Going Back to Basics - Business Information Systems
Pierre Louw
Master of Science (MSc) Information & Computer Science | Certified in Cybersecurity (CC) | Revenue Generation | Sales Strategy Design & Execution | Technical Solution Sales | Pre-Post Sales Project Management
Organisations are bombarded with a multitude of internal and external threat vectors that could bring their business to its knees. Add the plethora of possible solutions suppliers offer to mitigate these risks, and you have yourself a colossal maze of choices to consider when securing your work environment. Business tends to be all too happy to throw copious amounts of money at the problem in the hope that the technology will plug the vulnerable holes in the network.
Here is an idea: what if business takes a step back and looks at the basics of proactive security measures? Back to basics begins with understanding the way business is done: which applications are used, how data flows through the organisation, who can access data and who can share it. Without that foundation of knowledge, organisations cannot classify data or know which files, documents or intellectual property would be at risk if compromised.
The problem starts with Business Information Systems (BIS) design and implementation. Businesses worldwide adopt technology to address either an opportunity or a need. The motivational drivers are typically associated with automation, which increases productivity and ultimately leads to greater profitability. The fast-paced evolution of this technology has, however, left a trail of widespread system failure, dissatisfaction and ultimately abandonment.
The Standish Group reported that, on average, a mere 28% of IS development projects are considered a success, with budget and schedule overruns still the main factors in failed projects. These failures are costly and pose a significant risk to business continuity and reputation. The primary reasons for these failures are technical, social and economic, all of which align with the so-called iron triangle of time, cost and quality.
Implementing a strategy that clearly defines the goals of BIS onboarding should address:
Subjectivity - the value and usefulness of data are highly subjective from one person to another,
Relevance - information is only useful if it is relevant, and therefore meaningful to decision-makers,
Timeliness - it is essential that the data is up to date and delivered at the right time, in the right place and to the right person,
Accuracy - the data must be free from errors, as erroneous information can result in poor decision-making,
Clarity and Confidence - the data should be clear, which is essential when gathering requirements for systems development.
Data is classified as:
Restrictive Data - if released, it could have a long-lasting, damaging outcome for a company,
Confidential Data - it contains moderately sensitive information and needs to be protected from unauthorised access,
Public Data - shared publicly and largely non-sensitive.
Companies should ensure that appropriate security controls are in place at the user level to safeguard data against theft. Policy controls ensure that data cannot be changed, lost or stolen by malicious actors, or exposed to insider threats. Data is free-flowing and lives on all devices and cloud platforms, and not knowing where data resides can have further consequences, such as increased third-party risk, employee data theft or non-compliance.
Business is geared for profit, whereas projects are geared for end-user satisfaction. Delivering a project on time and within budget might seem like a successful project; still, if it does not provide the forecasted financial profitability, it will be deemed a failed project. We therefore highlight individual perspective and judgement as critical influencing factors. It is unrealistic to class a project as a failure in black-and-white terms only because of a cost or time overrun. In the same way, a successful project cannot be classified as such just because of customer satisfaction. Some studies grade project success as failure, partial success or complete success.
Research has been conducted on the reasons for project failure and refers to the six dimensions of risk as Team, Control, Planning, Organizational Environment, Requirements, User and Complexity. Furthermore, management buy-in, allocation of resources, team structure, communication and cohesion are essential factors to take into consideration when initiating such projects. Greater willingness by business to share its experiences of IS failures could provide more insight; however, this is not done for fear of appearing to have failed and of having made poor and costly decisions.
Factors involved in the success of a project include a holistic approach with many parties or stakeholders engaged throughout the project process. The following factors are the most influential and critical for the success of IS projects: top management buy-in, project team commitment, effective project management, project personnel knowledge and skill, and the enlisting of external contractors.
Standards such as Projects in Controlled Environments (PRINCE2) and the Project Management Body of Knowledge (PMBoK) largely set the criteria for project success. Various methodologies for managing IS projects are in use, and each has its own strong and weak points. The Software Development Lifecycle (SDLC) consists of multiple models, including Waterfall, Rational, V-Model, Spiral, Incremental, Stabilise, Synchronise, Rapid and Prototyping. These models adopt a rigorous and systematic approach and make use of a linear, sequential, phased approach in which each phase depends on the deliverables of the previous phase and corresponds with associated tasks.
Agile consists of methodologies including Scrum, Crystal, Lean, DSDM and eXtreme Programming (XP), which adopt a more informal and practical approach to communication between smaller, cohesive teams. The focus is on iterative improvement in project implementation. The Agile process may be more acceptable where frequent changes to the scope of a project are required. The Agile manifesto aligns with the following four principles:
· Responding to change rather than following a set plan,
· Working Software rather than comprehensive documentation,
· Customer collaboration rather than contract negotiations,
· Individual interaction rather than tools and processes.
Within Agile, Scrum focuses on a five-step approach of Vision, Speculation, Exploration, Adaptation and Closing, while XP shifts the focus from technology to people and processes and therefore makes every contributor part of the team. Many professionals are leaning towards a hybrid approach that incorporates both Waterfall and Agile, due to the increasing complexity of project criteria.
Finally, we centre attention on the soft and hard approaches to systems methodology: the soft approach focuses on the human element and includes Rich Picture design, while the hard approach centres on the engineering element and includes Flow Diagrams and Use Case Modelling. CATWOE, an abbreviation for Customer, Actor, Transformation, Worldview, Owner and Environment, is one widely adopted example of Soft Systems Methodology (SSM) that focuses on the human element.
In closing, any project must have its Critical Success Factors (CSF) measured against Functional Failure Identification and Propagation (FFIP) measures. Buy-in from top management down to end-users should be mandatory in all projects, as each person plays a vital part in the success of a particular project. In essence, therefore, the project owner should not be a single person but should include all parties that will benefit from the new system. Study after study has shown that without user buy-in, the system is doomed to failure. A project should have clear, SMART goals, with a definite value proposition that will benefit the organisation after implementation. We have seen that support for product rollout ends too soon, and users are left to their own devices. Implementation and follow-on support should be part of the life cycle of the system.
Interesting facts:
Of the total spend on security solutions, 4% is expected to be spent on integrated risk management: $4.7bn in 2019, growing by 7% in 2020.
100% of CISOs: leading industries by spend are Government, Banking, Telecoms, and then Manufacturing and Professional Services.
Large organisations (500-1000 employees) will account for 2/3 of the spend. 100% of these organisations will be expected to report on Cyber Security and Risk in 2020, up from 40% in 2019. [3]
A new report from Juniper Research found that the cost of data breaches will rise from $3 trillion each year to over $5 trillion in 2024, an average annual growth of 11%. [4]
The ISO Survey has shown that ISO 27001 certifications have grown by 20% year on year. [5]
References:
1. "IRM 2020: Market Momentum Continues", Gartner, 30 January 2020.
2. "Cybersecurity Breaches to Increase Nearly 70% Over the Next 5 Years", Juniper Research, 27 August 2019.
3. "ISO 27001 certification figures increase by 20%", IT Governance Technology Blog, 27 September 2017.