In our lives before Alyne, we spent our days designing, implementing and reviewing security, governance and risk management solutions for companies of many sizes and industries across many different countries. We recently got to comparing notes on organisations that were highly successful in this space, others that we felt should have accomplished more and, of course, the companies that failed miserably.
External circumstances, combinations of decision makers and many other factors obviously have a huge influence on the outcome of projects in the GRC space. However, there are some common themes that we came across in high-performing organisations.
This may be an inherent weakness in all of us in the tech industry. We love making complex systems do cool things for us. Unfortunately, not all minds think alike, and the complexity oftentimes makes the solution unusable for less technically inclined users. The security, governance and risk solutions we have encountered with the highest success and adoption rates all succeeded in making a complex system a beautifully simple solution.
Every threat analysis we have ever come across tells us that people, such as disgruntled employees, ‘fat finger’ traders and so forth, are the biggest threat. This means that influencing behaviour, motivation and culture needs to be our focus if we are securing or governing information and managing risk. The most effective solutions we have seen have had a significant people focus, such as cultural change, senior executive leadership, decisive action in implementation, and professional change management ingrained in the program.
3. The 80 - 20 Rule
We have been part of way too many projects that have ended in stalemates after weeks of academic mental arms races between stakeholders. The idea of perfect and unbreakable controls or rules accounting for each possible scenario seems appealing, but is ultimately unachievable in most cases. It is therefore of much greater value to have one control that captures, say, 90% of cases now in a system of internal controls than a perfect control later. That still makes me 90% better than I was yesterday, with a much better ROI.
4. Business Enablement
Especially when implementing legal or regulatory requirements, it’s easy to focus purely on compliance. However, we have very seldom seen business users actually adopt a purely compliance-driven solution. If you can’t identify value for your business in what you are doing, the cost of non-compliance might end up being cheaper. Finding and focusing on benefit and being compliant in the process should be your approach.
5. Usability of Tool Set
Even with the best of intentions while implementing your solution, users will reject tools with poor user experiences or inconvenient access. We have observed more and more software selection processes focus mainly on UI after two or three failed attempts with unusable solutions. When you are trying to get people to interrupt their day and use your system, you surely should keep the obstacles as low as possible.
This gives you a flavour of what has motivated us to build Alyne. We hope you are as excited as we are to see Alyne face the spotlight in complex organisations. Stay tuned.