Baxter Thompson Associates
We are specialists in business relationship management. We provide Reconnaissance for IT.
HOW INFORMATION SECURITY WON THE HEARTS AND MINDS OF ITS PARTNERS
Jon Baxter, Founder and Managing Associate www.baxterthompson.com
We are passionate about enabling the BRM role to achieve its true strategic, value-adding potential.
Formed in 2009, Baxter Thompson Associates has always specialised in Information Technology Services. We bring together a blend of experienced Interim Managers and Consultants who have delivered tangible results while working as Business Relationship Managers.
Our aim is to be an industry innovator, respected as a thought leader by our peers and seen as a strategic partner by our clients. We help clients gain competitive advantage by enabling IT Business Relationship Management. We do this through a framework we call “Reconnaissance for IT”™. This helps us identify the opportunities, then plan and deliver with clients the deliverables required to improve the shared value of information technology with business strategy.
We typically help corporate companies on a European basis but are equally at home with smaller growing companies.
15/12/15 © All rights reserved, Baxter Thompson Ltd
Structure of the talk:
• Case study approach on the application of BRM to InfoSec: the client view – 35 mins (Enable, Engage, Talk “Risk”)
• The BRM view – 15 mins (Defining clarity of the BRM role, Improving Demand Shaping, Improving Servicing)
• Questions – 10 mins
• A lot of information
• Fast pace
• Questions at the end
• Happy to take questions off line via email or separate phone call
Key Themes: Key aspects of successful Business Relationship Management
• Client company (this presentation scope)
• Defining Clarity of the BRM role
• Improving Demand Shaping Discipline
• Improving Servicing Discipline
House of BRM courtesy of BRMI
The company / The symptom / The problem to solve / Strategic intent
1) From a Protect Focus to a Protect AND Enable Focus.
2) From Awareness to Engagement Focus.
3) From Technology to Risk Focus.
June 2014: IPO And Separation
• 2000: Merger of 3 exchanges.
• 2001/2002: 2 more exchanges added.
• 2006: Buyout.
• 2012: Further buyout.
• 2014: IPO and separation for the company.
Over a decade of IT change, much of it extremely complex integration and separation work, across 6 different cultures.
Business Mix of Client Company (Business Mix %)
• Listing: 14
• Trading - Cash and Derivatives: 46
• Market Data and Indices: 20
• Post Trade - Clearing, Settlement and Custody: 13
• Market Solutions: 7
Organisational Context (org chart): IT; ITS; Markets; Business Design; Solutions; InfoSec I&O; Other Service functions, e.g. HR, Finance; Admin; EU Prog. Man.
Key Relationships With InfoSec And Sources Of Demand
• Business areas: Markets; Solutions
• Strategic Governance: Executive level; Head of Department (HoD)
• Key Influencers: Product owners; Business Development managers; Project Managers and Business Analysts
• Users: All employees of client company
Key Influencers generate demand – new solutions, new markets, new clients, improved services etc. that manifest eventually as projects.
Engagement activities around controls, risk, best practices, policies, comms. and training.
Organisational Context: InfoSec Capabilities
• Training
• IT Asset Management
• Security Control Management
• Incident & Change Management
• Security Architecture Management
• Threat Management
• Communication
• Demand Management
• Governance (Tech. change control and business decision making)
• Risk Management
• Data Classification
• Project Management (Security Inspired)
Legend: Proposed New Capabilities; Impacted Capabilities (this presentation scope); Consultant identified; Client identified
Features Of A ‘Protect’ Focused Firm
1. Technology focused – prevent breach and avoid publicity.
Features Of A ‘Protect’ Focused Firm
2. Default message is ‘NO’, or at best ‘Maybe, but, no, er, No’.
‘Protect’ Focused Security Team: Cultural Challenges Limit Enablement
Herman’s Iceberg Model – Issues in ‘Informal’ Areas
InfoSec Industry Awareness Approach
• Risk: Security risk vector identified through business users, e.g. phishing
• Control: Technical and procedural controls put in place
• Communicate: Business users informed and trained where necessary
Expected outcome: Reduced risk
Other outcomes: Antagonism; Perception; Avoidance
To Enable Business AND Protect Poses A Problem
How to reduce business user risk long term whilst at the same time reducing antagonism, negative perception and avoidance of controls and procedures?
Enable AND Protect Problems And Solutions
Problems (other outcomes): Antagonism; Perception; Avoidance
InfoSec Solutions:
1. Improve credibility by strategy definition and programme planning.
2. Improve trust, relationships and communication skills by delivery on principles through an Engagement Manager and deployment of processes.
