An important characteristic of successful businesses is a strong alignment of the efforts between multiple areas of the organization. This arrangement rarely occurs by itself—instead, it requires significant time and effort from organizational leaders. The end result is often the creation of processes that define how all areas of the enterprise should work together to reach common goals.
Business processes are put in place to describe best practices and methods for consistently performing certain tasks. Often, the tasks involved will include input and interaction of individuals from throughout the organization. Before delving into details and examples of processes, let's first look at the value and benefits.
There are several valuable benefits of implementing processes. The first is consistency: by documenting the way in which certain tasks should be completed, you can be assured that all members of the organization will know their roles and how they may need to interact with others. This alone can lead to many benefits. First, when tasks are performed in a consistent manner, they become predictable. For example, if the process of qualifying sales leads is done following the same steps, managers can get a better idea of how much effort will be required to close a sale. If the business needs to react to any changes (for example a new competitive product), the process can be updated and all employees can be instructed of the new steps that need to be carried out.
Another major benefit of defining business processes is related to ensuring best practices. The goal should not be to stifle creativity. Rather, it's often useful to have business leaders from throughout the organization decide upon the best way to accomplish a particular task. When considering the alternative—having every employee accomplish the task a different way— consistency can greatly help improve efficiency. Additionally, when processes are documented, new employees or staff members that need to take on new roles will be able to quickly learn what is required without making a lot of mistakes that others may have had to learn "the hard way."
Once you've decided that your organization can benefit from the implementation of business processes, it's time to get down to the details. You must define business processes and determine how they can best be implemented to meet the company's needs.
An obvious first step related to designing processes is to figure out which sets of tasks to work on. At one extreme, organizations could develop detailed plans for performing just about every business function. However, creating and enforcing business processes requires time and effort, and the value of the process should be considered before getting started. Some characteristics of tasks that might be good candidates for well-defined processes include:
With these aspects in mind, let's look at additional details related to defining business processes.
As it's helpful to have a project plan or mission statement, it's important to define the goals of a process before beginning the work of defining it. Examples of typical process goals include:
Effective goals will usually be concise and will focus on the what and why, instead of how. During the development of processes, organizations should regularly refer back to these goals to ensure that all the steps are working towards the requirements.
When it comes to deciding who should be involved in developing processes, the general rule of thumb is the more, the better. Although it might be tempting for managers to take a top-down approach to defining processes or for a single business manager to document the details, it's much better to solicit the input of all those that are involved. Many operations and tasks have effects that are felt outside of the immediate realm of a single department. Therefore, it's important to ensure coordination with other portions of the business.
Specifically, there are several roles that should be represented during the creation of a process. Business leaders from all areas of the organization should be welcome. Additionally, stakeholders whose jobs will be directly affected by the process should drive the process. This might include employees ranging from hands-on staff members to executive management (depending on the scope of the process). An organized process for implementing ideas and reviewing documentation drafts can go a long way toward keeping the development process humming along. At the risk of sounding like a half-baked management fad, it's often helpful to have a process for creating processes.
Once the key components of a business process have been defined, it's time to commit the details to a document. A best practice is to use a consistent format that includes all the relevant details that might be needed by individuals that are new to the job role. Figure 7.1 provides some examples.
Figure 7.1: Components of a well-defined process.
Specific details include the owner of the document—the individual or group that is responsible for defining and maintaining the process. Other details include who is affected by the process, and the roles that might be required. The actual steps of the process can be defined in a variety of ways. Although text might be useful as a basis, flowcharts and other visual aids can help illustrate and summarize the main points very effectively.
It's important to keep in mind that processes are rarely, if ever, perfect. There is almost always room for improvement, and organizations often have to react to changing business or technical requirements. Instead of looking at processes as fixed, rigid commandments, organizations should see them as guidelines and best practices. Ideally, the group will be able to meet periodically to review the processes and ensure that they are still meeting their goals.
Furthermore, all employees should be encouraged to make suggestions about changes. This open communication can help add a sense of ownership to the process and can help enforce it. It doesn't take much imagination to picture workers grumbling about antiquated systems and steps that make their jobs more difficult and less efficient. Rather than encouraging people to work around the system, they should be encouraged to improve the portions that don't work.
