A complete and definitive guide to auditing the security of IT systems for managers, CIOs, controllers, and auditors
This up-to-date resource provides all the tools you need to perform practical security audits on the entire spectrum of a company's IT platforms, from the mainframe to the individual PC, as well as the networks that connect them to each other and to the global marketplace. Auditing and Security: AS/400, NT, Unix, Networks, and Disaster Recovery Plans is the first book on IT security written specifically for the auditor, detailing what controls are necessary to ensure a secure system regardless of the specific hardware, software, or architecture a company runs. The author uses helpful checklists and diagrams and a practical, rather than theoretical, method to understanding and auditing a company's IT security systems and their requirements. This comprehensive volume covers the full range of issues relating to security audits, including:
* Hardware and software
* Operating systems
* Network connections
* The cooperation of logical and physical security systems
* Disaster recovery planning
IBM AS/400 Architecture and Applications.
AS/400 Audit Objectives and Procedures.
Windows NT Server: Security Features.
Disaster Recovery Planning.
Note: The Figures and/or Tables mentioned in this chapter do not appear on the web.
What drives revenue and profit in today's economy is undoubtedly the mix of hardware, software, and services. Often the differentiator for this mix is the highly skilled, motivated, leading-edge employee who determines the company's competitiveness and its growth in the marketplace. Growth is linked to satisfied customers whose loyalty is the foundation for success. Thus, the factor that determines a company's growth and its customer satisfaction is the quality of its employees.
Employees are committed and highly motivated when their work environments enable them to go the extra mile for their customers, their company, and their colleagues. This is what builds a network of dynamic employees who strive to be the best at providing value to their customers. Similarly, what mobilizes the employees to understand the elements of the security culture and to see its relevance to the company's business success as well as their own personal success are the dedicated Information Security (IS) manager—leaders. It takes dedicated IS manager—leaders to guide the transformation to a dynamic security-conscious culture.
Employees continue to be a company's greatest asset, perhaps more so now than ever before. That's why IS manager—leaders must not allow the urgency of their daily workload to take precedence over the important time needed for the employee aspects of their roles. Following are five factors that contribute to customer satisfaction:
1. Image
Of these, image is considered to be four times more important than any of the other factors. Image is a composite of four employee-related issues:
1. Highly skilled employees who are committed to excellence.
Fulfilling customer satisfaction on these four issues, especially the first two, is very dependent on IS manager—leaders being the best at leading employees and managing employee processes. Without highly skilled and motivated employees, the company's image regarding security conscientiousness will be low. IS managers need to ensure that employee management processes are world class. It is not the managers who are more important than nonmanagers; rather, it is the employee management process that is more important than ever before. It is important to differentiate the processes from employees, some of whom are managers and some professionals, who share responsibility for their collective success.
INFORMATION SECURITY MANAGER—LEADER ROLES
To define IS manager—leader roles, the following questions need to be addressed:
Answers to these questions lead us into the realm of dynamic culture, the creation of which requires the redefinition of manager—leader roles. Redefinition requires understanding the following terms:
Also, the title of this section refers to "roles" versus "the role" of the information security manager—leader. The plural form suggests that the information security manager—leader job is composed of multiple roles, and that it is the mix of these roles that is changing.
Next, we will redefine the mission and roles of information security manager—leaders, as well as position the "Information Security Manager-Basic" skills template against the expected Information Security manager—leader roles in a dynamic culture.
DYNAMIC CULTURE IS A PREREQUISITE FOR GROWTH
Any successful business strategy is geared toward being the leader in creating value for customers. This is also a competitive imperative. Highly satisfied customers whose loyalty is contagious drive a company's ongoing growth of revenue, profit, and market share. Therefore, it is the loyal customers who drive a company's long-term growth.
Loyal and very satisfied customers are created when they experience world-class technology, integrated solutions, services, and support and above all else, a sense of security and privacy about their personal business. Only dynamic companies that thrive on challenge and change can sustain these customer loyalties. A dynamic company is synonymous with a dynamic culture, symbolized in the starburst of energy in Exhibit 1.1.
Culture is defined as the climate of behaviors, norms and values, and assumptions in which we are immersed and on which we depend. Culture surrounds and permeates our jobs and roles and is embodied in our systems, structures, and processes.
Transformation to a dynamic culture is a "must do" not a "nice to do," driven by the realities of the external environment (competition, regulations, marketplace demands), as Exhibit 1.1 shows. The desire for growth of market share, revenue, and profit provides the "pull" for the dynamic culture. The external environment and the fear of business efforts failing provide the "push." The collective reengineering work, which is the most massive reengineering effort in corporate history, is geared toward business success. The required supporting cultural context is discussed in Exhibit 1.2. The failure rate of reengineering efforts in corporations—attributed to failure to transform cultures in conjunction with reengineering efforts—has been high.
