What's the point of a management system?

My blog posting on OODA loops prompted a response from Andrew Yeomans, pointing out that Deming loops and Boyd loops are not mutually exclusive, i.e. you can have a slow moving management system supporting a fast-moving operational cycle. Would that this were true.

Andrew is technically correct. The problem is that you cannot easily divorce the security management system from the countermeasures themselves. ISO 27000 entwines them in a seamless programme of activities, requirements and countermeasures.

A few operational measures do operate in real time: modern ones such as security operations centres and intrusion prevention systems. But in general the pace of change and the application of new controls can be slowed to a snail's pace by risk assessments, committees, business cases and budget cycles.

A fair question is why we actually need management systems at all, especially if they introduce delay or distraction. Management systems were the invention of quality experts and auditors, and they tend to embody those professions' aspirations. If you don't employ such people in your organisation (and many SMEs don't) then there is little logic in implementing a management system.

Management systems are an option to enforce greater discipline and control over business and functional operations. If your organisation is small or rapidly changing, they may serve to hinder more than help you.

And it's not logical to introduce heavy governance measures for a single function or subject area unless they are generally practised across the organisation. Why would you demand a steering committee or a set of KPIs for security management if no such thing is demanded of more important business operations?

1 comment

Heavy governance for a single function might not be logical, but then again it might also be a good idea. Security is not like the help desk or the sales department: it's a complex function of the business covering a multitude of disciplines and challenges, not to mention the ever-changing regulatory and threat environments. So, KPIs for security management are a good thing even if none of the other business operations have them. The fact that they may not exist elsewhere within the organization may be down to the good management of security and poor governance of others. The problems start when the word of the management system is used as law rather than as guidance.