Tuesday, September 15, 2009

How to Deliver Successful Projects: Have a Dialogue

Talk, talk, talk, and then ... talk some more. You cannot talk enough when you're leading any type of change management effort. And that's what a technology project boils down to -- implementing a change to the way things are today. So how do you manage your change efforts? What should you talk about? And to whom should you talk? My company uses John Kotter's Eight Stages of Change as a framework for structuring the conversation with those involved in projects. Here are some guidelines for getting your conversations started.

Do your homework before you start talking ...
Create Urgency: You may have communicated the purpose of your project, but does it have teeth? Paint a picture of what happens if you don't complete the project. What happens if the status quo remains? And what are the benefits that can be realized when the project is done? Often the improvement is crystal clear to technologists, but murky for others. Especially if the project is something ambiguous to a non-technical business counterpart, such as an infrastructure upgrade or an information security tactic.

Create a Vision: Realized benefits are a great way to frame how your project will make the world a better place (at least the world inside the walls of your organization). Give thought to the bigger picture of your project, so that you can paint the "future state" for your stakeholders. Whether your project will result in internal or external customer facing deliverables, painting a picture -- early and often -- is critical for gaining acceptance.

Form a Guiding Coalition: Formally organizing internal support is extremely important, because it helps sow the seeds of change. We've all heard of steering committees. Well, let's put them to work. First, it's important to get the right people on-board -- those who will help you sow the seeds of change. Ask yourself: How can they help spread the message about the project vision? How can they help contribute to defining the vision, so that it speaks to and resonates with the needs of a particular business area or customer segment? A guiding coalition is important, but the team won't work without a sponsor, leader, or visionary enlisted for the long haul. This is the person continuously driving the vision forward and helping the project team stay the course.

Start Talking ...
Communicate the Vision: Talking about your vision isn't a one-time event done via a mass e-mail. You need a plan that identifies who, when, how, and how often they should hear your message. Look for opportunities to get your vision in front of people -- status meetings, town halls, or messages and alerts in an existing system of upcoming milestones. This is not only an opportunity to communicate, but also an opportunity to sell. And like it or not, your vision is for sale. Your buyers are the people impacted by the changes, and also those individuals whose help you need for the project to be a success.

Get others talking (and doing) ...
Empower Others to Act on the Vision: You may be wondering who is the "you" that I keep referring to in this post. It's anyone and everyone who has a role in contributing to the goals of the project. The guiding coalition helps define the vision and pushes it forward. But in order for the vision to be a reality, others need to get on-board. If people feel boxed in, not supported by management or peers, or lacking access to the necessary tools, your project will fail. Make sure the barriers are removed so others can act on your vision.

Plan for and Create Short Term Wins: This is a great way to start showing progress and proving your theories. It also helps everyone realize that their effort is valuable while keeping momentum going. Think about your project plans in terms of, "how quickly can I get something useful out?" "Useful" doesn't have to mean "perfect"; you can always fine tune later. But showing visible progress sooner, even with a few warts, will provide great insights early-on into what is really important to your stakeholders. This allows your team to correct the course sooner, so be sure to create a formal feedback process to capture stakeholder input.

Don't Declare Victory Too Soon, Sustain the Momentum for Change: We've all experienced it – the anticipation of the much celebrated release party. Celebrating milestones is important, but equally as crucial is being cautious to not signify "it's over". The real work begins when the initial visible change is released outside the project team. That's when things really get started and when it's important to keep up the momentum. Change isn't easy and it's not a static, one-time event.

Institutionalize The New Approaches: We call this "business as usual". If you are implementing something new (technology, process or both), you want it to become the new method of operation. Repetition and reinforcement makes something new feel natural, as if it was the way it had always been. So, you haven't talked enough until you feel like a broken record, and others are repeating your messages and finishing your sentences.

As always, looking forward to any comments and knowledge sharing on the topic!

Wednesday, September 2, 2009

RBAC...Why Bother? 4 Reasons to Start an RBAC Program Today

Role Based Access Control (RBAC) is the process of granting people within similar job functions the same access to resources (systems, data etc..) required to do their job. The concept centers on putting into business friendly terms the logical grouping of resource access. These resource access groupings are called "roles". It's a daunting task when you consider all the various systems that can exist within an enterprise - there are the common applications everyone uses like email, the company portal, conference scheduling systems. And the one-offs that are very specific to performing a job function - HR payroll processing apps, CRM tools for Sales personnel, other business specific applications... So why do it? What are the benefits?

The process of ensuring that new hires have access to what they need when they need it on day one is not easy. Often it requires several system set up requests before the right access is granted. Not to mention decomposing what someone else in a similar job function has access to. Wouldn't it be easier to have access automatically granted based on the job function someone is in? It's not an "auto-magic" process. There is upfront work involved in establishing the link between job function and system access needs. But once it's done (and the maintenance process is established) the on-boarding of new hires and department transfers becomes a lot easier and quicker.
Action: Get a sense for how much work you are in for. Look at a slice of the enterprise - one job function within one business unit or department. Analyze the system access granted to a few people within the same job function.

Even if you know what access is required to do your job the process for getting that access established may vary. You make a phone call to so-and-so to get access to system A, send an email to a mail group to get access to system B, and submit a request through an intranet based system to get access to system C. Sound familiar? With all of these disconnected and differing processes for granting access, how can an organization know that the appropriate scrutiny is being applied to verifying who SHOULD have access to certain applications and information? Is the same approval required for all resource access? In an RBAC environment the role setup process is defined and can evolve as necessary. Based on the specific requirements of an organization the proper controls required for assigning access by job function area established and consistently applied each time that role is requested for a person. Ensuring the right level of approval is applied.
Action: Pick a set of applications and for each ask the question "Who needs to know who is accessing this application?". If the answer results in a Visio diagram, consistency is important.

Central to an RBAC model is the governance. Governance takes the form of placing accountability for role definition with those most appropriate to validate what a role should have access to. For roles mapped to job functions that means accountability is placed within the business unit or department where that job function exists. Using business friendly terminology to link a system access permission to a job function is also key. Those accountable for making sure people in that role have what they need to need to understand what the underlying components of a role are.
Action: How easily understood is the system access terminology within your organization? Take one application and create business friendly descriptions to describe the access levels. This will kick start the analysis necessary for establishing a framework to maintain these business friendly descriptions.

Risk Mitigation
If it wasn't apparent already, all the of the above are risk mitigation tactics. The easier and more consistently something can be done, the more predictable the outcome. Predictability helps control risk. An RBAC model reduces the risk that inappropriate access is granted to or retained by someone that shouldn't have it. RBAC is a key control in information protection.

What benefits has your organization seen from an RBAC? implementation?