The need for optimized and secure processes

In times of ongoing digitization and digitalization

The need for more efficient and secure processes is growing steadily, both now and for the future. No kind of digitization, or even digitalization, can be performed successfully if processes are not defined. But why is the optimization of processes so critical, and why do we need secure processes for information security? The following article gives you a short overview of the most widely used process model for describing companies. You will also get a quick explanation of the difference between digitization and digitalization, of why we need processes that are both optimized and information secure, of the way in which these two focuses complement each other, and of why they should always be respected in any cloud application.

To begin, let’s start with what is called a process. A process is “a series of actions that you take in order to achieve a result” or “a series of changes that happen naturally”(1) or “a set of recurrent or periodic activities that interact to produce a result”(2). A business process is defined as “activities that produce a specific service or product for customers”(2).

So, given these definitions, what are the main processes run by our company? To be honest, there are several models of what types of processes a company runs. In the following, we will refer to the most common models. If we take a look at the definition of a business process, we will likely see what kinds of processes there are. The core processes of our company are the processes that produce our special service or product for our customers. But if we only look for processes corresponding to this definition, we will quickly find out that several processes that our company operates are missing.

What are those other processes? All other processes that do not directly lead to that product or service are management or support processes (figure 1).

Only if we have defined which processes we operate and what we do while performing them, will we be able to optimize them and see what kind of information we are processing in them.

 

Fig. 1: Standard Top-Level-Process Map

 

Digitization and Processes

Digitization, by definition, is the step from analog to digital processes. It can only be performed if we know exactly what the process to be digitized does. But what does that mean? In order to digitize any kind of process or, to be more granular, any kind of work step, we must know what each single step does. What limits must be met, what outputs are expected and what input do we need for the process to work properly?

For this step we will approach the process as some sort of black box. First, we define the inputs and the outputs. Then, we look at what happens with the inputs in order to generate the expected output (figure 2). But what are the major challenges during this step of definition? To be honest, the major challenge is to find the intersection of the different perceptions of all involved individuals that finally describes the process in the most realistic way. Every person involved in operating a process has their own personal view of what the most relevant steps and activities in a process are. So, to properly define a process, all the perceptions must be merged and broken down to the core of what the process is really meant to do.

 

Fig. 2: Simplified Process

 

Digitalization and Processes

The next evolutionary step of digitization is digitalization. But what does digitalization mean?

Unlike digitization, digitalization requires processes that are already digitized. It enables the company to find further business opportunities hidden in its own structure and data.

An example: You used to have to go to the video store to rent a video on video cassette, DVD, Blu-ray, etc. The next step was online video stores, where you were able to rent a video without any physical access to a cassette, DVD, Blu-ray or any other medium. This is digitization (the same business, but digital). Nowadays you can buy a subscription to one of the several streaming platforms, which gives you your own digital video library, with further products on the streaming platforms to buy, etc. This is digitalization (the business has changed and was adapted to the opportunities given by the digitized data. Guess what’s next to come…).

What digitized data or processes do you have in your company that might enable you to further grow your business, or even to open up new business cases?

Why we need to optimize our processes and how we do it

To be honest, your company will also run without any optimization of its processes. But is this the best, or most economic, strategy? Not even close. Optimized processes lead to more efficiency, and more efficient processes lead to better business profits. And those are not all the benefits you can get by optimizing your processes:

Optimized processes have shorter processing times.

They are more structured.

Existing resources can be better distributed.

Planned automatization can be implemented more easily.

You’ll get better transparency.

You may change the way your employees think by breaking up old ways of thinking.

Etc.

Let us have a look at the process of optimizing your processes. We will do this without paying attention to establishing the mindset of optimization in your corporate culture or defining responsible employees.

To begin with, start identifying your core processes. These may be the processes giving the best result once optimized. Having identified the first process you want to optimize, start describing the process. When you have a complete description of the process, you move on to the visualization of it. To make the process transferable you can use the Business Process Modelling Notation (BPMN).

The next step is to define key performance indicators (KPI) in order to make process improvements measurable. That means that you will start installing points of measurement to get a feel for whether the process is running properly or not.