As mentioned earlier, it's common for processes to include steps that require interactions among different individuals and business units. Therefore, it should come as no surprise that organizations can benefit significantly through the use of automated workflow software solutions. These solutions allow managers to define steps that are required and to ensure that they are properly followed.
Approvals processes and workflow often require multiple people to work on the same piece of information. Tasks include reviewing the current state of the information and making comments or modifications. The changes should be visible to everyone involved in the process, and people should be sure to have the latest version of each document. The challenges lie in the ability to coordinate who has access to which pieces of a document, and when.
Many popular software packages and suites offer workflow features. For example, Microsoft's Office system productivity suite and its SharePoint Portal Server product can help make documents and other information available to teams and organizations online. Many enterprises have also invested in the implementation of enterprise resource planning (ERP), customer relationship management (CRM), or custom-built line-of-business applications. And, from an IT standpoint, data center automation tools can be used to ensure that processes related to change and configuration management, security management, deployment, and many other tasks are handled according to the organization's best practices. Regardless of the approach taken, the creation and enforcement of business processes can significantly improve the maturity and efficiency of organizations of any size.
Having already explored the benefit of business processes and characteristics that can make them successful, let's look at a specific example of a business process—the implementation of a service desk workflow. The goal is to help illustrate how organizations can create and document a common business practice to help streamline operations.
Before diving into specific details of a service desk process, let's enumerate a few ideas to keep in mind. First and foremost, the process should be defined well enough so that all reasonable procedures are covered. Examples might include what to do in the case of an emergency, or how after-hours support calls should be handled.
Second, it's important for IT departments to communicate their processes to their users. If the turnaround time to resolve low-priority issues is 2 business days, users should be made aware of this ahead of time. Third, it is very important that at any given point in the process, at least one individual has ownership of an issue. This individual should have the authority to make decisions whenever decisions are required. A common cause of poor customer service is when a call or issue should be transferred but instead ends up in a "black hole" somewhere. (It's tempting to think that there's a place in the Universe where these calls go to commiserate).
Some fundamental rules related to documentation should also apply. Consistent use of particular terminology (along with definitions, wherever appropriate) can be greatly helpful. In the area of service desk support, clear definitions of "Level 2 Emergency" or "minor issue" can help everyone better understand their roles. Even terms such as "regular business hours" could use at least a reference to the company's standard work schedule.
Finally, wherever possible, service desk staff should be empowered to act as advocates for their callers. Although their ultimate loyalty should be to the support organization, they should also represent the needs of those that they support to the best of their abilities. Keeping these things in mind, let's move on to some examples.
Let's start by taking a look at a typical service desk process. For the sake of this example, let's focus on a scenario in which an IT call center is designed to support end users from within the organization. Let's assume that the organization supports approximately 3000 employees spread through numerous sites, and the service desk includes 35 staff members, including management.
Most of the information in this section is adaptable to organizations of just about any size.
The approach we'll take to developing a service desk process is to start with the very basics. You might imagine these first steps as something that might be scribbled in a notebook somewhere. Typical steps in the service desk process can initially be defined by the following high-level steps:
Although text-based descriptions can be helpful, this example leaves much to be desired. First, it's difficult to read—it's not clear whether these steps should be performed in sequence or some decisions are exclusive of each other. Clearly, there is room for improvement. Let's continue on the path to an effective service desk business process by looking at more examples of what might be included.
One important aspect of providing service desk support is the requirement of always tracking all issues. Apart from ensuring that no request is ignored, this information can be vital in identifying, comparing, and reporting on common problems. Service desk staff should be made aware of common categories of problems. Table 7.1 provides basic examples.
Minor computer issue that is not preventing use of the system
Intermittent application problems; non-critical or "annoying" issues
Change to an existing system that is not preventing an employee from working
Addition of a new computer; new hardware request; physical relocation of a computer
A single computer is unavailable for use by an employee
Hard disk or other hardware failure; operating system (OS) issue
Multiple systems are unavailable for use
Department-level server failure; network failure
Table 7.1: Examples of service desk issue categories.
In addition, this table could include details about any service level agreements (SLAs) that the IT department has created as well as target issue resolution times. Of course, manual judgment will always be required on the part of service desk staff. Still, the goal should be to capture and route important information as accurately as possible.
