Wednesday, June 22, 2005

ID and Access Management

Paraphrasing a friend of mine, it used to be called good business practice. Now it’s called “Sarbanes-Oxley compliance.”

The Sarbanes-Oxley law impacts public companies, companies that want to go public, and companies that have public debt. Basically, it says that the CEOs and CFOs of these companies must vouch for their quarterly financial statements. If the statements happen to be misstatements, these officers can be personally fined, and face jail time in extreme cases.

There’s more. Anything pervasive, that permeates the company and its functions, must be managed to an industry standard. This includes Information Technology (IT) for most companies, because of the prevalence of PCs, laptops, networks, and customer data that must be managed and protected. Unfortunately, Sarbanes-Oxley does not establish the standards. A company has to decide on a standard, such as COBIT, ISO or ITIL. The company then has to figure out what parts of the standard it will adopt, what parts it won’t, and be able to explain why such decisions were made.

When outside auditors look at a company’s IT department, IT’s security stance will be one of the first places they look for a material weakness—a flaw big enough to consider the company to be dangerously out of compliance. One of the easiest places to find a problem is in the area of ID and Access Management.

Many organizations have trouble controlling the development and deployment of ad hoc systems in their departments. It’s often easy for a department manager to decide they have a need, and implement an off-the-shelf solution—especially if IT has been relegated to merely supporting networks, phone systems, and desktop users.

What happens next is that there is no strong process or follow-up (control) to ensure that when personnel leave, their ID and access will be removed from the various applications they have access to. This leaves a large security risk if they happen to figure out how to get back on an application and create mayhem.

Sometimes there’s a process in place, but no reconciliation effort for when the process breaks down. Let’s imagine that there is some way the word gets around when an individual leaves, and usually their access is shut down. Is there any reconciliation process that compares current personnel with the lists of IDs on various applications on a regular basis? Probably not. It is further complicated by the fact that employees and temporaries may be tracked differently, and therefore there is no comprehensive list to compare to.
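The reconciliation described above, sketched as an added example (not part of the original post): it merges separately tracked employee and temporary rosters and flags application IDs that belong to nobody current. All data, column names, application names and the service-account owner table are constructed assumptions.

```python
"""Reconcile application accounts against a combined personnel roster."""
import csv
import io
from datetime import date

# Constructed sample data. Employees and temporaries come from separate
# systems with different column names, so neither list is complete alone.
EMPLOYEES_CSV = """emp_id,login,status,term_date
1001,asmith,active,
1002,bjones,terminated,2005-05-31
1003,cnguyen,active,
"""
TEMPS_CSV = """agency,username,contract_end
StaffCo,dlee,2005-12-31
StaffCo,epatel,2005-04-15
"""
# Account exports per application (application names are hypothetical).
APP_ACCOUNTS = {
    "payroll": ["asmith", "BJones", "fwong", "svc_backup"],
    "crm": ["cnguyen", "epatel", "dlee"],
}
# Non-human accounts are tied to a named owner instead of a roster entry.
SERVICE_ACCOUNT_OWNERS = {"svc_backup": "asmith"}
AS_OF = date(2005, 6, 22)  # constructed review date


def load_roster(employees_csv, temps_csv, today):
    """Return {login: is_current} merged from both personnel sources."""
    roster = {}
    for row in csv.DictReader(io.StringIO(employees_csv)):
        roster[row["login"].strip().lower()] = row["status"] == "active"
    for row in csv.DictReader(io.StringIO(temps_csv)):
        contract_end = date.fromisoformat(row["contract_end"])
        roster[row["username"].strip().lower()] = contract_end >= today
    return roster


def reconcile(app_accounts, roster, service_owners):
    """Return (application, account, reason) for every ID needing review."""
    findings = []
    for app, accounts in sorted(app_accounts.items()):
        for account in accounts:
            login = account.strip().lower()  # applications differ in case
            if login in service_owners:
                if not roster.get(service_owners[login], False):
                    findings.append((app, account, "service account owner not current"))
            elif login not in roster:
                findings.append((app, account, "no matching person"))
            elif not roster[login]:
                findings.append((app, account, "person has left"))
    return findings


def run_sample():
    roster = load_roster(EMPLOYEES_CSV, TEMPS_CSV, AS_OF)
    return reconcile(APP_ACCOUNTS, roster, SERVICE_ACCOUNT_OWNERS)


if __name__ == "__main__":
    for app, account, reason in run_sample():
        print(f"{app:8} {account:12} {reason}")
```

Run on a schedule, the output is the list a reviewer works through; an empty list is the evidence that the removal process held up for that period.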

As a solution, the standard-bearers advocate a single function—in IT or a related department—to perform ID and Access Management from a central office and computer console. There are a number of consulting companies out there that specialize in helping clients find the right technology fit for the situation. One of the best ways to attack the problem is to use an independent consulting company to help determine the technical solution that fits your particular situation. If you go to Microsoft or Sun, they'll sell you the Microsoft or Sun solutions, respectively.

Since this is a relatively new field, don't be afraid to look at small boutique firms that specialize in this niche. Here in Dallas, I'm aware of at least two: Logic Trends and PathMaker.

© 2005 InterDimension Strategies Inc., M. A. “Ryan” Yuhas

Friday, September 19, 2003

The Beatings Will Continue until Morale Improves—the PMO conundrum

Previously I've written about Enterprise-wide Program and Project Management Offices (EPMOs). As I'm sure you know, these corporate entities promote and enforce project methodologies, and provide program and project reporting to C-level management.

Motivating project managers to use best practices and honest reporting represents a huge challenge for most EPMOs. Management often unwittingly sets EPMOs up to fail by fostering an “us versus them” mentality. This unfortunate and unnecessary situation comes from management's need to control a lot of scary stuff: budget/resources, scope, and schedules. Add in the feared “million dollar surprise” and it's no wonder management is running scared.

The challenges compound when the fearful management team then aims scare tactics at the organization's lower echelons to get them to cooperate and conform. The reaction of these lower levels of personnel—the project managers—then becomes counter-productive to what the management team really wants.

I always ask, “what's in it for them?” when those project managers actually have to implement all of the methodology and reporting that the EPMO enforces.

“They get to keep their jobs,” I recently overheard an executive say. That may be true, but if you're going to take that approach to management, it's time to revisit Maslow's Hierarchy of Needs.





Above I've shown one of the many representations of Maslow's famous hierarchical triangle. You remember how it goes. People have to fulfill the requirements of the lower levels of the triangle before they can move toward the top. If they're concerned about air, water and food, they certainly aren't going to be trying to reach “self-actualization.” Their needs are too basic at that point.

Back to the “you get to keep your job” comment. When you say that to project managers, they will immediately adopt a fear posture. Believe me, if you threaten someone with their livelihood, their first reaction is to hide mistakes, problems, issues and risks. They instinctively want to protect any shred of security they think they have left. In order to overcome the instinctive fears that drag them to the bottom of the triangle, your managers will have to expend a tremendous amount of personal energy and exercise a lot of self-discipline. Wouldn't it be better if all that energy went into managing projects and dealing with life's normal ups and downs?

Where do you want people's heads to be? For my money, I want my people up in the white-zone of self-actualization: solving problems, collaborating with peers and superiors. To achieve that result, they have to be secure in the knowledge that everyone is there to assess the dangers, share the decisions, make adjustments, and help to keep projects from failing.

So how do you motivate project managers to cooperate with an EPMO? You work to convince them that the benefit is mutual to the company and the project manager.

When a project manager hides their project status and risks from their bosses, they're simply saying “trust me.” Management will hold that same project manager completely responsible if the project fails.

If, however, the project manager complies with the typical methodologies of an EPMO, everything is out in the open. Upper-level management stays aware of what occurs inside the project, and helps make the go/no go decisions. It's hard to blame just the project manager when things go wrong in this kind of environment. Since everyone up to the C-level helps make the decisions and manage the risks, they share in the blame when things go wrong. At this point, the project manager knows there is “safety in numbers.” We can all expend our energies on removing roadblocks, problem solving, and collaborating instead of hiding all of the problems and hoping they go away.

We have even more reasons to seek a collaborative atmosphere in our organizations. We're quickly approaching a period when, once again, there won't be enough people to do the work—including project managers. This time, however, it's serious. Baby-boomers are already going into various stages of retirement, and we will soon have a very small labor pool. It's already happening in Europe, where experts say there is a worker shortage of 10%. We'll have no option other than to adopt a kinder, gentler approach.

In the short run, if the “beatings continue,” morale won't improve; it will crater and we'll get the worst out of everyone. If the job market behaves as expected, people will ultimately have the option to leave. “We're in this together” works better on so many levels. Maybe we can stop the beatings altogether.

© 2003 M. A. “Ryan” Yuhas
InterDimension Strategies Inc.

Friday, June 20, 2003

Replicating the Magic—over and over again

I am currently consulting with two very different organizations that have similar agendas. One is a restaurant, the other a statewide nonprofit. Both are classic examples of how processes, once proven and documented, can be used successfully again and again.

You can call this approach “The Franchise Model,” even if the organizations aren't franchising in any way, shape or form. Think of McDonald's old concept. The company devised a system to start a location, a system to run a location, and a system to constantly update a location. There is nothing particularly high-tech about these systems; they're mostly on paper. But they set the framework for how things will work and they support the never-wavering delivery of consistent goods and services. The “quality” of the goods and services may not be particularly high. It's the quality of the process and the consistency of the product that breeds success: the customer always knows what to expect. The fact is that each site is fairly similar in quality from one to the next, with only an occasional exception.

So what do a nonprofit and a fledgling restaurant chain have in common? The desire to support consistent implementation of their organization.

The nonprofit has hundreds of chapters throughout the state of Texas. Volunteers lead the chapters, rotating out every one or two years (depending on what they can stand). Training hundreds of new chapter leaders every year is completely cost prohibitive. So is receiving hundreds of calls to support those leaders on a regular basis.

The restaurant has one smooth-running location that is making money. The owners have a desire to open up more locations. The General Manager fears that multiple locations will result in a reduction in quality: he'll have to be in two places at once to teach and mentor staff, and to make sure each location maintains its look and feel. How will the staff implement his vision of how the food and drinks look and feel?

The nonprofit will solve the problem by creating an operations handbook. They actually have most of the information compiled, but it's impossible to find anything. We will exponentially improve the usability of the document by cutting down the number of pages (tighter writing; use of decision tables), and devising a comprehensive document structure (table of contents, index, logical division of information). Finally, when it's all said and done, we will automate the document and place it on a CD, complete with keyword search. We'll give users a choice of paper, disk or both, meeting the needs of the technologically advanced volunteers, while still addressing those that want a book to hold onto.

The restaurant will also create an operations manual, but with a difference. This will be a paper document, also impeccably organized. Tabs will separate food prep, accounting, bar set-up, customer service, open and close procedures, etc., along with daily checklists for maintaining stock and a clean environment. The book will be printed on sturdy paper that resists the destructive forces of the kitchen. The manager will be able to separate the book, so the kitchen and bar staff can have their own references. Much of the kitchen staff is only semi-literate, so pictures and numbers will be used to show “how-to” information, and the sequence of the processes. Kitchen and bar staff will also have photographic examples of food and drink presentation, so the products look good every time.

If you can't be two (or more) places at once, perhaps your influence can be. It doesn't take a time machine or a worm-hole in the space-time continuum. Get what's in your brain (your vision, your processes, and your rules) into a reference-able form. Train your people how to implement, and train them how to look up what they forget. Consistency will abound; life and profits will be good.

© 2003 M. A. “Ryan” Yuhas
InterDimension Strategies Inc.

Tuesday, May 20, 2003

Innovation and processes

What happens when you believe in processes, but you don't want to stifle innovation? When you're in search of excellence and thriving on chaos, where do processes fit in?

I often work with people who fear that establishing and measuring processes will quash their ability to invent, discover and grow. We usually think that we'll establish our processes and then execute them like robots until the end of time.

But in favor of processes, I ask you: how much time do you have to innovate when your business is running amok?

Do you have 15 fires to put out today? Are your subordinates, co-workers, and managers experiencing the same problem? How much time did you spend today on real innovation, exploiting new markets, developing new products and services, finding better ways of doing things? If you had better processes, you'd likely find that the fires don't happen as much. A smooth running organization is like money in the bank—or at least an investment in the future—because you can devote more energy to developing the next great idea or improving the old ones.

In actuality, good process allows innovation, by including components that actually increase the probability of innovation. How can that be?

Processes provide a way to do the mundane things without having to think so much about them. Processes provide a consistent activity and a consistent result. They also give you the opportunity to see how you're doing, by measuring their results. When you perform the activity the same each time, you get consistently good, bad or indifferent results. In looking at the results of a process-driven chain of events, you will compare apples-to-apples when looking at one result to the next. This means that problem analysis will almost always point to the same weak spots over-and-over. You can then fix those weak spots and greatly enhance the chance that you will improve results. That approach in itself spurs creativity and innovation—to fix the problems and make things better.

Establishing processes also saves an incredible amount of time. When the mundane day-to-day production of your business is "handled" and everyone knows how to do it, it frees up massive mindshare to work on growth and not just maintenance.

We are at a difficult time in our planet's development. We're having to do more with less. Those who will survive and thrive will find the time to innovate and do the work better, faster and cheaper. Computing can help us with some of that productivity, but we often forget the businesses and people who use the computers. A business process is a business process, whether you involve a computer or not. The processes matter, and if we don't pay attention to that fact, our businesses will never fully reap the rewards—more revenue, lower costs, and the time and energy to innovate yet again.

© 2003 M. A. “Ryan” Yuhas
InterDimension Strategies Inc.

Wednesday, April 16, 2003

Process Mapping Tactics—Secrets to supporting the strategy

A friend of mine has a growing recruiting company. A few weeks ago, he asked his Office Manager to call and ask me for some help.

“I've been asked to find a tool to map our processes with,” she said, “but Visio and ABC Flowcharter look like overkill.”

I offered to show her how to use PowerPoint for simple flowcharting, and we met the next day to go over it. My secret agenda was to find out what the real process mapping need was, because she let slip that they were having all kinds of confusion.

I took a look at an example of what they'd been using, and I knew instantly what the problem was. There before me was a simple flowchart. It was frightening enough that it didn't have any decision-points, which we usually represent as diamonds. It also had a key at the bottom that contained a big clue to what was going wrong. Green boxes represented tasks that were performed by Sales, blue boxes were performed by Recruiting, and yellow boxes were performed by both.

I had a real problem with that key, so I decided to show her how “swim-lane” or “river-channel” flowcharts work. I drew a column for each of the entities (Sales and Recruiting) and then added two more: Customer and Management. I started to draw the same flowchart, but put the process box for each task under the column of who was responsible for getting it done. Her eyes lit up at the simplicity of how it showed both process and responsibility without having to refer to a key. Then she asked the payoff question that I was leading her to: What happens when two different groups are responsible for the same task?

“That,” I said, “is your real problem.” I went on to explain that whenever you make two groups responsible for completing a task, there will always be a problem getting it done. No one will feel like they “own” it.

“But Sales and Recruiting meet together to help make their decisions,” she said. “How can we show that process?”

“Well,” I said, “are both entities doing the same thing in those meetings?”

“I guess,” she replied, “that Sales is really there to make sure the candidate is right for the client, and Recruiting is there to make sure the client is right for the candidate.”

“Then you can show these as simultaneous actions in different boxes under different swim-lanes,” I said.

As we worked through a little more of the flow, it quickly became obvious that there were a number of processes that had shared responsibility. The process-mapping tool was a very small issue in a much bigger problem.

I haven't checked back to find out how things are progressing, but I can guarantee that things have improved if she took my advice. What is the motivation for someone implementing a process when they won't be held accountable for getting it done?

Professionalism aside, we're all human, and as humans we tend to raise the priority of activities that our bosses will “call us on.” Assign tasks and processes to one entity (if it is a department, then make the manager accountable). If you find yourself having to assign them to two entities at once, think a little harder. You will be able to break the task or process into the appropriate number of subtasks to get the responsibilities pinned down, and you'll find it a lot easier to manage.

© 2003 M. A. “Ryan” Yuhas
InterDimension Strategies Inc.

Friday, February 28, 2003

Step Six: Communication

NOTE: And now, the final step in the Six Steps to High Performance.

—M. A. “Ryan” Yuhas, Process Effectiveness Consultant

“More than merely a step, it is really an all-encompassing function…”

—Skip Kapur

RY: Skip, you say that this is “more than merely a step.” Can you explain?

SK: Yes, communication begins in earnest toward the end of Step 1, which you may remember is to establish a management team. It continues as an all-encompassing function in parallel with the remaining steps.

RY: You might say that communication is the method for bringing about the changes created through the other five steps.

SK: Yes, that's part of it. The key thing to remember is that straightforward and consistent communication will develop the trust required to make everything work together. Most people will respond to being treated as adults. You involve them in figuring out what you're trying to do, enlist their help in doing it, get their commitment for specific contributions, and hold them responsible for their commitments.

RY: Actually, communication can be shown as a component of every one of the steps when you get right down to it.

SK: Yes, but it is so absolutely critical that you must single it out.

RY: What are the characteristics that apply to this kind of communication?

SK: Well, I can think of at least four:
  • Foremost, the communication has to be open and honest
  • It has to flow in all directions, not just from the top down
  • Everyone must initiate it proactively
  • It must happen quickly
  • Relevant information must be captured and acted upon

RY: Why is open and honest communication so important?

SK: It is almost impossible to maintain silos in an organization if you are doing the communication piece well. I know this may be threatening to some, but a siloed organization can only reach a state of high performance by sheer luck. With everyone's goals aligned and their compensation tied together to reflect the team's success, openness and honesty are absolutely required to make the method work.

RY: How do you mean the communication must “flow in all directions”?

SK: Communication is both telling and hearing. There is an old saying that we were given one mouth and two ears. That was so we could listen twice as much as we talked. Yes, we must communicate downward through the organization, and outward to the customer, but we must have communication coming in from the customer and up through the organization as well. How else will the organization and the upper echelons know what the customer needs and how well we're doing?

RY: What do you mean that everyone must “initiate communication proactively”?

SK: Everyone in the organization is both empowered and required to communicate. Several things could trigger communication:

  • Formation or initiation of a plan
  • Discovery of a problem
  • Receiving complaints or determining dissatisfaction of a customer
  • Receiving ideas from a customer or an employee

The Six Steps methodology places mechanisms throughout the organization that support a communication-based response to each of these triggers. It is up to the leadership on all levels to further reinforce and reward proactive communication within the culture of the company.

RY: Why must communication happen quickly?

SK: Obviously, you don't want to delay your response to a problem. Your customer needs it addressed, yesterday. In other areas it's a little more subtle. Why, for instance, would you want to respond quickly to an employee's idea? At least three reasons: 1) to take advantage of that good idea faster, 2) to reinforce that employee's enthusiasm, and 3) to encourage more ideas to come forth.

RY: Explain what you mean by “relevant information must be captured and acted upon.”

SK: It's one thing to hear a customer's complaint or an employee's idea. It is quite another to respond to it effectively. We need to hear the information, understand it from their point of view, know what would address the issue, see if we can improve on it, and take action.

RY: Anything you'd like to add?

SK: I'd just like to summarize that effective communication is what makes the Six Steps methodology work so well. This is a program that could be implemented by any organization, but it takes a leader with exceptional confidence and even-handedness to pull it off. Reaching organizational High Performance doesn't require advanced math or innovative logic. It does require the implementation of steps that reinforce the psychology of how people work in an organization. We've seen it work, haven't we?

RY: Yes we have, which leads me to something I'd like to share with our audience.

I have worked with Skip to implement the Six Steps methodology within several organizations since 1998, and have become completely convinced that the approach achieves remarkable results. Over that time, we have often talked about one of Skip's dreams, to write a book detailing the Six Steps methodology. Because I have actually helped to implement the methodology and seen the results, I was compelled to offer my collaboration to Skip to make his dream a reality.

Over the next two years, we will expand on these initial interviews. The end result may take several forms, perhaps a primer, a consulting service offering, a full-blown book, or all of the aforementioned. In all cases, I expect my association with Skip will continue to be rich and fulfilling. I invite you to travel with us on our journey.

© 2002 M. A. “Ryan” Yuhas and Sunil “Skip” Kapur
InterDimension Strategies Inc.

Friday, January 03, 2003

The Scoop on Network Security: EcoNet.com launches effective new weapon

NOTE: If you thought your network was “secure,” you'd better learn what that doesn't mean. This one is a little techie in nature, but worth plowing through for what you'll learn. To my knowledge, this story hasn't broken in the general or industry press. I'm claiming a “scoop,” whether I can prove it or not.

—M. A. “Ryan” Yuhas, Process Effectiveness Consultant

EcoNet.com in Dallas, Texas, has launched a highly cost-effective intrusion prevention system/subscription service that detects and stops network intruders in their tracks, and doesn't let them back in for another try. It's called EcoNet Sentinel, and it is a new invention that actually looks at an incoming cyber-attack and shuts it off at the same time.

Fears about the safety of our networks have likely contributed to the stale economy. Money that would be directed toward better utilization of the technology has instead been diverted to beefing up security in an atmosphere of vulnerability. Many of us are spending a tremendous amount of energy and dollars to develop and implement Internet security solutions. For a mere two-hundred dollars a month, Sentinel offers a way to free that energy and money up, and use it to grow an organization and supporting infrastructure, instead of building fortifications.

Ask any CEO if their network is secure and they'll probably say, “Sure, my CIO has assured me we are secure.” What they don't know is that “secure” is a relative term, and that the average network is full of exploitable holes when it's hooked up to the Internet via a T1 line or other connection. Most networks have blocked outside traffic only later to find they must allow the traffic back in. If the network is connected to an Internet email server (port 25), allows the public access to webpages (port 80), allows FTP transactions (port 21), etc., those open ports mean it's no longer secure. In order for an organization to take advantage of the value of the Internet, it most certainly has to compromise security.

A hacker or cyber-terrorist can scan a system to see what ports are available to exploit, then take action to attack the network by either finding and downloading sensitive information, or by uploading and implanting viruses or Trojan code, among many other options. Other attacks can be made through email by individuals purposely or unwittingly sending Trojans and viruses via attachments.

Sentinel monitors the behavior of incoming traffic (e.g., someone conducting a scan for open ports), as well as looking for all known virus and Trojan code. In the event it detects abnormal traffic or hostile code, it will cut all current and future contact with that offending TCP/IP address. Should it be a false alarm, or a “friendly” inadvertently sending hostile code, it is easy enough to open their connection again, once you've pinpointed the problem and resolved it.
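The behavior described above (notice a port scan, cut off the source address, let it be re-opened after a false alarm) can be illustrated with a small threshold detector. This is an added example, not EcoNet's code; the post does not describe Sentinel's detection logic, so the thresholds, log format and class name are assumptions.

```python
"""Threshold-based port-scan detection with a reversible block list."""
from collections import defaultdict

# Constructed connection log: "epoch_seconds source_ip dest_port".
# Addresses come from the documentation ranges reserved by RFC 5737.
SAMPLE_LOG = """\
1000 198.51.100.7 21
1001 198.51.100.7 22
1001 203.0.113.20 80
1002 198.51.100.7 23
1002 198.51.100.7 25
1003 198.51.100.7 80
1004 198.51.100.7 110
1030 203.0.113.20 25
1031 198.51.100.7 80
1090 203.0.113.20 80
"""


class ScanBlocker:
    """Blocks a source that touches too many distinct ports too quickly."""

    def __init__(self, max_ports=5, window=10):
        self.max_ports = max_ports       # distinct ports that count as a scan
        self.window = window             # look-back period in seconds
        self.recent = defaultdict(list)  # ip -> [(timestamp, port), ...]
        self.blocked = set()

    def handle(self, ts, ip, port):
        """Return 'allow', 'block' (newly blocked) or 'drop' (already blocked)."""
        if ip in self.blocked:
            return "drop"  # future contact from a blocked address is refused
        # Keep only events inside the sliding window, then add this one.
        events = [(t, p) for t, p in self.recent[ip] if ts - t < self.window]
        events.append((ts, port))
        self.recent[ip] = events
        if len({p for _, p in events}) >= self.max_ports:
            self.blocked.add(ip)
            del self.recent[ip]
            return "block"
        return "allow"

    def unblock(self, ip):
        """Operator action after a false alarm has been investigated."""
        self.blocked.discard(ip)


def replay(log_text, blocker):
    """Feed log lines through the blocker; return (ip, port, action) tuples."""
    results = []
    for line in log_text.splitlines():
        ts, ip, port = line.split()
        results.append((ip, int(port), blocker.handle(int(ts), ip, int(port))))
    return results


if __name__ == "__main__":
    for ip, port, action in replay(SAMPLE_LOG, ScanBlocker()):
        print(f"{ip:15} {port:5} {action}")
```

The second source in the sample reaches two services over ninety seconds and is never flagged, which is the false-positive case a threshold has to leave alone.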

I know there are other companies who are developing systems similar to Sentinel, especially on the high end. Right now it's the only game in town, and holds a great deal of promise. It has the added advantage of being developed and marketed by a “dot com” that has handily survived the downturn. This is a profitable and stable company, with a product that should have some legs. With a price tag of two hundred dollars a month, the typical T1 user should consider this kind of protection to be a steal.

In the U.S. economy, we aren't about making widgets anymore. Our money will be made in the management of information: developing, warehousing, and maintaining data. When we're forced to spend money on security, it takes away from the money we should be spending to grow our economy. Sentinel represents a smart and cost-effective way to get more of our investment pointed in the right direction: forward.

© 2002 M. A. “Ryan” Yuhas
InterDimension Strategies Inc.