SUSTAINING CULTURE FOR PROCESS IMPROVEMENT
The diamond-shaped chart in Exhibit 1.2 shows the four factors that must be present for reengineered processes to be effectively implemented. It is not enough to only have reengineered processes. The new processes will fail without the accompanying changes in job activities, the management and monitoring methods, and norms and values embedded in the organizational culture—the intangible cultural factors below the surface depicted by the wavy line in Exhibit 1.2.
Think of the reengineered processes as the visible tip of the iceberg above the surface. Just dropping new methods and ideas on employees will not work, especially if the processes have been truly reengineered. More than half the reengineered efforts have failed because companies overlooked the crucial importance of the cultural factors below the surface. Companies cannot afford to squander their huge investments in the new processes if the expected return on their investment is dismal. Consequently, attention to cultural underpinnings is becoming mandatory.
The word transforming is intended to capture both the journey and the need for dynamically sustaining the new culture. This requires modeling the new culture in the way one performs ongoing operations, nurtures new relationships, and adds value in the evolving organizational network: Satisfied Employees Satisfied Customers.
While everyone benefits from a dynamic culture—employees, customers, and the shareholders—the focus is now inward; you cannot change the external environment unless you change the internal one first, that is, employees. It is becoming increasingly apparent to the leading companies that the success of employees and the success of the organization are closely intertwined. Thus, ensuring that employees are seen as drivers of the organization, on an equal footing with customers and investors, is pivotal to creating dynamic work environments. Making employee satisfaction a central driver in the organization demands a culture in which employees take responsibility for their own success and the success of the organization. Customer relations mirror employee relations: "Do unto your employees as you would have them do unto your customers."
Employees must be motivated to invest their discretionary effort in goals that both maximize their satisfaction and maximize the company's success. It is this "volunteerism" that is the power source of a dynamic culture.
DYNAMIC CULTURE OVERVIEW
It is important to understand the roles of IS manager—leaders that enable the transformational mission, the skills required to perform these roles, and why attention to employees is more important than ever. Following are five key points that provide the outline of a dynamic culture:
1. A common language to describe a "dynamic culture/ company": The three-layered model of any culture—behaviors, norms and values, and assumptions—provides a framework for describing the desired dynamic culture.
2. Transformation requires IS managers to lead and IS leaders to manage: That's why the term IS manager—leader is used. Terminology such as "IS manager," "IS leader," and "IS manager—leader" will be defined.
3. IS manager—leaders lead, manage, and do: IS manager—leaders accelerate the transformation to the new behaviors of a dynamic culture/ company as they perform five roles that blend leading employees, managing processes, and doing tasks:
4. The IS manager—leaders' skills template is aligned with their roles: The "IS Manager-Basic" skills template in the Skills tool has fifty skills—fifteen of which are key skills—that map to the IS manager—leader roles.
5. Employees are the most important asset: A dynamic company/ culture requires highly skilled and motivated employees, and IS manager—leaders must maintain top priority on creating an environment that attracts and retains dynamic employees.
LEADERSHIP NEEDED FROM IS MANAGER—LEADERS
Ideally, IS manager—leaders have to be impatient with themselves and with the obstacles that inhibit the pace of the transformation. They need to have a sense of urgency, driven by the realization that business results depend on the success of these changes.
First, as implied by the transformation mission, IS manager—leaders need to be change sponsors, change agents, change advocates, and change adopters. They need to embrace these change roles and to be "change shock absorbers" who reduce pain, confusion, and frustration as they "unfreeze" the contemporary culture/ company. Second, they need to collaborate cross-functionally and model teamwork in their network of relationships. Third, IS manager—leaders need to be coaches and facilitators as they engage others in a long-term commitment to the journey. Commitment is not compliance. Commitment requires that the energy and creativity of employees' hearts, minds, and hands be engaged—compliance just requires employees' hands. Commitment requires clarity, relevance, involvement, and meaning, as shown in Exhibit 1.3.
Compliance requires clarity and involvement in executing someone else's idea. IS manager—leaders need to understand the profound difference between commitment and compliance. A dynamic culture/ company unleashes the potential of employees who are committed to clear, relevant, and meaningful purposes that they have helped shape.
Employees will commit to the new dynamic culture when four factors are in place:
1. Clarity: Staff members understand what the new dynamic culture is—the characteristics of the culture are clear to them and they can articulate them to others.
2. Relevance: Staff members see the relevance of the new dynamic culture to the company's business success—they see how it will be good for the company's customers and help the company grow.
3. Meaning: Staff members see the personal meaning of the new dynamic culture--what it means to them personally, and they can get excited about it.
4. Involvement: Staff members want to be, and are, involved in the shaping and deployment of the new dynamic culture—without involvement, no commitment. When it is impractical to involve everyone in shaping a large-scale change, their chosen representatives may be involved. Giving employees the choice to be involved is the key point, even if they choose not to be.
The need should be for everyone, especially IS manager—leaders, to help sustain the journey and not slip back—to be comfortable reinforcing, evolving, and nurturing the dynamic culture/ company. In summary, IS manager—leaders enable the dynamic culture that generates a dynamic company, producing highly satisfied and loyal customers that fuel company growth.
