BPM in Action Blog


October 12, 2007
BPM Back to Basics: Minimizing Risk and Maximizing Security (Part the Second)

When it comes to risk and security management for BPM and more broadly, users represent both the greatest allies and the largest potential problems. After all, if a business can convince its users that it’s in those users’ best interests to contribute to maximizing security and minimizing risk, everybody wins (except the bad guys.) But this is much easier said than done.

Of course, this is really yet another process problem. Said problem has historically been exacerbated by solutions and policies that come across more like “Big Brother” than like aids to greater user flexibility and productivity. However, users find themselves increasingly surrounded by and reliant upon technologies to do their jobs (and to live their lives outside of work). As this trend continues, they become more receptive to being engaged in the protection and security of the resources they use.

So, how best to take advantage of this? Well, some useful steps include informing users of the risks to which they can expose corporate intellectual property out of ignorance or lack of attention. (Remember the file your kid downloaded that I mentioned previously?) Another set of useful steps might focus on communicating regularly to users that protection of corporate information is in their own personal, selfish interests. When information isn’t at risk, it’s more available, accessible, and trustworthy, which makes those using it more productive.

It can also help tremendously if those responsible for managing and overseeing the processes affecting information protection and security communicate more regularly with users. Such communications can combine summaries of relevant external and internal news and events with specific recommendations and tips, all intended to increase user awareness. A weekly e-mail, periodic posts on the company intranet, sessions at company meetings – all of these present opportunities to “market” and “sell” information protection processes.

There is also a wide range of tools that can help address the security challenge. More to come…

Posted by mdortch

October 11, 2007
BPM Back to Basics: Minimizing Risk and Maximizing Security (Part the First)

Well. It’s been a while. Hope you’re well – you look great!

Anyway, sorry it’s been a while since you’ve heard from me…unless you’re not, in which case, never mind. A new job, several conferences, blah, blah, blah. And now, back to business.

As I’d been ranting previously, best practices argue strongly for starting from a sound set of first principles with BPM – making sure everything’s working, fixing what’s not, trying to figure out what people are actually doing, those sorts of things. The goal is to reach a Nirvana-like state of continuous improvement, but before that can happen, some incredibly important first principles and best practices should be focused on the twin challenges of risk and security.

(At many enterprises I’ve seen, these are taken together with issues related to regulatory compliance, forging what I have called, and heard called, the “three-headed monster” of compliance, governance, and risk (CGR) management. However, many of you likely work at enterprises where compliance and governance are not (yet) as immediately pressing as risk and security management, so I will focus here on those two issues.)

It used to be that where IT and, to some extent, business security were concerned, the primary goal was to “keep the bad guys out.” Today, the most consistently bedeviling security challenges are from internal users, many of them authorized and legitimate. Many a virus has been introduced into a company by a legit user bringing in something they got from one of their kids, who got it at school or from YouTube or Facebook – something that turns out to be a carrier of a virus or some other malware.

So security policies and practices must be implemented and/or enhanced to address this reality, as well as striving to forestall threats from without. In some cases, companies implement solutions that prohibit the loading of any and all external media into the network, or the automatic quarantining of such introductions for inspection and validation. If there is insufficient budget and/or bandwidth to explore, select, and deploy such solutions where you work, it’s still a good idea to implement and enforce policies that discourage such introductions among authorized users.

This is only part of the larger security/risk management picture, however. A bigger, more important, and trickier part is getting users to understand and accept that these are issues that matter to them, and that they can play major roles in addressing them effectively. More on this soonest!

Posted by mdortch

October 04, 2007
When Business Processes Fail: TJX and Wal-Mart Just Don’t Get It

Before I begin the current tirade, my abject apologies to everyone at ebizQ, especially all of you readers out there – all five of you – who’ve been wondering where I’ve been. (My even more abject apologies to those who didn’t even miss me, for returning.) Let’s just say settling into a new job is challenging and time-consuming, I promise it won’t happen again without more warning and faster recovery, and leave it at that. And now, back to business…processes, that is!

So The TJX Companies, owners of TJMaxx and Marshalls, among other retail chains, loses credit card information and other private data for thousands of customers. The company goes to court, and hammers out a settlement that basically offers gift certificates to victims of its failure in multiple business processes, notably those related to IT and intellectual property (IP) protection and security.

So in effect, in exchange for losing my personal data and forcing me to cancel and replace all of my credit and identity cards, I’m welcome to come back to the store with the new ones, and spend more of my time and money? If all of this happens again, am I officially permitted to stop referring to it as isolated incompetence, and to begin instead calling it a business practice?

Wal-Mart, meanwhile, has embarked on a campaign to reduce human-to-human customer interactions, according to reports on National Public Radio and elsewhere. The company has removed its former customer service number from its Web site, saying that answering the volume of calls it was receiving was getting too expensive.

So it’s too expensive to help those people who are unable or unwilling to go online, but who are able and/or willing to make their way down to a Wal-Mart store and spend time and money there. Next, Wal-Mart will be telling those same customers to stop using cash and checks, because those transactions cost too much to process.

Or, maybe both companies will come to their collective managerial senses, and realize that one can squeeze operational costs out of an environment in ways that create costs and risks elsewhere. Like the costs associated with reputational risk, when a retailer is seen as insensitive to the people it depends on for its revenues.

What can we learn? If you’re a business and/or IT decision-maker, don’t summarily change or remove something just because you decide it will make things work better, even if it will. Just because a change makes things work better doesn’t mean it will compel the people using those things to work better, not without clear communication with and inclusion of those affected.

Posted by mdortch
