, methods, and templates.
With the body of knowledge, value management platform, and accelerators, organizations can do the following:
1. Develop and maintain the knowledge base
2. Iterate over the Assess-Plan-Improve-Manage cycle
3. Empower and enable knowledge transfer
In the next section, we provide additional details on the key management practices in each process domain for achieving and sustaining secured business operations.
Key Management Practices
The secured management model includes 15 key management practices across the four process domains. While the process domains outline the end-to-end life cycle of continuous improvement, the practices within each domain outline the steps and activities involved in achieving top-down and bottom-up alignment with the business engagement model, secured business model, and secured operating model.
Every process or practice is actionable in a plug-and-play mode, with a set of inputs, actions on those inputs, and produced outcomes. In addition, to facilitate and support an end-to-end continuous improvement methodology, the secured management model provides the flexibility, through its components, to plan and manage security capabilities as part of the overall business and IT portfolio or within the context of a project.
As we describe these management practices, we will highlight the key activities and outcomes from the perspective of managing the portfolio and a project.
Assess Process Domain Practices
Any journey, short or long, starts with knowing where you are and where you want to be. Under the Assess process domain, the emphasis is on assessing the risk posture practice along with the standard practices of understanding goals and objectives and the current state of security. The figure provides the high-level view of the Assess process domain with inputs used by its practices to produce relevant outcomes.
The inputs to the Assess process domain are the drivers for change, organizational scope, and related portfolio information. In the case of portfolio planning, the scope can be all aspects of the organization, whereas, in the case of a specific project, the drivers and scope are determined by the project.
The drivers and scope are not necessarily specific to security capabilities or requirements. The drivers and scope provide the context for understanding risk and identifying required security capabilities.
To evaluate the organizational portfolio and capabilities, organizations need a body of knowledge with a capability maturity model and an assessment framework. In the previous Blogs, we have described the business engagement model, secured business model, and a secured operating model.
These models are used to evaluate various aspects of the organizational scope and organization portfolio of plans, capabilities, processes, people, and technology solutions. These models provide the content, structure, and knowledge for assessing the current state and defining the desired state of the organizational capabilities and competency.
The assessment process is more than finding the gaps in the capabilities. A supporting financial business case is required as part of the assessment to justify how achieving the goals and objectives in a secure manner will produce value and return on investment. In addition, the value management platform discussed earlier in this Blog is used to leverage the body of knowledge and to assess the organization quickly and consistently.
Below is the detailed explanation of each of the three Assess practices.
Business Engagement Model helps organizations identify the extent of access and interaction with people, processes, and systems outside the physical boundary of the organization.
Knowing the level of engagement is critical for identifying the acceptable and unacceptable risk exposure and, in turn, the required information security capabilities. Most businesses have a risk officer at the enterprise level who focuses on business risks. Security risks are generally not in the portfolio of that risk officer.
IT departments have an information security officer who focuses more on a bottom-up approach and a technology perspective to determine and resolve security risks. Yet security risks pose business risks.
Having the business risk officer report to the business and the information security officer report to IT poses risks of its own, which can be mitigated by designing the appropriate business organization architecture.
At the start of every initiative, the team should ask the question: In what ways will internal and external people and processes access and interact with systems and information to perform the activities and create the desired outcomes? The risk posture can be assessed by adopting the 5W1H methodology (Why, What, Where, When, Who, and How) to gather the information documented in the risk register and used to resolve risks.
Below are the sample details that can be maintained in this register:
Risk – Name of the risk, for example, customer data theft
Description – Passing unencrypted data in online transactions
Source – Could be a vulnerability, inter/intra dependency, or an exception, for example, customer data vulnerability
Business Impact – High, can impact brand
Business Scenario – Call center issues escalated to customer service managers for resolution
Location – South East Asia
Identified By – Who identified this vulnerability
Identified Date – The date this vulnerability was identified
Resolution – Accept the risk and encrypt the customer data as soon as it is captured
Approved By – Who approved the resolution
Approval Date – The date the resolution was approved
The risk register should guide the rest of the assessment, planning, and improvement process.
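As an added example that is not part of the original Blog, the register fields above can be kept as structured records so the Assess domain can check them for consistency and hand a prioritized gap list to the Plan domain. The 5W1H mapping, the source kinds, the impact scale, and all sample rows other than the first are assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# 5W1H to register fields (an assumed mapping, not the Blog's):
#   Why -> business_impact, business_scenario   What -> risk, description, source
#   Where -> location   When -> identified_date, approval_date
#   Who -> identified_by, approved_by           How -> resolution

IMPACT_RANK = {"High": 3, "Medium": 2, "Low": 1}                 # assumed impact scale
SOURCE_KINDS = {"vulnerability", "dependency", "exception"}     # from the Source field text


@dataclass
class RiskEntry:
    risk: str
    description: str
    source_kind: str
    source: str
    business_impact: str
    business_scenario: str
    location: str
    identified_by: str
    identified_date: date
    resolution: Optional[str] = None
    approved_by: Optional[str] = None
    approval_date: Optional[date] = None

    def is_resolved(self) -> bool:
        """A risk counts as resolved only once its resolution has been approved."""
        return bool(self.resolution and self.approved_by and self.approval_date)


def validate_entry(entry: RiskEntry) -> List[str]:
    """Return the consistency problems found in one register row (empty if clean)."""
    problems = []
    if entry.business_impact not in IMPACT_RANK:
        problems.append(f"{entry.risk}: unknown business impact {entry.business_impact!r}")
    if entry.source_kind not in SOURCE_KINDS:
        problems.append(f"{entry.risk}: unknown source kind {entry.source_kind!r}")
    if entry.resolution and not (entry.approved_by and entry.approval_date):
        problems.append(f"{entry.risk}: resolution recorded but not approved")
    if entry.approval_date and entry.approval_date < entry.identified_date:
        problems.append(f"{entry.risk}: approval date precedes identification date")
    return problems


def prioritized_gaps(register: List[RiskEntry]) -> List[str]:
    """Open risks ordered by impact, then oldest first: the gap list handed to Plan."""
    open_risks = [e for e in register if not e.is_resolved()]
    open_risks.sort(key=lambda e: (-IMPACT_RANK.get(e.business_impact, 0), e.identified_date))
    return [e.risk for e in open_risks]


def approval_lag_days(register: List[RiskEntry]) -> Dict[str, int]:
    """Days from identification to approved resolution, a lagging KPI per resolved risk."""
    return {e.risk: (e.approval_date - e.identified_date).days
            for e in register if e.is_resolved()}


# Constructed sample register: the first row mirrors the Blog's example values,
# the remaining rows and all dates and names are made up for this illustration.
SAMPLE_REGISTER = [
    RiskEntry("customer data theft", "Passing unencrypted data in online transactions",
              "vulnerability", "customer data vulnerability", "High",
              "Call center issues escalated to customer service managers for resolution",
              "South East Asia", "security analyst (constructed)", date(2018, 3, 1),
              "Accept the risk and encrypt the customer data as soon as it is captured",
              "CISO (constructed)", date(2018, 3, 15)),
    RiskEntry("delayed access provisioning", "Joiners wait days for role-based access",
              "dependency", "HR to IAM hand-off", "Medium",
              "New hires work from shared accounts while waiting", "Europe",
              "IAM lead (constructed)", date(2018, 2, 10)),
    RiskEntry("legacy vendor VPN", "Exception granted for unmanaged vendor endpoints",
              "exception", "third-party access exception", "High",
              "Vendor support sessions", "North America",
              "risk officer (constructed)", date(2018, 4, 2),
              resolution="Replace with brokered remote access"),   # proposed, not approved
]


if __name__ == "__main__":
    for entry in SAMPLE_REGISTER:
        for problem in validate_entry(entry):
            print("register problem:", problem)
    print("prioritized gaps:", prioritized_gaps(SAMPLE_REGISTER))
    print("approval lag (days):", approval_lag_days(SAMPLE_REGISTER))
```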
Assess: As-Is Environment
Understand the controls in place for securing business operations. These controls cover all compliance measures, policies, and processes in place for managing secured authentication, provisioning, access controls, and authorization management for all types of business operations.
Understand the documentation available for these controls. Understand the governance in place for managing the life cycle of such controls. Determine the mix of decision makers cross-functionally represented in the governance committee. Determine the capabilities in place to manage the as-is environment.
All the items described above can be stored as a body of knowledge in the CAMP platform. The as-is environment is dynamic and changes on an ongoing basis. CAMP can be leveraged for keeping the as-is environment current by maintaining it on an ongoing basis. This would enable iterations for Assess-Plan-Improve-Manage and not make this a one-time effort.
Goals and Objectives
The secured business operations’ goals and objectives are defined in the business engagement model, secured business model, and operating model. Here, in the management model, the goals and objectives of the drivers for change, input into the Assess process domain, are understood.
These goals and objectives are assessed and the security aspects required are aligned with secured business operations goals and objectives. This alignment is done based on understanding the success factors defined by the business and the existing key performance indicators in use.
Based on the understanding of goals and objectives, risk posture, and the as-is environment details, the future-state environment is visualized. Conduct the detailed analysis to determine the gaps in the existing capabilities and as-is environment to achieve the visualized future state. Determine the gaps in the key performance indicators for achieving the success factors.
Once the outcome of the Assess process domain, which includes the business case, prioritized gaps, and the future-state success factors with KPIs, is produced and finalized, the Plan for achieving and sustaining secured business operations is produced. This plan includes evaluation of the existing portfolio and prioritization of gaps to determine the new projects and programs required to mitigate these gaps, and a roadmap is developed to sequence those projects and programs.
Plan Process Domain Practices
The Plan process is mainly to develop a design-level plan for the capabilities and changes identified during the assessment process. The assessment outcomes are planned to optimize the improvement efforts. The figure provides the high-level view of the inputs, practices, and outputs during the planning phase of the end-to-end continuous improvement process.
As success without a plan is not possible, planning security is not a new topic for companies. The question is what is being planned and by whom. The mandate mostly comes from the office of the Chief Information Security Officer, who reports to the CIO. Are those mandates aligning with business objectives?
Are there measurements in place ensuring business success from growth, profitability, and/or a productivity gains perspective? Are such plans ensuring the security of business operations?
How and who from business resources are involved in making such plans? Are these plans documented and audited? Business is changing constantly, so who is responsible for the life-cycle management of these plans?
The point we are making here is that for achieving and maintaining the security of business operations, top-down business alignment is a must, and tight collaboration between IT and cross-functional business functions is required.
If the overall mission of the company is to achieve and sustain secured business operations, the planning must include all aspects of the business and technology involved. The following practices are key for creating a detailed plan for achieving the stated goals and objectives for secured business operations.
Most organizations jump to the technology solution as soon as a problem or a requirement is identified and approved. Most of us have seen the statistics suggesting over 70% of the projects fail to deliver on the promise. The real issue is in creating the sustainable value by the capabilities enabled by these projects. To generate sustainable value from the new capabilities, before defining the technology solution, focus on architecting the capabilities.
Capabilities describe what business wants to do safely and securely whereas solutions describe how capabilities are enabled at any given time. One can’t really identify, let alone design, the right solution without first developing the capability architecture. The architecture scope depends upon the organizational scope and dependencies identified in the assessment phase.
Follow the enterprise architecture approach to architect the enhancements required in the existing capabilities and/or to develop the new capabilities by aligning business architecture with technology architecture.
The CAMP platform central repository can be leveraged to maintain these capabilities and their associated architecture details. This allows capability architecture details to be maintained and enhanced iteratively, which in turn allows tracking of the maturity level of capabilities and measuring results against the desired success factors.
Architecting capabilities includes the following outcomes:
Enterprise architecture details for enhancements to existing capabilities and for new capabilities.
Identification of business and IT services required to offer these capabilities.
Identification of projects and programs to develop these capabilities and services.
Developing high-level plan details in the form of a roadmap developed for identified projects and programs, based on the architecture interdependencies and the priority of gaps.
Let us understand the details of these outcomes. Contrary to the common misconception about enterprise architecture, the outcome produced is not just a technology solution; it covers business architecture and conceptual technical architecture, ensuring alignment between them.
The business architecture includes business skill sets required, organization structure changes required, if any, and high-level business requirements to eliminate the gaps through enhanced or new identified capabilities. The architecture maps the business requirements to capabilities, and the conceptual technical architecture provides the functionalities required to meet the business requirements for eliminating the gaps.
The identification of business and IT services is an expected outcome, but it is not generally produced; we recommend doing so. Business and IT are increasingly focused on becoming lean in managing their operations, and shared services are the answer for that, both from the demand and the supply perspective: the demand in the form of business services and the supply in the form of IT services.
The identified project, programs, and plan costs are estimated at a high level to ensure the costs estimated to generate the business case during the Assess process still hold true. Otherwise, a corrective appropriate action should be taken to architect the capabilities within the estimated costs. Using these outcomes, ensure design details are developed for achieving the business success that can be measured based on the key performance indicators.
We all recognize that technology is only part of the solution, yet most solution development methodologies are centered on technologies. A good risk management or security solution may be better served by improvement in processes rather than the implementation of a new technology solution. The outcomes from architecture capabilities practice are used to develop the following:
Logical architecture details for the enhancements to the existing capabilities and for new capabilities.
Shared IT services design by consolidating business services requirements.
Validation of the identified projects and programs with scope details for capabilities and services.
Actionable refined plan details for validated projects and programs.
The business logical architecture covers identification of the processes required for mitigating the gaps, the number of resources required, the business organizations they belong to, and the associated cost details. The technical logical architecture covers identification of the functionalities required to meet business process needs, the number of technical resources required, the IT organizations they belong to, and the associated cost details.
The shared IT services design covers the identification of existing IT services and the additional services required, mapped to the IT services needed to meet business service requirements. Based on the scope identification for the different projects and programs, the final projects and programs are identified with associated scope details.
These projects and programs could be for business, for IT, or combined for execution together by business and IT team members. The cost details are calculated for each project and program. Based on all these scope, cost, and design details, a feasible, actionable plan is developed for executing the changes and improving the existing environment to achieve the future-state environment.
This is all part of designing the solutions required for achieving and sustaining the security of business operations. We suggest that designing solutions produce a solution architecture that should be organized into the following dimensions:
Services architecture, providing the outward-facing view of the solution in the form of business and technology services and their building blocks.
Information architecture, addressing data ownership, classification, sharing, integration, and life-cycle management.
Security architecture, incorporating appropriate controls, procedures, and measures for secured business operations.
Technology architecture, analyzing the technology options, and developing the implementation pattern for the selected option.
Operations architecture, addressing the ongoing operational characteristics, for example, monitoring, business continuity, performance, and support. The logical next step is to ensure relative key performance indicators (KPIs) are defined for the success factors identified in the business case.
Key performance indicators are required to measure the effectiveness of the secured business operations in contributing to the success factors identified in the business case. What does effectiveness mean here?
Business operations are comprised of business processes; business applications or services that execute business processes; technical components or services enabling those business applications or services; and the supporting technical infrastructure. People with relevant business and technical skills execute these business operations and generate business information and business value.
The goal is to secure these business operations and be able to measure the effectiveness. Why do we need to make business operations secure? We need to protect these from the following:
viruses, malware, spyware, and other such intrusive elements;
unwanted access;
violations of segregation of duties;
delays in granting the right access at the right time.
The above reasons all look important, but the effectiveness will be determined based on whether securing the business operations enables achieving the business goals and objectives or not. The business-related key performance indicators are defined during the business planning. The ones that are defined under this secured management model are to measure the effectiveness of improvements made in securing business operations.
They have a narrow focus on the drivers for change and identify areas for improvement. Still, these KPIs need to be in alignment with the already defined business KPIs. With the detailed understanding and design of capabilities and solutions, the end-to-end value flow map can be created. The value flow map ensures alignment of KPIs and capabilities.
Organizations may have the capability to measure and monitor lagging indicators, that is, the KPIs that are impacted only after a process has executed, for example, revenue, inventory, cash flow, etc. Organizations find it difficult to measure and monitor leading indicators, that is, the KPIs which provide insight into the future and enable us to course-correct the process toward the desired outcome.
Instrument these leading KPIs into the solution so that they are collected and predictively monitored. We have dedicated Blog 6 to Security Effectiveness, where we further explain the associated key performance indicators.
The execution plan is not for just creating new capabilities or enhancing existing capabilities for achieving and maintaining the desired security resilience for your company, but also for ensuring proper adoption and transition into operations of new and enhanced capabilities.
A capability for change management means that the organization has the relevant skills to help project/program teams create and execute change management plans. The project management office can offer a template and resources for creating and executing the change management plan. Still, this template needs to be tailored to the needs of the specific project/program.
The main thing to remember is that in the scope of a change management plan, there should be a focus on the following two areas:
1. Increasing the adoption of new/enhanced capabilities,
2. Smooth transition of new/enhanced capabilities into secured business operations.
The change management plan needs to be part of the project plan and it should not be stand alone. The new or enhanced capabilities or services are developed and deployed as part of a project. Their adoption and transition into operations must be the responsibility of a project manager who is accountable for the project.
To summarize, under Plan process domain collectively, the following outcomes are generated with the help of its four management practices to architect capabilities, design solutions, define KPIs, and create change management plan:
Future-state architecture and design,
Identified project and program including change management plan details,
Finalized roadmap with an actionable plan.
Every project makes decisions. The decisions may involve choosing a technology or an architecture approach, changing the priorities and scope of capabilities planned, or assuming things that may have an impact on the organization beyond the project.
These decisions must be aligned with the overall enterprise governance principles, standards, and policies. Define and design the capabilities and solutions aligned with the organizational governance framework. Justify exceptions.
These planning practices produce the desired capability and solution architecture, a project plan with cost estimates and change management, and an updated roadmap incorporating new learnings, decisions, and dependencies. These outcomes are executed with the help of the Improve process domain that we will be explaining next.
Improve Process Domain Practices
The Improve process domain is about implementing what has been planned for improving the current state to the next state of capabilities. The figure provides the high-level view of the inputs, practices, and outputs during the improvement or implementation phase of the end-to-end continuous improvement process.
We assume most organizations have project management and solution delivery disciplines. So, let’s focus on practices that can help produce better outcomes from these disciplines, particularly in the context of securing information in business operations. We would like the following key principles added and enforced in development and deployment methods, regardless of organizational scope and nature of the solution:
Secured by design, that is, ensuring every choice is reviewed and selected as the best fit for achieving the stated goals and objectives, and does not introduce unacceptable barriers to innovation for the organization.
Connected by design, that is, no solution can stay in isolation; therefore, even if there are no explicit requirements for interoperability and integration, the solution should not create constraints or unnecessary complexity for enabling collaborative processes.
Value by design, that is, any trade-offs during solution development should be mindful of the value promised and expected.
Operations ready by design, that is, whatever is deployed, whether process or technology, is supportable, scalable, maintainable, recoverable, upgradable, and measurable.
The following practices are key for developing and deploying capabilities and solutions with the above design principles for achieving the stated goals and objectives for secured business operations.
Improve Build and Validate Solutions
Whether developing a process or a technology solution, we always have choices in how we build and deploy. Add objective, measurable criteria for evaluating options and selecting the best fit, balancing current and anticipated needs with the by-design principles, organizational constraints, and governance.
Strong project management organizations are needed that can create, manage, and execute a portfolio of programs and projects for building and validating the solutions designed and architected using the Plan management practices. Once the solutions are built and validated, they need to be offered in a way the business can consume easily. For consumption, the next important step is to transition these new/enhanced capabilities and services into operations.
Transition into Operations
In addition to the functional capabilities, there may be a need to manage information produced or consumed by new capabilities for secure operations. The last mile is as important as the first mile. Anticipate what needs to be implemented to manage ongoing operations of the capabilities and solutions and implement them as part of the deployment.
The goal is to improve the security of business operations. That is possible only if the new/enhanced security capabilities and services can be transitioned into operations. The project plan should cover how to transition these solutions into operations. This may require adding resources with the skill sets required to operate them.
The next step is to ensure the business has visibility of the new/enhanced capabilities and services and can leverage them for securing the business operations. The change management plan is important for making that happen.
Execute Change Plan
Value is created or realized from new capabilities when individuals change their behavior. Even if the solution automates or eliminates activities, people may continue to perform them.
Adopting a change is difficult, as it requires stepping out of the comfort zone. Adoption is critical for the success of the project and for achieving the desired outcomes. Execute the change plan developed during the planning phase. This may require appropriate training to increase awareness and readiness, establishing a community of practice, and monitoring use and experience.
Ensure KPIs Are Measurable
The key performance indicators are effective when they can be measured. The business process and supporting data need to be available for the measurements. During the Plan phase, when the key performance indicators are defined, the plan must include identified measurements along with the requirements for measuring.
The solution must include the required process elements and automation ensuring these measurements can be enabled. Based on the improvements made, the future-state environment is transitioned into operations by producing the following outputs:
Desired capabilities and services,
Operational and KPI monitoring.
The new and enhanced capabilities and services are for creating the future state envisioned based on the architecting capabilities management practice in the Plan process domain.
The purpose of the future-state environment is to make the organization ready for enhancing the security capabilities and services offered to secure all business operations. In addition, the operational and KPI monitoring enables the sustainability of the security of the business operations.
Manage Process Domain Practices
The cycle does not end when the solution is transitioned into operations. From the business perspective, it has just begun. During the management process, the organization starts realizing the return on the investment.
Once the capability is achieved, like a secured business operation, there is a need to sustain it. Sustainability requires ongoing monitoring and nurturing of the solutions and capabilities in place, detecting areas of improvements for continuing relevance, and sensing a change in business for the next round of opportunities and value.
Most organizations have been investing in service operations for quite some time, with varying degrees of maturity in service monitoring, life-cycle management, and portfolio management. At the same time, many organizations lack effective business process management and value management, resulting in lower than expected benefit realization, a high cost of risk management, and increased complexity in maintaining secured business operations.
Rather than refocusing on what organizations might have, we share and emphasize key practices that organizations need to sustain secured business operations and realize value. The following steps or practices are key for managing and sustaining capabilities and solutions for expected risk resilience and business value.
To secure business operations, the capabilities or services available need to be managed by both business and IT. Remember, the business needs to define the operational requirements for security policies, procedures, and business services. Based on these, IT will offer the corresponding operational policies, procedures, and IT services for the systems.
The operational practices need to cover end-to-end life-cycle management of related capabilities and services. When a new capability or service is put in use, there are business expectations to generate value from it and that value is expected to increase with time.
The figure shows the value curve during the life cycle of any capability/service. As the value starts decreasing, there is a need to enhance the capability/service functionality to optimize the value curve. The other three management practices under Manage, "Measure KPIs," "Identify Improvements," and "Develop Action Plan," are leveraged to measure the value generated and to identify and make the enhancements required for optimizing the value curve of any operational capability and/or service.
The key performance indicators are defined in the Plan phase and ensured to be measurable in the Improve phase. These KPI measurements show the value generated. It is important to measure these KPIs regularly. Without measurements, it is not possible to know whether the operational solutions are still valuable.
As the life-cycle management value curve in the figure shows, after reaching the peak value, the value generated by the same solutions degrades.
That does not mean that a capability or service has gone bad; rather, it means the business conditions have changed and the same capability or service is not as effective in the current business conditions. That leads to the need to identify improvements in the existing solutions.
Without measurements, it is not possible to know or predict the effectiveness of the processes and solutions implemented, their ongoing value to the organization, or when is the right time to retire, replace, or refresh the solutions.
With measurement data, machine learning, and predictive algorithms, organizations can develop predictive models and improve both strategic and operational planning of security and other capabilities.
The business goal is always to generate maximum value from the solutions used to manage the business operations. These solutions are offered in the form of capabilities and/or services. During the life cycle of any capability or service, when the KPIs show that the target measurements are not being achieved, improvement opportunities need to be identified.
The figure shows a pictorial view of when to focus on improvements for reestablishing target value generation from each capability and/or service. Improvement opportunities can be identified even from the beginning of deploying a capability or a service in production operations. However, the real need to apply improvements arises only after the target value expected to be generated is no longer achievable. The other reason is continual improvement to increase value generation.
The other source for considering improvements in existing capabilities and/or services is when a new driver for a change is identified by business. The identification of improvements is critical, but we all understand that without deploying these improvements, it is a futile exercise. The next logical step is to conduct strategic planning to develop an action plan for deploying these identified improvements.
Develop an Action Plan
The implementation of identified improvements is a critical step to improve value generation. The implementation is a costly affair. There are always many capabilities and/or services in the portfolio of security capabilities and/or services that would need deployment of identified improvements. The budgets are always limited.
This creates the need to prioritize the list of capabilities and/or services as part of strategic planning to develop the action plan. This prioritization must not be based purely on financial reasons. The main criterion for prioritizing must always be the business damage from not implementing the identified improvements and missing the targeted business value expected.
Once the priority is finalized for each capability or service in this list, the action plan needs to be developed for implementing the improvements. The Improve: Build and Validate Solutions management practice is leveraged to execute the developed action plan.
Based on the outputs generated by the Manage process domain, the existing capabilities maturity level may need adjustments to address the new vulnerabilities identified in the new drivers for change and to identify improvement areas.
The opportunities for improvements are strategically prioritized in the action plan for further assessment and analysis. The opportunities are evaluated and prioritized for all things business cares about, such as cost, risk, time to deliver, business growth, cash flow, competitiveness, and customer equity. The strategic action plan is developed for the prioritized list of capabilities.
Measuring effectiveness is fundamental for driving adoption and progress toward goals. Customer-centricity is a prerequisite for defining effectiveness.
Current State of Measures
Considering that Information Security is, at best, a governance topic in the boardroom and the accountability is assigned to the IT department, the metrics for measuring security effectiveness, if any, are IT-centric and operational in nature in most organizations. Many of these metrics can be categorized into the following:
1. Process-based measures, for example, how many or what percentage of assets are regularly patched with the latest software updates, or how many intrusion or service denial attempts are detected per month. IT has processes for managing and monitoring infrastructure security. The related metrics communicate the organizational coverage and performance of these processes.
2. Fear and compliance measures, that is, the number of audit findings, penalties, or a fear or risk thermometer. Organizations where compliance is a prerequisite to be in the business have control metrics for monitoring and ensuring compliance. These metrics tend to be a count of required practices, procedures, and policies. Typically, these metrics are used to confirm the existence of the compliance controls, rather than to measure the effectiveness of these controls.
Security capabilities and investments are primarily justified based on fear. External news and events create a fear of potential financial and nonfinancial damage, causing management to respond.
Similarly, many other people, particularly in technology groups, consider every vulnerability a risk that must be avoided or eliminated. Certain fears or vulnerabilities are addressed depending upon how loud they are and who is impacted. Fear and risk can be great motivators for analysis and actions, but they are not sufficient to monitor and measure the effectiveness of security practices.
The above measurement practices are a reflection of how security capabilities are planned and managed, and who in the organization is responsible for or concerned about them.
How do we know what is working? How do we know what must be done? How do we know how effective the remedy or solution is? These questions require additional measures to understand, estimate, and monitor the effectiveness of any security improvements in the organization.
To make sure we are measuring the right thing, we first need to define what we mean by the term effectiveness. When is something effective? We consider an innovation in medicine to be effective when it eradicates the disease it was targeting.
We view our sales strategy or actions to be successful and effective when we acquire new customers without losing money in the process. We accept and adopt a solution that makes us more productive without any friction or extra effort.
Can we say that over $100 billion spent on IT security is effective when cyber attacks continue to cost businesses over $400 billion a year? Do we consider a security control effective if it does not allow employees to work remotely?
Is a solution acceptable and effective when it is too expensive to afford? Based on the analysis of patterns of effective and noneffective actions, we propose the following definition:
Something is effective when it allows achieving an objective or an outcome at an acceptable cost.
An objective or outcome is associated with an operational or strategic goal of anyone in the organization. It can be financial, risk, performance, skill, process improvement, product innovation, or anything else of value. We also live in the world of constraints. We may be able to achieve an objective, but it may come at a very high cost.
Effectiveness is like a two-sided coin. For a solution or intervention to be effective, it must enable the desired outcome at a cost the organization can afford. We recognize that people are driven by their own needs. In an organization, individual needs must be aligned with or within the context of the organizational objectives.
What Is An Organization Trying to Achieve?
Every organization or business, regardless of industry, profit/nonprofit, or public/private sector is on the mission to achieve the following:
Continuously innovate the business or organization.
Run the business efficiently and predictably.
Drive the business equity in its brand and culture.
Keep the business viable and relevant to its constituents.
No organization can stand still and survive on the past successes. Organizations need to continuously innovate products, services, and processes for growth, new business models, digital transformation, or driving customer-centricity. At the same time, organizations cannot ignore what keeps the organization working every day.
Everyday activities need to be operationally predictable, efficient, productive, and governance compliant. In addition to being innovative and operationally excellent, organizations are also interested in continuously building their equity.
Equity provides the sustaining power and organizational ability to transform. Anything that improves profitability, builds the brand, creates the desired culture, drives customer confidence, and avoids unnecessary risk will support the equity objectives. The figure lists high-level, broad organizational objectives.
As we walk down the organizational structure, these objectives should become the outcomes of various decisions and activities performed at each level of the organization.
Anything and everything anyone is doing in an organization must be aligned and in support of one of these objectives. One side of the effectiveness coin represents producing the desired outcomes as stated or implied by the above objectives.
The other side of the effectiveness coin is about the cost of realizing the outcome. So, anything and everything anyone is doing to produce the desired outcome must be at a cost that the organization can afford.
What Is An Acceptable Cost for the Organization
To know whether the cost of a capability, operation, or solution is acceptable or not, we need to first define what we consider a cost. The figure outlines the key cost elements addressing the direct and indirect costs of acquiring, maintaining, and using a capability.
The cost of performance includes the cost of implementing, maintaining, and ensuring availability of the capability, process or solution, and underlying dependencies. This is the cost of performing the capability.
The cost of time includes people’s time in delivering, responding, dealing with any interruption or disruption, and managing the capability. Some organizations may consider this cost as a soft cost or indirect cost.
The opportunity cost represents the missed opportunities in using the investments for some other purpose. With a finite amount of available time and money, to gain something, something else must be sacrificed. To fully comprehend the total cost of a capability, it must include the impact on the organization from missed opportunities due to the resources consumed by the capability in question.
What Is Effective
Just like buyers see value differently, the measure and magnitude of effectiveness can be different for various stakeholders. Business managers, business users, IT management, customers, and suppliers may expect different outcomes and may accept different costs.
Therefore, effectiveness must be understood and communicated in the context of a stakeholder. Individual objectives of various stakeholders, although aligned with the organizational objectives as in the figure, are specific to their scope of work.
The stakeholders will consider a capability, process, or solution to be effective only if it supports their objectives at the cost they can afford. As much as individual stakeholders are driven by their needs, the person or team responsible for delivering new capabilities must account for the needs of all key stakeholders for overall effectiveness from the organizational perspective.
Later in the Blog, we introduce a value flow map for connecting objectives, KPIs, and capabilities across stakeholders for understanding, communicating, and ensuring effectiveness.
Why Are Security Efforts Perceived as Not Effective or Too Expensive
It would be wrong to suggest that security measures are not effective. Most security measures are put in place to avoid incidents. When security practices detect and remove spam and malware before they reach their destination, thwart unauthorized attempts to access sensitive information, or ensure all devices are up to date in protecting from viruses, they are achieving the desired objectives of avoiding downtime, leakage of proprietary information, and a public relations headache.
Like a product warranty, consumers or users don't think about product quality as long as the product continues to work. The day there is an issue with the product, they question its quality.
Similarly, when most of the security efforts are about avoidance, stakeholders may not think of the value of those efforts. They question the cost of these efforts when something harmful gets through the door. A flu vaccine does not guarantee that a person will not get the flu, but it does reduce the odds, and in most cases succeeds in avoiding the flu.
Preventive and recovery security efforts may be working but may not be visible to people to realize their effectiveness.
At the same time, there are certain practices that may be creating the perception that security efforts are not effective or too expensive, for example:
Overengineering the process or solution.
Engineering minds tend to drive for perfection. Security is one area where it is very hard to reach perfection. Even if possible, achieving 100% prevention may be too expensive. At some point, engineering prevention may cost more than recovery efforts.
Risk mitigation is the only objective.
No doubt, fear and risk are the primary drivers for safety and security. Security efforts are perceived as less effective when they take a risk-averse posture rather than being risk aware. We tell people to take measured risk to achieve bigger rewards. Security is no different. Some risks should be accepted as they are manageable.
Trusting prevention and underinvesting in recovery capabilities.
Of course, prevention is better than cure, but at what cost? In most cases, IT is driven by technology solutions, hence the bias toward implementing preventive solutions. Depending on the total cost of the solution, and the frequency and likelihood of the incidents, it may be prudent to implement appropriate processes and controls for enabling quick detection and recovery.
Measuring and communicating activities, not necessarily the outcomes.
In many cases, security-related metrics are focused on operational activities, such as incident detection, mean time to fix, patch latency, and people awareness and training on security policies. These metrics are good for the people performing or responsible for the underlying activities; however, they are not enough for the people who are positively impacted by these activities.
If people are left to their own interpretation and justification, most likely they will miss the significance of the metrics to their own activities. Therefore, it is important to relate how improvements in one's activities help improve stakeholders' activities and their outcomes. Use the value flow map.
Perceived value and effectiveness of security efforts is like an interpretation of a half-filled glass. Whether you look at the glass half full or half empty, business/IT leaders and security professionals need to do a better job in ensuring security efforts are measured and managed for effectiveness in terms of enabling organizational objectives at an acceptable cost.
Principles of Security Effectiveness
Defining, measuring, and communicating security effectiveness is not an art and is not subjective. It simply requires a disciplined approach to identify who the customers are, what they care about, and how security capabilities can help them achieve what they want at the cost they can afford. To make it practical and repeatable, we have defined three by-design principles for security effectiveness, leveraging the framework we have described in previous Blogs.
The three by-design principles are the following:
1. Start with what and why, not how.
We all like to solve problems. It is easy to focus and get caught up in the design of the solution. Before we start thinking about how we are going to solve the problem, we should have a clear understanding who the stakeholders are, what metric they are managing or would like to see improve, and what capabilities will enable them.
This helps formulate the overall picture with dependencies and value for appropriate and effective solution selection. Value flow mapping is a visualization technique for building the roadmap from solution to stakeholder’s value. See the next section for details.
2. Do the right things with a customer and business mindset.
Many times, the solution or process designs are not effective because of assumptions and ignorance. We assume stakeholders do not want to take risk.
We ignore other non-security drivers. Recognizing everyone in the organization has internal or external customers and works toward an organizational mission, to be effective, everyone must put themselves in their customer’s shoes and take a holistic view of the customers.
How do we know and plan what we don’t know? We have discussed the Secured Business Operations (SBO) framework. Use the framework to understand, align, and plan security capabilities based on organizational and stakeholders’ objectives.
3. Don't just measure what did or didn't happen. Measure the change in capabilities and outcomes.
Knowing what happened or didn’t happen is important for any root-cause analysis or immediate impact of an action. It is critical that we measure change.
New value is created only when there is a change in actions. Measure change in your actions, in your customers' actions, and, to be extremely effective, in the actions of your customers' customers. Measuring across three degrees of separation provides insight into the extent and quality of alignment and effectiveness.
In addition, capability maturity levels are excellent indicators of competency and competitiveness. Use the maturity models included in the framework discussed in this Blog.
These principles are interrelated and interdependent. The body of knowledge in the Secured Business Operations framework can help build the initial value flow map. The value flow map is used to define the desired state and success factors, and guide the priorities and design options. The following sections in this Blog provide further insight and guidance in driving and ensuring the effectiveness of security efforts.
Becoming Effective with Value Flow Map
To be effective in clapping, that is, to be loud and clap longer, we need both hands. In an organization to be effective in producing the desired outcomes, it requires many hands. Resources, activities, and information must be competent, connected, and coordinated for creating outcomes. When an outcome leads to the next outcome, and so on, we have an effective organizational value flow map.
There are three distinct components in the value flow map, addressing why, what and how.
1. Detect and influence the upstream outcomes. These outcomes are generally stated in the form of financial or operational measures. These measures represent the destinations.
2. Articulate both upstream enabling capabilities and their own capabilities. These capabilities represent what is needed, that is, the competency in producing the desired outcomes.
3. Identify underpinning solutions or practices required to improve individual or organizational capabilities. These solutions and practices represent how the organization will build the competency, that is, the ingredients for getting there.
To be predictive in ensuring effectiveness and proactive in communicating value, the value flow map for any organizational, functional, or solution scope must include all three components. The figure provides an example of a value flow map for security-related capabilities.
On one hand, depending upon the point of view, the value flow map can be traveled in either direction. On the other hand, building the map is not always linear. As it is about learning, alignment, and ensuring flow, it takes a number of iterations to build the map.
At the top or far left of the map are strategic and financial measures. These are the outcomes that the organization and management leadership are seeking. To reach strategic or financial outcomes, many times improvements in operational measures are required. Therefore, we identify enabling operational measures on the map.
The other half of the map defines what and how we could achieve the desired outcomes. The capabilities are the organizational, business, or functional activities required to achieve and maintain operational, financial, or strategic measures.
Innovative solutions or practices such as new technologies, new methods, new skills, and new thinking help organizations improve, automate, eliminate, or transform day-to-day activities. In isolation, every solution may be right and worthy of investment.
In terms of being relevant and effective, there must be a clear line of sight between measures and solutions. In the value flow map, it is accomplished through capabilities. Once the various organizational measures, enabling capabilities, and solution options are plotted on the map, they are connected to create and communicate the road map to value. Figure 6-4 highlights a road map to value using a value flow map.
A clear path to value from solution to capabilities to measures, or the other way around, allows everyone in the organization to make the right decisions and avoid chasing shiny objects.
When developing a value flow map, people generally ask, what should be the granularity of measures, capabilities, and solution characteristics? Our typical response is to go wide and deep until you have what you need to know to make an informed decision. The higher the unknowns and complexity, the greater the effort required in developing the value flow map.
If you have customers, internal or external, you can use a value flow map for your services to clearly understand what your customers want to accomplish and how your services can help them. If you are dependent on others, you can use a value flow map to define the requirements and to ensure your suppliers are providing the solution you need. You are effective when value is flowing across the map.
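The value flow map is described above as a set of measures, capabilities, and solutions connected so that every solution has a clear line of sight to an outcome. The following Python code is an added illustration, not part of the original Blog or of the Secured Business Operations framework: it models a map as a small directed graph, checks that value flows only toward measures, lists solutions with no line of sight (the "shiny objects" warned about above), and counts the degrees of separation between a solution and an outward measure as discussed under "Key Measures for Security Effectiveness." The node names and the sample map are constructed for the example.

```python
"""Value flow map as a directed graph: solutions -> capabilities -> measures.

Added example, not the Blog's figure. Node names, kinds and edges below are
constructed for illustration only.
"""
from collections import deque
from typing import Dict, List, Optional, Tuple

# The three components of the map: how (solutions), what (capabilities),
# why (measures). Value must flow from how toward why.
SOLUTION, CAPABILITY, MEASURE = "solution", "capability", "measure"
FLOW_ORDER = {SOLUTION: 0, CAPABILITY: 1, MEASURE: 2}

# Constructed sample map: node -> (kind, nodes it enables).
# A measure with no successors is a terminal (strategic/financial) outcome.
SAMPLE_MAP: Dict[str, Tuple[str, List[str]]] = {
    # how: solutions and practices
    "automated patching":          (SOLUTION, ["patch management"]),
    "security awareness training": (SOLUTION, ["phishing resistance"]),
    "tested backup/restore":       (SOLUTION, ["rapid recovery"]),
    "threat intel feed":           (SOLUTION, []),  # not linked to any capability
    # what: capabilities
    "patch management":            (CAPABILITY, ["incidents avoided"]),
    "phishing resistance":         (CAPABILITY, ["incidents avoided"]),
    "rapid recovery":              (CAPABILITY, ["downtime per quarter"]),
    # why: operational measures feeding a strategic/financial one
    "incidents avoided":           (MEASURE, ["downtime per quarter"]),
    "downtime per quarter":        (MEASURE, ["operating margin"]),
    "operating margin":            (MEASURE, []),
}


def validate(vfm: Dict[str, Tuple[str, List[str]]]) -> List[str]:
    """Return a list of problems: dangling edges or edges flowing backwards."""
    problems = []
    for node, (kind, enables) in vfm.items():
        for nxt in enables:
            if nxt not in vfm:
                problems.append(f"{node} -> {nxt}: unknown node")
            elif FLOW_ORDER[vfm[nxt][0]] < FLOW_ORDER[kind]:
                problems.append(f"{node} -> {nxt}: value must flow toward measures")
    return problems


def paths_to_outcomes(vfm: Dict[str, Tuple[str, List[str]]], start: str) -> List[List[str]]:
    """All paths from `start` to a terminal measure (depth-first, cycle-safe)."""
    found: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        kind, enables = vfm[node]
        if kind == MEASURE and not enables:
            found.append(path)
            return
        for nxt in enables:
            if nxt not in path:  # guard against cycles in a malformed map
                walk(nxt, path + [nxt])

    walk(start, [start])
    return found


def has_line_of_sight(vfm: Dict[str, Tuple[str, List[str]]], solution: str) -> bool:
    """A solution is relevant only if it reaches a measure through a capability."""
    return any(
        any(vfm[n][0] == CAPABILITY for n in path)
        for path in paths_to_outcomes(vfm, solution)
    )


def orphan_solutions(vfm: Dict[str, Tuple[str, List[str]]]) -> List[str]:
    """Solutions with no line of sight to an outcome: candidates to drop or re-map."""
    return sorted(
        node for node, (kind, _) in vfm.items()
        if kind == SOLUTION and not has_line_of_sight(vfm, node)
    )


def degrees_of_separation(vfm: Dict[str, Tuple[str, List[str]]],
                          start: str, target: str) -> Optional[int]:
    """Shortest hop count from `start` to `target` (BFS); None if unreachable."""
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == target:
            return dist
        for nxt in vfm[node][1]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


if __name__ == "__main__":
    print("problems:", validate(SAMPLE_MAP))
    print("orphans:", orphan_solutions(SAMPLE_MAP))
    for path in paths_to_outcomes(SAMPLE_MAP, "automated patching"):
        print(" -> ".join(path))
    print(degrees_of_separation(SAMPLE_MAP, "automated patching", "operating margin"))
```

Reading the output top-down gives the "why" view a business leader wants; reading a path bottom-up gives the solution owner the line of sight to justify the investment. A solution reported as an orphan is exactly the case the text describes as chasing shiny objects, and a large hop count between a solution and an outward measure is a hint that inward, leading indicators are needed while the lagging outcome matures.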
Doing Right with Business Mindset
A great warranty does not compensate for bad utility. For a product to be useful, it must be fit for its purpose. For it to be effective, it must be useful and available when needed. In the security domain, because of fear, most professionals are risk-averse, that is, they tend to have a mindset of risk avoidance.
No doubt, the risks that can be avoided must be avoided. At the same time, at best, we can only avoid the risks we know. From the business or customer point of view, it is about having a product that meets their needs with an appropriate operational warranty.
The warranty means that the product works as expected most of the time, and in case something does go wrong, there are procedures in place to recover quickly and safely. It would be a waste of money to buy flood insurance in a non-flood zone.
A B2B manufacturing organization has a different risk profile than a consumer or financial institution. It won’t make sense to implement the same policies and solutions in both types of organizations. So, to be effective, security planning needs to be contextual.
There are two ways to become business aware in security capability planning. The conventional way is by asking people in the business. It relies on the assumption that people know what they need and why. In most cases, what they know and plan is based on the past and present issues. People can only plan what they know.
Therefore, the conventional approach tends to lead to break-fix or incremental improvements. In the age of crowdsourcing and predictive modeling, there is another approach that uses knowledge models to determine where an organization needs to be and what it will take to get there, and then consults with stakeholders to align, prioritize, and plan.
The knowledge-based approach allows us to not assume, but anticipate business needs. With that understanding, we can be effective both in the short and long-term in designing and delivering capabilities. In other words, we are managing risk, not avoiding risk.
In previous Blogs, we introduced the framework for secured business operations. It starts with the business engagement model. Rather than taking the extreme view by avoiding every possible security risk, business and security professionals can identify the right security risk posture and required resilience level by understanding the extent of interaction the organization has with people and processes inside and outside the organization.
Regardless of the scope of the initiative, project, or solution, any security planning and governance can only be productive and effective when the business engagement model is known. Use the business engagement model to determine what kind of business you are today and what you want it to be. The engagement model drives the maturity in underlying business and operational capabilities.
The framework includes a well-organized body of knowledge in the form of capability maturity models, enabling practices, dependencies, and KPIs for assessing and planning business and operational-level capabilities. Leverage these models to quickly learn, anticipate, and assess what business might need and what capabilities are already in place. Share the model and assessment with stakeholders for further alignment, prioritization, and planning.
People are risk averse because of fear of the unknowns. The models help convert unknowns into knowns, thereby enabling people to become risk aware. Addressing business needs while managing security risk is the answer to be effective.
Measuring Change and Outcomes
Change is a leading indicator of value. If you are a solution provider in the value flow map, the change enabled by the solution is the change in capabilities. Therefore, if you want to assess how your efforts or solutions are or might be creating value, monitor the change in business activities caused by adopting the solution.
If you are performing a business activity, upstream change will be the change in business outcomes. So, to know how effective the business activities or capabilities are, measure and monitor the expected outcomes.
The value flow map provides the continuum from solution to capabilities to outcomes. The value contribution or effectiveness can be measured and articulated by tracing the flow map.
Key Measures for Security Effectiveness
Ultimately, the security practices are effective when they produce the expected outcomes for the stakeholders. Therefore, the ultimate measures for effectiveness are the outward measures, that is, the performance measures of the stakeholders.
Typically, the outward measures have two or more degrees of separation from where security practices are performed. It is not always easy, and it may take some time, to see the impact of security practices in these outward measures.
Therefore, we must have inward measures or leading indicators, measuring the extent and performance of the security practices and their impact on the immediate customers or users of these practices.
The above table is not an exhaustive list of measures. The framework for secured business operations includes relevant KPIs for specific capabilities in the secured business model and secured operating model. The value flow map discussed earlier in this Blog is an effective way of identifying relevant measures for the organization and measuring them.
Measure to Manage
In previous Blogs, we shared the framework and body of knowledge for planning, designing, and managing secured business operations. In this Blog, we discussed how organizations, particularly security professionals, can articulate and measure the effectiveness of capabilities and practices, thus avoiding overengineering or barriers to business innovation.
The framework, with a clear set of measures, enables the organization to achieve and sustain secured business operations while continuously transforming the organization to meet customer expectations. In the next and final Blog, we share use cases and approaches for making it real for your organization.
What Have We Learned?
Seamless connectivity, personalized products, and services, real-time collaboration and transactions, automation, predictive insight and actions, use of public or shared infrastructure – these are some of the transformations many organizations are exploiting or exploring to be competitive, productive, and responsive.
No doubt, these transformations are making organizations open and easy to do business with. These transformations are also making organizations more vulnerable and exposed to information thefts and cybercrime threats.
If the security efforts in your organization are not producing the desired results or are increasingly becoming cost prohibitive, something must change in the way the organization plans and manages security capabilities.
Security is a business issue, not only a technology issue.
Therefore, business management can’t afford to delegate planning and risk management to technology teams. Whenever there is a security breach or incident, it becomes a business issue and priority. So, why does business management take a passive approach for planning and managing information security?
Just like quality and safety, information security can’t be achieved just with better technology. It is an organizational capability and therefore it must be planned and managed along with other business capabilities.
Fear and compliance are not the way to address, plan, and fund security capabilities. It is understandable that compliance may be a prerequisite for the business. Compliance requirements exist for a reason. Addressing the underlying reasons should be the driver for planning security capabilities.
The organization will not only achieve compliance but also create an empowered, security-aware culture. Addressing the compliance requirements without focusing on the underlying reasons will only ensure a forced and compliant mindset.
The planning based on fear of the unknown generally results in overengineering or overspending – we either stop thinking rationally or end up spending an unreasonable amount of money on something. A better understanding of risk, impact, holistic view of the required capabilities, and solution options reduce the degree of unknowns and the magnitude of the fear. Use the capability models and value flow maps to translate unknowns into knowns and fund the right capabilities and solutions.
Security is a competitive advantage, not just a cost of doing business.
Something is a competitive advantage if it is difficult for the competition to imitate. Something is required for competitive parity when others have or can acquire that capability. The industry is spending lots of money with an average return on investment at best. Most business leaders are concerned about the security capabilities and cost.
This means it has not been easy for organizations to achieve and sustain secured business operations with the level of investment they have made. The organizations that have been able to advance maturity in organizational capabilities, such as quality, seamless ecosystem, service orientation, digital, and others, have created and sustained competitive differentiation.
Security is one of the elusive organizational capabilities that everyone wants, but only a few have been able to realize in alignment with the level of their business operating model. Current practices in security planning and management continue to promote security as a cost of doing business.
We believe the framework for secured business operations, discussed in previous Blogs, provides organizations the knowledge and tools necessary for embedding security in their operations and offerings for a sustainable competitive advantage.
In many cases, processes are more effective than technologies in preventing and recovering from incidents.
One cannot achieve high quality or safety just by acquiring better tools, machinery, or instructions. In many cases, it also requires improvement in processes and skills. In fact, we have learned that many times, processes are more effective, less costly, and less disruptive than using technologies to solve a business problem.
Security is no different. Organizations can’t afford to manage security risk with one tool, that is, technologies. Organizations may reduce the number of incidents with the use of technologies, but when an incident does happen, it is the processes and people skills that allow organizations to avoid customer distrust and negative publicity.
Therefore, any capacity planning must take a holistic view of people, process, information, and technologies, to determine the appropriate and effective approach to address risk. The capability assessment using the secured business model and secured operating model exposes the gap and opportunity in leveraging people and processes for improving security posture.
Avoid over- or underinvesting by aligning investments to business engagement level.
Security is not a “one size fits all” solution. Information risk is proportional to the type and level of access and interactions outside the organization’s direct control, that is, the extent of business engagement with customers, partners, and employees.
The organization that is open for business by providing remote access to its employees and sharing information in real time with customers and partners is going to be more vulnerable than the organization that does not provide remote access.
The scope and investment in security capabilities must be consistent with the risk level carried by the organization based on its business engagement model. If an organization doesn’t know its engagement level, most likely, it is either overinvesting or underinvesting in security capabilities.
The business engagement model articulates four distinct types of engagements or interactions, starting with a self-contained organization with no outside access and collaboration to a digital organization.
Assess and manage capabilities for achieving and sustaining secured business operations.
Security is not something you implement and forget. With continuous change in business, people, information, technologies, customer expectations, or relationships, organizations cannot just deploy a solution, implement a process, or establish a policy and expect to mitigate the risks forever. Did you ever notice that military leaders always talk about capabilities to accomplish the mission? They don’t start the conversation with processes, ammunition, fighter jets, etc.
They are focused on acquiring and maintaining the capability to fight any mission now and in the future. They understand the dependencies and make sure they have what is needed to sustain the capability.
We propose the same mindset and approach to achieving and sustaining the mission of secured business operations. We also recognize that people can only plan what they know. Therefore, we created a body of knowledge and capability management framework for secured business operations.
Embed security in every role, process and project planning, by design.
Just like customer-centricity, quality, or cost-efficiency, security must be planned and planted in every other planning and design activity. Without a security-conscious culture, risk management is too expensive and porous to be effective and sustainable.
Organizations can start by asking a few simple questions during planning, approval, and oversight activities to make sure the teams are considering the security implications of whatever they are doing or proposing.
For example, if the role, process, or project changes the way or the extent of interactions with other people and processes, we need to ask how we are preventing unauthorized access to sensitive information and how we are protecting that information.
The model provides the structure and steps for incorporating security assurance through the assess-plan-improve-manage phases of any initiative or change execution. In every planning and design effort, people have choices. Organizations can avoid rework and avoidable risk by ensuring that people are making the right choices with security in mind.
Measure effectiveness, not just operational or process metrics
Activity-based measurements are primarily good at measuring process efficiency and operations, such as the time and effort involved, the number of people trained, or the number of viruses detected. These measures are required but not sufficient to comprehend the overall effectiveness and value of security-related activities and solutions.
Security efforts should not be just about prevention and protection; they should also enable business innovation and transformation. Clearly articulating, measuring, and communicating the effectiveness of security capabilities requires identifying and measuring up-stream activities and outcomes. On the flip side, the same measures can also help in identifying and prioritizing the required security capabilities.
What Has Been Done
The framework for secured business operations is the result of many years of direct work with various organizations across industries and sectors, and the observations on success and challenges with many existing practices. Looking back, we can summarize our journey in three steps.
1. Building the various aspects of the framework as we were delivering the engagements.
2. Formalizing the body of knowledge with a value management platform and applying the framework as designed.
3. Sharing the framework.
Although there have been variations in the starting point and roadmap for driving security capabilities and culture, broadly speaking, the use cases can be categorized into three areas.
1. Using the body of knowledge in the framework, for example, the business engagement model and capability maturity models, to enhance existing methods and templates for better outcomes.
2. Performing portfolio assessment and planning in support of organization initiatives, such as mergers and acquisitions, digital transformation, leveraging cloud services, and strategic or budget planning.
3. Driving and ensuring appropriate risk posture and security governance in business and IT projects.
The following four use cases show how organizations started addressing the challenges and opportunities at the time. All these organizations understood and expected the broader change in the way they think, plan, and manage security capabilities. They also realized that it would take multiple years as they worked on initiatives and opportunities over time across the organization.
1. A technology manufacturing global Fortune 500 company, improving the security posture of its products, services, and operations.
2. One of the top health-care services providers in the United States, expanding its operations globally.
3. A national service provider with an extensive partner network, going through a merger with another service provider.
4. A hospital network with distributed facilities, evaluating and planning information and infrastructure services for improving cost, care, and communication.
Technology Manufacturing Company Open for Business
The company has been using an Internet commerce platform with its customers, partners, and suppliers. The company was growing through mergers and acquisitions. As the commerce platform was becoming central to the business strategy and operations, the organization was challenged with scalability, adaptability, and information security.
In spite of the commerce platform being critical to the business, like most technology-based issues, the problem and therefore the solution were originally left to the technology teams to address. The bottom-up approach led to plugging gaps and adding infrastructure resources. No one was satisfied with the outcomes. The organization decided to take a top-down approach, establishing it as a business-driven initiative with cross-functional leadership sponsorship and support.
Using the business engagement model, it was quickly determined and agreed by the leadership team that the organization wants to be a connected business (level 4) with the eventual goal to be a digital business (level 5).
The current practices and solution were operating at level 3, that is, designed for business-to-business operations. Knowing the engagement level, management started asking what was needed to get there. It was no longer a technology issue. The functional, operational, and risk resilience capabilities had to support the organization in being a connected business.
Recognizing that the organization needed to be at level 4 in the capability model, at a minimum, the key stakeholders across business functions such as manufacturing, sales and marketing, customer service, legal, HR, finance, and IT were surveyed to determine organizational priorities, focusing on the five Ps: the Prevent, Protect, Policy, Profile, and People aspects of the secured business model. A risk register and 3-year roadmap were developed, initially focusing on the capabilities needed for the internal workforce.
Identity and access management (IAM) was one of the first rounds of operational capabilities to be further analyzed and developed. Using the IAM capability maturity model from the secured operating model, the current and target states were defined, and the underlying dependencies and practices were identified. A project plan was developed, addressing the required capabilities and dependencies.
As the program progressed through the phases, additional capabilities such as policy management, role management, and resource management were addressed.
Overall, it took over three years to address the people, process, policy, platform, and performance capabilities for secure, scalable, and flexible business operations. The top-down planning and iterative execution ensured alignment and value delivery.
Since then, the organization has added security as a track in every project and as part of governance, ensuring every delivered product and service is designed for secured business operations.
Leading Health-Care Provider Expanding Globally
A leading U.S.-based health-care provider wanted to extend its reach by collaborating with other providers and research organizations around the world. It also wanted to make sure patient privacy was preserved and regulatory requirements such as HIPAA and PCI were met while it communicated and connected with other organizations.
The organization conducted a holistic assessment of business and technical capabilities needed to support the collaborative yet secured environment. The top-down, process capability assessment focused on business needs, business operations, and security risks. The bottom-up, technical capability assessment evaluated the current state of various management, operational, and infrastructure practices and technology solutions. The assessment included identification of the following:
1. Outdated network infrastructure elements, unsuitable to manage cybersecurity threats.
2. Web-based applications with insufficient security architecture.
3. Policies and procedures for end-to-end access control and life-cycle management.
The organization used components of the secured business operations framework to assess the current state and, more importantly, to establish a target state and develop a multiyear roadmap.
A Service Provider Merging with Another Service Provider
A membership-based consumer service provider has been expanding its member base through value-add information services and the acquisition of other service providers. In the past, as in most M&A, the portfolio rationalization and consolidation activities were primarily focused on application and infrastructure technologies. Information security capabilities were not considered during the portfolio rationalization, resulting in many surprises and unnecessary remediation costs.
The organization decided to improve its due diligence and portfolio rationalization process by including security assessment of the business and IT processes, and technology portfolio. It used the maturity model of twenty-one capabilities in the secured operating model to assess the organizational and operational capabilities of the acquired organization.
Using the five Ps of the secured business model, it developed criteria for assessing the security posture of each application under consideration for rationalization. The enhanced approach has given the organization a better understanding of the respective strengths and weaknesses of their security capabilities. The organization is able to make informed decisions to prioritize and plan based on cost, risk, and value, and to avoid budget surprises.