3. Improve way of working by reviewing security architect capacity and processes.
Infosec Strategy: ‘To Enable and Protect Client Company to efficiently execute its business strategy’
50% Enablement Focus, 50% Protect Focus. Which means:
• Enable by working with our partners: identify security options; inform risk based decisions.
• Protect by monitoring information flows: assess potential and existing threats; manage security incidents.
Through:
• Defensive Strategy (DS)
• Projects and Continuous Improvement (PCI)
• InfoSec Engagement Project (IEP)
• New Organisation Structure (NOS)
• Technical Risk Management (TRM)
Principles: One PROACTIVE team – security responsibility of all; Engage Earlier; Security Options instead of ‘No’ where possible; Partner focused; Solutions profiled by risk.
Engagement Focus
1. From a Protect Focus to a Protect AND Enable Focus
2. From Awareness to Engagement: Engagement Principles; Engagement Process; Engagement Plan
3. From Technology to Risk Focus
Engagement Principles
Change in business & IT culture from helpdesk to executive. Engagement with HR and business partners to identify: desired business values; desired attitudes; desired behaviours.
Principles:
• One PROACTIVE team – security responsibility of all. Engage Earlier.
• Security Options instead of ‘No’ where possible.
• Partner focused. Solutions profiled by risk.
Examples and impact:
• Shared Business and IT Goals
• Show an interest in how the business makes money
• Take time to understand the business requirement
• Empathy. Walk a mile in their shoes
• Joint business decision on benefits vs risk
Engagement Approach: It’s not just security awareness!
Flow of Information Between Stakeholders
Activities (existing and new):
• Using and Updating Policy and Procedures
• Developing Training
• Providing Communication
• Discussing with InfoSec Liaisons and Employees
• Enforcing Policies
• Understanding business opportunities and threats
• Applying InfoSec Principles
• Identifying Controls and mitigating Actions
Engagement Plan 2015
How? HoD Meetings; Engagement Manager; Training; InfoSec Liaisons; Site Visits; Policy Enforcement; Communications; Continuous Improvement; Surveys.
Objective: Reduce risk posed by threats to client company by proactively working with InfoSec business partners, through setting up and running engagement activities on an ongoing basis.
Enablers: Learning Management System; “Version 2” Policies and Procedures.
How to get there
This project has been split into 2 phases: Phase 1, Initiation up to end Jan 2015; Phase 2, Delivery of activities until end 2015.
• End Jan: Phase 1 setup complete; Engagement Manager ready
• End Feb: Survey / intranet deployed; Inductions started; Policies approved
• End May: Policies v2 approved; Training in dev.; Site visits in progress; Liaisons ready; Newsletter out
• End Aug: LMS available; HoD meetings in progress; Liaisons meeting
• End Oct: UK and Holland rolled out LMS; Policies enforced; Engagement activities steady-state
• End Dec: Training fully deployed to all parts of the company
InfoSec Roles: Role of Engagement Manager
• Deploy and manage InfoSec Liaisons
• Supervise Demand Coordinator role
• Proactively harvest user issues that impact security and work with peers to identify solutions
• Identify controls and update policy
• Develop communication and training material that responds to needs
• Deploy and administer learning management system
• Work with users to identify ways that risks can be reduced and controlled.
Skills and behaviours required: Excellent people focus – collaborative, friendly, empathetic, communicator. Analytical and results oriented.
Capabilities Impacted: Communication; Training; Demand Management
Target Audience: Business Users (majority %); Key influencers (minority %)
Risk Focus
1. From a Protect Focus to a Protect AND Enable Focus
2. From Awareness to Engagement
3. From Technology to Risk Focus: Risk language; InfoSec Demand; Project Lifecycle; Demand Management Processes
Information Security Key Engagement Message – Talk “Risk”
Threats: Reputation; Data loss; Exchange & market stability
(Word cloud) Risk Management; Governance; Business engagement; Business controls; Regulation; Business continuity; Legal Requirements; Creativity; Competitive advantage; Productivity
Risk is the common language between InfoSec and Business Partners.
Understanding the security risk helps:
• Strike a balance between creativity and control
• Prioritise activity
Sources Of InfoSec Demand
• Operational requirements
• Market requirements
• Regulatory requirements
• Demand generated by “Key Influencers”
Sources Of Demand – Problem Statement
5 sources of demand and internal projects, all competing for the same resource. All requests are “top priority”. Currently demand is hitting InfoSec Architects at all stages of the project lifecycle.
Symptom: Architects swamped with work and “unable to prioritise work”.
Root cause: Engagement approach, lack of governance, demand planning processes, project management, capacity planning and overall capacity.
