Sage Conversations: Putting ORM to Work

Oct. 2, 2012
How Organizational Resilience Management impacts the way you choose and deploy security technology

Executives need a different approach to acquiring and deploying technology toward a common operating picture; and, they need the ability to do that before they purchase and deploy. We seem to be getting closer to that goal.

As I have learned from discussions with the risk community and senior executives, there are some critical steps needed before a technology is identified, tested within a defined solution, and ultimately deployed:

1. Organizational goals and directives are aligned with security. Security executives are ultimately best leveraged as advisors of risk and resilience directives to their executive peers.

2. Standards must be understood within the context of organizational directives and embedded in organizational workflows. This will provide continuous compliance, data for performance analysis and metrics for improvement.

3. Workflows cite use cases in process design. The main characteristic of a use case is that it demonstrates by example how the process works and what appropriate tools are used to exercise it.

4. Integration of controls. This involves effectively measuring and managing alignment of policy and procedures.

5. Gaps, process improvement and roadmaps. Once the four steps above are executed, a baseline measurement and gap analysis occurs to provide a measurable perspective of risk, business process alignment and value against organizational directives. This will provide a roadmap for improvement that bridges time, cost, risk and value.

When you take the time to complete these steps, your ability to ensure that what is deployed meets the organizational directive is more predictable; you have pre-defined how to improve the process through the technology acquisition; and you are better prepared to leverage that success for continuous quality improvement in the future.

At ASIS 2012 in Philadelphia I saw evidence of this deliberate approach, with a continued emphasis on the training of next-generation leaders in Organizational Resilience Management (ORM) and the standards that support it. General Dynamics Information Technology was at ASIS for the first time, and they were emphasizing an ORM approach.

We are also seeing the incursion of non-traditional companies into the integration market as well as the existing integrators accelerating their consultative IT skill sets. As are result we are hearing the term “architecture” more than ever.

And finally, we are seeing a proof point for placing the embedded, standards-based workflows on top of a COTS collaboration platform that already is present — albeit underleveraged — in most organizations.

About the Author

Ronald Worman

Ronald Worman is the founder and managing director of The Sage Group, host of The Great Conversation events, and is a regular contributor to SecurityInfoWatch.com, Security Technology Executive magazine and Security Dealer & Integrator magazine.