I'm sure you all follow the New School blog and have read Compliance Lessons from Lance. My take on the post is to find a way to reposition compliance from "a necessary evil" to "a necessary evil for achieving business success." Since we can't directly change compliance standards to focus on just the key controls, some folks define winning as spending as little time as possible across all controls. I think the winning strategy is to invest in the controls tied to business success, then do the bare minimum on the rest.
One great thing about the New School is that problems come with solutions. This time around they reference one of my favorite pieces of research, the IT Controls Benchmark. If you're not familiar with the ITPI's work, please go now. One of the most powerful results in the research is the "three controls that predict 60% of performance":
- Standardized Configuration Strategy
- Controlled Access To Production Systems
- Process Discipline
The first two are pretty straightforward. They're easy to define, easy to develop metrics for, and easy to size over time. "Process Discipline" is more general and can apply to the whole shop. @RealGeneKim was kind enough to define process discipline in a tweet:
"Culture of controls that are defined, monitored, enforced; especially around chg and configurations"
So what do defined, monitored, and enforced mean? Here's my brief opinion, but check out the ITPI's work for more (and better) detail.
- Defined: document what the process does, for whom, and why it's important. Create a swim lane and RACI for key steps and stakeholders. Identify key outcomes and their associated metrics. For each metric, draw a line in the sand for acceptable performance with a target value.
- Monitored: allocate sufficient resources to collect and report on the outcome-based metrics.
- Enforced: identify the audience for each metric and schedule appropriate intervals to review actual performance against target.
Obviously it doesn't make sense to mature every process to the same degree. So in which processes should we instill some discipline? Gene focuses on the first two; how about a process to stack rank the rest and a plan to knock them off over time?
Perhaps the following, after the first two:
- Incident Response
- Event Management
- Secure Development
- Vulnerability Management
- Risk and Spend Prioritization
- Asset Management
- Vendor Management
- Continuity Management
I don't think it matters what your list looks like. The fun is in the fact that you have one. The obvious criteria for selecting which processes to improve are:
- Relevance to revenue growth, e.g. Vendor Management if you're expanding, Secure Dev if you're improving production apps, Change Control if outages have affected revenue.
- Relevance to cost reduction: mature the areas associated with incidents and the areas where you spend the most time and money, e.g. access control, monitoring.
You might have some secondary criteria, e.g.:
- Past Incidents
- Processes your money-makers hate the most, e.g. device management, authentication, access control, training, compliance (wait, that's what we're doing here!).
Now you have a process to prioritize processes... I'm a big fan of gradual improvement plans so you can still do your day job. I like the technique of bucketing work items into foundation and investment, i.e. run the business vs. improve the business. Allocate a percentage of your team to improvement and you're on the path to winning the Compliance Game.