(Diagram: demand from ITS, Solutions, Operational, Other Functions, Markets and Internal Projects reaching InfoSec I&O through IT Project Management (PM), Business Analysis (BA) and Architect (A) roles.)
Security Architect Capacity Planning (Feb): Significant unfulfilled demand
(Chart: FTE over time. Black line = current capacity; Yellow = Ideas, Initiatives, Unprioritised projects (no start date); Other colours = operational commitments and planned projects.)
Typical Project Lifecycle
(Chart: man-days effort against time, through “Initiative”, Business Case, “Project”, Project Handover, “Service” / “BAU”.)
• “Initiative”: Feasibility, High Level Assessment, Supplier Assessment
• “Project”: Detail Design, Service Design, Develop, Install; Sprint 0,1,2,3…n
• Handover to “Service”: Training, Handover
A Common Industry Project Lifecycle
(Chart: man-days effort against time, through “Initiative”, Business Case (if done), “Project”, Project Handover (if done), “Service” / “BAU”.)
Lack of planning, conception, scope creep, poor governance, poor alignment to benefits / outcomes and loose risk controls leads to cost and time over-runs.
Past examples: 100%+ variance from initial budget forecast.
InfoSec Demand Management Vision
• To move from a “protect” to a “protect and enable” vision, InfoSec would like to work more upstream in the project lifecycle and effectively engage with Key Influencers with Architecture and Engagement Manager roles.
• The benefits are:
1. Identify those initiatives which present a real security risk to the organisation
2. Build into the project sufficient resource (budget, man-days) to mitigate project risk and therefore business risk
3. Prioritise effort on those projects with the highest risk
• The requirement is: extra Architects working at the initiative stage of the project lifecycle.
(Chart: man-days effort against time across “Initiative”, Business Case, “Project”, Project Handover, “Service”; current vs future effort, Enable vs Protect.)
High Level Assessment – Initiative Stage
The outcome required is information that helps build the business case for the idea – do we proceed or not?
(Flow between IT and InfoSec) Proposal / idea, Asset value, Attributes of idea → HLA Document → High Level Risk assessment document, InfoSec man-days effort → Decision to continue / next project step.
InfoSec Demand Management Process
1. Record request in Register.
2. Is it a standard service? → Service Management.
3. Is it a Change request? → Change Request Management.
4. Is it to participate in a project? → Project Planning.
5. Is it something else? → High Level Assessment.
6. Risk / Issue or further action? If not, close request.
Implementation Status: R / Y / G.
Demand Management Roles: Tactical Process Considerations
Demand Coordinator (under the auspices of the Engagement Manager): Receives requests and determines type. Tracks request and associated activity in Register. Allocates resource to request. Sets expectations on delivery of request.
Security Architect: Delivers project planning, High Level Risk Assessments and Go-Live Risk Assessments. Conducts activities – identifies risks, issues, solution design etc. Reports progress and escalates risks.
InfoSec Roles: Role of Security Architect
• Research threats and opportunities that impact security infrastructure
• Proactively assess solutions that protect AND enable company
• Contribute to the architecture design and planning of systems
• Consult with key influencers and assess security risk of proposed activities
• Collaboratively consider options that reduce security risk
Skills and behaviours required: Architecture design and planning; Strategic oriented, consulting skills; Security knowledge; Strong, non-technical communication skills; Proactive and forward thinking; Open minded.
Capabilities Impacted: Demand Management; Security Architecture
Target Audience: Key Influencers
InfoSec Enablement In Summary
• From Protect to Enable AND Protect
• From Awareness to Engagement
• From Technology focus to Risk focus
Key Themes: Key aspects of successful Business Relationship Management
• Defining Clarity of the BRM role
• Improving Demand Shaping Discipline
• Improving Servicing Discipline
House of BRM courtesy of BRMI
A note about Competencies and Capabilities…
The disciplines on the previous slide show, at a high level, how the BRM competencies interact with the provider capabilities.
Capabilities relate to the provider organisation – People, Process & Tools.
Competencies relate to the person.
Some capabilities of the provider can be the responsibility of the BRM, e.g. Demand Management.
The competency of the person to fulfil the BRM role is a function of personal skills and aptitude. These can be trained and coached.
(Diagram) BRM Competency = Personal Skills and Aptitude; Provider Capability = Processes, Tools, Roles & Resp.
Generic Provider Capability Maturity Model
Maturity Levels (evidence: Tools, Process, People):
• Level 1 Initial: People working at an administrative level, unclear of role. Processes unpredictable, poorly controlled and reactive. Tools consist of email and phone. No formal management techniques.
