BPM in Action Blog


October 11, 2007

BPM Back to Basics: Minimizing Risk and Maximizing Security (Part the First)

Well. It’s been a while. Hope you’re well – you look great!

Anyway, sorry it’s been a while since you’ve heard from me…unless you’re not, in which case, never mind. A new job, several conferences, blah, blah, blah. And now, back to business.

As I’d been ranting previously, best practices argue strongly for starting from a sound set of first principles with BPM – making sure everything’s working, fixing what’s not, trying to figure out what people are actually doing, those sorts of things. The goal is to reach a Nirvana-like state of continuous improvement, but before that can happen, some incredibly important first principles and best practices should be focused on the twin challenges of risk and security.

(At many enterprises I’ve seen, these are taken together with issues related to regulatory compliance, forging what I have called, and heard called, the “three-headed monster” of compliance, governance, and risk (CGR) management. However, since many of you likely work at enterprises where compliance and governance are not (yet) as immediately pressing as risk and security management, I will focus here on those two issues.)

It used to be that where IT and, to some extent, business security were concerned, the primary goal was to “keep the bad guys out.” Today, the most consistently bedeviling security challenges are from internal users, many of them authorized and legitimate. Many a virus has been introduced into a company by a legit user bringing in something they got from one of their kids, who got it at school or from YouTube or Facebook – something that turns out to be a carrier of a virus or some other malware.

So security policies and practices must be implemented and/or enhanced to address this reality, while still striving to forestall threats from without. In some cases, companies implement solutions that prohibit the loading of any and all external media onto the network, or that automatically quarantine such introductions for inspection and validation. If there is insufficient budget and/or bandwidth to explore, select, and deploy such solutions where you work, it’s still a good idea to implement and enforce policies that discourage such introductions among authorized users.

This is only part of the larger security/risk management picture, however. A bigger, more important, and trickier part is getting users to understand and accept that these are issues that matter to them, and that they can play a major role in addressing them effectively. More on this soonest!

Posted by mdortch