The Change Model
Transformation is about change. There are many models that describe stages of personal change and organizational change. The Change Model in Exhibit 1.4 outlines five phases that are a helpful context for cultural change. This book supports the early phases of cultural change as follows:
Our outline of the roles and skills of IS manager—leaders also touches on the following:
However, given that real culture transformation is an ongoing process, these phases will require much iteration.
DYNAMIC CULTURE TRANSFORMATION
Phase 2 suggests that if we want IS manager—leaders to help accelerate a transformation to a dynamic culture/ company, we need to clarify what exactly this desired dynamic culture would look like.
Transforming any organization to a dynamic culture/ company is a quantum change. Progress can appear to be unattainable—a journey of a thousand miles—yet it can be accomplished a step at a time. The three-layered model of corporate culture suggests that culture is made up of behaviors, norms and values, and assumptions. IS manager—leaders help to bring to the surface norms, values, and assumptions and to translate them into a new dynamic culture/ company. (See Exhibit 1.5.)
The most obvious signals are indicated by the way employees behave. Judgment and experience and valuable thinking are required and there are no clear-cut answers.
From articles on management, executive speeches, and numerous discussions, twenty behaviors in the dynamic security culture were identified. They are a starter set intended to be a catalyst to more specific behaviors agreed to in dialogues throughout dynamic organizations. To help understand these behaviors in the context of an existing framework, they are organized around the three foundational organizational commitments of win, execute, and team.
A dynamic company has six core elements as shown in Exhibit 1.6. The pieces of the dynamic culture/ company puzzle are as follows:
1. Company
Ten Attributes of a Dynamic Culture
The following are ten attributes that employees need to demonstrate in a dynamic culture.
1. Focus on winning
Fifteen-Point Dynamic Checklist
1. Is there a focus on winning?
DESIRED BEHAVIORS: WIN, EXECUTE, TEAM
From the ten attributes and fifteen positive answers to the checklist, the following steps for organizational commitments of win, execute, and team are defined. (Also see Exhibit 1.7.)
Win
1. Focusing on winning/ creating the best customer value
Execute
6. Showing concern for quality and productivity
Team
15. Walking the talk on respect, integrity, teamwork, and excellence
DYNAMIC CULTURE SELF-ASSESSMENT
On a scale of 1 to 5, with 1 being "low-performance" and 5 being "dynamic," assess the environment on each of the following aspects of a dynamic culture/ company.
Win
1. Do you focus on winning—on being the leader in creating the best value for your customers, using technology, integrated solutions, and services?
Execute
6. Do you show concern for quality and productivity?
Team
15a. Do you model respect, integrity, teamwork, and excellence personally?
Ongoing discussions with others in the company are valuable to assess behaviors with the lowest performance and to decide what could be done to improve them.
NORMS AND VALUES
The three commitments of the norm categories are
1. Win
The four values are
1. Respect
The resulting acronym helps remember that these are the "RITE" values. Two of them, respect and excellence, may appear to have their origin in the company's basic beliefs, which reinforces the need to engage in dialogue to ensure the current meanings of these values are understood by all.
SYSTEMS, STRUCTURES, AND PROCESSES
Companies require systems, structures, and processes to operate globally. Examples of these include the following:
These are strong levers to affect behavior since they embody the norms and values of the culture, often implicitly. They are powerful catalysts for change or significant inhibitors to it. When systems, structures, and processes are not aligned with desired new values and behaviors, cultural transformation efforts are ultimately futile.
Assumptions are like "givens," and in that respect the following principles could be considered as assumptions:
Some of the principles overlap with norms and values. Some overlap with behaviors. That is to be expected since they are the foundation of the culture and should be reflected in the other two layers.
Other existing assumptions that we hold and operate by are much more difficult to discover and define. These mind sets are so ingrained that we don't even think about them—it's like fish being the last to discover water. These assumptions include our unconscious, built-in mental models—the lens through which we view the world. They include latent biases and insights, which we view as obvious. We consider these paradigms so given that they are treated as normal since they often reflect assumptions held in our surrounding society. For example, "the bigger my team/ unit, the more important/ valuable I am" might be an assumption rooted in a hierarchical mind set, whereas "the more I know, share, facilitate, and lead, the more valuable I am" might be an assumption in a knowledge-based team structure. And "the more I know that nobody else knows gives me more power over others and will lead to my upward mobility" might be in a politically motivated environment.
If assumptions are supportive of the norms, values, and behaviors of the dynamic culture, there is consistency. If not, there is an uneasy misalignment that requires revisiting, or perhaps discovering for the first time the fundamental assumptions.
Still to be articulated are fundamental assumptions about human nature, trust, motivation, time frame, and internal competition. The statements/ assumptions in Exhibit 1.8 provide a start to the discussion and offer a few suggestions to spark dialogue and thought. There are many others, and these may not be the right ones yet. The choice of assumptions and meanings behind the terminology has a profound effect on approaches toward teamwork, empowerment, and management processes in a dynamic culture. There is a need to find meaningful ways to contribute to the surfacing of these submerged assumptions. This is difficult, important, and urgent work—and it is just starting.