In even small service desk environments, it's likely that the organization has specialists to handle certain types of issues. In some cases, there might be multiple levels of support staff; in other cases, application experts might be located outside the IT organization. Once the nature and severity of an issue has been determined, service desk representatives should know how they should route and handle these issues. Perhaps the most important aspect is to ensure that the issue always has an owner.
Once you have settled on the features to include in your high-level service desk process, it's time to determine how best to communicate the information. A flowchart is often the best way for people to visualize the steps that might be required to resolve an issue and how the steps are related. Figure 7.2 provides an example.
Figure 7.2: An example of a Help desk issues resolution process flowchart.
Notice that in this document, there are many decision points and branching logic that will affect the path to issue resolution. The major areas of ownership start at the left and begin with the reporting of an issue (which can be from any area of the organization). The Level-1 staff is responsible for categorizing the issues and determining the next steps. The issue may be resolved at this level or it may be moved on to other members of the staff. At all points, the issue is owned by an individual or a group. In this particular flowchart, it is ultimately the responsibility of the Level-1 staff to ensure that an issue is closed.
Although this flowchart may not be perfect, it is easy to read and provides a simple overview of many portions of the process. Most IT organizations will also want to accompany the flowchart with additional details such as definitions of terms and steps involved in procedures.
Service desk workflow is an excellent example of the type of business process that can be greatly improved through the use of automation. It's important to note that there are many approaches to the task of defining service desk workflows. For example, the IT Infrastructure Library (ITIL) defines a Service Desk, and provides best practices for how IT organizations can best implement policies and processes related to issue resolution
Numerous third-party products and software solutions are also available. Some products are very customizable, while others introduce their own suggested workflows, terminology, and best practices.
When evaluating potential service desk solutions, IT organizations should start by looking at their overall needs. For example, some solutions might better lend themselves to the support of customers that are external to an organization (by allowing for fee-based support and related features); others might be more appropriate for internal IT service desks. In some cases, an enterprise might decide to build its own service desk solution. Although doing so can lead to a system that is well-aligned with business goals, the time, cost, and maintenance effort required might not lead to a strong enough business case for this approach.
Regardless of the approach and the technology selected, the implementation of an organized service desk process is an excellent example of how IT organizations can benefit from the implementation of business processes.
A challenge that is common to most IT departments is the goal of meeting organizational requirements while staying within established budgets. In addition to the ever-increasing reliance most organizations put on their IT staff, new initiatives often take up important time and resources. When reacting to demands, it can become difficult for IT management to stay on top of the needs of the entire organization. Instead of working in isolation from the rest of the business, a recommended best practice is to establish an Executive Action Committee.
An Executive Action Committee can help determine the course of the business and can help define the role of the IT organization within it. The purpose of the committee is to evaluate current and future IT initiatives and to make recommendations about which projects should be undertaken. The process might start by evaluating active proposals and requests as collected by the IT department. For example, the Sales and Marketing departments might have requested an upgrade of their current customer relationship management (CRM) application, while the Engineering department is looking for a managed virtualization solution to facilitate testing of a new product.
Given time and budget constraints, it's likely that some projects will either have to be cut from the list or be postponed until resources are available. That raises the question of how to decide which projects are most valuable to the organization. Standard business-related measurements can be helpful. Quantitative estimates such as return on investment (ROI) and total cost of ownership (TCO) are key indicators of the feasibility of a particular project. The quicker the ROI and the lower the TCO, the better. Other factors that might be taken into account include risks (factors that might lead to cost overruns or unsuccessful project completion) as well as available resources (see Figure 7.3).
Figure 7.3: Factors related to prioritizing projects.
An adage related to technical project management specifies that organizations can choose to define two of the following: scope, timeliness, and quality. For example, if the project deadline is most important, followed by quality, then it's quite possible that the scope (the list of included features and functionality) might need to be reduced (see Figure 7.4).
Figure 7.4: Prioritizing the goals of a particular project.
When defining the membership of the Executive Action Committee, it's important to ensure that representation from various areas of the organization is included. Ideally, this will include senior management and executives from various business units. Because investments in IT can affect the organization as a whole, input and comments should be solicited before undertaking major projects. This process can go a long way towards having IT organizations seen as strategic business partners and good team players.
