beyondprocess

Why it is still difficult to measure the effectiveness of your information security function

20/3/2019

This month I attended the ‘e-Crime and Cyber Security Congress’ in London. Apart from enjoying the company of many distinguished cyber security professionals and product vendors, I came away with a fresh view on what business leaders expect from this community. Faced with increased cyber threats and pressure from regulators, customers and investors, company boards look for clear answers to questions like:

  • Are we doing enough to protect ourselves against a growing threat of cybercrime?
  • What are our competitors doing, in terms of strategy, building capability and related investments in cybersecurity?
  • What threats have been thwarted, and can we demonstrate that our (cyber) risk is within an agreed appetite?
 
Many organisations have an array of security tools, ranging from anti-malware and encryption software to more sophisticated intrusion detection, vulnerability scanning, and security information and event management (SIEM) solutions. It has historically been difficult for the average risk manager, let alone business executives, to aggregate performance data for a cyber function. With a wide variety of (reporting) tools, security or risk leads have been hampered by an unwieldy set of data points that fail to address the more fundamental questions highlighted above. IT security functions are often ivory towers, and in turn they can be divided into control-oriented teams that each have their own take on indicators of compromise, risk assessments and reporting logic. It is easy to get lost in the idiosyncrasies of identity and access, network-based, application-based and platform/OS-based controls, each cross-referencing similar, but often not the same (normalised), data. This makes aggregation and effective risk reporting a huge challenge, especially in larger, globally operating companies.
 
For example, monthly vulnerability scans in data centres can detect missing patches on specific operating systems or infrastructure software. These patches could have addressed vulnerabilities picked up by earlier penetration tests, which in turn could have been correlated to one or more security incidents captured in a case management tool. Unless these findings are fed through a single analysis and reporting platform, the aggregation is more often than not impossible because of differing data descriptions and attributes, and different reporting lines or cycles.
 
This lack of governance and control consistency leads to unnecessary complexity in understanding security risk positions across the IT function and diminishes the value CSOs can offer to the wider business community and its Executive.
 
Vendors like Kenna, Gigamon, BlueCube and Digital Shadows have products that aim to streamline and harmonise cyber risk information, but they are also constrained by their own technology stack, APIs and platform choices that make up their ecosystems. Their solutions go a long way in addressing the executive reporting issue, but they will never be successful if there isn’t a top-down interlock of controls that drive a more strategic approach to executive security (risk) reporting. In essence, threat analysis, use cases or (in the cyber context) ‘misuse’ cases will drive the selection of security capabilities and investment with a view to being able to adequately respond to cyberattacks, inform the risk/audit function and the executive.
 
As some vendors highlighted in their presentations: there is an emerging requirement to be able to independently test, rate and benchmark security capabilities, as well as the security posture of an individual organisation. These trends may better support management with standards for assessments of capabilities in the longer term. It will also help efforts to standardise and improve performance reporting, using a more uniform classification of security threats and capabilities. Changes to an independently verified cybersecurity risk score of an organisation would be a welcome conversation starter in any company board room and would lead to a more focused debate around investment priorities for a CSO organisation.
 
Horizon watchers point to the exponential increase in exposure caused by the internet of things (IoT) and Artificial Intelligence (AI) applications. The supply chain risks of increased connectivity were demonstrated in an airport security case study: interconnected storage of sensitive documents distributed amongst airport contractors and business partners resulted in an astonishing number of security data breaches in the aviation industry, an industry widely believed to be on top of its security risks.
 
Returning to our three exam questions, it would be fair to state that there are tools in the market that can help the cyber professional assemble, assess and report relevant risk data to their stakeholders. But it requires a concerted effort from both security (risk) professionals and tool vendors to normalise and aggregate security risk data into a relevant set of Key Risk Indicators (KRIs), allowing senior management to make informed decisions about levels of protection and acceptable risk in their existing and future operating models.
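The normalisation and correlation problem described above (scanner, pentest and case-management data that use different field names, severity scales and date formats) can be made concrete in code. The following is an added example, not the post's or any vendor's code; the three tool exports, their field names and all values are constructed for illustration, and the three KRIs are assumptions about what a board might ask for.

```python
# Added example: normalise findings from three constructed tool exports into one
# schema, correlate them by (asset, CVE) and derive a small set of KRIs.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample exports. Each tool has its own field names, severity scale
# and date format, which is exactly what blocks aggregation in practice.
SCANNER_ROWS = [  # monthly vulnerability scan (constructed)
    {"Host": "db01", "CVE": "CVE-0000-0001", "Risk": "4", "FirstSeen": "2019-01-10"},
    {"Host": "web02", "CVE": "CVE-0000-0002", "Risk": "2", "FirstSeen": "2019-03-01"},
    {"Host": "web02", "CVE": "CVE-0000-0003", "Risk": "4", "FirstSeen": "2018-12-20"},
]
PENTEST_ROWS = [  # penetration test report (constructed)
    {"target": "DB01", "cve": "cve-0000-0001", "rating": "P1", "reported": "05/02/2019"},
    {"target": "WEB02", "cve": None, "rating": "P3", "reported": "06/02/2019"},
]
INCIDENT_ROWS = [  # case-management tool (constructed)
    {"asset": "db01", "related_cve": "CVE-0000-0001", "priority": "critical", "opened": "2019-02-20"},
]

# Scanner 1-4 scale and pentest P1-P4 scale mapped onto one four-level scale.
SEVERITY_MAP = {"1": "low", "2": "medium", "3": "high", "4": "critical",
                "p4": "low", "p3": "medium", "p2": "high", "p1": "critical"}

@dataclass(frozen=True)
class Finding:
    source: str          # "scanner" | "pentest" | "incident"
    asset: str           # lower-cased host name
    cve: Optional[str]   # upper-cased CVE id, or None when the tool gives none
    severity: str        # low | medium | high | critical
    first_seen: date

def _sev(raw: str) -> str:
    key = raw.lower()
    return SEVERITY_MAP.get(key, key)  # already-normalised words pass through

def _cve(raw: Optional[str]) -> Optional[str]:
    return raw.upper() if raw else None

def normalise() -> List[Finding]:
    """Translate every export into the common Finding schema."""
    out: List[Finding] = []
    for r in SCANNER_ROWS:
        out.append(Finding("scanner", r["Host"].lower(), _cve(r["CVE"]),
                           _sev(r["Risk"]), date.fromisoformat(r["FirstSeen"])))
    for r in PENTEST_ROWS:
        out.append(Finding("pentest", r["target"].lower(), _cve(r["cve"]), _sev(r["rating"]),
                           datetime.strptime(r["reported"], "%d/%m/%Y").date()))
    for r in INCIDENT_ROWS:
        out.append(Finding("incident", r["asset"].lower(), _cve(r["related_cve"]),
                           _sev(r["priority"]), date.fromisoformat(r["opened"])))
    return out

def correlate(findings: List[Finding]) -> Dict[Tuple[str, str], Set[str]]:
    """Map each (asset, CVE) pair to the set of tools that reported it."""
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for f in findings:
        if f.cve:  # findings without a CVE cannot be joined across tools
            seen[(f.asset, f.cve)].add(f.source)
    return dict(seen)

def kris(findings: List[Finding], as_of: date, sla_days: int = 30) -> Dict[str, int]:
    """Three assumed board-level KRIs derived from the normalised, correlated data."""
    pairs = correlate(findings)
    return {
        "scanner_high_or_critical_past_sla": sum(
            1 for f in findings if f.source == "scanner"
            and f.severity in ("high", "critical") and (as_of - f.first_seen).days > sla_days),
        "pentest_findings_also_seen_by_scanner": sum(
            1 for s in pairs.values() if {"pentest", "scanner"} <= s),
        "vulnerabilities_linked_to_incidents": sum(1 for s in pairs.values() if "incident" in s),
    }
```

The pentest finding without a CVE is deliberately left out of the correlation, which is the point: a KRI is only as good as the join key the tools share.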

Tale of Three Pizzas

8/11/2017

Bonfire Night: not the best time for ordering a pizza on the mobile. A good moment, though, for stress testing the apps of three competitors to see how they cope and whether the experience stands up to scrutiny.

I start with Papa Johns, as we liked the last order we placed with them. The app immediately senses I've visited before, so it forces me down the sign-on route. I forgot my password, so I try to circumvent the login screen and pick my order. I do like the fact that it pushes the discount options, and I see that I managed to clock up substantial savings. When checking out, the app forces me back to the login screen. I am not able to check out without a password: mission aborted.

Next attempt: PizzaExpress via Deliveroo. This is a complex one, as responsibility for ordering and delivery rests with Deliveroo, but the ability to fulfil rests with the pizza company. Deliveroo lets me order without friction until everything is checked out and paid for. Then, a few seconds later, the payment gets cancelled with a notice that the order was rejected. Surely a lack of capacity at Pizza Express should have been picked up earlier in the ordering process. This leaves me with a sense of deep frustration.

Third attempt: Dominos. They have the superior app in terms of ability to fulfil, but at no point am I prompted to use any of their discount promotions. I run out of time to login to their promotions separately so end up paying the full price for two large pizzas and some sides. All for the ridiculous amount of just under £50!

It goes to show that the CX maturity of mobile apps, and I suspect of many online ordering applications, is still fairly low. In summary, the following features make all the difference:

  1. Flexibility of sign-on, meaning a choice between logging in and ordering outside an account. The auto-login Deliveroo (and, I think, Dominos as well) provides is the answer, I believe, as your payments are protected anyway.
  2. Active prompting of discount codes when checking out is a great CX tool and makes me consider repeat orders.
  3. Order fulfilment is key: if you create an order online and get as far as making a payment, rejection should not be an option. Better integration of services between partners should root out this type of dealbreaker.

How could these pitfalls have been avoided? Surely the apps were piloted or tested in a way that would have identified these CX faux pas? I believe that the only app that understands the Customer Journey aspect of the mobile ordering process is the Deliveroo one. The fact that they were let down by their supplier, however, suggests that their offering is only as strong as their API with their own suppliers allows it to be. If the platform Deliveroo uses (challenged by the likes of Uber these days) becomes the food delivery channel of choice, it will likely put pressure on its suppliers, even market giants like Pizza Express, to become more attuned to the CX aspects of their mobile applications.


Guess what: we are all Service Designers!

20/10/2016

Photo: Rob van Katwijk

The introduction of Design Thinking in modern business and organisational theory has taken many boardrooms by storm over the past five years. No self-respecting company ignores the opportunity of putting customer experience and service innovation at the heart of its strategy.

For clarity: Service Design (SD) is any activity that takes customer or end user needs and expectations from concept to delivery and adoption of a service.

The field is broad, and there appears to be something in it for a wide range of professionals: marketeers, analysts, engineers, artists and anthropologists, to name a few. The richness in literature and case history can be both enthralling and daunting. So if you are confused about where to start or how to prepare for your own involvement in SD, here are some suggestions that worked for me and may help you navigate this relatively new area of study and practice:

1. Embrace the diversity and find your own bearings in Service Design before standardisation and codification deal the innovative aspects of SD a blow. SD combines a wealth of experience from industrial design to modern app development and does not easily let itself be confined to a straitjacket approach, but the threat of someone laying claim to 'best practice' is always around the corner.

2. Decide which strand of SD best suits your professional interest and ways of working. There is enough variety to meet your individual needs and expectations: strategy development, portfolio management, product development, CRM, social media, business transformation, contract law, event management, performance improvement, organisational design, etc.

3. Explore the tools and techniques that work best in your own environment and experiment before you solidify the various components. It is the experience (workshops, interviews, pilots, evaluation with customers) that lays the foundation of a successful SD approach, not necessarily the method or the tools you pick.

If you are looking for a good introduction and grounding in this rapidly evolving area, here is some recommended reading to get you off to a good start:

- Service Design for Business, http://liveworkstudio.com/sdforb/
- The Service Innovation Handbook, https://serviceinnovationhandbook.org/
- This is Service Design Thinking, http://thisisservicedesignthinking.com/
- Value Proposition Design, https://strategyzer.com/books/value-proposition-design

You will most certainly pick up a handful of good ideas or helpful insights from any of these well-researched publications. It is both rewarding and liberating when you move away from the more rigid frameworks that traditional business modelling and design approaches tend to offer.

Enjoy!


When Service Trumps Process

9/9/2016

Just adding the label 'process' to a series of work steps can be the kiss of death for many well-intended business activities. This is especially true when customers are on the receiving end of that activity. Processes work best in a confined operational environment, where codification and standardisation of work are essential for controlling inputs and maximising output. Less so in more fluid and open-ended business areas like strategy, marketing or customer service organisations. Any work environment that demands creativity, flexibility and agility is likely to suffer more from a process-based approach than it would benefit.

So how does that manifest itself in business? I argued in my previous blog post that customers would rather stay away from processes if they have a choice. They are more tuned into services that satisfy needs and expectations, presented in an enticing and compelling manner. They have greater flexibility when selecting channels (web, mobile apps) and delivery mechanisms (click-and-collect, packaging, presentation, etc.). Business users, who are consumers in the same omni-channel world, now expect similar forms of engagement from their suppliers and colleagues. They have experienced significant progress in the online world (better user interface, simple offering, ease of use, immediacy, portability) and therefore increasingly demand a similar experience in the workplace, void of redundancy and complexity. This spans the entire business lifecycle, from market research to serving customers.

My contention is that:
  • There is no place for process design in business planning and marketing, unless you deal with regulatory and finance functions: formal reporting and resource management systems still require the rigidity and audit trail that ERP and GRC systems offer;
  • There is little value in applying process modelling in product and service development, as advances in service design, agile development and prototyping provide better, more holistic and more flexible approaches to productivity; again, where regulatory compliance and oversight is necessary, more formal processes may be required;
  • Supply chain and manufacturing still lend themselves better to process-based approaches, as standardisation, consistency and a predictable quality of output are key to successful execution; however, where engagements with suppliers and customers are required, especially at the start (procurement) and end (fulfilment) of these cycles, there is more to be gained from a service design approach that addresses the varying needs and expectations of those stakeholders;
  • Post-sales and customer service activities should have a well-balanced mix of process and service design. The primacy, however, should be service orientation, supported by streamlined and lean processes. This is where outside-in thinking is particularly helpful: looking at your own operations from a key stakeholder perspective, asking how these stakeholders interact with the service and when and where value is created;
  • Other staff activities in organisations, such as HR, Finance, IT and Facilities, tend to lean towards a process-based approach as they focus on cost reduction more than revenue generation. In regulated industries, these functions experience more oversight and scrutiny, so processes are essential to be able to demonstrate compliance.
In summary, unless the purpose of your activity is cost control, standardisation of output, or satisfying a regulator, it is wise to challenge any initiative to develop business processes. Unchallenged, companies end up with a process infrastructure that fosters bureaucracy and stifles creativity and innovation.



In Pursuit of Value: Process, Service, Capability

24/6/2016

Critical in the analysis of business models in all their richness and diversity is the notion of value. In an ideal scenario, business leaders (or business analysts on their behalf) would want to demonstrate how value can be retained, improved and delivered to customers and stakeholders. Classical performance metrics like ROI or EBIT are reasonable indicators of performance and value within organisations, but they are largely based on rigid accounting views that favour company assets and past performance over more dynamic metrics reflecting customer engagement and innovation. There is a notable shift to new indicators of value, illustrated by company valuations that are no longer a reflection of current profitability but of the potential to provide sustained value to a large number of customers. Amazon, LinkedIn and Facebook are good examples in that respect.

Much has been written about the innovative character of these companies, but in the end most of their success and business value is based on three factors:
  1. What capabilities does a company bring together to deliver a unique product or service?
  2. How is that service created and delivered to end customers?
  3. How does the company exploit the customer experience and feedback to improve that service?
In that context it is insufficient to just think about how the business process is designed and used to deliver a service. It is important to understand how services are designed and delivered in a manner that maximises the impact on a customer or other business stakeholders.

At this point, people tend to get confused. Not long ago processes were all the rage; now it is about services. Are processes no longer required? And what else might be needed to ensure that not only the right services are delivered, but that a business learns from the way its customers interact with its service to achieve maximum value?

I recently created the diagram on the left to illustrate the relationship between three key concepts of a modern business architecture. This allowed me to work with a client on service design in what was largely a process-driven organisation. The key differentiator in this paradigm is that processes create value: they use the company assets or capabilities to enable services to deliver value to customers. Value only exists in the eyes of the beholder, so when designing a service much attention needs to be paid to the ability of an organisation to learn from customer feedback and the overall experience. Customers don't do process; in fact they have enough scars to prove that processes alone don't deliver the kind of experience these customers are after.

Retail banks create the illusion of security and compliance by relying on paper

7/1/2015

One of the barriers to the digitisation of banks and other financial institutions is their obsession with paper-based applications, mandates, correspondence and statements. You would have thought that in the age of online and mobile applications, front-to-back electronic processing, account management and archiving, the need for paper-based customer communication and account handling would become less of a feature. Developments in the US, Scandinavia and South-East Asia suggest that digitisation in retail banking is accelerating.

Not in the UK and in some of the bigger European countries. With few exceptions, British retail banks continue their love affair with paper-based banking as if there weren't an alternative. When I recently opened a new bank account, I was sent 12 pages of application forms. When, due to a clerical error, I was given an outdated form (for the record: only a week out of date), the only option I had was to reapply and fill in 99% of the same information on the slightly modified form before the application could be processed. Subsequently I have been sent at least 8 letters in the post and one of those cardboard welcome packs with at least 40 pages of marketing dribble.

One of the reasons I was given for this avalanche of paperwork was that many clients (young and old) prefer to keep a solid record of their financial affairs. Digging a bit deeper, I found that the operational departments of these banks have many risk and security policies that are served by paper records in case the regulator, law enforcement agencies or auditors demand evidence of compliance, something that can be hard to get out of systems due to rapidly ageing legacy IT platforms and insufficient reporting capabilities. Another argument I have heard is the need for a record of a client mandate with an original signature, which can be referenced when (significant) transactions are made.

This bank, and I won't mention the name, happens to be part of a banking group in the UK that prides itself on its innovative use of technology and omni-channel capabilities. Did they leave this brand operation in the last century in case their digital strategy backfired?

Whatever motivates these banks, there is growing evidence that:

  • Customers appreciate paper-based engagements with their financial institutions less and less, and this is not a generational issue;
  • Regulators, law enforcement agencies and auditors are looking for better ways to review compliance than having to rely on paper-based systems;
  • Despite known security issues, such as cyber attacks and fraud, the commercial and compliance risks do not outweigh the benefits of digitising retail bank operations with a modern omni-channel customer delivery capability.

I am going to watch with keen interest how these legacy banks will compete in the digital era and if they manage to survive the odds.

Author

Rob Rensman is a business architect and technology risk consultant with deep knowledge of business transformation, service design and target operating modelling. He writes his blogs in a personal capacity.