Before outlining the roles through which IS manager—leaders will accomplish the cultural transformation mission, there is a need to agree on terminology such as "IS security manager—leader."
IS MANAGER, LEADER, OR MANAGER—LEADER
In many companies, the terms leader and manager are used interchangeably. "Manager" is more likely to appear on a business card. That is, "manager" is used as part of job titles more often than "leader" and implies accountability for both employees and business processes. Managers get business results.
The "leader" label is often applied to famous leaders like Kennedy or Gandhi and to business leaders like Jack Welch of General Electric or Bill Gates of Microsoft. In organizational hierarchies, the employees at the very top are often referred to as "leaders." In team-based organizations, "leaders" and "leadership" can be applied to anyone—most often to "team leaders," "project leaders," "first-line managers," "senior leaders," or "executives." Leaders set direction.
Leading or Managing
Terminology in the area of leadership and management can be a semantic minefield. Thousands of articles have been written about managers, leaders, and executives. There has been an explosion of books, videos, and speeches about leadership, especially in the last fifteen years. Unfortunately, most authors are less than crisp in defining their terminology. However, drawing from the essence of what the "experts" say, the following list provides some overall distinctions between leading and managing:
Leading, Managing, and Doing
Too easily we start to attach value judgments to these characteristics. We do not need either leading or managing alone; rather, we need both, as shown in Exhibit 1.9.
The label "complete leader" for the person that embodies a rich blend of both leading and managing capabilities is preferred. The term complete manager would be equally valid. This desired blend of leading and managing is further reinforced by the quote at the end of Joel Barker's video The Power of Vision:
Vision without action is only a dream;
Resulting from the "complete leader" label in Exhibit 1.9, it is noted that the term leadership includes leading, managing, and doing. The working definition of leadership is "the ability to effectively set/ reset direction and model interpersonal behaviors (Leading), align/ manage business and HR/ Employees processes to accomplish desired business results (Managing), and contribute personally to desired business results (Doing)."
Exhibit 1.10 shows that varying degrees of leading, managing, and doing skills are present in any job. That is, leadership is the umbrella term—leading, managing, and doing are subsets of credible leadership. Exhibit 1.10 also indicates that leadership is expected throughout the organization—it is not just the prerogative of senior managers and executives. Some employees may assume the role of a leader temporarily, in a given situation. Others may be more permanent leaders, such as in senior positions or on some teams. In all cases, the leadership elements that will ensure business success are the same.
The conclusion is that "complete managers" are required to lead and "complete leaders" are required to manage. In terms of the typical organization, "manager—leader" applies to employees who are often also called "first-line managers," "second-line managers," "senior leaders," or "executives." Some may also be "team leaders."
Self-Managed/ Self-Led Employees
Employees are assuming more and more responsibility for their own jobs, careers, skills, self-assessments, and so forth. This is healthy and encourages controlling their own destinies, as opposed to more paternalistic approaches.
The increasing empowerment of employees in all areas allows companies to be more responsive to customers and leads to less dependence on manager—leaders to plan, control, and direct employees and business processes. This is a foundational assumption of this chapter and is consistent with the notion of leaders (which all employees are, at least situationally) leading and managing themselves first.
This leads to the question of what the roles are for IS manager—leaders, as they execute their mission of leading and sustaining the change to a dynamic security culture.
TOTAL JOB MODEL
A job is a collection of roles. The job of any professional, first-line manager, team leader, or executive is a combination of varying degrees of the same roles. The "Total Job Model" shows the five basic leading, managing, and doing roles in any job, with a common underpinning of personal traits and attributes.
As shown in Exhibit 1.11, any job includes five roles, to varying degrees. This may not be clear to everyone today, but manager—leaders can help legitimize these roles for everyone within their organizations. Remember, too, that the "organization" could be a team or a department, as well as larger units. The five roles are as follows:
1. Leading the organization/ Setting direction. This role is about setting the direction for change and making it happen. It consists of
2. Leading by example/ Leading day to day. This role consists of displaying interpersonal leadership in hundreds of daily "moments of truth" with individuals and teams.
Note that this touches all other roles and reinforces the interdependencies among the leading, managing, and doing roles. The more senior the leader, the greater the "fishbowl effect"—every action of a CEO is interpreted by the organization as having meaning and intent, whether or not it was intended. This role includes the critical "3 C" descriptors of the manager—leader who is transforming an organization to a dynamic culture:
a. Coach (which, in turn, requires Consideration, Courage, Candor, and Character)
3. Managing business processes. This role consists of
There is an acknowledged paradox that reengineering processes require leading, but once major new processes are operational, they need to be managed, which includes implementing continuous improvements and managing the financial aspects of the business.
4. Managing HR/ Employees processes. This role ensures that the five HR/ Employees management processes, described later, are effectively executed.
5. Do specific business tasks. This role consists of performing specific tasks, alone or in teams, to help achieve business results.
Key Factors of the "Total Job Model"
There are four critical factors that apply to the Total Job Model.
