Friday, December 11, 2009

The 3 'C's in Mobile Website Design

One of the key movements in ensuring a consistent, meaningful, and overall enjoyable mobile website user experience is subscribing to the principles developed by the W3C - The World Wide Web Consortium - for mobile application development. The W3C is founded on the principles that the web should be accessible to all and on as many devices as possible. To realize this, the W3C body of knowledge has developed technical standards and best practices for the development, design, and content authoring. These standards are in the spirit of creating a "One Web" environment that is available on any device.

Creating a mobile-friendly user experience can be challenging. The hardware and network capabilities of the end-user's device create constraints that should be considered when creating mobile content. The "One Web" principle attempts to level the playing field for all. Remember the 3 "C"s for mobile web development:

  • Content - the page layout and information architecture
  • Context - the reason a visitor is coming to the mobile site and their environment at the time of visit
  • Capabilities - the functionality native to the device for viewing the mobile website
Here are a few best practices to consider before building your next mobile website:

The type of content relevant to the desktop user may not be as applicable to the user on-the-go. Visitors on a mobile device aren't interested in browsing. Forget the notion of the "web browser" and think "web finder". Page layout, information architecture, and content syntax are the pillars of keeping a mobile website relevant and accessible for the mobile user.

Minimal navigation (preferably a top nav bar) is a best practice, as is keeping content accessible in as few clicks as possible. Don't bury content too deep in the site. Keeping in mind that the mobile visitor has a very specific goal (i.e. an address, account information, traffic reports), put that content up front and make it easy to navigate. Less really is more when navigating a mobile website.

What is the mobile site visitor's goal? Understanding who the visitor is, why they are coming to the site, and the context in which they are arriving at the site is critical. Even the best mobile user experience fails if the content and context aren't spot on. For example, a bank customer accessing their bank account from a mobile device is probably not interested in learning about new product offerings, but rather in quickly locating a balance, performing a funds transfer, or paying a bill on-line. Keeping the content layout goal-oriented and specific to the goals of a mobile user will create a useful web property for your customers.

Keep the site entry point URIs (Uniform Resource Identifiers) short. Typing a long string can be cumbersome on a mobile device. It's also important to consider that entry points may come from an email or text message received on the mobile device.

Device capabilities are a huge consideration in mobile web development. While the W3C guidelines are based on device-neutral practices they also recognize the importance of checking for device capabilities (whenever possible) and fully exploiting them to enhance the end-user experience. Just as in the desktop world where all sites don't function the same in all browsers, the device a mobile site is accessed on can have a huge impact on the quality of the end-user experience if not handled programmatically. A few things to consider:

  • Not all devices support style sheets. Organize content so that it can be rendered in an easy-to-navigate way without style sheets.

  • Graphics and scripting capabilities: create text-based alternatives for all embedded images and plug-ins.

  • Color contrasting capabilities: information should be conveyable with or without color.

  • Bandwidth is another consideration. The more graphically rich and content-intense a site is, the longer it may take to render (and quite possibly, the more it will cost the end-user).

Limit user input requirements as input mechanisms on mobile devices can be small and cumbersome to use. Tabbing and creating pre-selected values are best. Where possible avoid free-text fields.
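As an added example (not code from the original post), the Python script below turns the device-capability and input guidelines above into an automated check that can be run over a page before it ships: images with no text alternative, plug-in content, free-text inputs, linked style sheets that should be verified with styles disabled, the length of the entry-point URI, and the page weight. The sample markup, the hypothetical URLs, and the two thresholds are my own constructed assumptions, not values from the post.

```python
from html.parser import HTMLParser

# Assumed thresholds (not from the post): what counts as a "short" entry-point
# URI to type on a keypad, and a rough page-weight budget for a metered link.
MAX_ENTRY_URL_LEN = 40
MAX_PAGE_BYTES = 20 * 1024

# Input types that require free-text typing on a small device keypad.
FREE_TEXT_TYPES = {"text", "search", "email", "url", "tel", "password"}

# Constructed sample page for a hypothetical bank's mobile branch locator.
SAMPLE_PAGE = """<html><head><title>Branch Locator</title>
<link rel="stylesheet" href="m.css"></head>
<body><ul><li><a href="/m/balance">Balance</a></li><li><a href="/m/branches">Branches</a></li></ul>
<img src="logo.png" alt="First Bank">
<img src="promo.png">
<form action="/m/branches"><select name="state"><option>CA</option></select>
<input type="text" name="city"><input type="submit" value="Find"></form>
<embed src="map.swf"></body></html>"""


class MobileAudit(HTMLParser):
    """Collects best-practice findings while walking the page's tags."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.stylesheets = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and "alt" not in a:
            # A missing alt attribute means no text alternative; alt="" is
            # acceptable for purely decorative images, so only absence is flagged.
            self.findings.append(f"img '{a.get('src', '?')}' has no alt attribute")
        elif tag in ("object", "embed", "applet"):
            self.findings.append(f"<{tag}> plug-in content needs a text-based alternative")
        elif tag == "input" and a.get("type", "text").lower() in FREE_TEXT_TYPES:
            self.findings.append(f"free-text input '{a.get('name', '?')}': prefer a pre-selected value")
        elif tag == "textarea":
            self.findings.append(f"textarea '{a.get('name', '?')}': free-text entry on a mobile device")
        elif tag == "link" and a.get("rel", "").lower() == "stylesheet":
            self.stylesheets += 1


def audit(html, entry_url):
    """Return the list of findings for one page and the URI visitors type to reach it."""
    parser = MobileAudit()
    parser.feed(html)
    parser.close()
    findings = list(parser.findings)
    if parser.stylesheets:
        findings.append(f"{parser.stylesheets} style sheet(s) linked; confirm the page is navigable with styles disabled")
    if len(entry_url) > MAX_ENTRY_URL_LEN:
        findings.append(f"entry URI is {len(entry_url)} chars; keep it short enough to type")
    size = len(html.encode("utf-8"))
    if size > MAX_PAGE_BYTES:
        findings.append(f"page weight {size} bytes exceeds budget of {MAX_PAGE_BYTES}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGE, "http://m.bank.example/branches"):
        print("-", finding)
```

Run as a script it lists four findings for the constructed page: the promotional image without alt text, the free-text city field, the embedded plug-in, and the style sheet to verify against. Pointing it at a long desktop-style entry URL adds a fifth.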

I've been in web development for most of my career and though the mobile outlet creates new challenges and opportunities, the basic planning and due diligence required to make a site successful are the same no matter the outlet. Would love to hear about the challenges you've overcome launching your mobile website. Please add your comments below.

Thursday, December 3, 2009

Security sells: leverage your security program to boost sales

In today's competitive environment, with the increasing need to show a unique value proposition, a stellar information security program can offer a company a unique differentiator to discuss with their prospective customers. The information security function (along with IT) is typically viewed as a cost center, not a revenue generating arm of the organization. Security tactics are often viewed as a must-do line item to check off the list, not as a competitive advantage. Well, I'd like to change that mindset.

As an information security professional, it can be frustrating when achievements aren't recognized outside of the immediate team (let alone external to the organization). The problem isn't that security achievements are less important than other project achievements. On the contrary, security projects are often mission critical to helping companies avoid negative press, million dollar fines, and the loss of customers. The problem centers around lack of understanding of the value of security initiatives, and how they tie to servicing customers or generating company revenue.

Here are some thoughts on how information security professionals can shine a light on achievements, and position their work as differentiators a company can use to generate more revenue.

Sell Your Strengths: Think about what your company's security strength is and sell it. I'm not talking about giving away the keys to the farm and talking about HOW you are doing things. That would defeat the purpose of having security controls in place. But the basic standard of keeping the bad people out and enabling the authorized users to securely do business has many interesting facets, and there are many ways to achieve this level of security.

I like to call this the art of information security: What your company is doing + How they are doing it = The differentiator

Is it a sophisticated physical security turnstile badging system leveraging the latest technology to reduce manual intervention? Is it enabling your company's regulatory compliance through cutting edge processes and technology? Whether you are in the business of securing bank account information, human resources files, medical records, or customer credit card information, talk about what you are doing that makes your information security program a key to reducing operational waste and gives employees the time to focus on meeting customer expectations.

Case-in-point, one of my clients, a Fortune 500 bank for high net worth individuals and corporations, has a world class access control program in place. Their information security group designed a set of identity management (IdM) processes based on securely enabling business functions. To gain operational efficiencies in system access request and set up, they customized a leading IdM technology and automated much of their IdM workflows.

Why is this important to a bank customer? The SVP of Information Security can tell you why. He can articulate the value that this brings to a bank customer in terms that are meaningful to a customer -- speed of access to critical account reporting applications AND the reassurance that only those authorized are seeing the account information. He's called on by relationship managers to help sell the value of doing business with this bank and communicate the edge this institution has over another. The SVP has the soft skills necessary to navigate a conversation with clients and prospects. And the instinct to know what aspects of the information security program matter most to each client. These soft skills are really the differentiator for his company's information security organization. It's not just about what a security organization is doing but also about how they tie it back to meeting customer expectations.

Develop Soft Skills: Let's face it, information security is technical, and as a result the people that are really passionate about security tend to be very technical. But when that passion comes out in a way that's easy to understand and meaningful to those on the receiving end, you've got a value proposition worth telling would-be customers. The challenge is developing the soft skills necessary to communicate that value proposition. As an information security manager, it's just as important to develop the communication and soft skills in your staff as it is to keep them technically trained and abreast of the emerging threats. These soft skills also come in handy when communicating to executives the funding required to execute your security program goals and why they are important.

I recently had the pleasure of hearing Sara Santerelli, Chief Network Security Officer at Verizon, speak at a conference in October. Sara spoke about the duty that information security managers have to articulate a security program less in terms of tactics and more in terms of long term strategy. This helps executive management understand the drivers, which in turn gains their support and the funding necessary to execute. She also hit on the importance of alignment of your security plan with business goals and defining the trade-off between the cost associated with your security initiatives and the risk of not doing them. All of this articulation requires soft skills and big picture thinking.

Information security is a compelling value proposition if communicated in meaningful terms to prospective customers. In some situations, the CSO can be viewed as an extended arm of the sales team. Whether the title is CSO or VP of Information Security, the people within an information security organization can really help sell the benefits of doing business with the company. In a climate where standing out in the crowd matters, companies should look to their CSO for the extra push needed to turn a prospect into a customer.

How does your information security program help differentiate your company? Comments welcome!

Monday, November 30, 2009

How Information Security Can Help You Sell More Business

As an IT professional, have you ever thought of the Chief Security Officer function as an extended arm of the sales organization? Maybe you should. Whatever the title - CSO, VP of Information Security - these guys and gals can really help sell the benefits of doing business with your company. The number one value prop they can tell your existing clients and prospects - Here's why your sensitive information is safer with us than the competition. These guys can explain why. In today's competitive environment, with the increasing need to show differentiation and a unique value proposition, information security seems like a no-brainer to talk about. Here are a few tips for developing your Information Security Organization into a key differentiator for your company.

Sell Your Strengths: Think about your company's Security strength and sell it. Now, I'm not talking about giving away the keys to the farm and talking about HOW you are doing things. That would defeat the purpose of having security controls in place. But the basic standard of keeping the bad people out and enabling the authorized people to securely do business has many interesting facets and there are many ways to achieve security. I like to call this the "art of information security" - What your company is doing + how they are doing it = differentiator. Is it a sophisticated physical security turnstile badging system leveraging the latest technology to reduce manual intervention? Is it enabling your company's regulatory compliance through cutting edge processes and technology? Whether you are in the business of securing bank account information, human resources files, medical records, or customer credit card information, you can talk about what you are doing and how you are doing it that makes your Information Security Program a key in your company's ability to meet customer expectations.

Case-in-point, one of my clients, a Fortune 500 bank for high net worth individuals and corporations, has a world class Access Control program in place. Their Information Security group designed a set of Identity Management processes based on securely enabling business functions. To gain operational efficiencies in system access request and set up, they customized a leading IdM technology and automated much of their IdM workflows. Why is this important to a bank customer? The SVP of Information Security can tell you why. He can articulate the value that this brings to a bank customer in terms that are meaningful to a customer - Speed of access to critical account reporting applications AND the reassurance that only those authorized are seeing the account information. He's called on by relationship managers to help sell the value of doing business with this bank and communicate the edge this institution has over another. The SVP has the soft skills necessary to navigate a conversation with clients and prospects. And the instinct to know what aspects of the Information Security Program matter most to each client. These soft skills are really the differentiator for his company's Information Security organization. It's not just about what a security organization is doing but also about how they tie it back to meeting customer expectations.

Develop Your People: Let's face it, Information Security is technical. The people that are really passionate about security tend to be very technical. But when that passion comes out in a way that's easy to understand and meaningful to those on the receiving end you've got a value proposition worth telling would-be customers. The challenge is developing the soft skills necessary to communicate that value proposition. As an information security manager it's just as important to develop the communication and soft skills in your staff as it is to keep them technically trained and abreast of the emerging threats. These soft skills also come in handy when communicating to executives the funding required to execute your Security program goals and why they are important. I recently had the pleasure of hearing Sara Santerelli, Chief Network Security Officer at Verizon, speak at a conference in October. Sara spoke about the duty that information security managers have to articulate a security program less in terms of tactics and more in terms of long term strategy. This helps executive management understand the drivers, gains their support, and the funding necessary to execute. She also hit on the importance of alignment of your security plan with business goals and defining the trade-off between the cost associated with your security initiatives and the risk of not doing them. All of this articulation requires soft skills and big picture thinking.

Information Security is a compelling value proposition if communicated in meaningful terms to your customers. I would love to know how you are talking about your Information Security program and how it helps differentiate you. Comments welcome!

Monday, November 16, 2009

Business Innovation Blog Tag Cloud

Wednesday, November 11, 2009

Google Apps For the Family "Enterprise"

My family runs on the Google platform. The same tools that I use every day at work managing projects have proved very effective at home.

We have a shared family Google calendar through Gmail that contains appointments, birthdays, and weekend plans. Some weeks my husband and I are like two ships passing in the night; if it's not on the calendar, it doesn't happen.

I have a 1-year-old with a few different babysitters and nannies. I quickly realized that it was more effective to publish his developmental milestones and instructions once rather than remember who knew what. I didn't have time in the morning to bring someone up to speed. Babies change too quickly! So I created a Google Group especially for my son, fondly known as "Jack's Portal". I invited his caretakers to join and instantly had a group email address I could use to reach them all at once (which comes in handy when I need to send an emergency babysitting request). I use the Discussion Group to store eating habits, nap schedules, and important contact information.

I've also created a shared nanny/babysitting calendar where each person can self manage the dates they are available to watch my son. This gets me out of the business of managing a schedule and acting as middle man when someone needs to change days. It's brilliant! The caretakers just pick the dates that work best and add it to the schedule.

Thank you Google for giving me tools that are practical, easy to use, and transferable between work and home life!

Would love to hear comments on how your family uses technology to make life easier.

Tuesday, September 15, 2009

How to Deliver Successful Projects: Have a Dialogue

Talk, talk, talk, and then ... talk some more. You cannot talk enough when you're leading any type of change management effort. And that's what a technology project boils down to -- implementing a change to the way things are today. So how do you manage your change efforts? What should you talk about? And to whom should you talk? My company uses John Kotter's Eight Stages of Change as a framework for structuring the conversation with those involved in projects. Here are some guidelines for getting your conversations started.

Do your homework before you start talking ...
Create Urgency: You may have communicated the purpose of your project, but does it have teeth? Paint a picture of what happens if you don't complete the project. What happens if the status quo remains? And what are the benefits that can be realized when the project is done? Often the improvement is crystal clear to technologists, but murky for others. Especially if the project is something ambiguous to a non-technical business counterpart, such as an infrastructure upgrade or an information security tactic.

Create a Vision: Realized benefits are a great way to frame how your project will make the world a better place (at least the world inside the walls of your organization). Give thought to the bigger picture of your project, so that you can paint the "future state" for your stakeholders. Whether your project will result in internal or external customer facing deliverables, painting a picture -- early and often -- is critical for gaining acceptance.

Form a Guiding Coalition: Formally organizing internal support is extremely important, because it helps sow the seeds of change. We've all heard of steering committees. Well, let's put them to work. First, it's important to get the right people on-board -- those who will help you sow the seeds of change. Ask yourself: How can they help spread the message about the project vision? How can they help contribute to defining the vision, so that it speaks to and resonates with the needs of a particular business area or customer segment? A guiding coalition is important, but the team won't work without a sponsor, leader, or visionary enlisted for the long haul. This is the person continuously driving the vision forward and helping the project team stay the course.

Start Talking ...
Communicate the Vision: Talking about your vision isn't a one-time event done via a mass e-mail. You need a plan that identifies who, when, how, and how often they should hear your message. Look for opportunities to get your vision in front of people -- status meetings, town halls, or messages and alerts in an existing system of upcoming milestones. This is not only an opportunity to communicate, but also an opportunity to sell. And like it or not, your vision is for sale. Your buyers are the people impacted by the changes, and also those individuals whose help you need for the project to be a success.

Get others talking (and doing) ...
Empower Others to Act on the Vision: You may be wondering who is the "you" that I keep referring to in this post. It's anyone and everyone who has a role in contributing to the goals of the project. The guiding coalition helps define the vision and pushes it forward. But in order for the vision to be a reality, others need to get on-board. If people feel boxed in, not supported by management or peers, or lacking access to the necessary tools, your project will fail. Make sure the barriers are removed so others can act on your vision.

Plan for and Create Short Term Wins: This is a great way to start showing progress and proving your theories. It also helps everyone realize that their effort is valuable while keeping momentum going. Think about your project plans in terms of, "how quickly can I get something useful out?" "Useful" doesn't have to mean "perfect"; you can always fine tune later. But showing visible progress sooner, even with a few warts, will provide great insights early-on into what is really important to your stakeholders. This allows your team to correct the course sooner, so be sure to create a formal feedback process to capture stakeholder input.

Don't Declare Victory Too Soon, Sustain the Momentum for Change: We've all experienced it – the anticipation of the much celebrated release party. Celebrating milestones is important, but equally as crucial is being cautious to not signify "it's over". The real work begins when the initial visible change is released outside the project team. That's when things really get started and when it's important to keep up the momentum. Change isn't easy and it's not a static, one-time event.

Institutionalize The New Approaches: We call this "business as usual". If you are implementing something new (technology, process or both), you want it to become the new method of operation. Repetition and reinforcement makes something new feel natural, as if it was the way it had always been. So, you haven't talked enough until you feel like a broken record, and others are repeating your messages and finishing your sentences.

As always, looking forward to any comments and knowledge sharing on the topic!

Wednesday, September 2, 2009

RBAC...Why Bother? 4 Reasons to Start an RBAC Program Today

Role Based Access Control (RBAC) is the process of granting people within similar job functions the same access to resources (systems, data, etc.) required to do their job. The concept centers on putting the logical grouping of resource access into business-friendly terms. These resource access groupings are called "roles". It's a daunting task when you consider all the various systems that can exist within an enterprise: there are the common applications everyone uses, like email, the company portal, and conference scheduling systems, and then the one-offs that are very specific to performing a job function, such as HR payroll processing apps, CRM tools for sales personnel, and other business-specific applications. So why do it? What are the benefits?

Simplification
The process of ensuring that new hires have access to what they need when they need it on day one is not easy. Often it requires several system set up requests before the right access is granted. Not to mention decomposing what someone else in a similar job function has access to. Wouldn't it be easier to have access automatically granted based on the job function someone is in? It's not an "auto-magic" process. There is upfront work involved in establishing the link between job function and system access needs. But once it's done (and the maintenance process is established) the on-boarding of new hires and department transfers becomes a lot easier and quicker.
Action: Get a sense for how much work you are in for. Look at a slice of the enterprise - one job function within one business unit or department. Analyze the system access granted to a few people within the same job function.

Consistency
Even if you know what access is required to do your job, the process for getting that access established may vary. You make a phone call to so-and-so to get access to system A, send an email to a mail group to get access to system B, and submit a request through an intranet-based system to get access to system C. Sound familiar? With all of these disconnected and differing processes for granting access, how can an organization know that the appropriate scrutiny is being applied to verifying who SHOULD have access to certain applications and information? Is the same approval required for all resource access? In an RBAC environment the role setup process is defined and can evolve as necessary. Based on the specific requirements of an organization, the proper controls required for assigning access by job function are established and consistently applied each time that role is requested for a person, ensuring the right level of approval is applied.
Action: Pick a set of applications and for each ask the question "Who needs to know who is accessing this application?". If the answer results in a Visio diagram, consistency is important.

Accountability
Central to an RBAC model is the governance. Governance takes the form of placing accountability for role definition with those most appropriate to validate what a role should have access to. For roles mapped to job functions, that means accountability is placed within the business unit or department where that job function exists. Using business-friendly terminology to link a system access permission to a job function is also key. Those accountable for making sure people in that role have what they need must understand what the underlying components of a role are.
Action: How easily understood is the system access terminology within your organization? Take one application and create business friendly descriptions to describe the access levels. This will kick start the analysis necessary for establishing a framework to maintain these business friendly descriptions.

Risk Mitigation
If it wasn't apparent already, all of the above are risk mitigation tactics. The easier and more consistently something can be done, the more predictable the outcome. Predictability helps control risk. An RBAC model reduces the risk that inappropriate access is granted to or retained by someone that shouldn't have it. RBAC is a key control in information protection.

What benefits has your organization seen from an RBAC implementation?
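The "Simplification" action above (look at one job function, compare what a few people in it actually hold) and the consistency and risk-mitigation points can be shown in working code. The following Python is an added example, not code from the post or from any IdM product: `mine_role` derives a candidate role from the entitlements a small group already has and reports both extra access that should be reviewed and access that is missing, and the `Rbac` class then grants access only through defined roles, each with a fixed approver. The people, systems, entitlement names and the 75% threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample data (not from the post): the direct system entitlements
# four people in one job function ("teller") in one branch hold today.
CURRENT_ENTITLEMENTS = {
    "alice": {"email", "portal", "teller-app:view", "teller-app:transact"},
    "bob":   {"email", "portal", "teller-app:view", "teller-app:transact"},
    "carol": {"email", "portal", "teller-app:view", "teller-app:transact", "hr-payroll:admin"},
    "dave":  {"email", "portal", "teller-app:view"},
}


def mine_role(entitlements, threshold=0.75):
    """Derive a candidate role from what people in one job function already hold.

    An entitlement held by at least `threshold` of the group goes into the role.
    Returns (role, extras, missing): extras are per-person entitlements outside
    the role (review for inappropriate or stale access); missing are role
    entitlements a person lacks (incomplete provisioning).
    """
    n = len(entitlements)
    counts = Counter(e for ents in entitlements.values() for e in ents)
    role = {e for e, c in counts.items() if c / n >= threshold}
    extras = {p: sorted(ents - role) for p, ents in entitlements.items() if ents - role}
    missing = {p: sorted(role - ents) for p, ents in entitlements.items() if role - ents}
    return role, extras, missing


class Rbac:
    """Minimal role-based access control with one required approver per role."""

    def __init__(self):
        self.roles = {}        # role name -> set of permissions
        self.approvers = {}    # role name -> who must approve an assignment
        self.assignments = {}  # user -> set of role names

    def define_role(self, name, permissions, approver):
        self.roles[name] = set(permissions)
        self.approvers[name] = approver

    def assign(self, user, role, approved_by):
        # Consistency: the same approval is required every time the role is requested.
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        if approved_by != self.approvers[role]:
            raise PermissionError(f"role {role!r} must be approved by {self.approvers[role]!r}")
        self.assignments.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        # A department transfer is a role swap, so nothing lingers from the old job.
        self.assignments.get(user, set()).discard(role)

    def permissions(self, user):
        return set().union(*(self.roles[r] for r in self.assignments.get(user, ())))

    def can(self, user, permission):
        return permission in self.permissions(user)


if __name__ == "__main__":
    role, extras, missing = mine_role(CURRENT_ENTITLEMENTS)
    print("candidate teller role:", sorted(role))
    print("extra access to review:", extras)     # carol's payroll admin right
    print("missing access:", missing)            # dave never got transact
    rbac = Rbac()
    rbac.define_role("teller", role, approver="branch-ops-manager")
    rbac.assign("erin", "teller", approved_by="branch-ops-manager")
    print("erin can transact:", rbac.can("erin", "teller-app:transact"))
```

On the sample data the mined role is the four entitlements shared by the tellers; Carol's payroll administration right surfaces as access to review, and Dave's missing transaction right shows the day-one provisioning gap the post describes. A new hire then receives exactly the role, and an assignment without the designated approver is refused rather than silently granted.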

Friday, August 21, 2009

How Mature Is Your Identity Management Program?

Identity Management maturity can be defined by 4 levels that include aspects of people, process, and technology. Because of this, moving along the continuum requires the commitment of senior leadership to support the organizational changes required. The following presentation summarizes the framework for determining maturity and provides suggestions for advancing between levels.


Thursday, August 20, 2009

Stop Wasting Money Writing System Requirements

IT has long been looked to as the technical solution provider for business problems. But the assumption that is often made is that the business problem is already well understood and the business processes that drive the technical requirements are known... by someone. I continually run into the situation where a team is beginning the business requirements definition effort and developing system Use Cases only to discover it's not that straightforward. The entire business process that the technology will support has not been thought through and there are gaps in knowledge around some areas of the business process. How can this be addressed before valuable time and money are wasted spinning on requirements? Here are a few suggestions:

Every IT project should start with business process definition. It's no longer IT's responsibility to only handle the system requirements definition side of the equation. Start thinking in terms of process steps, roles, and responsibilities. Once these are defined, the role of the system and how it should behave becomes more clear. The same skill set that it takes to identify system requirements is highly transferable to defining business process. Stakeholder engagement, meeting facilitation, communication skills, and clear, concise documentation abilities are all the qualities of a solid business AND process analyst.

Run an agile project. By adopting the basic principles and philosophy of the agile scrum framework your team can get to "doing" faster with "just enough" documentation in place to make it productive. Once the business process is well understood, create a backlog with the goals the system should allow each type of system user to achieve. Define requirements in more detail as part of each development sprint. Start the sprint with a few upfront requirements tasks then continue to refine the requirements as a team through the build-demo-adapt process. The role of the BA in the demo meetings is to capture requirements and decisions made. By the end of each sprint you can have a requirements document that matches exactly what was built. This avoids spending months in lengthy requirements gathering sessions trying to predict in excruciating detail today how you want the system to work a few months from now.

These are a few ideas that have worked well on my projects. Join the conversation! What are you doing that's worked well (or not so well)?

Wednesday, August 12, 2009

SaaS - Making the Right Choice for Your Company

Software as a Service (SaaS) is gaining more ground as a viable option for addressing IT needs in companies of all sizes; it is no longer looked at only by SMBs as the low-cost alternative to expensive custom software solutions. Before you jump into a SaaS solution, it's important to do your homework, both on the SaaS provider and within your own company. Here are a few things to consider:

Know what SaaS is (and is not)
In basic terms, SaaS is subscription-based software accessible over a network (i.e. the Internet). The SaaS vendor assumes maintenance responsibility for all hardware and software components. The obvious benefit is that a company or subscriber gets the functionality they need without the IT overhead associated with an in-house application: hardware costs and maintenance, software support. The downside is that the customer does lose some control. As a customer you may be limited to the customization options available within the base software solution. You also need to be aware of how your data is stored and how accessible it is to you.

The SaaS Vendor's Maturity
In a recent Forrester research report, SaaS vendor maturity can be defined as:

  • Level 0: Outsourcing is not SaaS. In outsourcing, a service provider operates a major application or a unique application landscape for a large enterprise customer. As the outsourcing company can't leverage this application for a second customer, outsourcing does not qualify as SaaS.

  • Level 1: Manual ASP business models target midsize companies. At level 1, a hosting provider runs packaged applications like SAP's ERP 6.0, which require significant IT skills, for multiple midsize enterprises. Usually, each client has a dedicated server running its instance of the application and is able to customize the installation in the same way as self-hosted applications.

  • Level 2: Industrial ASPs cut the operating costs of packaged applications to a minimum. At level 2, an ASP uses sophisticated IT management software to provide identical software packages with customer-specific configurations to many SMB customers. However, the software package is still the same software that was originally created for self-hosted deployment.

  • Level 3: Single-app SaaS is an alternative to traditional packaged applications. At level 3, software vendors create new generations of business applications that have SaaS capabilities built in. Web-based user interface (UI) concepts and the ability to serve a huge number of tenants with one, scalable infrastructure are typical characteristics. Customization is restricted to configuration. Single-app SaaS adoption thus focuses on SMBs. Salesforce.com's CRM application initially entered the market at this level.

  • Level 4: Business-domain SaaS provides all the applications for an entire business domain. At level 4, an advanced SaaS vendor provides not only a well-defined business application but also a platform for additional business logic. This complements the original single application of the previous level with third-party packaged SaaS solutions and even custom extensions. The model even satisfies the requirements of large enterprises, which can migrate a complete business domain like "customer care" toward SaaS.

  • Level 5: Dynamic Business Apps-as-a-service is the visionary target. Forrester's Dynamic Business Application imperative embraces a new paradigm of application development: "design for people, build for change." At level 5, advanced SaaS vendors coming from level 4 will provide a comprehensive application and integration platform on demand, which they will prepopulate with business applications or business services. They can compose tenant-specific and even user-specific business applications on various levels. The resulting process agility will attract everyone, including large enterprise customers.
Your Requirements:
How flexible are they? Do you know what your must-haves are? The benefits of many SaaS options can also be drawbacks if you haven't taken the time to figure out what you are really looking for. Customization is often limited, and some of your business processes may require specialized features or functionality. Make sure your business process is well defined and understood before looking at vendors. Regardless of how flexible your business process is, there are always a few requirements that must be met.

Vendor Evaluation Criteria:
Give careful thought to the specifics you will rate a SaaS vendor against. Categories that should be part of any SaaS vendor evaluation include (but are not limited to):
  1. Price

  2. Alignment with functional requirements and business process requirements

  3. Usability

  4. Technical Requirements such as
    –Security (how tenants are isolated from one another, how data is protected in transit and at rest, how your users authenticate, and how and when the vendor will tell you about a breach)
    –Data Storage and Accessibility (where your data lives, how you export it, and what happens to it when the contract ends)
    –Disaster Recovery
    –Custom Reporting
    –Integration
    –Customization

  5. Support SLAs

  6. Professional Services

  7. Vendor Viability

  8. Regulatory Compliance
Before you make an investment in a SaaS solution, do your homework and take the time to internally discuss what your must-haves are. Having a clear idea of the business problems a SaaS solution should address will make the selection process clearer.

I'd love to add to this list of SaaS vendor considerations. What was helpful in your SaaS vendor evaluation?

Friday, June 5, 2009

Identity Management: How to Get Started

We are in a constant state of change. Mergers and acquisitions, re-orgs, new hires, and terminations create a lot of change to keep track of, and every change that isn't tracked is an opening for an information security threat; the classic example is the departed employee whose accounts are still active. It's difficult to control all the pieces. To further add to the complexity, the workforce is changing. Workers expect remote capabilities, are collaborating in virtual teams, and teams are made up of internal employees, external contract/temporary workers, and strategic business partners. Physical walls don't exist anymore, making it even more difficult to control things. Identity Management (IdM) solutions can help companies manage change and control the chaos.

In the simplest terms, Identity Management is the process by which user access is assigned to technology assets (hardware, software, services, files, collections of data, etc.). This process can be done manually, automated, or some combination of both.

In environments where the people and technology assets are constantly changing it’s important to have the right controls in place for ensuring that the right people have access to the right information at the right time. So... are you ready to get started? Here are some guidelines to get the ball rolling:

Develop a Business Process Driven Solution
Good Identity Management solutions are business process driven, not IT driven. Meaning, the processes for creating and maintaining identities should align with the on-boarding and off-boarding processes already in place, or with the way you want those processes to work. It should also support the full scope of "people" within your organization, i.e. employees, temporary workers, customers, business partners. Different types may require different processes. A well thought through IdM process considers how the following will be executed:

1. Identity creation and maintenance – the creation and assignment of an identity record to an actual person, and keeping that record current as the person changes roles or leaves
2. Access Request – the information required to determine the access to grant an identity
3. Approvals – those required to approve requests for access to information
4. Provisioning – the actual granting of access to the identity
5. Certification – the periodic review and validation of access granted to an identity
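
The five steps above, as a small worked example added here (this is not code from the original post or from any IdM product). It models a single store of identities and entitlements in Python; the class and method names, the 90-day review period, and the sample users and the "payroll-db" resource are all assumptions made for the illustration. It enforces the controls a practitioner expects at each step (only active identities can request access, the resource owner approves and nobody approves their own request, nothing is provisioned before approval) and then runs a certification pass that flags the three things access review most often turns up: access approved long ago and never re-reviewed, access created directly in a target system with no approval record, and access still present in a target system after the person was off-boarded.

```python
# Added example: class names, the 90-day review period and the sample data are
# assumptions made for illustration; this is not code from any real IdM product.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_PERIOD = timedelta(days=90)  # assumed: re-certify access every 90 days

@dataclass
class Entitlement:
    uid: str
    resource: str
    granted_on: date
    approved_by: Optional[str]  # None = no approval record exists
    justification: str = ""

class IdentityStore:
    def __init__(self, resource_owners):
        self.owners = dict(resource_owners)  # resource -> uid of the approving owner
        self.identities = {}                 # uid -> "active" or "terminated"
        self.entitlements = []               # provisioned access, one Entitlement each
        self.pending = {}                    # request id -> (uid, resource, justification)
        self._next_id = 1

    # 1. Identity creation and maintenance
    def create_identity(self, uid):
        self.identities[uid] = "active"

    def terminate(self, uid):
        """Off-boarding: mark the identity terminated and revoke its recorded access."""
        self.identities[uid] = "terminated"
        self.entitlements = [e for e in self.entitlements if e.uid != uid]

    # 2. Access request: active identities only, known resources only, a stated reason
    def request_access(self, uid, resource, justification):
        if self.identities.get(uid) != "active":
            raise PermissionError(f"{uid} is not an active identity")
        if resource not in self.owners:
            raise KeyError(f"unknown resource {resource}")
        if not justification.strip():
            raise ValueError("a business justification is required")
        rid = self._next_id
        self._next_id += 1
        self.pending[rid] = (uid, resource, justification)
        return rid

    # 3. Approval by the resource owner (never by the requester), which
    # 4. provisions the access as a recorded entitlement
    def approve(self, rid, approver, today):
        uid, resource, justification = self.pending[rid]
        if approver == uid:
            raise PermissionError("requesters cannot approve their own access")
        if approver != self.owners[resource]:
            raise PermissionError(f"{approver} does not own {resource}")
        del self.pending[rid]
        self.entitlements.append(Entitlement(uid, resource, today, approver, justification))

    def has_access(self, uid, resource):
        return any(e.uid == uid and e.resource == resource for e in self.entitlements)

    def reconcile_from_target(self, uid, resource, seen_on):
        """Record access found in a target system that this store never granted."""
        if not self.has_access(uid, resource):
            self.entitlements.append(Entitlement(uid, resource, seen_on, None))

    # 5. Certification: periodic review of every entitlement
    def certify(self, today):
        findings = []
        for e in self.entitlements:
            if self.identities.get(e.uid) != "active":
                findings.append(("terminated-holder", e.uid, e.resource))
            elif e.approved_by is None:
                findings.append(("no-approval-record", e.uid, e.resource))
            elif today - e.granted_on > REVIEW_PERIOD:
                findings.append(("review-overdue", e.uid, e.resource))
        return findings

def demo():
    """Constructed scenario (sample users and resource); returns the certification findings."""
    today = date(2009, 6, 5)
    store = IdentityStore({"payroll-db": "alice"})
    for uid in ("alice", "bob", "carol", "dave"):
        store.create_identity(uid)
    rid = store.request_access("carol", "payroll-db", "monthly close")
    store.approve(rid, "alice", today - timedelta(days=200))  # approved long ago, never re-reviewed
    rid = store.request_access("bob", "payroll-db", "Q2 audit support")
    try:
        store.approve(rid, "bob", today)                      # self-approval is rejected
    except PermissionError:
        pass
    store.approve(rid, "alice", today)                        # the resource owner approves
    store.reconcile_from_target("dave", "payroll-db", today)  # account created directly in the DB
    store.terminate("bob")                                    # off-boarding revokes recorded access...
    store.reconcile_from_target("bob", "payroll-db", today)   # ...but the DB still has his account
    return store.certify(today)

if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

The reconciliation step is what makes certification worth doing: if the store only ever saw access it granted itself, it could never notice the account a DBA created by hand or the one off-boarding failed to remove in the target system. Real products pull these "orphan" accounts from the target systems on a schedule; here the same idea is reduced to one method so the review logic stays visible.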

Identify Your Data Sources
The only way to protect the information is to know where the information resides. Identify the critical information, determine ownership, and begin the process of cleaning the data. Start with the highest risk areas first to manage scope. It’s easier said than done but it’s a critical first step.

Secure the Right Support
Identity Management has to be a strategic priority to be successful. It’s going to require funding, at some point, and people’s time – outside their normal day-to-day responsibilities - to make IdM successful. You can’t get buy-in for something that’s not well understood. Educate people on what IdM is and speak in terms that are meaningful to them. How will this make their job easier? How will it make them get from point A to B faster? Don’t expect people to make the leap on their own to connect all the dots. Make sure executives and management understand the benefits and what’s involved. Give them the information they need to evangelize the solution.

Create an Oversight Function
IdM is not something that gets implemented and hums along on its own. Like most processes it takes care and feeding. It takes someone focusing on the big picture and periodically assessing how well all of the subprocesses are working together and when changes are needed. This function maintains the requirements of the IdM solution and sees that the solution evolves with the needs of the business.

Develop an Onboarding Process
Consider how you handle bringing new access permissions and applications into the process on an on-going basis. Define the work required to on-board a new application and the resources required to make it happen.

Evaluate Automation Tools
Based on the needs of your organization, consider the technologies that exist to automate the access request process and the provisioning of access. Or is a custom-built solution more fitting? More to come in a future blog on the IdM vendor landscape, how to pick the right tool, and determining buy vs. build.

Identity Management is a growing space that has become even more important in today's regulatory environment. Review these guidelines with your organization in mind. Take what seems appropriate and adapt it to your situation.

Tuesday, June 2, 2009

Win an iPod Touch!

Win an iPod Touch!!! Solstice Consulting is conducting a social media experiment and we want your participation. Our goal is to get 500 fans added to the Solstice Consulting Facebook fan page in the next 5 days. What's the hook?? Besides staying in the loop on all the latest and greatest Solstice news and being part of an elite fan club, all those that become a fan are eligible to win one of 3 iPod Touches! The winners will be announced on the Solstice Facebook Fan page on Monday June 8th. Click here to become a fan of Solstice Consulting: http://www.facebook.com/home.php?ref=home#/pages/Chicago-IL/Solstice-Consulting/80947639113

Evolving Your Identity Management Program

Not able to attend my presentation at Financial Information Security Decisions on June 9th in NYC? Check out what I'll be talking about:

Thursday, April 30, 2009

Doing More with Less

WITH COST CUTTING EVERYWHERE THESE DAYS, PRIORITIZING IT SPEND HAS BECOME MORE CRITICAL THAN EVER.

To survive, IT managers need to find creative ways to meet customer expectations while keeping an eye on the bottom line. Many companies look at Open Source, SaaS and the Cloud for alternative software/hardware/development solutions to achieve strategic goals.

Yes, there are still some negative perceptions associated with implementing these options within the enterprise. Security, support, and customization capabilities are a few of the concerns that top the list. However, if a thoughtful decision making process is followed when working with these solutions, the perceived risks pale in comparison to the cost-benefit realization.

In a recent blog post my colleague offered up some great guidelines for choosing the right low-cost or free technology alternative for your enterprise. We are also publishing some guidelines for ensuring that a thoughtful decision-making process is followed. Stay tuned or send me an email (kmanthey@solstice-consulting.com) if you’d like an advance copy.

So while Open Source, SaaS, and Cloud based solutions gain momentum as viable options for the enterprise, no matter the technical solution, the question of business impact and the costs associated with transitioning the enterprise from old to new needs to be considered. What can you do to minimize end-user impact when implementing these technical alternatives? Read on….

First, change the things the end users never see. Dip your toes in the water by transitioning lowest level infrastructure pieces first. Transitioning to an open source database solution or building a testing environment in the cloud are not likely changes that end-users will notice.

Take a lesson from Google: use the beta label to your advantage. When introducing a new technology, look to your end-users as co-creators. Acknowledge that it’s not perfect yet, but that with some help from those who use it most it can be. The effect of end-users seeing their suggestions become functionality will be infectious. The positive internal PR generated by these people will help promote the tool, ease its adoption by others, and help bring a more intuitive application to the enterprise that in turn requires less hand-holding and end-user training.

Enlist champions and give them responsibility. You can use beta labeling to organically create product champions, or you can identify and enlist people up front. Whatever you’re trying to implement, an OSS application server, a SaaS CRM tool, or anything else, identify people from the stakeholder community who can help sow the seeds of change within their area of influence. Give the champions the responsibility of helping their functional area or business unit embrace and understand the new technology. You’ve now gained subject matter experts in each area who can lend the personal touch to helping with adoption issues.

Thoughtfully embracing low/no-cost technology alternatives coupled with strategies for leveraging your own resources to minimize end-user impact creates an unbeatable value proposition.

How are you being creative about your IT solutions so that you can achieve your goals while going easy on the budget?

Thursday, April 2, 2009

The Art of Software Development

My company and our consultants have been using Scrum and Agile techniques on both internal and client projects for years. Our adoption has been ad hoc and often behind the scenes, without anyone knowing that's what we were doing. Things just got done. I have had the pleasure of taking two days to formally learn the Scrum framework and become a certified Scrum Master. I am using the training to pull all the techniques together and gain a better understanding of how to best use the Scrum theory of delivery with my client projects.

During the training I had an "AH HA" moment (as Oprah puts it): software/product development is an art, NOT a science! The principles of Scrum center on communication, collaboration, and a feedback loop with stakeholders to produce a quality product in a short period of time. Notice I didn't mention anything about stages, gates, documentation, or sign-off. Not that a paper trail can't be produced along the way, but Scrum is more about focusing team energy on getting a usable product out the door than on hashing out the right requirements in a document.

With Waterfall there is a certain amount of risk mitigation built into the formality of the sign-off process. If the requirements are written down and stakeholders sign off, the risk of not getting the requirements right shifts from the development team to the stakeholders. From the development team's perspective: "They (the stakeholders) told us what they wanted and here's the proof." In Scrum, people collaborate and come up with the requirements together. The stakeholders provide some high-level product requirements and priorities to set the direction, and the team uses demos and stakeholder feedback to make sure they get it right. It's so simple and uncomplicated!

The Scrum Master is really more team psychologist than project manager, tasked with enabling each team member to speak his mind and fostering a sense of shared ownership of the team's goal, not poring over the Help documentation in MS Project to figure out how to do resource leveling. Team members and stakeholders (via the Product Owner) communicate directly instead of through the formality of requirements documents and change requests. Imagine what is possible when everyone is collaborating and developing solutions together, and all the innovation that different perspectives can bring! I'll admit, I may be a little drunk on the Scrum Kool-Aid right now, but what were we thinking, taking the human element out of software development and communicating through documentation that quickly gets outdated?

Agile or Waterfall - What is your company doing?

Take my LinkedIn Poll and let me know your thoughts:
http://polls.linkedin.com/p/30879/kgncy

Tuesday, February 17, 2009

What I've Learned

So I've been talking to thought leaders, technologists, and subject matter experts in Identity and Access Management for a little over a month now. I wanted to share some of what people are telling me. In researching how IT can help the business embrace IAM and sell its value, a few common themes have emerged. Here's a sneak peek:


  • IT should lead and wants to lead - no one denies IAM projects are technically complex and, frankly, not that interesting to the business. Most folks I talked to agreed that it's the role of IT, more specifically Information Security teams, to explain the risks of not doing the work and to talk about the benefits in terms of value to the customer.

  • Technology doesn't solve problems...people do - business process drives what IAM technology supports. If your identity administration processes were unclear and lacking accountability before you implemented a new technology, the process gaps will only become more painful once they are rolled into a slicker workflow tool. Devote the time to define processes, include the right people in process design, and establish process ownership.

  • Perception is reality - if people don't see the value right out of the gate, IAM initiatives can be viewed as just another "IT project" guzzling capital dollars. Involve those impacted right from the start, give them a voice in how the solution evolves, and ask them to get others on board by helping to sell the value within their own functional areas.

More to come.....it's getting interesting........

Monday, January 5, 2009

IDENTITIES ARE PEOPLE TOO

There’s a people side of the equation that’s all too often overlooked when companies implement a new IT solution and expect it to be embraced. The people impacted may not want to use it because they don’t know how or they don’t fully understand the value. Sound familiar?

I have spent the past two years working in the Identity and Access Management (IAM) space – more specifically the User Administration and Auditing aspects of IAM. These areas of IAM cover the requesting, approval, granting or provisioning, and verification of system access for an identity. When you consider that these aspects of IAM are the most visible to the organization and have a direct impact on the ability to carry out day-to-day responsibilities, it seems that any improvements to these processes and technologies would be embraced. However, this isn’t always the case.

How many business folks really understand IAM and how these concepts impact them? IAM can be very ambiguous to those on the business side, and therefore just not that easily embraced.

Identity and Access Management projects are most often driven by technology departments. Business sponsorship may be weak or completely non-existent. Business drivers aren’t always well communicated. The actual "people" impacted by IAM initiatives are often forgotten as the concepts and terminology of IAM are more technology focused. The constant reference to “identities” instead of “people” can further de-humanize the IAM effort.

The outcome of an IAM project should be viewed as a win-win for both the IT and business sides of an organization. Information Security has a centralized point for maintaining the "keys to the kingdom" and the business users are provided with a slick web interface and processes for requesting system access, as well as ensuring access remains current.

But when and how should the "win-wins" be communicated? And, am I accurate in suggesting that this communication will make or break the success of an IAM implementation?

To support an article on this topic I am writing for industry publications, I'd like to solicit your comments and help me to find answers to these questions:

1. What role does the IT organization play in breaking down the techie speak and ambiguity associated with IAM?
2. How can IT help sell the value of IAM to the business users?
3. How can business engagement be secured and maintained throughout an IAM effort?

The goal of my research is to define best practices for overcoming these implementation issues, helping to make IAM initiatives successfully deployed across the enterprise.

Looking forward to hearing your thoughts!