Governance 101: The role of effective Service Management governance in an IT services organisation and the key features of a governance framework

Delivering consistent, quality IT services to customers is not easy, and it is even more challenging if those services are not governed effectively. For example, how can an IT organisation look to improve if it doesn’t measure the number of service-impacting incidents properly?

Take the high-profile service outages of several major banks in recent years, for example. Their customers were unable to make transactions or access services for periods of time. Even in a highly regulated environment such as financial services, where IT governance is generally tighter, there is no guarantee that the outages could have been prevented by governance alone.

Equally, too much governance can be seen as overly bureaucratic. A complicated and lengthy change control process could drive the wrong behaviour from some members of the IT organisation, in that they may simply bypass the process.

By order of the management, doesn’t always mean effective governance!

In any case, a business is often dependent on its IT services, and as such there need to be controls in place that not only protect customers but also deliver value to them. These controls must be appropriate: not all businesses are financial service providers needing tight control.

What is governance and why is it important?

Before implementing any type of governance, it is worth understanding what it actually is. According to Wikipedia, “governance refers to all processes of governing undertaken…and relates to the interaction and decision-making among the actors involved in a collective problem”.

The Harvard Business School describes IT governance as “specifying the decision rights and the decision-making mechanics to foster the desired behaviour in the use of IT”.

A key thing to note is that governance is not the same as management. Ultimately, ITSM governance is concerned with control, compliance and performance.

It is important that ITSM governance has effective decision-making in place; drives the right behaviours (and, by implication, discourages the wrong ones); and has policies and processes in place so that issues are easier to discover and quicker to remedy.

Going back to our banking example, HSBC had an issue with ATMs and Online Banking in 2011 but was able to pinpoint it and restore service within 2-3 hours. Without good governance in place, it could feasibly have taken considerably longer to obtain the necessary information and decisions.

What are the different aspects of ITSM governance?

In order to understand, design and communicate effective ITSM governance, Harvard Business School suggests that “a decision, rights and accountability framework” should be created covering aspects such as:

  • What decisions should be made and what information should be considered
  • Who can make decisions and who is accountable for them
  • How can decisions and governance be measured?

You might also want to consider different aspects like those listed below:

Aspects, with questions or things to consider for each:

  1. People: Communicate with guiding principles that inform and involve all relevant staff; leverage their expertise; and ensure strong input from senior management.
  2. Process: Governance should be controlled and executed through policy, process, ownership and performance.
  3. Technology: What technology and tools are required to support the process?
  4. Information: What data, such as measurements and metrics, are required to inform decision making?
  5. Services: What are they; how much do they cost; and how do they add value to the business?
  6. Suppliers: What are their processes and metrics, and how are they involved in your governance?
  7. Customers: Who are your customers and how do they benefit from your governance? How can you evidence that your governance improves service costs, their perception and value delivery?
  8. Corporate Governance: How does your governance align to corporate governance, strategic objectives and architecture; and is IT involved at the right level within the organisation in this regard?

How is ITSM governance executed?

After considering what aspects to include in ITSM governance, it is equally important to consider how to design and execute it in practice. The following are some suggestions you might want to consider when implementing ITSM governance.

Firstly, identify the types of frameworks and methods to be used, particularly if you are starting from scratch. Whilst not exhaustive, the following are some common methods and how they can be applied:

  • COBIT is an IT governance framework that focuses on what should be covered in processes and procedures and how they can be directed and controlled.
  • ISO/IEC standards such as 20000 (Service Management), 27000 (Security) and 38500 (IT Governance) are international standards that provide specific advice and controls that IT can be audited against to gain industry-recognised certification.
  • TOGAF is a framework for enterprise architecture that provides an approach for designing, planning, implementing and governing an enterprise and service-oriented architecture.
  • Other specific best practices for governance, such as PRINCE2 for projects; USMBOK and ITIL for service; MoR for risk management; and CMMI for benchmarking and maturity.

Secondly, ITSM needs to be involved with, or even own, certain internal governing bodies such as:

  • IT Pipeline and Portfolio Board to understand the upcoming projects and be ready to design, transition and operate the services being delivered as necessary
  • Architecture Governance Board to influence and ratify all architecture designs and decisions
  • Change Advisory Board to review/approve changes – particularly to the live production environment
  • Other Governance or Steering Groups involving the business to ensure IT is represented appropriately

Thirdly, ITSM governance needs to ensure that key policies, processes and metrics are in place. These may vary depending on the needs of the organisation, but incident, change and release policies should be created to ensure that service-related issues and changes are controlled, evaluated, measured and resolved in an appropriate way, with minimum risk and impact to the business.

Finally, and arguably most importantly, build an improvement culture that has the support of the whole IT organisation. By establishing quick wins, involving staff in policy development, empowering them to take ownership as appropriate, and using improvement techniques such as Deming’s Plan-Do-Check-Act cycle, ITSM governance is more likely to be established, accepted and acted upon by the IT organisation.

Summing Up

The key things to remember when implementing ITSM governance are to:

  • Ensure it is appropriate for your organisation and limit bureaucracy where possible
  • Remember that governance is not management and is primarily about driving effective decision-making and ensuring control and performance of services
  • Make sure it aligns to the strategic and corporate governance and objectives of your organisation
  • Control, improve and mature governance through policy, process, benchmarks and measurements, using industry best practice where practicable to do so.
  • Develop and maintain an improvement culture within the IT organisation so that staff understand the value of – and contribute to the success of – ITSM governance

Jon Morley

This article was contributed by Jon Morley, Vice-Chair of the itSMF UK Service Transition Special Interest Group and IT Service Transition Manager at the University of Nottingham.

Release Management – How To (Part 1)

One of the questions I used to get asked all the time as a consultant was how to get started with Release Management. Most organisations start with Change Management and then, as they mature, look to add additional governance and control with Release Management.

Here are some areas to focus on when looking at ways to formalise your Release Management process:

  • Policy
  • Release Planning
  • Design & Build
  • Acceptance
  • Rollout
  • Communication and training
  • Distribution & installation
  • Early life support
  • Review & close

Release Management Policy

A solid policy is one of the most important aspects of a good Release Management process. Put simply, your policy is a list of “thou shalts” and “thou shalt nots” regarding the Release process. No matter who the customer is, whenever I create a Release Management policy I ensure the following three things are addressed:

  1. Definition of a Release
  2. Release schedule
  3. Governance

Let’s start with the basics. ITIL defines a Release as “One or more changes to an IT service that are built, tested and deployed together. A single release may include changes to hardware, software, documentation, processes and other components.” In practice, every organisation will have slightly different criteria for selecting the Release route. Some organisations have very well-defined release criteria; conversely, I’ve worked with organisations where anything touching the code of a transactional website was classed as a Release and everything else was a Change. Whatever your setup, I’d recommend a simple matrix that guides people as to which cycle to follow.

Scheduling needs to be addressed as part of the policy. How many releases do you need to have? Some organisations go for monthly or quarterly Release cycles; at the other end of the scale you have Amazon, who deploy a new software release every 11.6 seconds. Make sure timescales are set in your policy and that they tie in with the related Change Management policy.

Appropriate levels of governance must be in place to support the Release Management process. The policy should set out which Releases can simply be approved at CAB and which Releases need a higher level of approval, e.g. from a Project or Release Board.

Release Planning

Make sure that the content and scheduling of each release is agreed early on, so regular meetings with both development teams and business representatives are a must. Make sure the Release schedule (documented in your policy) is combined with the Change Schedule. The easiest way to do this is to raise a Change for each Release and then link the information; that way it shows up on the schedule, CAB are aware of the timings and, because the Change record contains a link to the Release documentation, there’s no duplication of effort.

Effective Release planning means that downtime and inconvenience to the business are minimised, as multiple Changes are packaged into one Release. This approach also saves money, as avoiding multiple downtime windows means less overtime, fewer external support call-outs and fewer service credits paid out.

Design & Build

Carry out a review of your supporting players. Work with Configuration Management to ensure that the software in your Definitive Media Library (DML, or DSL, Definitive Software Library, if you’re old school) and Hardware Store (HS) is consistent with the Configuration Management System (CMS). Wow, just reading back that sentence, that’s a lot of ITIL terminology. Here’s a quick beginner’s guide if you’ve just read this and wanted to panic and/or cry:

DML: Definitive Media Library. One or more locations in which the definitive, authorised and licensed versions of all software Configuration Items (CIs) are stored. In practice, the DML is your application library or server; it’s there to make sure only authorised and safe software is installed across your company.

HS: Hardware Store. Secure storage of definitive hardware spare components and assemblies. In practice, this is your store of spare PCs and laptops for spares and “hot swaps”.

CMDB/CMS: A database used to store configuration records throughout their lifecycle. The Configuration Management System maintains one or more Configuration Management Databases, and each database stores attributes of configuration items and their relationships with other configuration items. If that’s still making your head hurt, here’s a quick diagram to help explain:

Diagram 1: Scary Terminology Explained (the CMS encompassing both the HS and the DML)

Now that we’ve got the technology squared away: by checking that software from the DML and hardware from the HS are consistent with the CMS, you may find unused, “spare” software licences and you may find hardware that can be used in production.

Look at the environments (if any) you have for testing Release content. If more are needed but money is tight, could the cost be shared with other departments initially? A training environment could also double as a pre-production environment. Tight management can reduce the need for multiple environments: someone (usually the Release or Test Manager) controls who is using the environments through a “booking out” process and ensures that each environment is refreshed on a pre-agreed regular basis.

Come back soon for Part 2 of this article, where I’ll give further tips on building a Release Management process.


ITSM Evolution – Practical Steps to Stay Current

Using ITSM tools can be like rummaging through a garage full of old tools that you rarely use in order to find one or two tools that you do

ITSM Evolution – Practical Steps to Stay Current is a guest post contributed by Dirk Anderson, Head of Product at RedPixie

With the growth in BYOD and the consumerisation of devices, more and more enterprises are adapting the way that they use technology to serve the business effectively. However, many ITSM tools have been designed to give traditional IT teams a way to manage traditional services and processes at a component level only, whether that’s processing tickets or responding to an individual end-user request. The challenge, however, is whether ITSM evolution is possible and whether the demands of the business can be met using the current tools at our disposal.

Today, firms need to ask themselves if this type of service level approach, using legacy methods, can flourish, or even survive, in the future. This article looks at the practical steps we’d recommend IT Service Managers consider in order to deliver services that address the needs of the internal ‘business customers’ in a dynamic business environment, where user expectations are more demanding than ever.

Step 1: Know your customers

As a matter of course, you should already be conducting customer satisfaction surveys or have appropriate forums for regular dialogue with your internal business customers. Use these forums to gain an appreciation of how your customers do business today, what IT services they use and what may change in the future. It is likely that:

  • Your business will be using more personal devices and business customers will expect to access corporate applications and data securely from those devices
  • Your business customers will be embarrassed if their business partners and guests cannot easily use your enterprise guest wireless whilst they’re visiting
  • Your business customers will expect to work effectively from wherever they are
  • They will expect to walk to another desk or meeting room and instantly access the IT services, applications and data at those locations

Expectations are changing. It’s important to explore these areas, and never shy away from hearing frustrations. Canvass their views on new service capabilities that would improve their experience and help them be more productive.

Step 2: Pay attention to your IT service portfolio

Look at the IT consumer services that you provide, and break them into categories. There is a high chance that one category (call it what you prefer) has a large percentage of similar helpdesk tickets. This means that “your consumers” repeatedly need to consume these same critical services, such as resetting passwords or removing software on end user devices. It is important that you automate these services and allow the business to self-serve. This will free your team up to focus on the emerging services that need to become part of your service portfolio. As you add those new services, some may fall into this same category. Consider how automation and self-service capability can be applied to those emerging services.

Step 3: Evolve ITSM Toolkit to Meet IT Service Goals

As you evolve your service portfolio, how well does your current ITSM toolset fit your strategic needs? It is important to evolve your ITSM toolkit to meet your longer term IT service objectives. Can you easily add common cloud services and can you automate and allow your consumers to self-serve?

In larger enterprises, you should think like a public cloud provider. You provide the capacity and the technologies, and your customers help themselves to the most common services without the IT team’s involvement. You should focus on managing areas such as overall service capacity, the software licence position and the development of your service portfolio. Commonly used or repeatable IT services should be available for your customers to help themselves, in the way customers consume Microsoft cloud services, for example, without the need to involve Microsoft’s cloud IT support team. If your ITSM toolkit does not support that strategy, then you need to consider replacing or adding to those tools to support a more strategic focus. That may mean looking at new ITSM capabilities that augment existing processes and tools to deliver “new world” capability within your service portfolio.

Step 4: Review and measure

As your service evolves, make sure that you have a continuous review cycle in place with an internal business customer group. It’s important to measure not only how the service portfolio fits the changing needs of the business but also whether your ITSM “toolkit” allows you to shape your service around your changing business. The following are critical:

  • Know your service portfolio – To measure the services that you provide as an enterprise IT team, be clear on the portfolio of services provided. It starts with a list of those services, typically on a web portal explaining clearly what the services are (and are not). The portfolio needs an overall owner, typically a senior IT head, and the individual services require service owners, such as IT line managers. This list of services requires ongoing maintenance.
  • Manage the service portfolio – Work with business representatives and senior IT stakeholders to ensure that the portfolio remains manageable. As new services are adopted, you need to be able to retire other services, unless the business is willing to fund you to support an ever-growing and unsustainable portfolio.
  • Measure the service portfolio – Develop a way to measure your portfolio. This needs to include which services are used by whom, and the level of consumption. Undertake a Service Review, and work with the business to get feedback on the quality of those services. Understand the cost of providing those services, relative to their business value.
  • Build a Governance Function – Be open and discuss the importance of not creating a technical debt because of a “bloated” portfolio. You only have so much capacity as an IT function. Consider building a senior governance function to support the integration of new technology capabilities whilst removing non-strategic services and technologies.

In summary, do everything you can to know your customers, understand your changing service portfolio, be aware of current limitations in your ITSM toolkit and evolve it for emerging demands, and lastly, proactively review and measure.

ITSM14 Preview: Karen Brusch and Managing Multiple Suppliers from an SLM Perspective

Karen Brusch of Nationwide Building Society and itSMF UK

In the run-up to this year’s itSMF UK conference, ITSM14, I chatted with Karen Brusch of Nationwide Building Society and itSMF UK about her upcoming session entitled “Managing Multiple Suppliers from an SLM Perspective”.

Q. Hi Karen, can you give a quick intro to your session at the itSMF UK Conference?

The itSMF UK Service Level Management SIG has always been keen to research and present topics that are identified as problem areas by practitioners in the industry. Supplier Management and how that impacts Service Level Management has been an area of discussion which has gained momentum over the last 18 months. This session takes a look at some key points around the complexities of managing multiple suppliers.

Q. What impact does managing multiple suppliers have on an organisation?

The most obvious impact is the failure to deliver what an organisation’s business needs. It is hard enough to understand and document business requirements when you have one supplier; but when you have a multitude of suppliers, there is a real risk that requirements become diluted, compromised, or more crucially missed. Managing multiple suppliers is a black art, where what works for one set of suppliers will not necessarily work for another; so each combination requires a modified approach. Service Integration specialists (SIAM) have helped to shape some answers, but even here, flexibility is the key. So any organisation embarking on a multi-vendor strategy has to have the knowledge, capability and determination to succeed.

Q. Where should organisations start with managing multiple suppliers?

The most important thing is to understand your business’ end game; where do they want to be in 5 years’ time, for example? Once you have this information you can begin to formulate supporting IT strategies and requirements. Too many organisations write their Invitations to Tender (ITTs) and Requests for Proposals (RFPs) without understanding business strategy.

Q. What are likely to be the potential pitfalls and/or benefits an organisation may experience with implementing a framework for managing multiple suppliers?

An organisation will derive real benefit from taking the time to develop an appropriate governance framework for the selected preferred suppliers. As I’ve said already, each combination requires a modified approach, so it really pays to invest some time in this activity. The fundamental pitfall that I’ve seen on many occasions is that organisations select the cheapest provider for each area/tower of service, not taking into consideration the overall impact and integration issues. It goes back to having people with the knowledge, capability and determination to succeed.


Karen is an ITIL Expert, recognised as a member of the itSMF UK Expert Faculty, and a Service Design specialist with 12 years’ experience. She chaired the itSMF UK Service Level Management Special Interest Group for several years, and has recently stepped down from this role to support the newly formed Service Design SIG. When not engaged in itSMF activities, she works for Nationwide Building Society as a Service Design Consultant.

Karen’s session is on day two and is featured within the Managing Complexity track. To find out more or to book your conference place, please visit itSMF UK.

Follow Karen on Twitter or connect via LinkedIn

LEADIT Preview: Suresh GP and an introduction to Governance

Suresh GP (bottom row, 3rd from right) opening the Chennai chapter of itSMF India on 1st August 2014. Suresh will present at the LEADIT conference in Melbourne, Australia on the 13th to 15th August.

In the run-up to this year’s itSMF Australia LEADIT14 conference, I chatted with Suresh GP about his session entitled “Governance – custodian to changing business trends and IT landscape”.

Q. ITSM Review: Hi Suresh, can you give a quick intro to your session at LEADIT?

Suresh GP: Today we are in an era of rapid technological change, complex operating environments and the demanding consumerization of IT. Enterprises are forced to change gears and make the paradigm shift imminently, not only to be competitive but also to secure their place in business. While organizations are spending time, effort and resources to scale up to new frontiers, there is no blueprint to guarantee success in their endeavors. Over and above this, changing regulatory and legal compliance requirements make it a difficult proposition to sail through seamlessly.

Hence it is the need of the hour for enterprises to fall back on a robust Governance and control structure to hand-hold and guide them during this unpredictable journey.

Companies with effective IT Governance have profits that are 20% higher than other companies pursuing similar strategies – Weill & Ross

Q. Where should organizations start on their governance journey?

The fundamental problem of IT is the lack of clarity around IT Management and IT Governance, which is the first thing you need to understand before starting your journey with Governance.

IT governance is primarily concerned with two things: IT’s delivery of value to the business and mitigation of IT risks. On the other hand, Management plans, builds, runs and monitors activities in alignment with the direction set by the governance to achieve the enterprise objectives. Governance involves executive committees and boards that are independent of organizations whereas the Management involves senior management staff within the same organization.

Suresh GP

In simple words, Governance is doing the right things while Management is about doing things right.

Q. So what is Corporate Governance?

Corporate Governance is based on rules laid out by the Organisation for Economic Co-operation and Development (OECD). They can be classified as follows:

  • Ensure strategic guidance of the company
  • Timely and accurate disclosure of the financial situation
  • Annual audit by independent, competent and qualified auditors

During my session at LEADIT we look at Corporate Governance requirements and lessons learned, using scenarios around Lehman Brothers, the Commonwealth Games at London 2012 and the Uttarakhand Disaster of 2013.

Q. What impact does Governance have on the Consumerization of IT?

At the end of 2013, there were more mobile devices than people on earth. The IT Service Desk is grappling with the tough task of managing end user devices beyond the standard set. Shadow IT has become the order of the day and is expected to grow in the next three years. Heartbleed, cyber threats and many more surprises come every day to add fuel to the fire. So what could come to the rescue of the Service Desk?

  • BYOD policies and processes – refer to Karen Ferris’ earlier post
  • Becoming aware of the pros and cons of different tools and their support
  • Governance that could filter the quality of inflow for Service Requests and Incidents
  • Manage and control, saving jobs and improving agility

During my session, we will then walk through other IT frontier case studies and see how Governance helps to address risks and provide value delivery. You can also read my earlier blog post, IT Governance: 5 Ingredients to kick start your value delivery.

Finally we talk about key success principles that can be leveraged to make Governance a trusted custodian to changing business and IT Landscapes.

So this is just a teaser of how Governance can become your trusted custodian to a changing business and IT landscape. If you want to hear about how Governance plays a pivotal role for Cloud, Mobility, BYOD, Big Data and Social Media, come and listen to my presentation at LEADIT14. In addition, I also moderate a panel discussion about the Challenges and Pitfalls of Mobility and BYOD. You can find out everything you need to know about the conference here.

Follow Suresh on Twitter or LinkedIn.

Security after Snowden – what do I need to do?

The implications of the revelations of ex-NSA employee Edward Snowden have been much discussed, and many people who were not previously concerned with cyber-security are now wondering what they should be doing. This is a good thing, but the danger has not changed, only the perception of it. Most of the ideas outlined here were well known, at least in broad terms, before this, but those who argued for them were considered paranoid.

If you’ve been asked to put a presentation together, perhaps because your Board suddenly wants to know what can be done, then this, I hope, will be just the article for you. It is intended to be a quick, high-level guide to exactly that. The solution is not wholly, or even mainly, technical; it is actually a matter of sound service governance, as I’ll describe. So, what to do?

First, don’t panic! There is not very much that can be done in the short term; rushing about trying to fix firewalls is likely to make things worse, and a worthwhile solution must be thought out properly.

Secondly, do you need to do anything at all? Maybe not. It is only worth spending money to address a risk if the risk is credible and, if it happens, will have a large impact. If the worst happened and your most important competitor, and all your customers and suppliers, were to see all your corporate information in detail, would your business suffer? For a good many businesses, the answer is ‘no, not really, not much’. If that is the genuine answer, then there is no need to waste money on expensive security measures. Many companies, on the other hand, would go out of business quite quickly in this situation; for them, it is essential for good governance to be certain that a proper cyber-security policy is in place and then put into action.

What is the threat? Exactly the scenario outlined above. If somebody can access your information through a secret trapdoor in your firewalls, your applications or your operating systems, then, in principle, anybody can.

Governance and Cyber-Security

The biggest risk to security isn’t technical at all. Anybody in your organisation can, if disgruntled, take what they are allowed to access and share it with your competitor, the regulators or a foreign government. This is always the biggest risk.

How do you mitigate this one? Staff satisfaction. If you have good governance, so that as an organisation you have fair policies and are a good corporate citizen, helping your community and looking after your staff by treating them fairly, giving them opportunities for advancement and training them, then you will have satisfied staff who are loyal to you and won’t wish to let you down by revealing your corporate secrets to competitors.

So the first firewall you need to build is a wall of trust between your organisation and your staff. The same applies to suppliers and customers: you need to make sure that they are also part of your circle of trust, so that they don’t reveal things that could damage the organisation.

It helps too, because good governance ensures that the organisation is behaving ethically, so there are no skeletons in the cupboard waiting to be revealed by whistle-blowers.

Beyond that, you can make sure that your infrastructure is safe from cyber-criminals, spies (both genuine spies and industrial spies), hackers and so forth. This is not as easy as it seems, so it is worth considering technical solutions to cyber-security in a bit more detail.

Firewalls

The most obvious danger highlighted by Snowden’s revelations was how vulnerable organisations are to closed-source solutions. In the past, the simple solution many people saw to security was to put everything behind a firewall. This has three problems:

  1. The firewall can be breached through any trap doors in its firmware and this breach will be undetectable
  2. Even if the firewall isn’t breached, closed-source operating systems can communicate back to the ‘mother ship’ through the firewall through their trap doors
  3. Even if your closed operating systems and closed firewalls are not letting anybody in, your closed applications can be.

On that last point, if you're running Microsoft Office on your computer, have a look at the activity monitor. Even if you have not used Word, say, for many hours, you will see it has clocked up plenty of activity. What is it doing? Among other things it is connecting back to Microsoft to check that your licence is valid, several times a day, on your CPU. If Microsoft wanted it to send other information back, would you have any way of knowing? Not from the application itself. What you can see, even for closed-source software, is where it connects and how much it sends, so logging outbound connections per application and comparing them with what each application is expected to do is the practical check.
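As an added example (not code from the article or from any vendor), here is that check in working form: connection records are parsed, each application's destinations are compared with an allowlist of where it is expected to talk, and the volume sent to even an allowed destination is totalled so that a sudden large upload stands out. The log format, the process names, the addresses (taken from the RFC 5737 documentation ranges) and the allowlist are all constructed for illustration.

```python
"""Egress audit over constructed connection records.

Added example, not code from the original article. The log format, the
process names, the addresses (RFC 5737 documentation ranges) and the
per-application allowlist are all constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# One record per outbound connection, in the shape a host firewall or
# flow collector might emit it (constructed format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<ip>[0-9.]+):(?P<port>\d+) bytes_out=(?P<bytes>\d+)$"
)

# Policy: the destinations each application is expected to talk to.
# An application absent from this table is not expected to talk out at all.
EGRESS_POLICY = {
    "winword.exe": [ipaddress.ip_network("198.51.100.0/24")],  # "vendor licensing" range (constructed)
    "ssh":         [ipaddress.ip_network("192.0.2.0/24")],     # "our data centre" range (constructed)
}

# Constructed sample: two routine licence checks, one connection to an
# unexpected destination, an unlisted helper process, and one large upload
# to an allowed destination.
SAMPLE_LOG = """\
2014-03-03T09:14:05Z host=ws-17 proc=winword.exe dst=198.51.100.20:443 bytes_out=1840
2014-03-03T09:14:09Z host=ws-17 proc=winword.exe dst=198.51.100.20:443 bytes_out=1792
2014-03-03T11:02:41Z host=ws-17 proc=winword.exe dst=203.0.113.77:443 bytes_out=2411
2014-03-03T11:05:00Z host=ws-17 proc=ssh dst=192.0.2.10:22 bytes_out=5120
2014-03-03T11:06:30Z host=ws-17 proc=updatehelper.exe dst=203.0.113.9:8443 bytes_out=640
2014-03-03T11:40:12Z host=ws-17 proc=winword.exe dst=198.51.100.20:443 bytes_out=2411000
"""


def parse_log(text):
    """Parse records; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ip"] = ipaddress.ip_address(d["ip"])
        d["port"] = int(d["port"])
        d["bytes"] = int(d["bytes"])
        records.append(d)
    return records


def is_allowed(proc, ip, policy=EGRESS_POLICY):
    """True if the policy expects `proc` to talk to `ip` (string or address)."""
    ip = ipaddress.ip_address(str(ip))
    return any(ip in net for net in policy.get(proc, []))


def audit(text, policy=EGRESS_POLICY, volume_threshold=1_000_000):
    """Return findings as (reason, process, destination, bytes) tuples.

    Two checks: a destination outside the application's allowlist, and an
    allowed destination that has received more than volume_threshold bytes
    in total. You cannot read a closed program's payload, but you can see
    where it goes and how much it sends.
    """
    findings = []
    totals = defaultdict(int)
    for r in parse_log(text):
        dst = str(r["ip"])
        totals[(r["proc"], dst)] += r["bytes"]
        if not is_allowed(r["proc"], dst, policy):
            findings.append(("unexpected_destination", r["proc"], dst, r["bytes"]))
    for (proc, dst), total in sorted(totals.items()):
        if is_allowed(proc, dst, policy) and total > volume_threshold:
            findings.append(("high_volume", proc, dst, total))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Run as a script it prints three findings: Word talking to an address outside its expected range, a helper process that has no business talking out at all, and an allowed destination that has received far more than a licence check would need. The allowlist is the governance artefact here: it is the written-down expectation that turns raw connection logs into something an auditor can test against.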

Can you trust closed-source firewalls, operating systems or applications? Snowden showed that you cannot assume so. It makes sense for anybody wanting to spy to put their bugs (in the sense of listening devices) as close to you as they can, and putting secret trapdoors into these devices simply makes sense (to a spy).

Why is open source any different?

It is still possible to put trapdoors into open source software. The difference is that you can get somebody to check the software and cut out anything in it that you don't need or that looks suspicious, and you can get open source software to log honestly what it is doing. Closed-source software can put whatever it wants into a log; if it leaves out things it does not want you to see, you cannot even know they are missing. The review only counts, of course, if what you run is built from the source you reviewed rather than a binary handed to you by the vendor; a recorded checksum of the reviewed source and a rebuild from it is how you establish that.

If you look on the market you will find open source firewall software (the Linux kernel's netfilter, administered with iptables or nftables; OpenBSD's pf; and the firewall distributions built on them), but few if any hardware boxes where the hardware and all of its firmware are open as well. There are open source operating systems, Linux and the BSD family (let's hope that in future there will be more, and better ones), open source word processing and spreadsheet software, and other open source applications.

To reduce the risk, where possible, remove proprietary closed-source devices and replace them with open source ones. It would be expensive overkill to throw out everything proprietary at once. Rather, produce a service portfolio, concentrate on the services that are most important to the organisation, and replace the components behind those services with open source solutions first.

If you have a firewall made in China and a firewall made in the US, you could try putting one inside the other, banking on the Chinese firewall blocking the US secret trapdoor and vice versa. Even if this worked, you would still have the problem of operating system and application trapdoors, and a trapdoor that phones home disguised as ordinary outbound web traffic would pass through both.

A better solution is to retire the appliance firewalls. That seems a bit extreme, but if your firewalls are physical boxes you cannot do anything about the firmware they are running, so do not rely on it. Make a Linux box your firewall, with a software firewall (netfilter, administered through iptables or nftables) whose rules you can read and whose code you can inspect. It might be a bit slower, but it will be safer. Bear in mind that a general-purpose machine still runs closed firmware of its own (the BIOS or UEFI and the network card firmware), so this narrows the problem rather than removing it entirely; hence the longer-term points below.

What can be done in the long term?

If you have closed source solutions, see if your supplier can give you, or sell you, the source code. Then you can check it for trapdoors, remove anything you think suspicious or unnecessary, and build what you run from the code you checked.

Invest in open source development. There is no reason why an 'open source' router or firewall cannot be developed, where the hardware design and the firmware are all published and can be tested to show they have no trapdoors. This takes money, so organisations interested in long-term solutions need to invest in such efforts.

If you are going to have firewalls, make sure they are governed properly. Do you actually know what the rules on your firewalls are at the moment? Probably not. Usually the rules are written in 'techie-speak' and only a few experts know what they are. This is bad governance. Invest in policy-driven firewalls where the rules are derived from the policy you have for each service, so that each rule can be read, and its owner identified, by non-technical people, and so that a rule nobody can tie to a service is recognised as one that should not be there.
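The two firewall points above (a software firewall on a general-purpose machine, and rules that non-technical people can read and own) can be combined by keeping the policy at the service level and generating the technical ruleset from it. The following is an added example, not the article's code or any product's; the services, owners, system names, addresses (RFC 5737 documentation ranges) and nftables table and chain names are assumptions made for illustration.

```python
"""Service-level firewall policy rendered to an nftables ruleset.

Added example, not code from the original article. The services, owners,
system names, addresses (RFC 5737 documentation ranges) and the nftables
table and chain names are constructed for illustration.
"""
import ipaddress

# Where each named system lives; in practice this comes from the service
# portfolio or CMDB rather than being hard-coded (constructed values).
HOSTS = {
    "web-frontend": "192.0.2.10",
    "payments-db": "192.0.2.20",
    "branch-lan": "198.51.100.0/24",
}

# One entry per permitted flow, in terms a service owner can read and sign off.
SERVICE_POLICY = [
    {"service": "Online banking", "owner": "Head of Retail Banking",
     "from": "anywhere", "to": "web-frontend", "proto": "tcp", "port": 443},
    {"service": "Online banking", "owner": "Head of Retail Banking",
     "from": "web-frontend", "to": "payments-db", "proto": "tcp", "port": 5432},
    {"service": "Branch admin", "owner": "Head of Branch Operations",
     "from": "branch-lan", "to": "payments-db", "proto": "tcp", "port": 22},
]


def validate(policy, hosts=HOSTS):
    """Governance checks run before anything is rendered: every flow must name
    a service and an accountable owner, refer only to known systems, and have
    a specific destination. Returns a list of problems (empty when clean)."""
    problems = []
    for i, p in enumerate(policy):
        for field in ("service", "owner", "from", "to", "proto", "port"):
            if not p.get(field):
                problems.append(f"flow {i}: missing {field}")
        for side in ("from", "to"):
            name = p.get(side)
            if name and name != "anywhere" and name not in hosts:
                problems.append(f"flow {i}: unknown system '{name}'")
        if p.get("to") == "anywhere":
            problems.append(f"flow {i}: destination must be a named system")
    return problems


def explain(policy):
    """One plain-English sentence per flow, for review by non-technical owners."""
    return [f"{p['service']} ({p['owner']}): allow {p['proto'].upper()} port {p['port']} "
            f"from {p['from']} to {p['to']}." for p in policy]


def _addr(name, hosts):
    """Policy-level name -> nftables address expression; '' means any address."""
    if name == "anywhere":
        return ""
    net = ipaddress.ip_network(hosts[name])
    return str(net.network_address) if net.num_addresses == 1 else str(net)


def render_nft(policy, hosts=HOSTS):
    """Render the policy as an nftables forward chain with a default drop.
    Each accept rule carries the service and owner in its comment, so the
    running ruleset can always be traced back to a business decision."""
    problems = validate(policy, hosts)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "table inet filter {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
        "        ct state invalid drop",
    ]
    for p in policy:
        parts = []
        src = _addr(p["from"], hosts)
        if src:
            parts.append(f"ip saddr {src}")
        parts.append(f"ip daddr {_addr(p['to'], hosts)}")
        parts.append(f"{p['proto']} dport {p['port']} accept")
        parts.append(f'comment "{p["service"]} / {p["owner"]}"')
        lines.append("        " + " ".join(parts))
    # Anything not explicitly permitted is logged before the chain policy drops it.
    lines.append('        log prefix "policy-drop: " counter drop')
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("\n".join(explain(SERVICE_POLICY)))
    print(render_nft(SERVICE_POLICY))
```

Run as a script it prints the English summary followed by the ruleset, which can be loaded on the Linux firewall with `nft -f`. The `validate` step is the governance control: a flow with no named service and owner, or one pointing at a system nobody has registered, cannot reach the firewall at all, which is the opposite of the situation where only a few experts know what the rules are and nobody can say why a given rule exists.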

If you do invest in open source development, the most promising area for fast, easily configured and effective cyber-security is the same class of hardware that has been used for Bitcoin mining: field-programmable gate arrays (FPGAs). They are getting cheaper all the time and are very, very fast. They are seen as difficult to programme, though, and again only experts know what they are doing.

There is a solution, though, which is to invest in open source development for these boxes in languages built for reliability. Ada was developed under US Department of Defense sponsorship for exactly that purpose: it has strong static typing, and its SPARK subset supports formal verification of the code. The logic on the FPGA itself is written in a hardware description language rather than in Ada; VHDL, the usual choice, was also commissioned by the DoD and borrows its syntax from Ada. It is possible to produce secure routers and firewalls with no trapdoors that can be configured at the service level (so the rules are understandable in business terms) this way, but a number of companies need to put up the investment capital to achieve it.

What can I do about it now?

Here is a short checklist of actions that should lead towards a more secure organisation. Not every organisation will need to do all of them, and not all will need to start on all of them at once, but this is the basis:

Short Term:

  • Audit your staff satisfaction
  • Audit your customer satisfaction
  • Audit your business and technical infrastructure
  • Identify the greatest risks from weaknesses in the above
  • Produce a plan to address these

Medium & Long Term:

  • Fund a programme to govern services
  • Establish a service portfolio to enable the board to understand which business services deliver most value, what they cost, what risks they are exposed to and how to mitigate those risks
  • Use this portfolio to prioritise the requirements for the organisation into a corporate requirements register
  • Design a set of solutions to address these requirements
  • Build business cases for these solutions
  • Execute the plans from the most appropriate business cases

Conclusion

Security has never been a purely technical matter. The best security in the world can be circumvented in a few seconds by a whistle-blower or a disgruntled insider. The correct response is not to panic but to put in place a set of well thought-out policies and then, through well-designed procedures and processes, make sure that these policies are complied with. It takes time and money, but it is the only route to a tolerable level of security. If you use a modern governance framework, such as that proposed in the King III report (the King Committee on Corporate Governance, South Africa, 2009), it will make you act as a good corporate citizen, which reduces the risk of leaks by achieving satisfied staff, customers and suppliers.

It is worthwhile establishing service governance as the organisation’s main governance tool because it enables and improves all business processes, delivering value to stakeholders by ensuring, along with many other things, a proper balance between risk and investment in cyber-security. Decisions to invest in an aspect of security should be based on the appropriate requirements of each particular service and its stakeholders.

Much needs to be done to develop the secure infrastructure that can be used to implement the cyber-security policy. In an ideal world, companies exposed to the risk would invest collaboratively in producing components for secure infrastructure.

Why not suggest to your board, as part of good corporate citizenship (an important part of governance), investing in a secure open source project?