1. "Lead," "Manage," and "Do" apply to everyone. All employees will find themselves implementing all five roles. The emphasis on each role may vary, based on level of responsibility, but the fundamental ingredients are the same. Styles will be unique, organizations will be at different stages in their evolutions, external environmental factors may change unexpectedly—it will not be a question of whether these roles are performed so much as which of them is appropriately favored and how they are performed.
2. Lead employees; manage employee processes. Employees are being led, and Employee processes are being managed. This is an important distinction. Perhaps manager—leaders should more specifically be referred to as "employees leaders" and "process managers."
3. Manager—leaders "Do." Since units in organizations have downsized, reduced layers of management, and become more team-based, manager—leaders are finding that they are personally performing more work—in some cases, billable work with external customers. Manager—leaders are increasingly encouraged to maintain technical skills that enable them to perform tasks alone or as team members.
4. The whole job is greater than the sum of the roles. Although it is useful to dissect the job of the manager—leader into roles, the job requires a powerful, effective, and unique combination of all roles in each situation. This is graphically acknowledged by showing the "Lead By Example/ Leading Day to Day" role touching all the other roles; however, a case could be made for all of the roles overlapping. Just as the essence of a car as a mode of transportation is more than the sum of its engine, wheels, seats, transmission, and so on, so too is a manager—leader more than the sum of the preceding roles or parts. It is the well-rounded and integrated combination of these roles that makes manager—leaders effective.
Each of us has a unique combination of strengths in the various roles, with compensating competencies in some areas offsetting others. In other words, leadership is an art. Our "scientific" analysis of leadership's component roles is simply intended to highlight aspects that contribute to intuitively effective manager—leaders.
Total Job Model Applied to IS Manager—Leaders
The auditor should ask how the IS manager—leaders spent their time and the focus of their day-to-day attention over the last few months. If they were to arrange the five roles from least dominant to most dominant, what would that sequence be? Sequence the following list from 1 to 5, using 1 to indicate the least-dominant role and 5 the most-dominant role.
____ Lead Organization/ Set Direction
List any activities performed by the manager—leaders that do not fit in the above categories. Food for Thought: Would they be more effective in the next six months with a different dominant focus?
The five roles of manager—leaders enable them to accomplish their mission of transforming an organization to a dynamic culture. Exhibit 1.12 shows how the roles contribute to the twenty behaviors of a dynamic culture outlined earlier.
HUMAN RESOURCES/ EMPLOYEES PROCESSES
The Human Resources (HR)/ Employees processes merit more explanation because of their importance. Because they are processes, there are consistent steps that constitute the best way of doing each. Managing the processes, therefore, involves ensuring that the steps are followed properly. (See Exhibit 1.13.)
The quality of execution should live up to the goal of the resulting acronym of which the letters sing the tune, "Nobody does it BEDER" than those who strive to make it Better. The following five people processes are described in more detail:
1. Balance resources. This process consists of
2. Engage employees. This process consists of
3. Develop skills. This process consists of
4. Evaluate performance. This process consists of
5. Recognize contribution. This process consists of
Normally, a manager—leader is defined as "a person whose job includes accountability for ensuring effective management of employee processes and/ or business processes" to achieve business results. This accountability is normally accompanied with a shared responsibility for managing these processes.
Each element of the manager—leader definition is important:
So when the term manager is used, it is a shorthand term for a manager—leader whose job includes accountability and shared responsibility for ensuring effective management of employee processes and/ or business processes. The manager—leader could be a first-line manager, a general manager, a senior leader, or senior executive. The accountability is common to all of them. This is basic and is certainly not new. What is new is the fragmentation of the traditional manager's roles among several employees in many cases.
NEW ROLE OF THE MANAGER
What is new is the splitting of the traditional manager roles among several employees. Because of our teaming approach and focus on expertise, what was once done by a single person, "the manager," is now often done by several employees.
A useful phrase to describe this matrix of shared responsibility is "value net." Organizations need to build "network-savvy" IS manager—leaders who are totally in touch with how they create value and with how they create the network of relationships that constitute their value net. This network of employees, partners, and suppliers forms a different organizational construct from the one prevalent in many organizations today:
The fragmentation of the traditional management job among several employees is fundamental to the new construct. Examples of specialized managers include the following:
This phenomenon of splitting management roles is happening in many businesses as they move to a virtual, project-based construct. Since it is important to knit these roles together as seamlessly as possible, let's look at how some of them collectively form a value net for the five HR/ Employees processes. The example is drawn from a Customer Relationship Management (CRM) environment, although it applies generically to others as well.
SHARED RESPONSIBILITY FOR HR/ EMPLOYEES PROCESSES
Some Team Leaders (TLs) and their teams have reached a level of experience and ability in which they share or assume many manager—leader responsibilities. This is especially true when the TL's business and technical expertise allows the TL to lead the team on a day-to-day basis and the manager—leader's span of support is very large. Other TLs may be new and working with a team that is in its early stage of development; therefore, the manager—leader may need to be more involved. This spectrum of participation/ empowerment can be seen in Exhibit 1.14.
