BPM in Action Blog


January 31, 2007

BPM and Security: Inextricably Intertwined

So I've gotten my first spam blog comment, and it reminded me that I've been thinking a lot lately about the connections between BPM and security. In a lot of ways, security is one of the most process-intensive IT-related areas in an enterprise. After all, there are processes, both implicit and explicit, for identifying, then authorizing or denying access to everything in the IT infrastructure, for everyone who tries to gain access.

Another BPM-security connection: both must be woven tightly into IT infrastructures, to be as pervasive and ubiquitous as necessary to provide enterprise-wide coverage. In addition, each needs to be non-disruptive to the point of invisibility.

Of course, security includes many important elements and "moving parts," not all of which are equally well managed by clearly defined and comprehensively enforced processes and policies. For example, spam is a threat to enterprise security, or at least to worker productivity. However, as my ebizQ colleague and "blog buddy" Elizabeth Book wrote a few days ago, truly effective enterprise-wide spam and malware management is, to say the least, a process-intensive set of challenges. Ditto for other security-related issues such as identity and access management (IAM) and network access control (NAC). Add in the triple threats of compliance, governance, and risk, and security becomes even more critical and challenging – as do the processes that define and enable it.

So, how best to address and perhaps take advantage of the various things that connect BPM to security? Here are a few high-level ideas and suggestions.

1. Assess current security practices and solutions for their effectiveness and pervasiveness.
2. Where successful security practices and solutions are identified, ensure that the processes used to define, deploy, and govern those practices and solutions are clearly defined and well documented.
3. Use these as elemental templates and models for other processes, in security and in other business and technology areas.
4. Ensure that all BPM efforts and supporting information are themselves adequately protected from IT and business threats.

Every BPM initiative should include comprehensive and detailed security features. In addition, every security initiative should be based on consistent, enforceable, and well documented processes which are aligned with those that support other critical IT-enabled business initiatives.

Everyone involved in BPM should forge a good working relationship with the chief security officer, chief risk officer, or equivalent person in their enterprise. Good security requires good processes, and good BPM requires good security.

For more, check out "Best Practices for IT Infrastructure Management and Business Alignment," "Managing and Measuring Security in the Enterprise," "The Business Drivers Behind IT Initiatives," and "Top 10 Tips to Minimize Risk" in the RFG section of the ebizQ Analyst Corner. And for goodness' sake, if you don't already, subscribe to the ebizQ weekly security update. And please let me know how BPM and security are aligned – or not – at your enterprise or your customers' sites.

Posted by mdortch
