The APQC Blog

Think BPM and Information Security Are Separate? Think Again

I recently chatted with Ken Lobenstein, Senior InfoSec Director for Governance and Policy with Royal Philips about the challenges and threats to information security and how to put security best practices in place without slowing down business operations.

APQC: How do recent security hacks at Sony and the U.S. military's Central Command affect how companies view information security in 2015?

KEN: There is no single, consistent answer. Unfortunately, some organizations still continue business as usual, either believing they are not anyone’s target or not understanding the issues well enough to know how to react. Others simply increase their perimeter protection, assuming that if they are protected from the outside, then they are fully protected. The best organizations review their existing programs against new threat vectors and examples of how security has been compromised: everything from workstation and server configurations to border and internal networking defenses, or reviewing awareness of security issues in the workforce and enhancing training so everyone sees how internal actions or inactions can add to the risk. The more we see, the more we know there is more we can do. But we have to see the issue as a total business responsibility, not just a technology problem; business process and staff behavior need to be recognized as equal parts of the protection mission.

APQC: What is the biggest challenge to improving and implementing information security enterprise-wide, when different parts of the company have different needs and goals?

KEN: Recognition, or awareness if you prefer, and engaging the entire organization. The larger the organization or the more dispersed the workforce—geographically or culturally—the bigger this challenge becomes. The security office must be integrated to drive the message, but all levels of leadership must recognize their role in making secure thinking part of the culture. Some of the recent, highly-visible breaches have been caused by technology attacks from outside. Protecting against these attacks requires sound investment and solid training, but it also requires acceptance at the highest levels that protections must be uniformly applied and enforced. One Roger Snowden or unthinking employee can open a huge door from the inside. Not all breaches are the result of technology compromise; many are the result of process and behavior compromises. Making the protections portfolio a total organization issue is the biggest challenge.

APQC: What is the most challenging thing for a company like Royal Philips to identify when it comes to information security risk?

KEN: The biggest challenge is how to put security best practices in place without slowing down business operations. The beginning of the thought process that led me here today was thinking about how to build security as an integral part of every relevant business process. Fortunately, we are engaged in a full, enterprise-wide business process redesign, so the opportunity to do this was already there. The challenge was gaining acceptance that security isn’t a checklist for validating the results of a process. Instead it’s:

  • examining the business process to see where the process itself might create risk of information misuse or compromise;
  • looking at the information moving through and created in a process to understand its sensitivity, value and classification (all of it, not just digital data inside IT systems); and
  • thinking about roles and need to know in process design, not in application privilege assignment.

It took us nearly two years to get this understanding and a will to act on it, but we are making very good progress as a result of meeting this challenge.

APQC: Why is it important to view security as much a business asset management issue as it is an IT issue?

KEN: Information is an asset. Most management articles today that talk about investment and assets objectively note that it is the largest asset on the books and the most difficult to replace if lost or damaged. But it isn’t an IT asset like a laptop or a WiFi connection; it’s a business asset. IT owns some of those assets, the ones that are needed to run it, but most are owned by R&D, legal, finance and so on. Only they can judge how important these assets are to their mission and the success of the company; only they can determine who needs to see it and when. So if these business asset owners are not engaged in a full partnership, the organization will have breaches. We don’t know when or how serious, but they will happen. The full partnership between business and IT reduces the likelihood of breaches and, if done right, reduces the harm if they happen.

APQC: You decided to customize APQC’s Process Classification Framework (PCF) to help meet your information security needs. What was the biggest challenge in that process?

KEN: There were two initial challenges. Since I am not a process engineer by training, I had to understand the context of the PCF as it applied to compliance activities, such as information security. This was a new subject and one on which I did not find much preceding knowledge or thought. We did a lot of concept invention and trial and error of possible approaches.

The second challenge was conducting a comprehensive review of the PCF to see where processes already existed that could be incorporated into an information security approach. Risk and resiliency, for example (10.1 and 10.2), didn’t need to be duplicated or tailored much, even though they are both critically important to a security approach. Others, such as “manage regulatory compliance” (10.1.5), didn’t work very well, if at all, because information security is, for the most part, not based on regulation. We have documented more than 100 frameworks that inform security best practices, ranging from ISO 27002 to the Nevada State Gaming Commission’s security rule. A regulatory compliance approach that tries to cover them all would be so complex for a global company that it would be unworkable. Instead, we needed a model that is based on a number of different standards of measure.

This in turn created a third challenge: because security doesn’t appear to have been addressed much in the business process world, there are gaps in the PCF when one begins to think specifically about information security as a process set. It took us a year of working with the process experts and other compliance domains, and of taking fresh looks at how we really drive toward inherent security practices (because bolt-on security practices aren’t very effective and they are very disruptive). We think we have solved the matter by thinking about security of information as a part of asset management, which will be described in the upcoming webinar.

APQC: If you could point to the one thing in the PCF that helped improve your information security approach, what would it be?

KEN: No question, the huge win for me as an Info Sec governance and policy person was what I mentioned earlier: to figure out what to do with it, I had to think about what needs to be done in business terms, not “security” terms. What do we have to do, and how should we team up to do it together as a matter of course? We knew we had to engage the businesses in a full partnership. But conducting crosswalks in both directions (which of our controls are reflected in processes in 6.0, and which processes need an inherent security dimension) led us to re-think how we think about why we do what we do, ultimately leading us to the asset view.

You can also find Ken Lobenstein on LinkedIn.