Collaboration: A Risk-based Approach

Dan Stephens and Tim Telkamp
02/05/14 at 01:22 pm

The Risk Based Management framework is well defined by NIST to address securing data within your organization.  It creates a way to quantify intangibles and create a simple checklist for securing your information.  For those unfamiliar with the process it is as follows:  Categorize, Select, Implement, Assess, Authorize and Monitor.  It occurred to me that a similar process should be applied not only to information being communicated, but also to how we communicate information.  If you stop and think about it, the information that you use this approach to protect is only as good as the way in which we use that information to achieve a result.  It is the communication of that information with one another that is the action to achieve the result.  My exploration of the subject follows below.

Categorize

How to communicate?  The nuts-and-bolts explanation: person to person, person to group, manager to employee, manager to manager, internal to internal, internal to external, business to business, business to consumer, consumer to business, and most likely a thousand other combinations, but this will suffice for our test case.  I believe we can create a simple checklist to identify how a company views its categories of communication and collaboration.  Could this be considered business process analysis?  Conceptually yes, but without the additional depth of determining if it is the correct communication type.  I just want to understand what is in place.

Select

What are we selecting?  In security it would be the proper controls to manage access to the data.  In collaboration it is the enablement of communications based on our categories.  Voice, video, presence, chat, email, blog, web and social applications are all collaboration tools to enable communications.  The proper tool would then need to be applied to a matrix with the proper category to identify the best fit. 

Implement

This one can be challenging: how do you implement without a huge investment?  One option is to find a partner that can help you pilot your “controls”.  Another way is to look at hosted options that allow you to test on a limited subset of people while limiting your investment.  Before you do these things, document your findings in a policy document.  A Collaboration policy should summarize your findings in the first two phases and then document what you are testing and why.  Document how you expect people to use the controls and then train them on the use of those tools.  The goal must be a business outcome, namely the effective use of that important data to make sound business decisions in a timely manner that puts your company at an advantage over the competition.  Is it not worth the time to understand the way you communicate and build a plan to make it better and faster?

Assess

Are people using the tools?  If not, then why not?  If you try to change the way people communicate as opposed to augmenting their current methodology, then they will work around it or, worse, ignore it.  Invest the time to determine what works for your team and what does not.  You can then determine whether it is the tool or the process that is at fault.  If it is the tool, then you should change it.  If it is the process, then you should consider the requested outcome and determine if you need to change the training to get there.  Either way you are improving either the tools or the behavior.

Authorize

I had to struggle to fit this one in, but then it occurred to me that crowd-sourcing ideas could only be done effectively if the proper context is applied to the data.  Crowd-sourcing via social apps can help mine great talent in mesh or horizontal ways; people at all levels in a company can have stellar ideas.  So it is critical to move from the small group and expand the use of the tools to all parts of the organization, thus authorizing everyone to participate and be a part of the collaboration policy and plan.

Monitor

As the last step in our process we need to monitor the tools, processes and plans.  Failure to utilize the tools may mean a waste of funds but more importantly it means a loss of competitive advantage.  Corporations who understand the way they communicate and enhance communication processes will necessarily gain the advantage in the marketplace.  By monitoring, you can recommend tool reallocations, process improvement and additional investment when something works as intended.

In conclusion, it is my assertion that as a company determines what kind of investments they are going to make in collaboration tools, it is imperative that they seriously consider the risks involved with not approaching the process in a deliberative fashion.  As with all risk models, you can choose to accept the risk or mitigate the risk but only if you consider that what you are putting in place is based on risk to begin with.