Business Excellence (Part 4): The art of operationalisation

Edward Farrell

The following “business excellence” series of articles are focused on the day to day operations and non-technical considerations of modern day cyber security practices. I wanted to share my own insights and observations of the cyber security industry away from a facade that is often presented to us in marketing, or from the coalface of day to day activities.

Earlier in the business excellence series I highlighted that a critical flaw with the Australian market is the use of overly structured businesses that focus on growth and process (see part 1) or intermediaries that are often disconnected from technical concepts (See part 2), as well as business models that focus on strategies or cookie cutter “grow and sell” approaches to technology. These Henry Ford models of business work extremely well in productised or commodities businesses such as facebook, Uber, Google and manufacturing lines where the outcomes are known, the approach is finite and outcome predetermined. In the information age this approach can introduce risk or fail to meet the mark, and thus an approach of “operationalisation” is needed.

To us, operationalisation is the process of taking abstract concepts and ideas into specific and measurable events. Within cybersecurity or technology, we can best conceive this as taking user requirements, cybersecurity requirements, contextual influences and “the fog of war” to identify requisite outcomes or effects. In short, it’s about creating art with the limited time and resources we have.

Most of the paradigm or shift we see in cybersecurity is the concept of dropping a product, standard or set of processes in and and hoping that the process will fix everything, but there is a substantial degree of analysis and contextualisation that has been devoid from our activities since Antivirus engines failed to adapt to the complexity of change.

Operaitonalisaiton is important- we need to be able to determine facts and identify solutions that are not driven with an instituted process or through strategic execution, but rather by a person reasonably close to events to make decisions.

So how do we create operational art?

1. Build out over time our own solid set of well grounded skills and constantly reinforce these, from this basic discipline we can build up into complex thinking and problem solving.
2. Develop an understanding or appreciation of contexts, environments and systems outside of this well grounded domain. This is why I always enjoy another random yet relevant analogy at a cyber security conference (the later Kiwicon conferences always had these)
3. Develop human empathy and emotional intelligence. This interconnectivity with our environments is paramount; if you cannot read people or a situation, and just as importantly care, the ability to adapt and solve problems will be unsuccessful. It’s a problem that I constantly see in financially driven individuals. Development takes personal reflection, self analysis and accepting responsibility.
4. Within a business, have a team member “running the line”- Mercury recently instituted a “senior on shift role” to enable a team member to review content, get away from being on the coal face for a bit, consolidate knowledge as well as run in and solve problems. This is about making time to achieve the job at hand, put out fires but the time to think a little differently which can be hard when you’re delivering 150 consulting days a year (and I don’t know how larger firms can facilitate such thinking when they’re billing their consultants at 400 days each a year).
5. Cultivate, mentor and seek mentorship- this idea and process is about building individuals has a threefold impact on shaping operational art. The most obvious is instilling in mentees systems and processes for thinking that cannot be gathered from certification or reading. The less obvious ones are that mentorship forces you to reflect and think through what you’re instilling to a mentee, but the mentee often brings fresh insights gauged from youth and a lack of familiarity.

In part 5 will go through how to generate a pathway to create operationalised cyber security practices, including apprenticeship models and professional development.