Exhibit 1.15 shows how the fragmented manager roles come together. The "Specific to Team" statement under the TL role in the chart acknowledges the impossibility of defining a one-size-fits-all role for TLs throughout an organization. There is a wonderfully diverse set of team implementations that should be unconstrained by decreed blueprints. The team leader might be the "Skills/ Competence Manager/ Mentor" described previously or some other "home-based" team which that person returns to between projects.
The role legend at the bottom of Exhibit 1.15 shows that "MGR" refers to the "profile-holding manager." This is the "Personal Development Manager" described previously, who is one of the prime IS manager—leaders described in this chapter.
In cross-functional teams, there may be multiple manager—leaders involved. Also, the leadership of the team will normally be shared among the TLs and the team members.
Are there any powers reserved for manager—leaders related to HR processes that are unlikely to be a shared responsibility with a team leader? Yes. Activities like administering compensation, hiring employees (making the final decision and offer), and managing individual performance issues seem likely to remain as manager—leader responsibilities. Regardless of the level of empowerment, the manager—leader is still accountable for Employees processes working effectively—with more and more shared ownership with others who have been empowered with the responsibility.
As with TLs, the implementation of new roles with processes such as CRM in the Sales and Services (S&S) organization leads to more sharing of the manager—leader's responsibilities. The manager—leader is still accountable to ensure that new processes are working—there will be multiple employees working with manager—leaders to accomplish the business results, but the process manager—leaders retain accountability for the processes driving those results. This partnering with others who share the responsibility for the Employees management processes is the essence of the change in the IS manager—leader's roles in the team-based and process-managed matrix of the newer organizations.
The five roles are built on a foundation of Traits and Attributes that are sought and expected in all manager—leaders including the IS manager—leader.
FOUNDATIONAL TRAITS AND ATTRIBUTES
As shown in Exhibit 1.11, the underpinning of any job is the personal traits/attributes of the employee. Examples of leadership/management traits include integrity, business judgment, courage, achievement orientation, and energy. These are attributes that a dynamic organization looks for in all employees. The following list elaborates these traits:
2. Business Judgment ("Smarts")
4. Achievement Orientation
These traits are important in everyone. Consider them as "gating factors"—employees must have them to be IS manager—leaders.
Dynamic companies look for the desired traits when employees are hired, since employees often exhibit them by the time they join organizations—think of them as a starter set of "givens" from some blend of prehiring nature or nurture. The desired traits need to be explicit, refreshed, celebrated, and valued in a reinforcing cultural environment.
Ways to Improve Traits/Attributes
If traits and attributes are important, how can they be developed and improved? To answer this, Exhibit 1.16 compares ways in which both skills and traits/attributes might be improved.
We should hasten to acknowledge that ways to improve both skills and traits/attributes are very similar. Selection is important to both. Fundamental to both is some form of unbiased feedback and interpersonal guidance. Experience is perhaps the major contributor in both arenas, given high-quality feedback and a climate that motivates one to change and improve. The personal desire to change and continuously improve oneself is essential for lasting learning to occur.
SPECIFIC SKILLS REQUIRED BY IS MANAGER—LEADERS
What skills do IS manager—leaders need to develop to accomplish their roles? The "Manager-Basic" skills template addresses the skills and behaviors primarily for the four "lead" and "manage" roles. Other skills templates more completely describe the skills needed for the "Do specific business tasks" role, so that role is not the prime focus of the Manager-Basic skills template. The fifty skills in the "Manager-Basic" skills template are listed within the manager—leader roles as indicated in Exhibit 1.17. At a minimum, manager—leaders must assess themselves against at least those skills identified as "key," which are capitalized in boldface.
Exhibit 1.17 is called a "Manager-Basic" template to acknowledge that it is a starting level. As stated in the Guidelines for Usage that are built into the online template, different organizations may elect to modify the required proficiency levels to reflect the expectations and requirements of their environments. Level 3 expects more proficiency than in the past and is an acceptable standard for most skills.
PERSONAL LEARNING SPARKS ORGANIZATIONAL LEARNING
It is in the customer's interests, company's interests, and the personal interests of IS manager—leaders to ensure their customer-valued skills are current. This ensures their personal mobility/employability since the ongoing rate of change impacts long-term careers in any one position. In addition, the credibility of IS manager—leaders is greatly enhanced by their professional competence.
Modeling lifelong learning is a corollary of this. IS manager—leaders benefit from self-examination, reflection on their personal purposes, and learning what gives meaning to their lives. On that foundation of inner strength, they build knowledge and skills that enable them to fulfill their personal vision/mission and associated roles, including those that are business related. This "inside-out" approach to leadership can be very powerful.
Finally, IS manager—leaders need to encourage the sharing of knowledge, expertise, and "lessons learned" from successes and failures. Only then will they have progressed from personal mastery and team learning to the organizational learning that raises the level of our combined pool of knowledge and experience, improving our competitive advantage in a dynamic company.
