Customer focus and collaboration. They are the two most critical factors for security strategy approval and flawless implementation. Read on to see how to put them into practice using an agile security approach.
Development of a security strategy is an activity where you can put agile principles into practice. It is an exercise which gives us a unique opportunity to figure out what capabilities we plan to build or transform and how.
Many security strategies fail because of the following reasons:
Lack of alignment. Security strategies are not approved when they force solutions which complicate customer experience, contradict business objectives or do not support existing or planned technologies.
Lack of cooperation. Security programs are not implemented when they are born within the boundaries of the security silo. When the strategy surprises everyone, the support for the program is too weak. That makes it hard to find change advocates and reach the critical mass required for adoption of the proposed recommendations.
Customer collaboration over contract negotiation
Customer collaboration is a value which helps to ensure successful implementation of security strategies, frameworks or transformation of selected security domains. We can divide it into further values:
Customer-centricity. Focusing on needs of internal and external clients,
Collaboration. Team cooperation to ensure we fulfill those needs.
In the security world, customer-centricity is hard to grasp. First, security teams rarely have to deal with external clients directly. Second, in many organizations they do not take part in product or service design activities. In most cases, they are just asked to conduct risk assessments of solutions being developed, tested, or even migrated to production environments.
However, as security officers we have the power and responsibility to change that. Let us have a look at examples of how we can focus more on customers and improve team collaboration in security.
Always start with the customer
Start with the customer in the following situations.
Triggers for customer engagement
- Define a new security strategy or refresh an existing one,
- Implement or change security technology,
- Transform a complete security domain,
- Establish or change security services,
- Incorporate security controls into company services or products.
Each time you start something new, think about the impact on the customer experience.
In security, we should consider impacts on internal clients who consume our services or need to follow our policies and procedures. Sometimes, we need to think of ultimate clients – people who use company products or services. This is important when our changes influence the company's offering.
These concepts are very well described by Matt LeMay. In his book, Agile for Everybody: Creating Fast, Flexible, and Customer-First Organizations, he explains in simple words how to adopt agile mindsets across whole organizations, not only for software development purposes.
Understand customer needs
Thinking of ultimate clients or internal stakeholders is not enough. Putting our customers in the centre means that we try to understand their needs before we offer them our solutions – new security strategy, service, process or technology solution.
One of the most popular approaches in this area is Value Proposition Design. The authors of this framework offer you a set of questions that help to understand the key components of the Customer Profile.
After you have a good understanding of client needs, you can brainstorm for potential solutions. You can put each of them and their characteristics on a Value Map. The map shows your security services or products, pain relievers and gain creators.
This structured approach can help you see what the fit is between the two – customer expectations and something you try to build, establish or transform. You can use it for internal and ultimate clients, depending on what you are trying to do and whom the change will impact.
Collaborate with your key stakeholders on strategic and tactical levels. Work together when designing a new security strategy, process, service or important control. Work together on defining components for new capabilities. Build requirements for new solutions or technology together. Engage people in the planning process.
Collaborate with your internal clients as early as possible. Do not ask them for input when you have already made all strategic decisions.
Collaboration changes the group dynamics at the design phase. It is not just you with your team anymore, presenting a new security solution and waiting for a critique from your stakeholders like from judges on a talent show. Your stakeholders are part of this performance. It changes the mindset – from criticizing to looking for opportunities for improvements.
Collaboration impacts the implementation phase. People promote what they built together. They support each other to resolve any issues in case of implementation challenges.
Develop Minimum Viable Products
Sometimes we ask for feedback too late, when we have already spent a lot of time working on a product. Some of us like to share presentations, documentation, capability models and framework designs only when they look good and seem to be complete. But this approach is not the best. In many cases, we lose the opportunity for collaboration, and we lose much more time because of the required rework.
Imagine that you plan to develop a process for managing joiner’s access. You might conduct initial research about best practices in access management, brainstorm for process inputs and outputs, draw a professional map using a selected BPMN tool and describe the activities in the procedure. You can even go further and recommend relevant key performance indicators.
And now imagine that you come to the team meeting to present your procedure. After a while, the HR representative says that you missed three important steps that should be in the middle of the map. You have to make sure that steps 12 and 13 are run in parallel. And they are completed by other stakeholders, who are not present in the process map. You have to remove steps number 15 and 20 because the HR system implemented recently makes them irrelevant. And the guy from IT says that you should define your map in a different format because of the workflow tool they use.
So, you have just learned that you spent three days working on a professional-looking procedure which is not a good fit for your organization, and you must start from scratch.
A more agile approach is to use the concept of a Minimum Viable Product. It is used within The Lean Startup movement launched by Eric Ries and popularized by Dan Olsen in his Lean Product Playbook approach.
The basic idea here is that you create a prototype of your product necessary for the purpose of testing it with your clients and collecting feedback related to how it serves their needs.
Based on the example with our process, a better approach might be the following – understand the basic needs of your internal stakeholders, see what is missing, do basic research about the process steps, document them on post-it notes and bring them to the meeting together with a roll of paper.
During the meeting, you might discuss the objective of the process and relevant needs and requirements of your stakeholders. You could discuss its objectives, inputs, outputs and roles involved. With your post-it notes and a sheet of paper you might put required steps in a specific sequence in lines associated with relevant roles, add new activities or get rid of those which are unnecessary.
After the meeting, a good tactic is to send a simple summary with a photo of the process map, collect feedback and incorporate it into your sketches. Only after agreement on the process map should you document it in the form of a professional procedure.
Using Minimum Viable Product saves time and fosters collaboration.
Use Fair Process
When we define security strategy, its success does not depend only on its content. What matters more is how you define this strategy and whether you create people’s buy-in already at the design phase.
To amplify the support for changes, I often use the approach called Fair Process. It is one of the tools used in the Blue Ocean Strategy methodology helping to define business strategies. I find multiple concepts from this framework useful for the purpose of security programs.
The Fair Process focuses on three components – Engagement, Explanation and Expectation Clarity. The idea of Engagement is well aligned with an agile mindset. It means involving people in a decision-making process by collecting their input, feedback and ideas related to the strategy or implementation roadmap. Working this way communicates to our stakeholders that we value their opinion, and it builds shared ownership of the output.
Manage the people side of transformation
Our project management methodologies too often focus on technicalities – project charters, business cases and implementation plans. Too often we forget to build commitment to the change across our teams.
One method that helps to find a balance here is Tipping Point Leadership, which works well with Blue Ocean Strategy and Fair Process. It helps to execute strategy when you need to fight for scarce resources – people, time and money.
The framework was extended by Andrea Shapiro, who wrote a book about ways to Create Contagious Commitment. She presented a balanced approach to change, including seven levers of change that create synergy, helping to move things forward. Only one of them – Infrastructure – relates to tools and the more technical side of change.
7 levers of change
- Mass exposure
- Personal contact
- Hire advocates
- Shift resisters
- Walk the talk
- Reward and recognition
I encourage you to test some of these ideas when starting new security initiatives.