The Path to Creating and Sustaining Value The Scorecard for Selecting, Managing & Leveraging your Services Team: This presentation is only for the private consumption of ISC Session attendees. Any other use must be approved by The Sage Group. Copyright 2014 - The Sage Group
Learnings Identify the key characteristics for choosing a: Risk Consultant Security Process Optimization Consultant Security Information Architect Security Integrator vs. a Security Installation Company Performance Management Services Vendor
Learnings Understand the following principles and how they impact security program costs, value and continuous quality improvement: Methodology and Metrics Professional Disciplines: Performing roles within a methodology Program Management vs. Project Management Performance Management: Managing the lifecycle costs and the ilities Managing a Global Security Network: Identifying and Managing the Extended Team
Moderated Discussion Followed by Q&A Session Format
Introductions William Plante, Director of Professional Services, ASG Benjamin Butchko, President of Butchko Inc. Jeffrey Slotnick: ASIS Regional Vice President and Founder of OR 3 M and Setracon. Ron Worman: Founder and Managing Director, The Sage Group
The Voice of the Customer
The Mind of the CSO/CIO Budget Optimization From tools to integrated information management Managed Services: to leverage expertise in key areas of growth To streamline operations *IDG Survey
The Value Stream of Security
Our World As-Is Description 1. All Hazards Risk and Situational Awareness 2. Manual Business Process and Information Workflows 3. RFP to Installer 4. Break Fix Performance Management As-Is Deliverable 1. Paper-based, under-leveraged, periodic 2. No info model, no testing, no metrics 3. Silos of human and digital data 4. Metrics ill-defined; value unexpressed
Lost Value Leverage No Collective Knowledge No Leverage for: Process Improvement Efforts Continuous Compliance Efforts (Realtime) Proactive and Predictive Response to Risks Duplicative Infrastructure and Costs *Estimate: 10-20% of the Security Budget Spend is based on inefficiencies in people, process and/or tools
Future Proof Point As-Is 1. Risk & Business Assessment 2. Information Workflows Modelled 3. Measures Documented 4. Programs, Assets & Contractors under Management: Metrics that Matter To Be 1. Digitally collected, communicated & leveraged 2. Modeled, Tested, Implemented & Measured 3. Live Data Streams correlated against assets 4. Continuous Compliance, CQI for program & contractors
The New Scorecard for the Risk Consultant Organizational Resilience Management and the Platform
Information Management / Business Intersections Risks Threats Vulnerabilities Assess Analyze Measure Rank Benchmark Respond Contain Remediate Implement Mitigate Manage Measure Correlate Prevent Integrate
The Scorecard Organizational Resilience Management (ORM) training Risk Assessment Information Management Platform To digitally capture and communicate information To maintain and sustain captured intelligence Knowledge of the Value Stream to optimize the risk mitigation strategy
The New Scorecard for the Security Business Process Consultant People, Process and the Use Patterns of Technology
Business Process Assessment: The Key Step Before Technology Selection People Roles with KPIs Process With KPIs Tools Use Patterns Are they capturing and Optimizing People and Process or causing constraints? Reports Critical to CQI and Value
The Scorecard Business Process Methodology Experience performing Business Process Assessments Bridge to Information Management Architecture and Technology Deployment Support Value Stream Communication
The New Scorecard for the Security Information Architect Provisioning the Common Operating Picture Designing the Platform before Choosing the Tools
Information Model: The Key Step After the Business Model How information is consumed and leveraged Baseline Metrics How information should flow given the business optimization assessment and the measures Architecture dictates roadmap for funding and implementation
Information on Tap To bring organized structure and design to security information sources to facilitate effective communications across systems and users.
The Common Operating Picture Create command and decision-making capabilities for the Client across all logical layers. This would include data sources, applications, communications channels. It would be intuitively visual to the end users' platforms (mobile, clients, display walls).
The Great Consultation The Consulting Process Iterate on the client's functional and technical requirements through a variety of modes to develop the Information Architecture Model and help engineer the design to deliver the capabilities.
Security Information Architect Score Card Possess the full set of education, skills and experiences needed to design, develop and execute a security information architecture. Can develop information concepts / models based on Client Use Cases and identify a strategy to implement aligned to the Client's environment. Has deep understanding of manufacturers' product strategies and roadmaps to ensure their recommendations for an information architecture are aligned to the Client's requirements. Can lead security integration teams to deliver the Architecture within the client's environment and ensure its current and future usefulness. The Information Architect Question Is the Information Architect capable of identifying the Client Experience Needs across the entire spectrum and effectively design to it?
The New Scorecard for the Security Integrator Integration is the Provisioning and Execution of a Well Designed Program
Value Orientation WHAT IS THE ROLE OF THE INTEGRATOR?
Trust as a Foundation Trust Agent (ideally an advisor) to Clients on a broad range of technical, operational and risk related issues regarding security systems design and implementation. You must hire and retain the SME needed to earn the trust
Information Integration Optimize the end-to-end integration of security systems into the client's domain (The Business, IT, operations and others) from initial concept and strategy to post-installation system performance management. Technology Physical Culture Network Application
Be the Info Hub of the Security Value Stream Domain expert within the security industry Manufacturers' product strategy/plans and offerings, Consulting vendors, Logistics and Distribution channels, Information Technology Network Architecture and applications Compliance as a Service Business Process Optimization
Integrator Score Card Full complement of disciplines, processes and tools that support delivering all elements of the Integrator's role. Broad ecosystem of vetted strategic partners and a mechanism to maintain the integrity of the ecosystem and the value stream. Investment in training, operational process excellence, learning and management systems that ensure consistent results and drive innovation. Demonstrate alignment with Client business, security and IT goals, strategies, and performance expectations. Does the Integrator advance the value of the Industry and their clients?
The New Scorecard for the Performance Management Vendor High Availability, Maintainability, Sustainability, Reliability
Performance Management Architecture Continuous Quality Improvement (CQI) External Input Performance Plan Performance Managed Goals Plans Operate Monitor Analyze Action Expectations Support Data Change Performance Execution
Elements of Measurement Performance Management Platform to measure: People: measured by their defined roles with key performance measures Process: measured by time to value and the reduction of non-value touch points Tools (Technology): measured by the ilities: Availability (Up Time), Reliability, Sustainability, Maintainability, Usability (See People KPIs) Organization Goals mapped to Security Business Processes and Information Model
Summary
The Keys The Value Stream provides a model that helps optimize how you assess, manage and measure your vendor interactions The scorecard depends on measuring vendors against their capabilities and experience in each domain as well as their knowledge of the value stream
Questions? Email Contact: ron@the-sage-group.com