Ken J. DiStefano, PMP

A Process Mindset - A Foundation for Information Security

Situation

The Sarbanes-Oxley Act gives increased visibility and importance to the processes that financial organizations need to develop, roll out and institutionalize to avoid future economic and corporate fiascoes. However, most people do not understand process. An organization will save time and money by giving its employees a foundation in process thinking (a process mindset) before rolling out what is required for Sarbanes-Oxley, Basel II, HIPAA, etc. compliance.

Action Plan

1. Obtain Visible Support from Executive Management
If an organization uses a process mindset as it goes about producing the necessary processes and controls for information security compliance, the work will go along relatively smoothly and those needing to follow the processes will be more apt to do so.
For some organizations a culture shift will be required. For others (those already using process), something less formal will do. But in all cases, visible and regular support must start at the executive level - CEO, CIO, CSO (Chief Security Officer).
All executives need to be visible and vocal supporters of process and controls.

2. Communications
Communications to ensure a pervasive process mindset throughout the organization include opportunities for dialog as well as information dissemination. These may include: Town halls (formal), Roundtables (informal), Open door (one on one).
The organization must know that information security is serious business and that compliance with the processes supporting information security is very important. This compliance needs to be a component of performance reviews and bonus determinants. Frequent, visible rewards should also be provided for compliance and for suggested improvements. The rewards can be simple, but they need to be regular.

3. Measurements and reporting results
A huge boost to following process and to process thinking is an indication that things are getting better. This reinforces belief in the concept. To obtain this indication, basic metrics on process compliance (and improvements) must be collected. Process roll-out and measurement of process compliance and improvement must go hand in hand. Metrics can actually be a wonderful internal competitive enhancer and add a bit of fun along the way. Once defined and collected, the display, posting and reporting of results by department (or division) can certainly provide an outlet for creativity and, hopefully, celebration.

4. Improvements via a Process Improvement Process
In order to ensure rapid, broad acceptance by the organization, it is very important to include a process improvement process. It is this process that captures feedback for needed clarification, efficiencies, and reduction of errors.

As people use a process, ideas for better ways of accomplishing the tasks will begin to percolate. A process improvement process provides a documented way of submitting, evaluating, and either accepting or rejecting the suggested improvements. It is key that an organization have a process improvement process and provide real incentives for submitting improvements. For example, the “Process Improvement of the month” obtains theatre tickets and dinner for two.

Results

The Sarbanes-Oxley Act and other key regulatory influences provide an opportunity for organizations to gain substantial cost reductions, improve productivity, and significantly reduce risk.

Quality, effective processes are critical elements needed to meet these important regulations and compliance areas, as well as to ensure that organizations have the accurate and timely data needed for making key business decisions.

Adopting a process mindset and the resulting processes is straightforward. They ensure a proper foundation is set and eliminate the need to fix the same problem(s) and issue(s) over and over again.

People who understand the value and purpose of focused and effective processes (i.e. have a process mindset) will create a well-run business complete with the required checks and balances. Inherent in these organizations will be a foundation and culture poised to grow exponentially with the improved productivity, quality, and reduced chaos.