A crucial first step in implementing an Executive Action Process is to gather buy-in from throughout the organization. Often, the potential benefit—better prioritization of IT projects—is enough to gain support for the process. In other cases, IT managers might have to start the process by calling meetings to evaluate specific projects.
The roles of committee members may vary based on business needs and particular projects that are underway. For example, if an organization is planning to invest significant resources in a new Web-based service offering, leaders from the Engineering department might be most interested in helping to prioritize projects. Figure 7.5 provides some steps that might be involved in regular Executive Action Committee meetings.
Figure 7.5: Parts of the of the Executive Action Committee process.
Overall, the goal of the Executive Action Committee is to better align IT with the needs of the organization. By ensuring that input is gained from throughout the organization and by prioritizing the projects that can provide the most "bang for the buck," enterprises can be sure to maximize the value of their IT investments.
Taken literally, the concept of authentication refers to establishing that something is genuine or valid. In the "real world," this is often easy enough—unless you have reason to believe that you're involved in a complex international plot. Basic physical appearance can help you identify individuals with little room for error. Add in an individual's voice, and it's pretty easy to distinguish your manager from other coworkers (perhaps by identifying the tell-tale pointy hair from the Dilbert comic strips). The process of authentication in the technical world is significantly more complex.
From the standpoint of an IT department, the primary goal of authentication is to positively identify users or computing devices and to ensure that they are who they claim to be. Based on their validated identities, systems can determine which permissions to grant (a process known as authorization). Although the primary goal is easily stated, there is a lot more to it.
Other goals of the authentication process involve minimizing the hassle and intrusiveness of security methods. If you required your users to provide authentication information every time they tried to open a file, for example, it's likely that the reduction in productivity (not to mention the negative effects on your own life expectancy) might not make it a worthwhile implementation. With strong but user-friendly and easy-to-maintain authentication mechanisms, organizations can gain the advantages of increased security without the potential downsides. With this goal in mind, let's look at ways in which IT departments can implement authentication.
By far, the most commonly used method of computer-based authentication is through the use of a login and password combination. Although this method is relatively easy to implement, it comes with significant burdens. Users are responsible for generating and remembering their own passwords. They should choose strong passwords, but they're often required to enter them multiple times per day.
From an IT standpoint, devices such as routers and security accounts for use by applications and services also often have passwords. Creating and maintaining these passwords can be a difficult and time-consuming process. From a security standpoint, it can also be difficult to determine whether a password has been shared, compromised, or used in an authorized way. All too often, "secrets" are shared. Considering that organizations often have many thousands of passwords and accounts, this can be a major security-related liability.
An old adage states that a chain is only as strong as its weakest link—should even one component fail, the strength and integrity of the entire chain is compromised. From an IT standpoint, this means that security staff must ensure that authentication credentials are properly maintained. Some general best practices related to managing password-based environments include the following:
It's also important to note that IT departments can easily go overboard in implementing security measures. Such Draconian tactics as requiring extremely long passwords or forcing very frequent password changes can often work against the goal of security. Users will often choose the path of least resistance, and may feel the need to write down their passwords in multiple places or to use easy-to-guess phrases. As mentioned earlier, all security implementations should also take into account usability and productivity issues. Perhaps most importantly, all of an IT environment's authentication policies and procedures should be documented and should be made available to members of the organization.
Although password-based authentication is the most ubiquitous method, other methods are also available. The field of biometrics focuses on the task of identifying individuals based on biological mechanisms. Fingerprint-based identification is now available at a reasonable cost and even consumer-focused devices are available. In order for this method to work in a corporate environment, the fingerprint readers must be readily available wherever authentication takes place. Often, users will have to fall-back to "old-fashioned" username and password combinations, at least occasionally. Other biometric methods range from the use of voice-print analysis to retinal scans. The major barriers to the adoption of these methods include cost and compatibility with existing systems.
Still more authentication mechanisms involve the use of a small device that can generate regularly changing cryptographic values known as secure tokens. This mechanism adds another layer of security by ensuring that a potential user of a system is in possession of the device.
Should it be misplaced or stolen, IT departments can find out quickly and cancel old credentials.
So far, we've looked at several authentication mechanisms (with a focus on password-based authentication). Let's explore the process of creating and managing security credentials in a network environment. We'll focus on the importance of implementing a centralized user authentication system, but first let's look at an alternative (and the many problems it can cause).
