Your “ART-ful” Enterprise: Security and Agility

techart2(own)As explained in “Security and the ‘ART-ful’ Enterprise,” to become more “ART-ful,” your enterprise must become more agile, resilient, and trustworthy. This post digs a bit more deeply into what business agility is, why it matters, and the critical role security must play for your enterprise to achieve and sustain it.

Agility is more than simple, reactive adaptability. It’s even more than what’s usually covered by that discipline many of us know as “change management.” (An aside: to succeed with change management, it is often necessary to…change management.)

So what exactly is agility? In August 2014, The Center for Effective Organizations (CEO) at the University of Southern California (USC) published its first book, “The Agility Factor: Building Adaptable Organizations for Superior Performance.” The Center has conducted its Organization Agility Research Program for more than a decade, and studied more than 230 companies as part of the research that led to the book.

As the Center states in the book, “consistently high performers possess a capability to change their resources and processes repeatedly.” Such enterprises also “have the strategies, structures, resources, processes, and routines that allow them to both sense and adapt to environmental threats and opportunities as well as intentionally execute on strategic initiatives.” This comparatively broad and proactive view of agility all but requires an equally agile IT infrastructure—and to be truly, reliably agile, that infrastructure must be secure.

Agility’s Bottom-Line Benefits

So security obviously matters to those focused on agility. But why should those who focus on security care about agility?

According to the book, “Built to Change: How to Achieve Sustained Organizational Effectiveness,” between 1973 and 1983, 35 percent of the top 20 Fortune 1000 companies were new to that list. That percentage of new top 20 companies grew to 45 percent between 1983 and 1993, and to 60 percent between 1993 and 2003.

Many if not most of the companies displaced by newcomers to the Fortune 1000 top 20 list not only fell to lower positions, but ceased to exist entirely. Why? Because they were not sufficiently agile. So agility can be seen as a type of job security, for security teams and their colleagues across the enterprise.

Agility also has more direct and positive effects on an enterprise’s bottom line, as the Center at USC found in a 2012 study. For that research, the Center evaluated the financial performance of more than 240 large firms across 17 industries and 30 years.

“In every industry we studied, there were two or three ‘outperformers’: companies that achieved above-average industry…performance more than 80 percent of the time. When we compared our survey and interview data with the performance data, we observed a strong relationship between a company’s basic approach to management and its long-term profitability patterns. When markets and technologies changed rapidly and unpredictably—as they did in every industry over these 30 years—the outperformers had the capability to anticipate and respond to events, solve problems, and implement change better than thrashers. They successfully adapted. They were agile.”

How to Achieve and Sustain Secure Agility

Start at the bottom—and at the top. An agile enterprise requires agile, user-centered, comprehensive, integrated security. So if security isn’t already all of these things at your enterprise, start making it all of these things. For most of you reading this, that effort can and should begin with patching your key applications, operating systems, client systems, and servers more consistently and regularly than you are now. And as you and your colleagues get patch management sorted, you should be looking for other opportunities to establish, improve, and extend security policies, practices, and technologies that improve agility across the enterprise.

Secure agility can be built from the ground up, but the will and commitment to become and remain securely agile must come from enterprise leadership. This means that executives, and IT, security, and business unit leaders must be visibly and demonstrably behind security- and agility-enhancing initiatives.

Walk the talk. Declared commitments to secure agility must extend beyond platitudes and media quotes. Every strategic plan, every set of operational practices and principles, and every solution chosen for deployment must reflect and support that commitment for it to mean anything to your enterprise. (This means that every such resource must incorporate processes for regular review and the opportunity for revision in response to corporate, marketplace, or regulatory changes.)

Build it in. Every process and control upon which your enterprise’s competitiveness depends must incorporate security- and agility-enhancing elements. This means that those processes and controls must be driven by and measured against your enterprise’s performance requirements and goals. And they must also incorporate specific features for integration with and support of efforts to achieve and sustain user-centered security. Controls and processes that do not include these characteristics will likely contribute little to your organization’s agility, and might even impede it. (This means that all controls and processes must be reviewed and tested regularly, and designed to be easily modified or retired as changes demand.)

Show your work. It’s not enough to preach the gospel of secure agility. It’s not even enough to achieve a sustainable level of secure agility. For your efforts to have maximum business value, you must show and tell all of your most important stakeholders details of those efforts and their effects. This means that consolidated, integrated, timely, business-driven reporting of all things related to security and agility should be a critical elements of your secure agility efforts. (Speaking of reporting, if you haven’t read about LANDESK’s acquisition of Xtraction Solutions yet, you really should. As you should read what my learned colleague Patricia Adams has to say about business value dashboards (BVDs).) [Insert link to Patricia’s blog post.]

Be securely agile everywhere. Secure agility may be initially fomented in one or more departments or business units. But for maximum business benefit, it must be pervasive. For many enterprises, possibly including yours, the best way to make this happen may be to start with IT. IT powers most of the services that run the enterprise’s business, and IT is already focused on (if not preoccupied with) security. Secure agility initiatives that prove successful within IT can likely therefore be incorporated into the delivery and management of other business services. This means that a single, integrated, process-driven platform for service management and security management can be a powerful enabler of enterprise agility.

Secure agility is an operational and competitive requirement for every successful enterprise. By taking concrete steps toward fomenting a culture that is focused on user-centered security and enterprise agility, you can ease and accelerate your enterprise’s journey to true, sustainable, secure agility.

Oh, and one more thing. If you choose or are forced to remain focused on reactive firefighting as an operational approach to security, neither secure agility nor your career are likely to advance much further at your enterprise. However, moving to a proactive, holistic approach to user-centered security and enterprise agility will have salutary effects on your enterprise and your career.

Next up: resilience. And no, it’s not just about disaster recovery and business continuity. Meanwhile, your thoughts and reactions are welcome!