The Connection Between Cybersecurity And Business Process Management – Don’t Forget About The Human Element


This episode of At The Edge is made possible by the generosity of our sponsor, Edgescan.


Part 3 of a 3-part series. Read Part 1 here and Part 2 here.

By Sean Martin, host of At The Edge

Sean Martin is joined by Ryan Duguid, Senior Vice President of Technology Strategy at Nintex, for a conversation connecting cybersecurity with business process management.

In this 3-part series, Sean and Ryan discuss how regardless of the level of formality surrounding business processes, these operational elements are critical to define and determine how well a company can and will run. Most of the time, people think about business processes in terms of reducing waste and driving up efficiencies. Today, however, Ryan and Sean get to talk about some additional value points to help keep things from “going off the rails.”

So just what do cybersecurity and business process management have to do with each other? Read the Q&A below to find out.


Sean Martin: We talked about orchestration and about putting processes together that guide employees to do things that are good for the business, and hopefully some of those things can be automated. Where do you see companies urging automation, not just to improve efficiency, but also to erase human error and the risk that's associated with it?

Ryan Duguid: Probably the easiest way to answer that question is that companies have historically very much been obsessed with efficiency, which is good. In fact, a Navy SEAL by the name of Jocko Willink wrote a book called Extreme Ownership, in which he talks about the solution. If you define all of your standard operating procedures, and people understand the mission, then everything gets really, really easy. Under duress and under fire in each situation, people know what to do instinctively.

A lot of companies think there's too much process here, too much bureaucracy. But process, done the right way, frees people up.

A lot of people think, "Great, that means we're more efficient." Yes, but in actual fact, once you deal with the efficiency component (because you can only be so efficient, and you can only cut costs to zero), the really important thing is that it frees you up for higher-value and higher-purpose activity. How do you bring in more revenue? How do you make your business more profitable? How do you accelerate base innovation, create new customers and keep them happy, and obtain and retain high-performing employees?

When it comes to where human error plays into all of this, the process might be something that creates higher productivity for half your employees. But nobody likes making mistakes or doing the wrong thing, and then getting told about it during a performance review. The more things you automate, or the more you can ensure things are done in the described way, the less likely you are to make mistakes, create issues, and get into trouble.

Shadow IT is a great example. You can tell your team to let people use their own applications, but also to ask them to fill in a simple form and wait to get the OK before they use those applications, so you know it's done right. You won't create a problem.

Or, if you're onboarding a new partner, you ask them to fill in a form and sign an NDA with DocuSign. Take that contract, put it into your SharePoint enterprise content management repository, and set a retention schedule. Everybody's good; you're all happy.

If you go the route of Wild West file sharing, I think that is one of the biggest challenges in this day and age. If you're working with an external design firm, for example, put in a request for a location to interact with that design agency. What this will do is create a Box repository for you, invite the various stakeholders from either side, and ask a couple of questions: Are you going to share confidential information? What's the duration of your project?

Based on that, you can say, we'll keep that space alive, find the right people, and set the right security policies. Maybe you're watermarking things or applying DLP or information rights management, and when it comes to the end of that project lifecycle, it's going to send you a quick note to ask, "Do you still need this space?" If they say, "Yes," you can extend it for a month and come back and ask again in a month. If they say "No," you can archive it, remove people's rights to that information, and then potentially move or archive that content somewhere else so you can keep track of what happened with the project if you need to refer back to it at any time.


SM: Taking out just one of those parts can cause the whole process to fall apart, and if you don't have a clear process, like you said, you're keeping your fingers crossed, hoping things will happen the way you expect them to, right?

RD: Yes. If you look at those examples I gave, historically, most people would tell you that it's too much effort to get that out. Why would I bother? I just spent a million dollars on this BPM platform, and I'm going to hire developers to build that thing? Honestly, on our platform, most of those things I just described to you can be implemented in a drag-and-drop form and workflow that take just under an hour to put into production, and then you're off to the races.

Historically, people have ignored all that and said something like, “We're an insurance company, and we really need to focus on our claims adjusters and our assessments and looking for fraudulent activity.” That’s good, they need to do all that stuff. It’s going to make sure they don't go bankrupt. But all this other stuff is at real significant risk.

Using the insurance company as an example: if someone's involved in a car crash, how do they upload the pictures? Who's got access to those pictures? Is there any involved person that didn't file information? Was there an injury? Are personal medical records being shared? Do you have access to those medical records? Is there a simpler way to do this that can speed things up? Can you avoid having information bouncing around in e-mail, forwarded to a Gmail account, and taken out of the organization? Again, think about how to start to scope those problems and how you can know that things have been handled in a consistent fashion.