Most new computers, operating systems (OSs), applications, and network devices have mechanisms for maintaining their own security. For example, most switches, routers, and firewalls can be protected through the use of a password. Applications might use their own set of logins and permissions, and even individual computers might have their own security settings. Figure 7.6 provides an overview of this security approach.
Figure 7.6: A logical overview of decentralized security.
The most important aspect of decentralized security is that there are many security databases within the organization. Each one is independent of the others and contains its own authentication information. For example, every computer might have a separate account named "SysAdmin." Although it's technically possible to manually synchronize the login information (that is, to ensure that the same usernames and passwords are used on each machine), the process is tedious and error-prone. Furthermore, maintaining even a few of these systems can quickly become difficult and time consuming. The end result is often that security is not maintained: Simple passwords are used, login information is changed infrequently, and passwords are often written down or recorded in some other way.
Although simply setting up a decentralized security environment can be painful, the real risks are in the areas of manageability. For example, what will happen if a password is compromised? Even if IT staff can scramble to update the passwords on multiple devices, there is still a large window of vulnerability. The new password also has to be communicated to the users that need it—an inherently risky proposition. What if one or more devices are overlooked and continue to run with the exposed authentication information? And this doesn't even take into account the effort that might be required to ensure that other computers and services that rely upon the login are properly updated.
In case all of this isn't incentive enough to see the drawbacks of decentralized security, let's look at one more motivator before moving on: Imagine the difficulty that end users will experience if they must manually log on to each device or application on the network. The decrease in productivity and frustration might be tantamount to not having a network at all. By now, it's probably obvious that decentralized security is not a very effective approach—even for the smallest of IT organizations.
In a centralized security model, all security principles (such as users and computers) are stored in a single repository. All the devices in the environment rely upon this security database to provide authentication services. All accounts are created and maintained once (although many different devices might be able to perform the function). Figure 7.7 provides a visualization of this approach.
Figure 7.7: A centralized security implementation.
It's easy to see how this method can alleviate much of the pain of maintaining many separate security databases. IT administrators that are responsible for maintaining security can create accounts in the security database. And, if a password or other user setting must be changed, it can be done centrally.
Although the benefits of centralized security management are compelling by themselves, so far we've only scratched the surface. Several vendors offer unified directory services solutions that provide numerous additional advantages. One of the most popular solutions is Microsoft's Active Directory (AD—see Figure 7.8).
Figure 7.8: A logical overview of a Microsoft AD domain.
AD is designed to be an enterprise-wide centralized security structure that is hosted by Windows Server-based domain controllers. Although built-in authentication mechanisms can differ, practically all enterprise-based hardware, software, and network solutions can leverage AD for verifying user credentials and evaluating permissions. Microsoft's directory services solution is based on a variety of standards and technologies, including the Lightweight Directory Access Protocol (LDAP), Kerberos (for managing authentication tokens), and Domain Name System (DNS).
Setting up a complete directory services infrastructure involves many components and services, so vendors have gone to great lengths to make these systems easy to configure, deploy, and manage. In addition to AD, other vendors offer LDAP-compliant directory services solutions. One example is the Remote Authentication Dial-In User Services (RADIUS) standard that was originally intended for verifying credentials for remote users. Most of these directory services solutions can work in conjunction with AD or by themselves.
In addition to the important feature of providing a single central security repository, centralized authentication solutions include many features that help simplify the management of user authentication. Some of the features include:
Though this basic list of features of directory service solutions is a long one, it only scratches the surface of the full potential.
Taking advantage of directory services solutions is usually a straightforward process. There are, however, some important aspects to keep in mind. First and foremost, enterprise IT staff should look for management solutions, software, and hardware that work with the directory solution that they have implemented. By leveraging the advantages of the directory, IT organizations can lower costs and improve security. The same applies for custom software development: Internal developers should ensure that line-of-business applications adhere to corporate IT standards and that they work with the directory services solution.
Finally, it's important for IT departments to develop, document, and enforce policies related to their security implementations. Processes for creating new user accounts, handling employees that are leaving, and performing periodic security checks are vital to ensuring the overall health and benefit of the directory service.
Overall, directory services solutions can dramatically improve security and reduce administration related to a difficult technical and organizational challenge—managing user authentication. This should make them a vital part of the core infrastructure of all IT departments of any size.