Chapter 1: A bridge between...

Hello colleagues, This is Shayan on the Mic.

This is a the start of this work to capture my experiences and present them as best practises...The idea being that the final version will be the version that exists when I retire :)

Genuinely, I hope this body of work will help people on their journey to build lean, efficient and secure functions for their principles. For my fellow leaders in these fields, feel free to give me your invaluable thoughts on my path to continuous improvement.

Chapter 1 – Introduction.

For this chapter I am going to present a high-level journey into how People, Process and Technology must work as one service to effectively enable Business Demand to be met within the context of applicable security and governance controls.

My intention is to highlight how these disciplines collectively underpin the business ability to meet its Demand and when thought of and focused on as one, can assist the business to understand what levers it must pull to steer their business towards their key objectives.

Without further delay, let’s begin:

Phase 1: Business Demand to Technology Specification

First came people, who created demand.. then came people, who worked to meet that demand....and then the input from Business Demand was met by an output by people to complete the exchange of value.

Within my context I am framing:?

People, as the front-line roles who engage with the customer through workflows to take the opportunity through to a completed transaction.

In 2024 and there is almost always a need for a layer of Technology to complete transactions.

We understand that technology is an invaluable tool to minimise busy work and allow our people to focus on engaging where their value is most needed. i.e. to achieve the business objectives.? In practice, what is technology doing?? It is automating an otherwise manual process.?

I use my computer to write my document to automate the manual processes in working with physical copies during the creation and distribution phases.?

Within my context I am framing:?

Technology, as both the Tech itself and the roles who perform the tasks needed to provide a curated service cantered on confidentiality, integrity and availability of digital assets and information.

We all know about processes, right?...*deep sigh*

Within my context I am framing:?

Process, as the roles who work to translate workflows into process steps that instruct how technology is specified and built.? I propose we frame Process as that bridge between People and Technology or business and IT.

Where, the (1) People who do the work are jointly responsible to define their workflows to meet Business Demand.?

These workflows are translated into (2) use cases and process steps which then inform requirements for Technology to meet.

A very simple license assignment example of what I mean by translating workflows into requirements:

As a front-line staff, to perform my role, I must attend team and customer meetings, in-person and remotely.? I will need access to the company CRM to process transactions, email and to be able to reference training materials so that I can effectively perform.

…as well as the other parts of the joiner process….

From Technology point of view: There are foundational things this role needs such as a company managed mobile phone, laptop and information security training etc...? But assigning a full enterprise user license pack when a front-line worker pack would do is a waste of resources and we must look to save this OPEX by design.

(3) Technology will then convert these into a specification cantered around capabilities needed by business functions and the roles which ultimately perform the work needed to meet business demand.

For every Front-Line Staff role, assign a company managed laptop, mobile phone with minutes & data and a front-line worker license pack.

(4) Ultimately, it is People who must verify (approve) that this specification is correct.? Once done. It becomes part of the (5) standard configuration.

Phase 2: Confidentiality, Integrity, Availability and Adoption

So we have our standard configuration and our system is ready to onboard People so that information can flow through.

From the moment the configured system is made available to process information Technology need to (1) :

-Secure the information that People use (Information Security)

-Provide Uptime to the underlying systems (IT Operations)

-Manage change on those systems (EveryGreenLCM, Service Request Fulfilment)

-And provide support in case something that worked before, no longer works. (Incident Management / Support)

People:

Need support adopting technology.? One approach that is commonly used is maintaining (2) Learning Paths and mechanisms to socialise them such as remote/recorded sessions, in-person lunch and learns and self-service content distribution.

Because….

People must (3) :

Utilise tech – to meet business demand – our central purpose.

Request Changes / Support – Due to changes in Workflows / Process / Technology

?

Speaking of capturing business requirements, one approach I like is the (4) Adoption: Art of Possible.?

The art of defining how technology can be utilised to meet business demands within the context of Information Security and the Organisational Governance derived from its Risk Appetite and the Compliance framework it must adhere to.

(5) Technology is Accountable for understand, defining and enforcing approved controls.? Through this process they become the SME in knowing what can and cannot be done.? This knowledge when combined with business analysis becomes the source material to create content when inspiring adoption (6) .

Technology further supports value through standardisation of best practices so that future investment can be focused on development which add value instead of re-creating ‘good enough’ implementations or cosmetic preferences.

Building further, Introducing: (7) Adoption: Community.

A big discipline.? I will say here. If supported correctly, It has the potential to help the business continually solve problems, highlight problems which did not previously have the correct attention, generate innovative ideas which may help transform the business and could even contribute to lowering support requests.

?

Phase 3: Steering the curated service

Now we have something that looks a little more like a:

(1) Adoption: Curated Services

But it is incomplete until we consider Strategy and Architecture.

who (2) Continually review service performance, (3) understanding how technology enables people to meet Business Demand and then steers ongoing development in preparation to meet expected demand.

This effort manifests as Technology (4) informing of changes in Strategy and Architecture which must be (5) assessed to inform process & technology changes, that then must be adopted.

Phase 4: FinOps

As we know, everything in Technology has a cost (Introducing FinOps) and (1) eliminating wasted cost in Technology to be re-assigned/removed where it can add most strategic value must always remain a business priority.?

All the cost technology generates directly enables:

-The business with baseline capabilities (Information Security and Productivity Solutions with process automation…etc) – Centrally Managed IT Costs.

-Business Units who consume technology beyond the baseline to achieve its objective (Curated application suite to fulfil a specific business plan) – Cost created beyond baseline capabilities (A custom application or additional features…for example)

(2) To enabled the business to fully understand their cost for Technology; the Process of assigning resource utilisation to respective business units becomes part of demonstrating Technology Service Value.?

?

Phase 5: Process Automation

Talking back of house:

All these services create workload which sparks the need for (1) Adoption: Process Automation.

(2) This is the continuous effort to find process candidates for standardisation and automation.? In my humble opinion, effort here is what will give the IT Function agility to cope with scale and maintain itself as lean.

(3) Although the path to process standardisation directly helps maintain the service to people at scale, this effort is in the ‘back of house’ with your infrastructure/platform/application teams.

?

Phase 6: Governance, Risk and Compliance

Now…. I have intentionally left Governance, Risk and Compliance (GRC) to the end. ?Another large discipline.? GRC and Information Security apply across the whole business and when combined create the business specific path on top of which Technology builds its guard rails to help maintain the strongest security posture as the business changes.

?

Phase 7: an Operating Model

Lastly, I must call out this living document which gets built along with the service and represents a current view of how the service runs.? We can call this our Operating Model:? An agreed collection of processes needed to be performed to deliver the service and the respective roles/functions which will take Responsibility, Accountability, must be Consulted and whom must be informed to ensure they are performed consistently.

Along with giving Service/Product/Business Owners a top-down view of the service.? The processes inside the operating model operate as the foundation material to shorten the time needed for new team members to Norm and be setup to Perform.

?

Conclusions through the phases:

Efforts to introduce new or implementing changes to technology must be cantered around the People that use it to meet business demand and, as I have attempted to show in this chapter, it takes roles from People, Process and Technology within the context of Information Security and GRC to make the dream team work.

?

Hence, my call to action is: Lets really get into this as a business.?

?

I hope this has helped in some way.?

This has been Shayan on the Mic.

IT Management Executive with over 20 years of expertise in driving secure technology adoption and digital transformation initiatives. CISSP, ITIL4 Managing Professional, Prince2 Agile Practitioner, Prince 2 Practitioner

Feel free to reach out to discuss opportunities to work together.

[email protected]