
The Value Stream of Security

A Value Stream is a collection of processes that are designed to achieve a result for an internal or external customer.

A White Paper Published by Sage Conversations

Executive Overview
We all have roles inside our organizations. Our roles are joined with other roles inside a process. Processes are designed to produce outcomes. They usually have steps or activities that are triggered by inputs or outputs. We call these processes Value Streams [1].

What is a Value Stream? The term has been around for a while in business process disciplines. Generically, a Value Stream is a collection of processes that are designed to achieve a result for an internal or external customer. It contains everything that supports the Value Stream steps, including:

- The organization
- The organization's ecosystem of suppliers, partners and employees
- The people who are defined by roles in a process
- The process itself
- The technology or tools that the people and processes use to accomplish their tasks
- The campus, facility, or environment in which they operate
- The communication platforms and cultural mores of the organization [2]
- The standards expressed through people, processes and tools that provide context, metrics and governance to the processes

A Value Stream must have executive direction and focus at a leadership and functional management level. The future of the organization depends on this, so alignment is essential to the eventual outcomes that determine that success. A Value Stream assessment, therefore, is strategically oriented. The objectives are tied to those of the organization. These, in turn, affect long-term business strategies, practices and outcomes.

As we overlay the Value Stream approach on the way in which risk and security are typically conducted inside an organization, we see tremendous opportunity to address the key issues facing CIOs, CSOs and CFOs. We are also creating an opportunity for a collaborative environment and an opportunity to find value in shared services.

- Budget Pressures: with 70% or more of their budgets applied to keeping the lights on
- Risk Pressures: mounting risks with less money to address or mitigate them
- Value Pressures: the pressure by the operating groups to see security as more of a value contributor

[1] The Society of Manufacturing Engineers helps define this term on their website:
[2] Word English Dictionary: Mores represent the customs and conventions embodying the fundamental values of a group or society

Copyright February 2012 The Sage Group All Rights Reserved.

The inefficiencies that may be addressed for cost reduction as well as for the generation of value with and through the organization's functional groups, such as Human Resources, Supply Chain, Research and Development or Information Technology, become evident through a Value Stream analysis. An understanding of the essential processes and critical dependencies between these operating groups allows a resilient organization to weather business interruption (continuity) and crises more effectively by seamlessly switching to critical functionality when the circumstances warrant it. With that said, let's walk through some of the key steps in the Value Stream for security.

Risk and Resilience

Risk and resilience includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. Depending on the goals of the company and the sponsoring executive's intent, this can involve identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.

This can also be described as a risk-based approach to managing an enterprise, integrating concepts of internal control, the Sarbanes-Oxley Act, and strategic planning. This is evolving to address the needs of various stakeholders who want to understand the broad spectrum of risks facing complex organizations to ensure they are appropriately managed. Regulators and debt rating agencies have increased their scrutiny of the risk management processes of companies.

The outcome from this approach uncovers critical information needed to drive appropriate response as well as the appropriate roles (identities) inside and outside the organization that need access to that information.

Information, Intelligence, and Response

One way to think about a Value Stream for information within an organization is to think of it as a cascading waterfall moving from data aggregation derived from process outputs, devices, software, databases, human and other organizational assets. This data must then be synthesized and organized through forms so that it can be consumed as information. Information must be organized into classification structures to be easily searched and found. Analytics must be applied within the context of time, metrics, and comparative sources to create the opportunity to drive intelligence. Intelligence drives strategic and tactical responses.

As well, the proper definition and management of Identity is critical; it is the linkage between information and intelligence and performance baselines and optimization. The outcome from this drives an appropriate organizational methodology and information technology architecture: the Response. It can drive efficiencies after an appropriate business process model is designed.

Performance Baseline and Optimization

To be able to understand how to extend the capabilities of your people, process or tools (technology), you must first understand how they are performing individually and together. You need to understand the current performance baseline. A review of the technology architecture in a risk context, its alignment with IT goals and metrics, and its ability to enable the mission of the risk and security organization must be understood. Efficiency programs can be implemented once the core processes and technology contributions are understood (Secure and Optimize the Core). From there, extending the core to drive the next level of value through a predictive and systematic approach in the context of the organization's operational goals can be achieved (Strategic, Financial, Operational). This results in a Strategic Roadmap that can be communicated throughout the organization as well as to its strategic service and product vendors.

Design, Build, Implement and Maintain

Once a roadmap is in place, teams can be provisioned which can drive the design and building of the solutions that have been prioritized. This must be delivered through a process methodology and standards-based approach that started at the beginning of the Value Stream.

Operate, Improve and Innovate

Following the Value Stream with a deliberate collaborative team approach allows for the appropriate roles, processes, metrics and analytics that will create a true Continuous Quality and Compliance Improvement (CQCI) organization that leverages, manages and measures the balance between risk and opportunity.

The Next Generation Integrator Scorecard

To implement this requires a new definition of integration. As well, the ability to assess service providers against that definition will be necessary. We believe the Next Generation Integrator has the following attributes:

1. An Understanding of and a Competency within the Value Stream
2. Collaborative Subject Matter Experts (SME) that can impact the value at each stage
3. A Methodology for Managing the Value Stream Process with and through the SMEs
4. A Methodology for Managing the Strategic Roadmap
5. A Methodology for Driving the Data Waterfall to Strategic Advantage


About the Author

Ron Worman
After 30 years designing, managing and executing highly successful business models for startups as well as Fortune 1000 companies, Worman founded The Sage Group in 2002. Leading the development of the Path to Value methodology that would be the signature of The Sage Group's identity, Worman has delivered highly predictive strategies and outcomes to executives and their teams ever since. Within the security market, Worman has helped design and implement collaborative platforms between customers, consultants, integrators and technology vendors that have increased their ability to generate value and mitigate risk across their Value Stream.

About the Contributors to this Great Conversation

William Plante, ASP
Plante has been involved with risk and security as an owner, consultant and senior executive. At Intuit, a leading software vendor in the consumer and small business owner market, Plante drove the development and execution of Intuit's Small Business Division and Information Technology Business Continuity programs. This included business resumption planning, incident management, and information technology disaster recovery. Today, Plante is the executive leading a global professional services discipline inside Aronson Security Group (ASG) that includes the development of internal and external teams that drive Value Stream outcomes for organizations around the world.

Jeffrey A. Slotnick, PSP, CPP

Slotnick is a highly regarded security consultant, with more than 28 years of experience specializing in Organizational Resilience Management and Homeland Security. Peer recognized as one of the critical architects in the Homeland Security Enterprise, he is responsible for some of the latest advancements in All Hazards Disaster Resilience, Organizational Resilience Management, and Standards Development. He has founded two companies: Setracon, Inc, a risk and resilience training company, and OR3M, a security information management product and services company.