SM: I’m not necessarily saying that humans are stupid or malicious, but I'll go out on a limb and say we're lazy for sure. People in the insurance company are paid, reviewed and bonused on how well they sell and how much fraud they eliminate, right? They're not paid to fine-tune their business processes.

RD: Most people aren't negligent, but many are involved in gross misconduct. I think they are trying to get their jobs done the best that they can, are overloaded, and have a lot on their minds, especially in this day and age that we live in. Posts and notifications are always popping up on their screens. New e-mails, new messages, text messages from their family. There's a crisis—my kid's unhappy at school, I've got a dental appointment, and on and on. Things fall through the cracks.

When trying to juggle a whole lot of things, if you can just document, orchestrate, and automate as much as possible, it frees you up to be focused. If you can get on a workflow, you can do the job as best as possible and take the guess work out.


SM: Yes, take the guesswork out and put your mind to the decisions and problem solving. That can potentially have a bigger impact.

As we wrap up here, let’s bring it back to getting things “on the rails” and keeping people and processes from “going off the rails.” You mentioned companies with thousands of business processes running on your platform. Most companies start with the core business processes but leave the rest to chance. Given those two things that you've mentioned, how would you suggest folks take the first step to look at their business processes, and begin to orchestrate and maybe eventually automate, if it makes sense? Where should they start?

RD: It's the Alcoholics Anonymous approach. First, admit you have a problem. There are a lot of things going on that you likely don't know about that R&D controls. Second, acknowledge there's actually a solution for this. The technology is there to solve these problems, and there's a need to do it at scale. You don't have to buy five million dollars of software and have consultants work for years to tackle these problems. In the spirit of the shadow IT we talked about, you need to empower the people who understand the processes to deliver solutions to orchestrate or automate this process and then optimize it over time. You can do this because you understand what's going on.

Part of the job here is to get the right tools into the hands of the right people. If a customer has a thousand workflows, who approved the use of a thousand workflows? Who approved the spend for these thousand workflows? Not every process is going to be around forever. Who's reviewing the processes to clean them up and clear them out? At what frequency? Getting the tools into the hands of the people, because they mostly know what to do, gives us a little governance in getting started.

Then there's prioritization. A large part of my job on a day-to-day basis is to look at all the things we could build as a technology company, and place a value on them to our customers, our partners, and to ourselves. We then prioritize the investments accordingly. Organizations should try to understand the scope of the problem. Then pop that up to the start of the discussion: We've got problems in HR, sales, finance, and R&D. Where should we start? Do we start with one department then expand beyond that? Or do we create champions in each department and have them start in parallel to solve the problems? There's no right or wrong answer; it just depends on the resources you have and the problems you are trying to solve.

We typically encourage people to start in one place and achieve initial success. Based on that success, make the person overseeing the project a champion and then start to build a center of excellence with that example. Once you’re successful in HR, for example, you now have a champion who you can go with to the rest of the company and say, “This is what I helped build cost-effectively.” You automated 30 functions, the rest of the organization can see the benefits that HR is enjoying, and you’ve got clear data and statistics to back that up. Then you can say to other departments, “Here's 10 things I can help you with.”

The luxury we have as a technology partner to our customers is that with 8,000 customers, millions of processes, and another platform, we can actually talk to people and say here's what we've seen in other industries like yours. Or here's what we've seen in other sales organizations that can get our customers the quick wins. When you get quick wins, it's easier to go back and request greater investments into the technology and what you're trying to do with your business functions.


SM: That's great advice and guidance. You also mentioned prioritization and value to others, and I'll take this moment to thank you for taking the time and prioritizing this time with us to share your experience. It's been of value to me as a business owner and, hopefully, our listeners found value in what you shared with us today as well.

RD: Thank you for the opportunity, and I hope there's a whole bunch of questions that come in as a result of this. I’m looking forward to engaging with folks as a result.


Want to comment on this article? Use Twitter. You can tweet to Ryan (@PvtRD), Sean (@sean_martin), and their companies Nintex (@Nintex) and ITSPmagazine (@ITSPmagazine). Use the hashtag #BPMsecurity to connect this thread together!


About Ryan Duguid

Ryan Duguid is vice president of products at Nintex, where he is responsible for setting product and platform vision, driving continuous innovation, and delivering technology to help everyday people solve their process problems. Ryan joined Nintex from Microsoft where he was responsible for the content management business in the SharePoint Product Group.
