FOCUSED PLANNING FOR IT SECURITY
AT FREIGHTLINER
“HOSHIN KANRI”
as part of the
IDENTITY MANAGEMENT ANALYST AND
SUBJECT MATTER EXPERT ENGAGEMENT
Author: Jeffrey W. Elliott
Version: v3.2b
Date: 2007‐04‐08
Sanitized for Distribution
Freightliner: Focused Planning for IT Security
Certified Security Solutions, Inc Page 2 of 38 Proprietary
Prepared for:
‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐
© 2007 Certified Security Solutions, Inc.
Proprietary Material. All rights reserved.
You say you’ve got a real solution
Well, you know
We’d all love to see the plan.
Revolution, Lennon and McCartney
EXECUTIVE SUMMARY
A recent survey of 103 U.S. and European companies found that 34 percent have built a foundation to
automate key business services for core processes. Relative to their competitors, these companies have
higher profitability, experience a faster time to market, and get more value from their IT investments.
They have better access to customer data, lower risk of mission‐critical systems failures, and 80% higher
senior management satisfaction with technology, yet they have 25% lower IT costs. These advantages
are only achieved by developing and exploiting a tight alignment between business objectives and IT
capabilities.
In February 2007, Certified Security Solutions, Inc. (CSS), an information security consulting firm, was
engaged by Freightliner at the Portland Headquarters to apply its Focused Planning methodology to
define, clarify, and communicate Freightliner’s IT Security strategy and its linkage to company business
goals.
The study focused upon, but was not limited to, the ambitious and complex Identity Management
Extranet Project scheduled for pilot implementation in June 2007. This project extends authentication
and authorization responsibility for key services to delegated Security Administrators located within
Customer Dealerships. Implementing an Identity Management system is a major advance in the
evolution and maturity of Freightliner’s IT infrastructure and is a cornerstone in achieving full
compliance with the Sarbanes‐Oxley Act of 2002.
The analysis documented in this report revealed impressive strengths in the critical success factors
associated with project management and significant opportunities in the factors associated with process
management.
Most companies do a poor job of implementing the strategies their leaders document on conference
room walls, and for them, strategic planning promises very little return. The bottom line finding of this
report is that Freightliner’s IT Security Organization executes its initiatives with enthusiasm and world‐
class discipline. Strategic planning is therefore a high‐return investment at Freightliner.
Enterprise Architecture as Strategy: Creating a Foundation for Business Execution by Jeanne W. Ross,
Peter Weill, David C. Robertson, Harvard Business School Press, 2006
Contents
Executive Summary ............................................................................................................................4
Introduction: Freightliner Leads With Security ...................................................................................6
Strategy Map .....................................................................................................................................6
Reading the Freightliner Information Security Strategy Map ................................................................... 9
Critical Success Factors ..................................................................................................................... 11
CSF rationale and recommendations ...................................................................................................... 12
Strategic Analysis of the Identity Management Project ..................................................................... 20
Brainstorming Project Issues and Concerns ............................................................................................ 20
1.0 Managing Customer Requirements and Expectations .................................................................... 24
2.0 Creating Strategic Direction for IdM and Deploying Security Policies and Standards ................... 25
3.0 Managing Outside Influences .......................................................................................................... 27
4.0 Current Team Capabilities ................................................................................................................ 27
5.0 Timeline and Resources .................................................................................................................... 30
6.0 Managing the Project ....................................................................................................................... 32
Appendix A: Procedures for Focused Planning Tools ......................................................................... 35
Affinity Diagram ...................................................................................................................................... 35
Relations Diagram ................................................................................................................................... 36
Tree Diagrams ......................................................................................................................................... 37
Appendix B: References .................................................................................................................. 38
Figures
Figure 1: Strategic Project Alignment .......................................................................................................... 7
Figure 2: IT Security Strategy Map ............................................................................................................... 8
Figure 3: IT Security Critical Success Factors and Assessment Score ......................................................... 12
Figure 4: Affinity Diagram for the IdM Project .......................................................................................... 21
Figure 5: 160 Key Issues and Concerns! ..................................................................................................... 22
Figure 6: Sorting the Issues Into Themes ................................................................................................... 22
Figure 7: Relationship Diagram of Key Themes ......................................................................................... 23
INTRODUCTION: FREIGHTLINER LEADS WITH SECURITY
Over the last year, Freightliner has made steady progress transitioning from a vulnerability‐based to a
risk‐based approach to security management. An IT security organization is “vulnerability‐based” when
its primary focus is to react to vulnerabilities as they are identified, rather than taking a proactive,
strategy‐driven approach to security. It says much for Freightliner that so many current projects are
business‐enabling and have business partners on the teams. It is no small achievement that a high
percentage of the IT Security team has formal business education or experience.
It’s also not surprising that the IT Security Organization is actively working strategic issues and that
individuals are keenly aware of their priority. The organization reports directly to the Director of IT
Infrastructure and of the five dimensions on every employee’s annual evaluation, first is “Thinks
Strategically and Establishes Direction.”
So when Certified Security Solutions (CSS) was asked to provide subject matter expert oversight on a
major customer‐focused Identity Management (IdM) project, it was a natural step to also provide help
articulating the value proposition of IT Security’s strategic projects with an emphasis on the IdM
Extranet effort. The effort also generated analysis of Critical Success Factors gleaned during a series of
interviews with organizational leaders and team members. Additionally, this report includes specific
recommendations based on detailed analysis of key issues and concerns focused on the IdM
implementation pilot.
This report provides three major artifacts as products of the analysis:
1. A Strategy Map describing the value chain linking projects to Freightliner business strategy
2. A Critical Success Factor (CSF) study with an achievement assessment generating
recommendations to help deploy the strategic vision
3. A Focused Planning study of current IdM project issues that also generated specific
recommendations to help the team achieve its goals on the June pilot implementation.
Note: This document is designed to be viewed in color. Converting this document from MS Word 2007
to older formats may cause layout problems. Sharing this document as a PDF file will preserve its
integrity.
STRATEGY MAP
This section presents the IT Security Strategy Map developed in April 2007 and provides guidance in
reading and interpretation. A follow‐on Communications Plan will suggest venues and formats to
maximize the benefits of achieving an articulated security strategy.
The Strategy Map is a single‐page tool that provides a graphic linkage between organizational
investments, operating missions, and key company business measures. The Strategy Map is a key
communication device to focus the efforts of the project. Since company strategy is cross‐functional
and may encompass many different perspectives, the Strategy Map explains management’s rationale in
a single‐page global view to which all can relate.
Based on an IT Security‐centric modification of “Balanced Scorecard,” (familiar to much of the
company’s leadership) the Strategy Map links recent, current, and near‐term strategic projects to the
missions of IT Security (risk management and regulatory compliance) to the level of IT investment
leading to measures of company profitability. When these perspectives are linked, a coherent strategy
emerges that provides a potent focusing power for teams and stakeholders. The Strategy Map
represents a unique perspective on management’s hypothesis of cause and effect relationships leading
to business success. The goal is to share strategic vision and provide a guiding roadmap of the overall
plan.
For the purposes of this analysis, the following projects were used to articulate the strategy. This table
compares selected recent, current, and near‐term projects with Freightliner’s espoused statements of
aspirations and strategic direction found on the wall of every conference room.
FIGURE 1: STRATEGIC PROJECT ALIGNMENT
Columns (FTL Aspirations and Strategic Direction): Market Leader; Customer Reliable; Continuous
Improvement; Strong Brands and Value Proposition; World Class Cost Position; Distinctive Quality; Smart
Processes; Exceptional People
Rows (Strategic IT Security Projects): Implement ITIL Disciplines; DCX Integration; IdM Extranet; Deploy
New IT Security Tools; Webnet Infrastructure Improvements; Aveksa Compliance Assurance; IT Security
Reorganization
FIGURE 2: IT SECURITY STRATEGY MAP
READING THE FREIGHTLINER INFORMATION SECURITY STRATEGY MAP
While the Strategy Map provides a handy reference easily adapted to many purposes, a comprehensive
interpretation is best read from the bottom up – left to right. Here’s one reading:
1. The farthest‐looking strategic initiative is the development of a three‐year vision to implement
selected disciplines from the Information Technology Infrastructure Library (ITIL). ITIL is a
universal framework outlining accepted best practices for IT Service Management. The concepts
within ITIL support the planning and implementation of consistent, documented, and repeatable
processes that directly tie IT service delivery to company business requirements. ITIL
implementation is a major commitment for an organization and demands IT expertise, process
management skills, and continual business interaction. This three‐year vision will focus first on
incident management and will begin the value chain to protect critical information assets.
Because it is a DaimlerChrysler corporate initiative, it also supports efforts to adopt and
integrate DCX security policies.
2. DCX integration is an initiative with the goal of optimizing corporate resources and increasing
the synergy of people, systems, and assets. Among the areas of integration scheduled to be
addressed this year are integrating corporate audit services and standardizing Computer
Incident Response Team (CIRT) activities.
3. Additional initiatives deploy innovative security technologies. New IT Security tools include
deployment of the Qualys network scanning system, an application security assessment tool, an
intrusion prevention system, and firewall upgrades. Deployment of VMware will help deliver
provisioning resources by providing flexible capacity management for IT resources. Because IT
support has to adapt new technologies to legacy systems, Webnet infrastructure improvements
will allow needed systems to operate with new architecture.
4. Over the past year, the IT Security Organization has been restructured to achieve the planned
tactical and strategic goals before it. Now formed in three groups, the organization is divided
into Firewall/General Security under Chris Hamilton, Web Security under Jim Beikirch, and
Access Control/IdM under Aaron Radigan.
5. The Identity Management (IdM) Extranet Project leverages security technology to provide
enhanced Dealer‐Customer processes complying with auditing and traceability regulatory
requirements of the Sarbanes‐Oxley Act and DDC security policies.
6. Deployment of the Aveksa compliance assurance product provides a comprehensive, scalable,
and cost effective reporting tool describing “who has access to which IT/business resources,” a
key requirement of Sarbanes‐Oxley.
7. Deploying these technology innovations will address three key areas of Information Security
Risk Management: protecting critical information assets, achieving control over authentication
(ensuring system users are correctly identified) and authorization (ensuring system users have
access to needed resources), and managing the scarce personnel and funding resources that
characterize “the leanest IT organization in the corporation” (as reported independently in three
different interviews).
8. In 2002, in reaction to the flood of corporate financial scandals across various U.S. corporations,
the Sarbanes‐Oxley Act (SOX) was signed into law implementing the most significant change to
corporate financial responsibility since the New Deal. Among other requirements, the SOX Act
demands documented management practices for key business processes. While widely viewed
in some circles as a burden and cost to corporate operations, it will provide a significant
investment in critical infrastructure through process management disciplines.
9. Protecting critical information assets focuses on the three security properties commonly referred
to as CIA (confidentiality, integrity, and availability) of information assets.
10. Authentication and authorization supports CIA and is also a major investment in critical IT
infrastructure as it provides a unifying framework for user access to enterprise applications.
11. Managing scarce IT Security resources is both an investment in critical infrastructure and
characterizes the Freightliner approach to lean IT.
12. Maintaining a focus on CIA is a priority for IT because it is key to providing a seamless value
chain for Freightliner customers through access to reliable systems and information.
13. It speaks volumes for Freightliner’s IT and security leadership that the “leanest IT organization in
the Corporation” prioritizes significant investments in critical IT infrastructure which is focused
to address all three key elements of the business strategy: provide a seamless value chain for
customers, provide rapid development of new products and services and to contain costs to
maintain a world class cost position.
Especially promising is the RBAC (Role‐Based Access Control) work completed for the IdM Extranet
Project. The RBAC work provides a clean database of current Customer‐Dealers in the customer
value chain. This will provide an unprecedented reference for the development of products and
services targeted to current customers in well‐defined business roles.
14. The previous thirteen points outline a detailed strategy to ensure that Freightliner maintains
current leadership in the North American commercial vehicle industry.
15. As reported in the December issue of TruckTIMES, the Truck Group uses two key metrics to
measure profitability: RONA (Return on Net Assets) is the ratio between operating profit and
fixed capital, ROS (Return on Sales) is the ratio between earnings and the revenue generated by
sales. It was reported in December that RONA was at thirty percent and ROS was just less than
seven percent.
Put simply, the Strategy Map reveals IT Security as a treasure chest of value‐added efforts.
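Items 5, 6 and 13 above describe the security design at the heart of the IdM Extranet: delegated Security Administrators at each dealership manage access for their own users, roles are defined per business function, and every change must be traceable so the “who has access to what” question can be answered for SOX. The following is an added illustration of that pattern and is not code from the Freightliner project or from Aveksa; the dealership names, user names and role names are constructed for the example, and the delegable‐role set is an assumption. It enforces two constraints a practitioner would insist on: a dealer admin can only act within their own dealership, and cannot hand out the admin role itself (no self‐escalation). Denied attempts are logged as well as successful ones.

```python
"""Delegated RBAC with an append-only audit trail and an attestation report.

Added example (not the project's code). Names, roles and dealerships are
constructed; DELEGABLE_ROLES is an assumed policy set.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Roles central IT Security allows dealership admins to hand out.
# "dealer_admin" is deliberately NOT delegable: only central security
# creates delegated administrators, so an admin cannot escalate others.
DELEGABLE_ROLES = {"warranty_clerk", "parts_ordering", "service_writer"}


@dataclass
class User:
    user_id: str
    dealership: str                      # the scope this user belongs to
    roles: set = field(default_factory=set)


class DelegationError(PermissionError):
    """Raised when a delegated admin acts outside their scope or policy."""


class Directory:
    def __init__(self):
        self.users: dict[str, User] = {}
        self.audit: list[dict] = []      # append-only trail for traceability

    def add_user(self, user_id, dealership, roles=()):
        self.users[user_id] = User(user_id, dealership, set(roles))
        return self.users[user_id]

    def _record(self, actor, action, target, role, outcome):
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "target": target,
            "role": role, "outcome": outcome,
        })

    def _check_delegation(self, actor_id, target_id, role):
        actor = self.users[actor_id]
        target = self.users.get(target_id)
        if "dealer_admin" not in actor.roles:
            raise DelegationError(f"{actor_id} is not a delegated administrator")
        if target is None or target.dealership != actor.dealership:
            # Scope check: an admin never touches another dealership's users.
            raise DelegationError(f"{target_id} is outside {actor.dealership}")
        if role not in DELEGABLE_ROLES:
            raise DelegationError(f"role {role!r} cannot be delegated")

    def _change(self, actor_id, action, target_id, role):
        try:
            self._check_delegation(actor_id, target_id, role)
        except DelegationError as err:
            self._record(actor_id, action, target_id, role, f"denied: {err}")
            raise
        roles = self.users[target_id].roles
        roles.add(role) if action == "grant" else roles.discard(role)
        self._record(actor_id, action, target_id, role, "ok")

    def grant(self, actor_id, target_id, role):
        self._change(actor_id, "grant", target_id, role)

    def revoke(self, actor_id, target_id, role):
        self._change(actor_id, "revoke", target_id, role)

    def attestation_report(self, dealership=None):
        """Who holds which role, as (dealership, user, role) rows."""
        return sorted(
            (u.dealership, u.user_id, r)
            for u in self.users.values() for r in u.roles
            if dealership is None or u.dealership == dealership
        )


def demo():
    """Constructed scenario: one in-scope grant, three denied attempts."""
    d = Directory()
    d.add_user("alice", "dealer-101", {"dealer_admin"})   # delegated admin
    d.add_user("bob", "dealer-101")
    d.add_user("carol", "dealer-202")
    d.grant("alice", "bob", "warranty_clerk")             # same dealership: ok
    denied = []
    for actor, target, role in (
        ("alice", "carol", "warranty_clerk"),   # other dealership
        ("alice", "bob", "dealer_admin"),       # admin role is not delegable
        ("bob", "bob", "parts_ordering"),       # bob is not an admin
    ):
        try:
            d.grant(actor, target, role)
        except DelegationError as err:
            denied.append(str(err))
    return d, denied


if __name__ == "__main__":
    directory, refused = demo()
    for row in directory.attestation_report():
        print(row)
    for entry in directory.audit:
        print(entry["actor"], entry["action"], entry["target"], entry["role"], entry["outcome"])
```

The attestation report is the artefact an auditor asks for; the audit list is what lets you explain how each row got there. In a real deployment the trail would go to write‐once storage rather than a Python list, and the scope and delegable‐role policy would come from the IdM product rather than module constants.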
CRITICAL SUCCESS FACTORS
Freightliner’s IT Security organization has a clear sense of mission and direction. Both are well reflected
in the relatively recent organizational structure and the choice of strategic projects to pursue. However,
having meaningful projects and goals is not enough. Even organizations of exceptional people must
perform well in key areas on a consistent basis to achieve success and an enjoyable work life. These key
areas – unique to the organization, its challenges, and its abilities – can be defined as the organization’s
Critical Success Factors (CSFs). A highly‐functioning team and its leaders implicitly know and consider
these key areas when they set goals and formulate action plans. However, when these CSFs are made
explicit, they reveal a common pattern of behavior that is highly relevant and meaningful to real project
situations. Strong achievement of a CSF is an indication of a strength that can be leveraged while an
achievement gap presents a major opportunity to operate at a higher level of achievement.
CSFs are easily confused with goals, but they are quite different. A goal is an operational target for
achievement that drives meaningful work. A CSF is an augmenting method of achieving a goal that
drives and enables success. In quality management terms, this is the relationship between targets and
means – the difference between “just do it” and understanding the how and why to achieve an end so it
is effective, efficient, repeatable, and learnable for others. For many teams the translation from goals to
successful action plans is accomplished invisibly and innately. The CSF method attempts to make this
hidden skill explicit so the organization can use it collaboratively as an aid to implementing strategy and
executing projects.
Although irreplaceable, technical acumen is rarely in short supply in IT Security organizations. More
often, skills such as “the ability to formulate and take focusing actions” or “the ability to make work
visible” contribute most to workplace effectiveness for the complex problems of information security.
Such skills are often not apparent and won’t be found on a laundry list of “habits of successful
organizations.” The need for such skills and the value in identifying them comes from actually observing
competent people performing well and identifying specific patterns of improvement. Meaningful CSFs
are derived from analysis of the team working well, rather than having them established upfront as
some kind of vision.
The brainstorming exercise completed for the IdM Extranet project and CSS’s on‐site interviews
provided an excellent opportunity to uncover the critical success factors of a well‐functioning team
working a complex and important project. The richness of the Strength‐Weakness‐Opportunity‐Threat
(SWOT) exercise is that it reveals things working exceptionally well in addition to uncovering problems.
The IdM project team was ideal for this focus because while IdM work is not representative of all the
strategic projects currently underway, it is an example of a high‐functioning team working its way
through complex problems. If a pattern of CSFs proves useful for the IdM project, they are likely to apply
widely to other complex projects as well.
Figure 3 shows the six distinct CSFs and the assessment scores that were identified by analyzing
recurrent themes in the interviews and project analysis. Please keep in mind that high scores indicate
strength in this area that should be leveraged and low scores indicate opportunities to function at a
significantly higher level.
FIGURE 3: IT SECURITY CRITICAL SUCCESS FACTORS AND ASSESSMENT SCORE
CSF RATIONALE AND RECOMMENDATIONS
The assessment that follows is necessarily subjective and qualitative. Recommendations are based on
my formal training in organizational dynamics, my experiences in industry, and my grounding in the
management principles of Dr. W. Edwards Deming.
Each of the following CSFs has a Problem Statement describing why it is important, an Assessment
rationale that describes criteria relevant to the score, and Recommendations to exploit high scoring
categories and suggestions to improve low scoring categories.
MANAGING SCARCE RESOURCES – SCORE: 80%
Problem statement: “We’re the leanest IT organization in the corporation.” Of course every IT and IT
Security organization is challenged with staffing a knowledgeable and compatible workforce. The
necessary disciplines are immature, the technology is rapidly changing, and the area is target‐rich. At
the same time, IT organizations are continually challenged to reduce costs in the face of endless serious
threats. The result is often that expensive projects are delayed by multitasking specialists delaying ROI
and burning out in the process.
Assessment: Very high marks in this category. Freightliner is managing lean IT exceptionally well. The
project portfolio is rich with infrastructure investment and a clear value chain. The organization is
structured to focus on mission success. In the words of Susan Moote, Director of IT Infrastructure,
“Security is the foundation of IT infrastructure.” Chris Poorman, IT Security Manager, has recently
reorganized into three focused groups: Firewall/General Security, Web Security, and Access
Control/IdM. Supervisors of each group provided a unified and coherent description of their missions
and responsibilities.
Excellent use is made of both long and short‐term contractor personnel. Highest marks go to the Project
Liaison Office and Richard Guyot’s professional project management. My favorite quote from a tightly‐
run meeting: “We’ve got one minute left, would anyone like to add anything?” Project management is
a specialized and challenging discipline and I’ve rarely seen it practiced better. In addition to skilled
talent, Freightliner has a well‐documented methodology for project development and execution that is a
jewel in the crown.
Selection of team membership is a crucial element of this CSF. A look at the single page Affinity Diagram
(see Figure 4) provides insight: The category “Current Team Capabilities” is overwhelmingly dominated
by Strengths (in blue).
Recommendations:
1) Establish cost benchmarks within the corporation and across the industry to help build the
business case for investment.
2) Invest in formal training for building IT business cases – it is a core competency and will help
security specialists build relationships with business partners.
3) Take advantage of the internal “LEAD” system to build a skills database across the
corporation. Pool scarce resources at the highest possible level, put them on one project at
a time, and provide them with clear priorities.
4) Involve everyone in the zero‐based budgeting process.
5) Take every advantage of project and organizational milestones, recognize them in public
and formally celebrate achievement.
CULTIVATING AND COMMUNICATING BUSINESS SAVVY – SCORE: 90%
Problem Statement: As IT Security moves more into a strategy‐driven business‐enabling approach, it
becomes more and more important to develop and maintain a keen sense of business priorities and the
ability to respond meaningfully to them. The risk is to negatively impact the value chain of operations
with an emphasis on technology or compliance. The window for leveraging SOX compliance, for
example, will not remain open long. It will become more and more important to build deep and long‐
lasting partnerships with operations and learn to speak in the language of money and measurement.
Assessment: Highest marks here. In the course of interviewing twelve people for this report, five
mentioned their origins were in business and most demonstrated impressive depth of knowledge about
company operations and priorities. Critical skills are being developed in the areas of RBAC, use case
development, and compliance reporting areas. This work is very well documented. Susan Moote
observed that the business case for the internal IdM work is going to be a major challenge.
Three truths about IT strategy: (1) The demand for existing technology increases as the business grows,
(2) the demand for new technology functionality increases with the technology intensity of the
business, and (3) technology innovation increases the demand for new business skills in IT.
Recommendations:
1) Continue to cultivate business champions like Kimberly Ward and business analysts like
Jonathan Villante. Kimberly’s enthusiasm for the marketing advantages of the Dealer RBAC
work is inspirational. Jonathan’s insights into workflow automation and targeted services for
profitable customers are gospel. Whenever possible, couple a technical person with a business
talent.
2) Share the internal business knowledge and insight with everyone in the organization. Don’t let
business orientation become a specialty of a few.
3) Exercise your evangelists with road shows and presentations at staff meetings and town halls.
4) Move beyond dubious savings like “reduced help desk calls” to richer value‐driven measures
(see “Using Key Performance Indicators” CSF).
5) Attend conferences and build industry alliances with business‐savvy counterparts. Document
and share these resources. Build a corporate and industry champion database.
6) Seek opportunities to make the company easier to work with (like the effort on 3rd party
contracts).
7) Refine, update, and share the strategy map with all stakeholders. Let’s see an appropriate
version of it in TruckTIMES. The security strategy belongs on the Freightliner web site and in the
annual report. How about adding a spot to the looping television tape overview in the
corporate headquarters lobby? Corporate communications people are always looking for new
features.
FORMULATING AND FOCUSING ACTIONS – SCORE: 60%
Problem Statement: Many challenges are being faced for the first time. The learning curve is steep and
multidisciplinary. The result is often an over‐emphasis on results with little attention to method. With
no time for experimentation and reflection, the penalty is paid when recurring problems are either
ignored or addressed by reinvention.
Assessment: Very good use is made of subject matter experts and outside talent and the team certainly
seems to collaborate well. Process management disciplines help keep task teams small and maximize
what learning opportunities exist (it’s hard to get left out of a pair). But as the work gets more complex
(e.g., next year’s Intranet IdM) more will depend upon the judgments made by individuals with no
formal method for methodology review and validation. Cultivating a habit of meeting deliverables and
deadlines without sharing the work methods will make success critically dependent upon the continued
performance of individuals, not the team. This is especially critical in the requirements gathering and
validation cycles. Major challenges lie ahead in the internal RBAC and the entire subject of data quality
is a sword of Damocles for the project. (For more information on data quality, see Improving Data
Warehouse and Business Information Quality: Methods for Reducing Costs and Increasing Profits, by
Larry P. English.) An effective strategy for next year depends heavily on preparation this year.
Recommendations:
1) Maintain the search for best methods and practices. Look into building skills in the
requirements disciplines of Quality Function Deployment and other formal approaches to
gathering, validating, and translating requirements into technical specifications.
2) Use corporate resources to build team websites, maintain running records of lessons learned,
and formalize cross‐training whenever possible. Document, publish, and follow an
organizational internal training plan.
3) Investigate and adopt a strategy to deal with data quality, to include database cleanup, process
analysis with robust design, and data quality performance reporting.
4) Establish annual training in the so‐called soft skills of problem formulation and dialogue.
5) Schedule regular meetings to share issues – even without resolution – to increase internal
communication about the challenges being faced and make wider use of your very skilled
individuals. (I know these items take time and people are already very busy, but it will pay off in
the team you build and your ability to quickly marshal problem solving capabilities when critical
problems arise.)
ALIGNING AND INTEGRATING MULTIPLE GOAL SETS – SCORE: 80%
Problem Statement: As IT Security projects become more business intense, they will compete more and
more with traditional operations‐focused projects and initiatives both for costs and for talent. The risk
is to miss critical security targets for lack of alignment and integration of business goals with IT security
goals.
Assessment: This value is very well demonstrated in the alignment and synchronization with the OWL
(On‐line Warranty) project. Expect much more like this in future strategic initiatives.
Recommendations:
1) Formalize the relationship with competing projects. Avoid the practice of sending the Project
Manager to deal with scheduling negotiations by dedicating team resources to key opportunities
and building alliances. Ensure stakeholders and partners share goal‐setting and performance
measurement where it makes sense. Share the strategy; share the success!
2) Engage experienced neutral third party facilitators to manage important meetings. Consider
using facilitators to manage the progress of knowledge transfer in meetings like the OWL
synchronization meeting. This can ensure the time is spent productively addressing key issues
definitively so they don’t go unresolved or reappear. It is also a useful way to have a third party
document the progress so team members can participate fully.
3) Practice formal expressions of appreciation like commendations for important contributions.
Always cc the manager as well.
4) Many projects that may appear to compete have a valuable security component that can be
leveraged. Don’t hesitate to take advantage of your marketing insight into the many dimensions
of IT Security.
PRACTICING COLLABORATIVE LEARNING – SCORE: 40%
Problem Statement: It is not collaboration if everyone attends a meeting and cleans email instead of
demanding a rich and productive experience. PowerPoint slides have a place, but the whiteboard is the
place to demonstrate thinking and sequential problem solving. There is no substitute for sitting across a
table, looking each other in the eyes, and engaging fully in meaningful dialogue. Without consideration
and skill in working with the ideas of others, we lose precious synergy and create the self‐fulfilling
prophecy of meetings wasting our time.
Much of the work in IT Security has an abstract dimension that makes it difficult to document how
decisions and judgments are made. Relying on the strength and trust of individuals inhibits the learning
cycle and makes it difficult to repeat success. In order for conscious competence to become routine
unconscious competence, it needs to be documented and shared. There are formal frameworks for
illuminating enterprise architecture that can be very helpful and provide a powerful communications
bridge with the business community.
Assessment: Many of the challenges team members have met so well have been new exercises or at
least had new scope and complexities. The individual learning has been excellent from my vantage
point and the phased deployment of the extranet project provides the ability to reflect and learn. In the
language of the quality management gurus, you’ve built iterative cycles of Plan‐Do‐Study‐Act into the
deployment that should safeguard the project, provide visibility into unforeseen problems, and generate
even more lessons for your team. At the completion of this first project, you’ll have a very well trained
team that no classroom cycle can produce.
Skillful public reflection is a much neglected success factor. Without a formal method of reflection and
learning, valuable knowledge capital is squandered in the name of meeting immediate goals. The result
is failure to address subtle but expensive problems and an endless cycle of scraping burned toast.
While there were strong presentations made on executive summaries of the IdM project, work was
largely (and perhaps necessarily) done individually and without wide collaboration. Techniques like the
Affinity Diagram can generate valuable insights that build on each other’s ideas. Without collaborative
technology we are only as smart as the smartest powerful person in the room. Excellent work was
demonstrated in documenting project progress but some individuals, even inside the team, complained
about not receiving updates and feedback. Share the strategy; share the work!
Recommendations:
1) Adopt a method of formal reflection and lesson gathering. Consider the work done by the U.S.
Military in building a culture of reflection in their After Action Reviews. Consider scheduling
formal Postmortems and Before Action Reviews.
2) Post findings and insights on a bulletin board, on posters, on the project web site. The schedule
information on the whiteboard in the Data Center is an excellent start once the code is broken.
3) Post work product in public and always sign your work (you’ll join Isaac Newton and Galileo,
both famous for showing and signing their work.) This does much to create tribal knowledge
and increase the likelihood of accidental and beneficial interactions.
4) Consider a method like the Zachman Framework of Enterprise Architecture as an avenue to
illuminate IT security opportunities in IT and business projects. Adopting standards for
graphically illuminating abstract entities can help business people overcome the intimidation of
highly technical concepts.
5) Adopt methods of graphical collaborative problem solving. Two good places to start are
Thinking Visually by Malcolm Craig and Rapid Problem Solving with Post‐It Notes by David
Straker. Both are accessible and rich sources of collaborative technologies.
6) As this project matures, you will find many opportunities to leverage the agility of
standardization, to capture lessons learned, and embed them in the organization. Take
advantage of these.
USING KEY PERFORMANCE INDICATORS – SCORE: 10%
Problem Statement: Without a small and meaningful set of both leading (predictive) and lagging
(reactive) measures, it’s impossible for people to build meaningful models of cause and effect so success
can be understood and reproduced. The purpose of performance metrics is to reveal the engines of
change that produce your desired results. It’s not necessary to engage a statistician, but some amount
of numeracy will ensure the measures are few, meaningful, and get used.
Assessment: Currently, other than milestones and scheduled deliverables, the only attempt to quantify
project or process performance was nicely carried out in one of the training documents early in the
project. I include it here in its entirety because so few recalled seeing it:
The implementation will be deemed successful if:
The volume of calls to the Dealer Help Desk related to external user security issues immediately
after deployment increases by 20% or less
The volume of calls to the Dealer Help Desk related to external user security issues is reduced
over time after deployment
The forecasted addition of 8,000 to 40,000 new external users does not require additional Dealer
Help Desk personnel to support user security
External end users can successfully log in to AccessFreightliner applications using a single
password
External end users can change and update their own password in real‐time with little to no
support from the Dealer Help Desk
Delegated dealer admins can monitor and maintain logins and access roles for users within their
Dealership
IT Security can analyze and audit ID security activities
Identity and access management capabilities and process comply with SOX and other regulatory
requirements
External end users, dealer admins, and Dealer Help Desk personnel understand their roles in
supporting corporate IT security policies.
It’s a useful set of measures but I don’t believe there’s a data collection and analysis review scheduled.
To be fair, the culture at Freightliner doesn’t seem to actively use many performance metrics so it’s not
surprising to find none. However, it does represent a major step forward in your ability to transition
projects into processes and manage them with a continual improvement emphasis. ITIL will certainly
help in this regard.
Recommendations:
1) The Maturity Model in COBIT 4.0 is an effective way to begin adopting process management
disciplines and I recommend it without hesitation. It does a nice job of presenting a collection of
potentially meaningful metrics – very useful for a start.
2) Remember that less is more in the performance measurement world. Stay focused on a small
set of balanced leading and lagging key performance indicators and use them to explain
progress in the project.
3) Gently initiate the practice of challenging conclusions with a non‐threatening, “That’s
interesting, how do you know?” Celebrate critical thinking.
4) Take advantage of resources in Freightliner’s Six Sigma program to get expert help developing
and implementing a metrics program for IT security.
5) Build a richly detailed vision of the desired future state of IT and its relation to business
processes. Use collaborative methods to develop metrics and build an executive scorecard for
the key process indicators of your success.
STRATEGIC ANALYSIS OF THE IDENTITY MANAGEMENT PROJECT
In this section a three‐step method was used to brainstorm issues, prioritize the key themes, and then
derive recommendations to mitigate the specific potential problems and concerns.
Note: The method and descriptions of the Hoshin tools (Affinity Diagram, Relations Diagram, and Tree
Charts) are in Appendix A.
BRAINSTORMING PROJECT ISSUES AND CONCERNS
The Affinity Diagram (Figure 4) is the valuable product of a structured brainstorming session. In this
two‐hour meeting, we surfaced and processed 160 different ideas and concerns about meeting the
project pilot date early in June.
The following pages show the product of the brainstorming exercise (best seen printed tabloid‐size or
electronically in a PDF file) and some photos of the team in action. Each of the team issues is also
printed in color‐coded tables in this chapter.
FIGURE 4: AFFINITY DIAGRAM FOR THE IDM PROJECT
FIGURE 5: 160 KEY ISSUES AND CONCERNS!
FIGURE 6: SORTING THE ISSUES INTO THEMES
Once the issues and concerns were brainstormed and sorted into themes, a follow‐up session
established priorities among the themes. Some categories drove others and had to be considered first.
The Relations Diagram in Figure 7 shows the key themes and the driving categories that must be
considered before “effect” categories can be analyzed.
FIGURE 7: RELATIONSHIP DIAGRAM OF KEY THEMES
The diagram guides us to address the themes of “Managing Customer Requirements and Expectations”
first since it drives all the other categories.
The third step was to single out actionable issues, group them, and develop mitigating
recommendations to address the concerns. The method is very powerful and intuitive, but it is a very
comprehensive method that should only be undertaken on important and complex projects.
Following are the details of the brainstorming (team issues organized by SWOT category) and the
analysis leading to recommended mitigating actions.
1.0 MANAGING CUSTOMER REQUIREMENTS AND EXPECTATIONS
SWOT          TEAM ISSUE
Strength      1.1. Knowledge of the customer base
              1.2. Dealer interests are well represented
              1.3. Requirements are clear
              1.4. We have business owners who really want these changes and we have support from the business
Weakness      1.5. No system redundancy
              1.6. Can not impact daily workflow
Opportunity   1.7. We have the opportunity to deliver a solid, meaningful product
              1.8. We will better understand our customers
              1.9. We'll reduce calls to the help desk
              1.10. We have the opportunity to receive positive feedback from the Dealers
              1.11. Provide external user control
              1.12. Because of clearly defined roles, distribution of applications will be simplified
              1.13. Key data available on customers
              1.14. Links disparate account codes for future use
              1.15. Improve dealer relations
              1.16. Reduce user account provisioning time
              1.17. Improve customer satisfaction
              1.18. Fix dealer logon issues: multi‐logons, manual processes
              1.19. Efficient user management
              1.20. Enhancing user experience
              1.21. Provide customers with valuable reporting mechanisms
              1.22. Improve dealer user ID management
              1.23. Project will simplify Dealership admin process
              1.24. Users only need one ID for AFR
Threat        1.25. All users and orgs may be involved
              1.26. Dealers are outside of direct control
              1.27. Poor dealer receptivity is a threat
              1.28. Target audience is vast and diverse
              1.29. We might miss the chance to succeed
              1.30. Manage a large external user base
              1.31. Dealerships fail to communicate down their orgn
              1.32. Reduce customer satisfaction with security policies
              1.33. Dealers may not fully cooperate in providing necessary information or may foster ill feelings
1.0 GROUPED ACTIONABLE ISSUES – RECOMMENDED MITIGATING ACTIONS
1) Threat: Poor dealer receptivity; Dealers are outside direct control; Dealerships may fail to communicate down their organization; Dealers may not fully cooperate in providing necessary information; target audience is vast and diverse; Dealers may foster ill feelings; deploying new security policies may reduce customer satisfaction
   1a. Ensure team Dealer Representative (Kimberly Ward) has dedicated priority and open lines of communication with Dealers throughout phased deployment.
   1b. Actively solicit feedback on phased deployment through focus groups of Dealer Security Admins and plan to implement facilitating suggestions.
   1c. Provide clearing house/bulletin board/web site for Dealer input and problem resolution. Consider automating a performance dashboard with Pareto analysis.
   1d. Compile help desk problem analysis, feedback findings with Dealer network, and plan to implement mitigating solutions.
   1e. Ensure training program is used to feed suggestions to team for deployment modification.
   1f. Publish regular editions of a Dealer Security Admin bulletin/newsletter with sections for selected RBAC groups.
2) Opportunity: We will better understand our customers; we have the opportunity to receive positive feedback from the Dealers; provide customers with valuable reporting mechanisms; improve dealer user ID management; simplify Dealership admin process
   2a. Adopt a formal method to gather, translate, and validate the Voice of the Customer, e.g., Quality Function Deployment.
   2b. Document Dealer Security Admin Communications Plan.
   2c. Ensure communication strategy addresses reporting needs and changes.
   2d. Verify reporting strategy supports SOX compliance requirements and company and corporate security policies.
3) Opportunity: Because of clearly defined roles, distribution of applications will be simplified
   3a. Involve relevant application development representatives in IdM project deployment to spot early opportunities and expose potential problems.
   3b. Optimize RBAC categories for application development where practical.
2.0 CREATING STRATEGIC DIRECTION FOR IDM AND DEPLOYING SECURITY POLICIES AND STANDARDS
SWOT          TEAM ISSUE
Strength      2.1. Looking toward the future in how this app can be leveraged
Opportunity   2.2. Establish future base for IAM
              2.3. Create a solid IAM cornerstone
              2.4. We have an opportunity to fix business processes internally ‐ business owners and app development
              2.5. Ability to expand workflow to other parts of the business
              2.6. Automate manual workflow
              2.7. Provide a foundation for delivery of a portal
              2.8. Will put well‐defined business processes in place
              2.9. Enables better web‐trends data
              2.10. Provides a good roadmap for future IT security plans
              2.11. Contribute to company profit line
              2.12. Gain economic benefit of project
              2.13. Enables future app development by detailed roles
              2.14. Provides structure for all apps who require dealer family info
Threat        2.15. Causes a change to how future apps are built
Opportunity   2.16. Adherence to policy/standards/best practices
(Security     2.17. Set security policies
Policies and  2.18. Meet SOX compliance
Standards)    2.19. Security will comply with SOX
              2.20. Tightening Security Controls
              2.21. Much more secure environment
              2.22. Security will become strengthened
2.0 GROUPED ACTIONABLE ISSUES – RECOMMENDED MITIGATING ACTIONS
1) Threat: Causes a change in how future applications are built; enables future application development by detailed roles
   1a. Review actions taken in Managing IdM Project Customer Requirements and Expectations above.
2) Opportunity: Meet SOX compliance
   2a. Review actions taken in Managing IdM Project Customer Requirements and Expectations above.
3) Opportunity: Establish future base for IdM; provides a good roadmap for future IT Security plans; create a solid IdM cornerstone
   3a. Document Freightliner IdM strategy beyond Burton Group suggestions to capture lessons learned and maintain actual IdM implementation details.
4) Opportunity: Contribute to company profit line; gain economic benefit of project
   4a. Publish IdM/Security Strategy Map linking project details to IT infrastructure and company business goals.
   4b. Ensure project benefits are quantified and validated by Company finance representative. Communicate results to stakeholders.
5) Opportunity: Fix business processes internally; expand workflow to other parts of the company; automate manual workflows
   5a. Draft and implement automated workflow management strategy.
   5b. Provide internal training on workflow management opportunities, tools, and methods.
3.0 MANAGING OUTSIDE INFLUENCES
SWOT          TEAM ISSUE
Strength      3.1. Top management visibility
              3.2. Visibility at high level
Weakness      3.3. Visibility at high level
Opportunity   3.4. OWL Support
Threat        3.5. Forced compression of project timeline
              3.6. Pressure from OWL on project timeline
              3.7. OWL dependencies
              3.8. Increased visibility from being tied to the OWL project
              3.9. 2007 business uncertainty
3.0 GROUPED ACTIONABLE ISSUES – RECOMMENDED MITIGATING ACTIONS
1) Threat: OWL dependencies; forced compression of project timeline; pressure from OWL on project timeline; increased visibility from being tied to the OWL project
   1a. Dedicate team resources to continually manage OWL synchronization.
2) Opportunity: Top management visibility
   2a. Ensure management briefings on project status, goals, and results are included in documented project communications plan.
4.0 CURRENT TEAM CAPABILITIES
SWOT          TEAM ISSUE
Strength      4.1. Our team is experienced
              4.2. We've learned from past mistakes
              4.3. Experience of project members is a strength
              4.4. Good partner who fully understands this technology
              4.5. Project team has strong advocates for the concerns of the end users
              4.6. Project team has solid understanding of affected systems
              4.7. Big picture view from team members
              4.8. We have a dedicated team
              4.9. Project team support & objectives ‐‐ "Buy‐in"
              4.10. Diverse project team that cares about our success
              4.11. We have a wealth of experience
              4.12. Strong background with Dealers on the team
              4.13. Dealer JAD fully supports the project
              4.14. Project team dedication to the project
              4.15. Strong individual organizational skills
              4.16. Team works well together
              4.17. Developers that have deployed this application before
              4.18. Good vendors with lots of experience and knowledge
              4.19. Competent people
              4.20. Productive conflicting approaches
Opportunity   4.21. Unproductive conflicting approaches
              4.22. Knowledge of non‐project application requirements
              4.23. We have limited experience in some areas
              4.24. Chance to learn skills from other team members
              4.25. Chance to shine!
              4.26. We have an opportunity to demonstrate the ability to succeed at a complex project
Threat        4.27. It's a threat that we might do it the same way as CCI‐Phase II
4.0 GROUPED ACTIONABLE ISSUES – RECOMMENDED MITIGATING ACTIONS
1) Threat: We might do it the same way as CCI‐Phase II
   1a. Dedicate project team agenda item to review CCI‐Phase II issues and remedial actions.
   1b. Schedule formal project After‐Action Review/postmortem to document lessons learned.
   1c. Maintain running lessons learned database throughout project.
2) Opportunity: Our team is experienced; we’ve learned from past mistakes; project team has strong advocates for the concerns of the end users; project team has solid understanding of affected systems; big picture view from the team members; team works well together; diverse project team that cares about our success; productive diverse and conflicting approaches
   2b. Develop internal project team IdM Training Plan.
   2c. Establish dedicated IT Security resource library.
   2d. Build alliances with other Corporate/industry partner IT Security organizations to document and exchange best practices.
   2e. Ensure team achievements are formally recognized and celebrated.
3) Good partner who fully understands this technology; developers who have deployed this application before; good vendors with lots of experience and knowledge
   3a. Involve partner/vendor representatives in project reviews and document lessons learned.
5.0 TIMELINE AND RESOURCES
SWOT          TEAM ISSUE
Strength      5.1. Adequate staff
              5.2. Project is supported by upper management
              5.3. Funded project
              5.4. Adequate budget
              5.5. Proper funding
              5.6. Adequate timeline
Weakness      5.7. Subject to CIRT interrupts
              5.8. Team is allocated to competing projects
              5.9. Steve Sawrey availability
              5.10. There are scarce resources
              5.11. Subject to priority threats
              5.12. Cross‐functional project staffing
              5.13. Unidentified (or uncommunicated) high executive sponsor
              5.14. Tight fiscal environment
              5.15. Other projects affecting our timelines
              5.16. Ability to get resources in a timely manner
              5.17. Single point of failure regarding web methods development
              5.18. Limited personnel resources
              5.19. Critical scarce resource ‐ web methods
Threat        5.20. Funding shortfall
              5.21. Cost constraints
              5.22. Freightliner may have to add staff
              5.23. Schedule constraints
              5.24. Long deployment schedule
              5.25. Other projects impacting our timelines and deliverables
              5.26. Resource constraints
              5.27. Kimberley's availability
              5.28. Key owners' availability
              5.29. External projects may create surprises (unknown risks)
5.0 GROUPED ACTIONABLE ISSUES – RECOMMENDED MITIGATING ACTIONS
1) Threat: Funding shortfall; cost constraints; resource constraints
   1a. Monitor and report upon project costs and resource requirements.
   1b. Ensure IT Security is formally involved in IT infrastructure investment strategy process.
   1c. Establish cost benchmarks to compare with other Corporate initiatives.
   1d. Standardize organizational methodology for making business case for initiatives.
   1e. Involve more IT Security organization in zero‐based budgeting.
2) Threat: Key owner’s availability; Kimberly’s availability; Steve Sawrey availability; key resources availability; limited personnel resources; cross‐functional process staffing is limited; team is allocated to competing projects
   2a. Ensure project team members document methods of achieving deliverables to enable replication.
   2b. Schedule agenda item to review detailed project plan to identify potential resource vulnerabilities.
   2c. Provide training and backup plan for key scarce resources.
   2d. Build alliances with competing company initiatives to share key resources.
   2e. Consider establishing corporate‐level key resource pool for complex projects.
3) Threat: Long deployment schedule; other projects impacting our timelines and deliverables; subject to priority threats
   3a. Maintain dedicated PMI‐certified project management disciplines.
   3b. Use experienced neutral facilitators for important coordination meetings.
   3c. Selectively implement innovative project management practices, e.g., Critical Chain Project Management.
6.0 MANAGING THE PROJECT
SWOT          TEAM ISSUE
Strength      6.1. Proper scope
              6.2. System (IdM) may provide opportunities for automated operations
              6.3. Project involvement from PMLL
              6.4. Clear need
              6.5. Understanding that this has to get done
Weakness      6.6. Lack of authoritative data
              6.7. So much missing data
              6.8. Other app development happening concurrently ‐‐ difficult to stay in synch
              6.9. Project methodology falls between infrastructure and app development
              6.10. Poor data quality in current LDAP
              6.11. So much bad data
              6.12. RBAC ‐‐ moving the business away from managing by exception
              6.13. Eclipse may not fully deliver
              6.14. Cross‐functional coordination is required
              6.15. Extremely vast scope of deliverables
              6.16. Project team may not have identified and quantified all the stimulus‐response (statistical thinking)
              6.17. Deliverables are very confusing to outside viewers
              6.18. We must implement "all or nothing" in production
              6.19. Fractured internal communications
              6.20. Complex and long deployment plan not fully defined yet
              6.21. Communication flows are disjointed
              6.22. RBAC ‐‐ this is the first time we've tackled it
Opportunity   6.23. We have the opportunity to clean up bad data
              6.24. Basis for good data ‐ detailed data
              6.25. Establish a valid move forward point for active users/orgns
              6.26. Build great SCS and IDS communication paths for the future
Threat        6.27. Years of bad data
              6.28. Managing the massive data volumes
              6.29. Communication breakdowns
              6.30. RBAC scope change
              6.31. Miscommunication
              6.32. Development failures
              6.33. Disruption of customer business activities during deployment
              6.34. If system isn't released working well, we may not get buyoff from our external customers
              6.35. Vendor control
              6.36. Years of bad processes
              6.37. Possible application limitations may impact our deliverables
              6.38. Our project forces changes to other business processes like DWC Sign‐up
6.0 GROUPED ACTIONABLE ISSUES – RECOMMENDED MITIGATING ACTIONS
1) Threat: Years of bad data; years of bad processes; so much missing data; poor data quality in current LDAP; lack of authoritative data; so much bad data; opportunity to clean up bad data; opportunity to establish good data – detailed data
   1a. Develop and implement company data quality strategy (reference: Improving Data Warehouse and Business Information Quality by Larry P. English, Wiley and Sons, 1999) to include data cleanup, process improvement, and data quality performance reporting.
2) RBAC scope change; RBAC – this is the first time we’ve done it; RBAC – moving the business away from managing by exception
   2a. Document RBAC development methods and lessons learned.
   2b. Involve experienced external expertise on RBAC development, optimization, and lessons learned.
   2c. Document Use Case development, validation methods and lessons learned.
3) Communication breakdowns; miscommunication; fractured internal communications; cross‐functional communication is required; communication flows are disjointed
   3a. Conduct periodic review and validation of Project Communications Plan.
   3b. Leverage company web site development resources to establish dedicated communication channels for complex projects.
   3c. Look for opportunities to use visual artifacts (e.g., posters) to communicate project vision, mission, values.
4) Eclipse may not fully deliver; extremely vast scope of deliverables; deliverables are very confusing to outside viewers; difficulty with vendor control is a threat
   4a. Document formal project deliverables specification.
   4b. Map deliverables to project and company benefits.
   4c. Maintain selective use of experienced external oversight for key deliverables and complex projects.
   4d. Establish alliances with other Corporate initiatives to establish pool of qualified external expertise.
5) We must implement “all or nothing” in production; complex and long deployment plan not fully defined yet; project methodology falls between infrastructure and app development
   5a. Adopt a formal Plan‐Do‐Study‐Act discipline for phased deployment.
APPENDIX A: PROCEDURES FOR FOCUSED PLANNING TOOLS
The following tools are singled out of the very large CSS Focused Planning toolkit for their suitability and
usefulness in the Freightliner IdM project. Tools are presented in a standardized format called a POPE.
The POPE is a statement of the Purpose – Outcome – Process – and Evaluation method for a meeting,
working session, or application of a process management tool. It is intended to provide context and set
expectations for productive collaboration.
AFFINITY DIAGRAM
Purpose: The Affinity Diagram gathers large amounts of language data (ideas, opinions, issues, etc.) and
organizes it into groupings based on the natural relationships between each item. It is an excellent
brainstorming technique and may be a lead‐in to further tools such as tree charts (for refining logical
relationships) or interrelationship diagrams (for separating drivers from effects and establishing
priorities).
Outcome: Logical categories of ideas grouped into manageable “buckets” to reveal themes and key
issue categories. All raw material is maintained and is accessible.
Process: Frame a large and open‐ended question along the lines of “What are all the issues and
elements related to x?”
Conduct a brainstorming session to generate a large quantity of ideas. Resist the temptation to
analyze the inputs, but ensure they are descriptive and well‐understood. Maintain a written record
of inputs in front of the group to stimulate building upon one another’s ideas and also record each
input onto separate cards. All comments should be written in the same hand to remove any sense of
ownership of the idea.
When ideas have been exhausted (generally after 30‐50 inputs), arbitrarily arrange the post‐its on
the wall and have the group silently organize the cards into natural groupings. Avoid the temptation
to prearrange the categories – let them develop naturally. The rule of silence is to ensure every
perspective is given equal value in the grouping process.
When the cards are clearly organized in five to seven categories, develop header cards to name the
theme of the category.
Evaluation: The usefulness of this process will be immediately obvious as the themes can be driven into
a number of additional refinement tools. As with any brainstorming activity, this method only makes
use of the ideas in the room, so selecting the right participants is key.
RELATIONS DIAGRAM
Purpose: The Relations Diagram analyzes the relationship between each element in a group of entities
clarifying “drivers” from “effects.” While largely a creative effort, the cognitive dynamic is convergent as
logical connections are clarified.
Outcome: The Relations Diagram results in a clear priority of drivers and effects. What is essential to
understand is that you cannot go “do” an effect. Drivers must be considered first. Priority is given to
the driver with the highest number of arrows headed “out.”
Process: This process works well with the output of an Affinity Diagram. Place the names of the
headers in a circle (like the numbers on a clock).
Ask for each relationship, “Does x element drive y or is it driven by y?” The answer is recorded in the
form of a single‐headed arrow indicating the direction of the driver.
When all possible relationships have been evaluated, count the number of arrows headed out and
prioritize the elements from highest to lowest.
There will come early in the process the question of which is really the driver and which is really the
effect. Avoid the temptation to use double‐headed arrows and ask, “Which way of looking at the
relationship provides the strongest bias for action at this point in time?”
Evaluation: Beware of categories changing meaning in the middle of the analysis. Ensure internal logic
is not circular, e.g., if A drives B and B drives C, then C cannot drive A. The diagram is complete when
the team agrees that clear priorities have been identified and the way forward is clear.
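The arrow‐counting and circularity rules above, as an added example that is not part of the report: a small Python model of a Relations Diagram that records single‐headed arrows, refuses double‐headed arrows and circular logic, and ranks elements by arrows headed out. The five affinity headers and their pairwise answers are constructed for illustration.

```python
"""Relations Diagram as a directed graph: one single-headed arrow per
driver/effect pair, no circular logic, priority by arrows headed out.
Added example; the themes in build_example() are constructed, not the report's."""


class RelationsDiagram:
    def __init__(self, elements):
        self.elements = list(elements)
        self.out = {e: set() for e in self.elements}  # driver -> set of effects

    def reaches(self, start, target):
        """Depth-first search: is there a chain of arrows from start to target?"""
        stack, seen = [start], set()
        while stack:
            node = stack.pop()
            if node == target:
                return True
            if node not in seen:
                seen.add(node)
                stack.extend(self.out[node])
        return False

    def add_arrow(self, driver, effect):
        """Record 'driver drives effect', rejecting the cases the text warns about."""
        if driver not in self.out or effect not in self.out or driver == effect:
            raise ValueError("arrow must join two distinct elements of the diagram")
        if driver in self.out[effect]:
            raise ValueError("double-headed arrow: pick one direction")
        if self.reaches(effect, driver):
            raise ValueError("circular logic: %s already drives %s" % (effect, driver))
        self.out[driver].add(effect)

    def priorities(self):
        """Elements ordered by number of arrows headed out (ties alphabetical)."""
        return sorted(self.elements, key=lambda e: (-len(self.out[e]), e))


def build_example():
    """Constructed affinity headers and pairwise answers for an IT security plan."""
    d = RelationsDiagram(["Security policy", "Identity management",
                          "Access control", "Audit logging", "User training"])
    for driver, effect in [
        ("Security policy", "Identity management"),
        ("Security policy", "Access control"),
        ("Security policy", "User training"),
        ("Identity management", "Access control"),
        ("Identity management", "Audit logging"),
        ("Access control", "Audit logging"),
    ]:
        d.add_arrow(driver, effect)
    return d
```

Calling `build_example().priorities()` ranks the constructed themes with the policy header first, since it has the most arrows headed out.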
TREE DIAGRAMS
Purpose: Tree diagrams are used to answer “how to” questions after key issues have been identified
and prioritized. This tool systematically maps out in increasing detail the full range of paths and tasks
that need to be accomplished in order to achieve a primary goal and every related sub goal.
Outcome: A completed tree diagram provides a hierarchical breakdown of goals and means. It gathers
and organizes actions suggested to address key issues. It ensures the team develops actionable plans
tied directly to important goals.
Process: Identify a theme and review key issues.
Working in small groups, team members brainstorm actions and record each action on a single card. Action cards take the form “subject – verb – object.” No reference to the purpose of the action should be recorded on the card. Statements should be as concrete and actionable as possible.
Once completed, the entire team evaluates each card to clarify meaning.
Next, cards are grouped according to the issue they are designed to address.
Group by group, the team considers each card and declares it either “general” or “specific.” General cards are placed on the left side of the board and specific cards on the right side.
It should now be apparent which cards are connected by causal links. Lines are drawn from the general cards to the specific cards, forming a tree chart.
Top down review: The cards are now studied to ensure the linkages are rational, and any new cards needed can be added. The review takes the form, “If we want to accomplish x (general card) and we do y (specific card), will we have achieved our goal?”
Bottom up review: Next the tree is studied from the specific to the general: “If we do a, b, and c (specific cards), will we have achieved our goal?” Additional cards may be added.
Evaluation and Next Steps: Team review may include an analysis of effectiveness and feasibility, which establishes priority actions. High priority actions are integrated into the project plan and become scheduled tasks.
For More Information on the Tools
The definitive reference on these tools and four additional ones completing a collaborative strategic
system is The Memory Jogger Plus+: The Seven Management and Planning Tools by Michael Brassard,
published by GOAL/QPC, 1996.