There are often arguments about the best way to plan the contents of Policies, Standards and Procedures. The major factor in the successful rollout of such an exercise has been debated; it is more cultural than anything else, and is a product of the person at the helm. However, a good evolution has to have elements that are integral to the success of the endeavour.
Let us look at some of the elements of a policy. The policy is at the highest level and is a statement of intent from top management, agreeing to have a clear direction on the need to protect information assets. Standards enforce the policies: they are directions for achieving the goals enunciated in the policies. Often, once the policies are derived, it is that much more difficult to evolve a set of standards in line with what is in vogue in the organization. This is because processes have evolved ad hoc, addressing issues over time, and have become the way of doing things at the organization. Ensuring that the processes in practice are mined and shaped is a ginormous exercise.
The failure of a system of policies, standards and procedures can be attributed to the way they are evolved. Consulting exercises, for example with the Big Four, to evolve processes and procedures include an emphasis on how the documents look, the formatting and the structure of the document, rather than the contents. (Generalization; however, I have seen tremendous effort spent on this.) Agreed that a nice-looking document is a prerogative or even eye candy to push across the agenda; however, the intent is lost and, in the name of coverage, short-term goals trump long-term benefits. Unless the process takes into consideration goals that are in line with long-term benefits, it is very difficult to translate processes, procedures and standards into effective tools for enforcing policies.
There are elements that are lacking when one of the top consulting organizations is asked to evolve a set of documents and standards. The major hurdle is that the need to understand the technology, or the elements that build the technology, is brushed aside and generalizations are pushed to the fore. With generalizations, the need to customize and provide guidance based on the unique requirements of the consulted organization is lost, and at the end of a year of deliberations, what is left is a set of documents that are neither enforceable nor of any succour to the organization vis-à-vis its security posture.
The major difficulty is the cultural chasm that builds a wall between the two sides: communication channels break and, without empowerment to take decisions, there is a tendency to go in circles, and much of the talk ends up being about the way the document looks, what the font is, the semantics of the document, or other aspects that could very well be outsourced, if required, at 8 USD an hour. Capturing the need for the standard and its technicalities, mapping the architecture and technology adopted by the organization, and translating those visions into the standards evolved would augur well for the organization. The major advantage of this approach is a one-to-one correspondence with the technologists as well as the operational functions of the organization, mapped to organizational goals, whereas a disconnected system would need to evolve those sockets to connect, as well as shape the processes and standards to fit the various competing functions. This is a surefire formula for failure of the exercise, as the documents created remain just that, not a set of enforceable practices.
Other major issues pertaining to the Big Four consulting organizations include, but are not limited to, their perception of being the best judge, and the cultural mismatch of a new member being misconstrued as inability to perform; rather, it is the communication failures and the inability to iterate on a task to ensure that ideas are captured and are in line with the requirements. This is lost if the communication channels are clogged with preconceived notions, or by an inability to understand in light of the fact that the judgement has already been made. In this scenario, even if there are five other persons helping them out, but outside the circle, it is inevitable that the cultural differences will lead to a failure to communicate, and therefore to the notion that instead of working with an outsider it is cost-effective to go with an insider. A very valid selling point to ensure a few more of their ilk can join the bandwagon.
This is not to say that the outsider is necessarily right; there are times when certain things need to be enunciated clearly for efficiency, and maybe you fail to do so. But, as with the policies and procedures, if there is no clarity from the stakeholders as well as the consulting organization, then unless you have the wherewithal to survive, or the muscle of a brand, you are just a cog that can be ignored and tossed away without any reason, or an option to explain positions.
But as all things end well, sometimes things are better off being as they are, irrespective of the fact that there is a budget to burn and the easiest way is to hire one of the high-end organizations with a coterie of shenanigans that just vibrate at the same frequency, rather than a discordant note that needs to be disposed of: an unwanted, different-looking growth to weed out from the garden of roses.