• Level 2 Managed: People operationally focused and siloed. Processes often reactive. Tools basic and not integrated. Some management techniques applied.
• Level 3 Defined: People work in teams. Processes characterised for the organisation and proactive. Some cross-functional tools integrated. Best practice techniques applied occasionally with some success.
• Level 4 Quantitatively Managed: People work collaboratively across functions. Processes measured and controlled. Integrated platforms. Best practice techniques generally applied and successful.
• Level 5 Optimising: People work together towards shared goals. Change part of culture. Focus on process improvement. Innovative techniques applied. Technology responsive and agile.
Defining Clarity of the BRM Role
House of BRM courtesy of BRMI
• Organisational context within which the provider works
• Defining the Provider Strategy
• Understanding the Provider Operating Model
• Clarifying the BRM Role
Improving Demand Shaping Discipline
House of BRM courtesy of BRMI
Demand Shaping - The Demand Shaping Discipline stimulates, surfaces and shapes business demand for Provider services, capabilities, and products……
….Demand Shaping is focused on optimizing the business value realized through Provider services, capabilities, and products—that low-value demand is suppressed while higher-value demand is stimulated.
It ensures that business strategies fully leverage Provider capabilities, and that the Provider service portfolio and capabilities enable business strategies.
Improving Servicing Discipline
House of BRM courtesy of BRMI
Servicing - The Servicing Discipline coordinates resources, manages Business Partner expectations, and integrates activities in accordance with the Business Partner-Provider partnership. It ensures that Business Partner-Provider engagement translates demand into effective supply requirements.
Key phrases: coordinates resources; integrates activities; manages Business Partner expectations; translates demand into effective supply requirements.
Steps Taken
Strategic Analysis:
• Focus front and centre on strategy and business value, not the technology solutions nor the operational issues.
• Subsequent outcomes driven to key focus areas or problem statements.
Functional Analysis:
• Answer what competencies and capabilities are required to resolve the problem.
• Identify the gap between current and future level of competence and capability.
Define and deploy to achieve outcomes:
• Allocate competencies and responsibilities to roles
• Document roles, processes, training and procedures
• Fund, recruit and deploy roles
• Train and coach
Observations
Enlightened client identified problem to solve:
- The business case had already been made for the client project.
- Strategic intent of the project drove custom, context-specific outcomes.
Build not Buy:
- Client company’s case wasn’t to implement BRM per se – more to implement the capabilities and competencies derived from BRM.
- A lot of effort was spent defining the approach, tools, techniques and roles.
A “lite” & “undercover” BRM:
- Only some of the disciplines and competencies were focused on.
- The role was effectively divided between Architect and Engagement Manager – security architecture expertise complementing training / liaison. Both are “relationship” roles but manifest in different contexts.
This starts the journey on BRM:
- The benefits have started: clear strategic intent, communication approach, demand management.
Application of BRM to Provider Functions
1. This specific implementation requires: a framework – cross-referencing the problem statement to potential solutions, not copy / pasting; significant understanding of the organisational context – in the first month of work this was organic and achieved only after relationships were established; tailoring solutions and making them “theirs”.
2. Benefits of the above approach: addresses business needs / concerns and therefore adds most value at the given point in the client journey; demonstrates the flexibility of Business Relationship Management in any context …but requires significant effort to tailor.
3. Benefits of Business Relationship Management in general: strategic alignment; focus activity on the right priorities – reduces risk and maximises value; increases collaboration across the company – maximises value.
4. Strategic BRM requires stability and competence in the delivery of core services.
To find out more….
Phone: +44 20 33 84 94 63. Email: [email protected]
www.baxterthompson.com
Baxter Thompson Ltd, Dalton House, 60 Windsor Avenue, London SW19 2RR, United Kingdom
Legal Notice
The content of this slide deck is for information purposes only and does not constitute any advice. The information and materials contained in this presentation are provided ‘as is’ and Baxter Thompson Associates does not warrant the accuracy, adequacy or completeness of the information and materials and expressly disclaims liability for any errors, omissions or for any consequential loss or damage of any nature. This presentation is not intended to be, and shall not constitute in any way, a binding or legal agreement, or impose any legal obligation on Baxter Thompson Associates. Except as described, all proprietary rights and interest in or connected with this publication shall vest in Baxter Thompson Ltd. No part of it may be redistributed or reproduced without the prior written permission of Baxter Thompson Associates. Portions of this presentation contain materials or information copyrighted, trademarked or otherwise owned by a third party. No permission to use these third party materials should be inferred from this presentation. Baxter Thompson Associates refers to Baxter Thompson Ltd.