Process Management

How should technology leaders approach compliance when faced with a lack of interoperability?

Top Answer : What we're rolling out now is what I'm calling C-Cubed—consolidated continuous compliance—which is now trademarked. It’s consolidated because I've got two different ecosystems running, and continuous because we'll put in the systems that ingest DevSecOps and can attest to where the sources sample while linking all of the policies and documentation so that they have the right owners. We're going through the reviews and all of the checkpoints. TISAX, ISO, NIST, CIS, and CMMC all need to be pulled into this one system and figure out gaps by cross-walking through the frameworks. The code base and the approach that we take over the next year and all of these efforts need to align. That way we can have enough information to know what we need to scale where we've merged the code bases, data, and everything else. Part of this compliance effort is also educating to create that maturity level as to why we need this. Being a former developer, system admin, DBA, etc., I remember always looking across the fence at compliance, legal, and InfoSec, thinking they were all slowing me down. I’d be thinking, “Why do I need to do this?” But you grow up and realize that you need to do these things because there are financial repercussions.

Can rigid work plans be a detriment to an organization?

Top Answer : I've noticed that even in young organizations I advise, there's an assumption that if my boss and I agree to a work plan for the next year, then when anyone in my department needs something that's not in my work plan, for any reason, I’m not doing it. It doesn't matter if they're drowning in the pool, and the work is to find a rope to get them out. And whether we recognize it or not, if an employee reacts that way it’s because we set that message.

Workflow automation

Are tech leaders adopting workflow automation?

What are your thoughts on SaaS management platforms (SMP)?

What’s missing from the risk quantification tools and frameworks available now?

Top Answer : As a member of its advisory board, one of the areas that I'm pushing FAIR on is figuring out how to give guidance or direction to developers. How do I link what we're doing in this framework to risk in order to give developers something that's actionable? I'm seeing that disconnect and it's driving me crazy. If FAIR can successfully fix that, it will be the most comprehensive because not only will it give you detailed data, it will also help you do something with that data.

Should businesses adjust their software to fit their processes, or adjust processes to fit the software?

Top Answer : I was on a call recently where we were trying to solve for a selling motion, and the business said, "We're just going to use CPQ for that." And I'm like, "Right, yes, you can. What do you want the process to be? What experience do you want to create for your customer?" And they just looked at me like they expected me to tell them what that is because I'm the technology owner and the technology is supposed to dictate that for them. That's an extreme example, but that's the concern that I have with the fact that there's been this sudden pivot to say, "We need to make this investment in IT and systems because that's going to help us grow faster. It's going to help us accelerate." But it seems to be at the expense of people and the process piece of it.

Do you think the SolarWinds breach will have a significant or lasting impact on how IT approaches supply chain risk management?

Top Answer : I was pulled into a wide variety of peer dialogues from the day that the SolarWinds breach discovery occurred, because of my time at Intel and stuff that I had done there in supply-chain risk. My concern, when I was Chief Security and Privacy Officer at Intel, was always a nation-state actor looking to weaponize the technology that Intel created, to do harm. I always saw information security as inextricably linked to the product security and the technology. I think the SolarWinds issue is a clear example of that linkage. I've been at odds with a number of my peers in the industry who still see them as quite separate; now it's probably a little bit different, but many of them had InfoSec completely separated from product security and they very rarely intertwined themselves. And Intel, as I said, had this in their environment. When you think about that in firmware, BIOS, validation engineers doing that type of stuff, it brings into question some aspects of the foundation of computing. Because if they were in Intel's infrastructure, if that report was accurate, and they did have a foothold, if it was that type of nation-state actor, they would be trying to do things more surreptitiously, well below the operating system, to keep stronger footholds in other organizations. I think it's a Richter 10 type item, but I've always seen this as a Richter 10 type item. I'm just, frankly, surprised that it took this long for this type of thing, at that level of infrastructure, to be found. And I'm sure it's not the first one. I'm sure there are other ones that are there that are yet to be found.

How did the security ecosystem allow for the kind of attack we have seen with SolarWinds?

Top Answer : The SolarWinds component is just yet another aspect of a soft supply-chain piece. I would actually bet, probably almost any amount of money, that if you went and grabbed any random Fortune 1000 CISO and said, "Hey, tell me who your top 40 suppliers are," they would literally have no clue. They'd be like, "Well..." There are big tech companies they might be able to name, but actual software, data flow components, we've just never paid attention and we've continued to not pay attention.