Risk Mitigation through Collaborative Innovation

Monday, April 26, 2010

Steven Fox, CISSP, QSA


Did you innovate today?

Let’s say that you did! Good job! Did you get the idea from a podcast or webinar? Maybe. Odds are that you got wind of an interesting idea when you sat with a different team during lunch. Perhaps you attended a presentation by the business analysis group after the cancellation of an audit meeting. In either case, a synergy occurred between new and acquired knowledge – eureka!

Imagine if you could institutionalize this process! Not possible? SAP did it. Their employees were able to create a network of teams focused on the creation of knowledge to drive value for their customers. This innovative approach expanded SAP’s knowledge base and improved the efficiency of the business units affected by this information.

How does this connect with the security of the organization? According to Wharton University’s Andrea Matwyshyn, security is no longer the sole responsibility of IT. “Security needs to have a process approach, coming from the top layers of a company and a culture of security,” said Matwyshyn. All levels of a company have information assets that are used in the conduct of business. Collaborating with these groups allows for improved knowledge of operational factors in the environment, which in turn enhances the quality of the data used in selecting risk control solutions.

John Hagel and John Seely Brown proposed the idea of “creation spaces” – a system of teams that leverages the power of organizational networks towards the creation of new knowledge. Their article in the Harvard Business Review suggests that this approach values innovation over the cataloging of existing knowledge. Creation spaces have the following three components.

Participants

SAP created “communities of innovation” that were focused on company and individual work-related challenges. This network included not only representatives from these areas, but also those from support functions such as developers and business analysts. It was managed by a single manager, thus reducing the silo effect of political agendas from each participant. According to Zia Yusuf, Executive VP of SAP’s Global Ecosystem & Partner Group, “when individual functions or business groups have responsibility for segments of the ecosystem, these segments tend to become silos and reflect the interests of the groups sponsoring them, rather than serving the needs of customers. By bringing all of the elements together in one place, we can more effectively focus on the customer and mobilize all of the resources relevant to the customer.”

This approach could be leveraged by involving security team members in these networks. They would benefit from the business knowledge shared in these discussions, and the network would likewise benefit from the business risk perspective they bring.

Interactions

Having teams is a great start, but interaction between the teams is needed. Additionally, this network model must interact with stakeholders within the company and with its customers in order to stay current on the issues at hand.

A common pattern in my NPO engagements is a request to focus my assessments on network security. While this is an important component to examine, the usual risk factors fall into the areas of policy compliance and security awareness. These companies would benefit from the formation of technical, staff, and volunteer teams that would address the business risks from varying perspectives. The end product – a 360-degree view of the organizational risk issues and control strategies that make sense to all the stakeholders.

Environments

Teams need focus of purpose, the tools with which to realize their goals, and an environment that enables their value proposition. SAP’s environment was formed around identifying customer needs and coming up with solutions that met those needs while positioning SAP competitively. This required management to design incentives and forums that supported this objective. Similarly, security leaders must create environments where security and business practitioners can benefit from collaborative information sharing.