EXECUTIVE SKILLS VERSUS MANAGER-BASIC SKILLS
The Total Job Model shows executives' jobs with a wider band of "lead" and "manage" skills than for first-line managers. The skill templates for first-line managers and executives use the same foundational skills model. However, the executives' skill template has a higher proportion of "lead" and "manage" skills for the following three reasons:
1. The expected level of proficiency for an executive is higher on some skills.
Why would IS manager—leaders be involved in conflict resolution?
Because conflict in any endeavor that requires the interaction of two or more disciplines or, for that matter, minds is inevitable. As the complexity of security increases, the likelihood of differences in opinion and approach increases as a function of the number of variables involved and the amount of time required by the employees in their involvement during or after implementation of projects. Normally, these conflicts arise during implementation because of people's natural resistance to change, scheduling pressures, or initial perceived difficulty of the system to support existing reporting criteria or functionality.
What should the IS manager—leaders look for in conflict resolution strategies? The following answers this important question.
CHARACTERISTICS OF FORMAL CONFLICT RESOLUTION PLANS
Ignoring the inevitable means that manager—leaders will not spend invaluable time and energy dealing with emotions but will keep their focus on finding optimum solutions for the roadblocks. This is so because conflicts in an implementation can be opportunities to hold back, regroup, rethink, reevaluate, and take positive steps including the following:
These are important components in ensuring loyal, productive employees during the project and beyond.
How conflicts are resolved will bear on the relationships among employees and also impact the success of the implementation. Therefore, effective steps need to be taken to manage confrontations and ensure that only positive results are obtained as a result of them. Steps for effective resolution involve establishing approaches specifically geared toward the acknowledgment of differences between project team members and striving for these differences to complement each other by enabling or facilitating the team members to work interdependently instead of independently.
The foundation for building a strong conflict awareness strategy is acknowledgment by the project-managing principals (team leader, coordinator, executive sponsor) that conflicts will arise, but they have to be utilized as positive building blocks instead of letting them be negative energy that will debilitate the spirit and the success of the project.
The second premise is an understanding of the reasons that precipitate conflicts. These can range from the following:
Paradigm shift—Setting the right attitude for addressing conflicts in an equitable and humane manner will ensure that the benefits received are the benefits required. Recognition and acceptance of the opportunities inherent in conflict resolution will set the tone for the approach to be undertaken and allow for the free exchange of opinions and ideas that are necessary to ensure success in resolution.
A critical step in building conflict resolution strategies is a formal declaration to the team members of the probability of conflict, management's attitude toward it, and the mechanisms being established to cope effectively with the issues as they arise. This step amounts to "flushing out" a potential difficulty before it precipitates and eliminates the possibility of hidden agendas or token acceptance of the team activities or decisions. By declaring that conflict is inevitable and that expectations are set for positive and harmonious resolution, the employees involved in the projects will be less tempted to allow a question or concern to remain buried, which often allows difficulties to ferment and blow out of proportion.
The last and single most important step in building conflict resolution strategies is supplying the "why" in the desire for effective, timely, and complete issue resolution. This personal "why" may be supplied to the team members through:
1. A discussion of the quality-oriented benefits of conflict resolution.
FORMAT FOR POSITIVE RESOLUTION
First, establish the attitude and approach that both the team leaders and members are required to take. Then, present the structured plan for enactment of conflict resolution and the communication guidelines to be followed during all conflict resolutions to the entire team.
To validate the importance of the resolution tasks, the plan should be presented at the beginning of the project as a formal, written structure. People normally operate comfortably when the ground rules are clearly defined and understood by all players at the outset. By providing written guidelines, the misconception of different standards for different people is eliminated, putting all team members on comfortable communication ground with each other. This is a difficult task and is dependent on the quality and integrity of leadership at play because past experience has always indicated that lip service is usually the case. When people speak up, there can be repercussions, which is the main reason why conflict resolution may appear ideal in theory but improbable in practice and why it fails to secure the desired results.
In the verbal component of the conflict plan, the team leader should pay special attention to the use of "I" statements as a positive tool for clarification of the concept of organized, structured conflict resolution. Conflict is always integrated with emotionality, even if it is couched in totally professional, business-directed terms. By saying, "I believe," "I feel," or "I'm confident that our approach to resolutions will be positive," the leader is recognizing and affirming a personal emotional connection.
In a large team formation (e.g., twelve or more participants), it is more beneficial to use an Issue Coordinator than to have the project team leader assume the duties of logging, monitoring, and documenting each issue that arises. Although the team leader is the appropriate individual to present the issue resolution structure, the issue coordinator should then explain the mechanics and steps being used to ensure complete resolution. The ideal issue coordinator should be a team member with high company visibility and credibility with the other team members.
Using an issue log that adequately defines and categorizes each particular concern is absolutely necessary for organization of conflict resolution. These logs should be provided for all team members so that they have a tool at hand to address their concerns as they arise. The log, stating the description of the problem with the date and name, should be submitted to the issue coordinator who is responsible for the monitoring and follow-up of each particular issue.