Then you define goals to be reached, or values that shall not be exceeded, for proper function of the process. In this way you make your processes measurable, and you will be able to see if they are running properly or if they contain any misleading workflows. Goals can be a shorter processing time or fewer resources needed for the process. With your set goals in mind, you can start modifying your process to meet them. Do this without changing the defined process results.

As a “final” step you will have to implement a workflow that will keep improving your processes even further. Process optimization can be a one-time task, but should really be an all-time task, in order for you to keep up with competitors and to survive on the market.

The best practice for implementing a periodic improvement workflow is to use the PDCA-cycle (Plan-Do-Check-Act, figure 3). It defines the way you proceed in making changes and how you keep improving what you focus on. Just keep in mind to keep a steady eye on your KPI.

 

Fig. 3: PDCA-cycle

 

Why information security is a task that should be inherent to all business processes

To understand this statement, we have to take a look at which information can be highly valuable for your company. An example: a big company is known for its refreshing beverage, which used to be made from the leaves of the coca plant and the cola nut. The most precious information it kept was the recipe for the beverage. No more than two people have known it simultaneously. These two people shall never meet. They have to keep a defined minimum distance. They shall not be in the air at the same time or on a ship at the same time, etc. In that way the recipe is kept safe from loss.

Just think about how disastrous it would be if the recipe for that beverage were lying around somewhere in the factory where the beverage is mixed, and somebody just took it and sold it to a competitor. But that’s just an example to show how important it can be to know what kind of information is processed at which point of each of your processes, and to protect this information.

So, what does information security mean? The basics of information security, and thereby of information-secure processes, are defined by three main characteristics. These are confidentiality, availability and integrity. These three characteristics are defined as follows:

Confidentiality is a set of rules that limit access to information.

Availability guarantees the reliable access to the information.

Integrity defines the information as trustworthy and accurate.

The more important and/or critical the information in a process, the more you will be interested in protecting it by means of the aforementioned three characteristics. To be able to do this, you will need to identify all information processed in your process, and where this information is processed and eventually stored.

But first let us find out which information we want to protect. Let’s take a risk-based approach to find out which information should be especially protected, and how this should be done.

The easiest approach is to define the value of the processed information. Think about how big the impact could be if the information was stolen, lost or corrupted.

Then, think about the likelihood of an incident taking place. Combine these two values and you will have a reliable value of your information. Now that you have identified the information you want to protect, you will need to find out where exactly the information is processed and stored.

Once you know where in your process the information you want to protect is being processed, you are able to define and take measures that will increase the protection level of the information and secure your process.

Always keep in mind to regularly check if your assessments of the risk have changed. This is the only way to keep your processes safe in the long run.

How more efficient and information-secure processes complement each other

Last but not least, let’s see how these two approaches complement each other.

To properly capture a process, you need to know the path that the information it contains takes. If you want to figure out the path the information takes, you must first know which information you are looking for.

So, if you want to design a more efficient process, you simultaneously get the opportunity to secure the information treated by the process.

Furthermore, during optimization, you might be able to design the process in a way that no information worth protecting will be processed. Or at least you might be able to reduce the amount of information worth protecting.

Another benefit of combining efficient and information-secure processes is that you create a high automation potential, because you create processes that are defined, optimized and already information secure. This means that you have made all the preparations needed to automatize your processes, since it is obligatory to make all processes that are to be automatized information secure. Optimization will reduce the work that has to be invested in automatization.

Optimized processes may also reduce interfaces, which increases information security because less information is processed or transferred. This applies especially to use in the cloud, where smaller amounts of transferred data will increase the performance of each of your applications. Moreover, the fact that your processes keep processed data secure is a point that your customers will appreciate.

Conclusion

In conclusion, we can see that we definitely need better-described processes that can be optimized and made information secure, because optimized and secured processes enable us to digitalize our processes, not just digitize them. Through optimized and secured processes, we are able to automatize in a simpler way and to finally find better and easier ways of digitalization, which helps us to maintain a competitive edge on the market.

 

Sources:

1. Cambridge Dictionary. (2019).

2. Wikipedia. (2019).

 

Author:

Alexander R. S. Jaber

is the CEO of J-TEC GmbH, located near Frankfurt a. M., Germany. He also works as an IRCA-certified lead auditor, implementer and trainer for information security management systems (ISO 27001) and is an expert for GDPR, nationally and internationally.