The issue coordinator will want to create a summary log that becomes the "tote sheet" for all issues addressed during the implementation. This will become the final tool for the summary and tracking of all concerns that have been successfully satisfied throughout the project period.
When the coordinator has received an issue from a team member, the determination must be made relative to the "ownership" of the particular concern (e.g., if the concern is of a policy nature, the resolution would be referred to decision-making individuals within or outside of the team; if the concern is procedural or system based, then resolution is "owned" by the project team members themselves).
The issue coordinator assigns team members to the task of examining, discussing, and offering viable, mutually agreed-upon suggestions for the resolution. The members selected for the resolution should be composed of representatives from the departments or functions directly impacted by the issue raised. As an example, consider a system-use issue. This would be the responsibility for the creation of product masters. The issue could be, "the input data for the creation of the Master—should it be accounting, purchasing, or engineering?" Only the representatives from each of the applicable departments (i.e., accounting, purchasing, and engineering) would be ideal and therefore should be empowered to examine, discuss, and make a preliminary resolution.
During implementation, conflict also surfaces that involves business practices currently in use, either between or within departments. An example could be a case in which a production manager is concerned about the time it takes purchasing to cut a purchase order after the request has been made. The purchasing manager may be concerned about the increase in costs that results by reducing time. Each party is trying to serve individual department objectives at the expense of the overall company objective for the delivery of the required product in time to meet company requirements of being reliable and competitive in the marketplace.
This is an example of a common issue that, while not necessarily system related, might surface during system implementation and is therefore appropriate to address during the project. In this case, the issue coordinator would assign the two persons most closely affected by the issue to effect the resolution. In cases in which the issues to be addressed do not have the appropriate department representatives, the issue coordinator should solicit the appropriate department management to provide the appropriate human resources to complete an adequate resolution.
After assignment for the discussion of every significant issue has been made, time frames should be developed for discussion and brainstorming, if necessary, and resolution suggestions. The time frame must be pragmatic with reference to the workload of the other team members but should establish a sense of urgency and progress in the timely resolution of all issues.
Once the team members have been assigned to each issue, their preliminary resolution should be brought back to the team for review and acceptance. To explain the mechanics involved in the decision-making process, the team should provide the "what-if" scenarios to assure team members that realistic expectations are being sought. These review periods can be at the start or end of the day, during a reinforcement session, or during regular-scheduled project team meetings. However, the consistency and the seriousness with which they are held are what determines the confidence and respect that they instill within the project. Moreover, the benefits derived from bringing the preliminary resolutions back to the team for their review and acceptance range from the possibility of resolving latent conflicts unenvisaged previously, such as internal departmental problems no one could address previously because of the political nature of the beast; the support and validation to those involved including important feedback to their efforts; and an example of the value of "growing up pains" to the rest of the team. This awareness of "growing up pains" is especially important because it creates a culture of objectivity and reality that issues and conflicts, which are either system or business related, can and will be resolved many times with persistence and patience. A journey of many steps, one forward and three backward, is the prerequisite for accepting small failures in pursuit of continuous improvement strategy, which is the most, if not the only, important strategy for conflict resolution.
If a conflict or issue has not reached a satisfactory, preliminary resolution in the initial discussion between the assigned team members, it is important to reach a tentative compromise while attempts to try to develop a resolution satisfactory to all continue to be synthesized. During this process, the environment should be expanded to include additional input and monitoring by other persons who may provide valuable insight. This may include technical support, management representation, or input from the issue coordinator. However, it is still important to have the original team members lead the discussion, thereby reinforcing the intent and value of the original assignment.
When the resolution strategy is initially outlined to all the team members, particular considerations in conflict examination and resolution should be presented, and any adequate explaining should be done at the onset. By providing a set of ground rules to be followed in their meetings, the participating team members will be more apt to stay on task, and the time spent will allow resolution to be reached more quickly and completely.
The rules for effective conflict resolution address behavioral styles in all possible emotional interchanges and provide a self-monitoring check to ensure the open and free exchange of ideas without having the problem of lingering negative repositories.
The rules for effective resolution are as follows:
1. Discuss for resolution, not for the intellectual exercise or just for the meeting. This is an insidious, covert practice that sometimes develops when team members seek attention or attempt to regain control that they may feel is being lost because of the system changes. The issue coordinator should verify the existence and validity of the concern in question through thorough questioning techniques before accepting the assignment. By ensuring that this is the first rule for resolution, petty issues are more likely to disappear.
2. Discussions should concentrate on one specific topic at a time, without floundering and straying into other areas. During the discussion, if other concerns surface or are highlighted that may have a bearing on the original issues, they should be brought to the coordinator's attention, logged, and assigned as a separate issue or concern for resolution. Limiting the scope of each discussion prevents issues from being resolved adequately and in a timely manner. It also causes interference with the specific goals of the meetings.
3. The technique of aggressive silence should be employed. This ensures that each person concentrates on listening to the viewpoint and input of the others involved. No "overtalking" or interrupting should be allowed, so that each participant gets an equal opportunity to state their viewpoint openly. A good rule of thumb is that the number of questions asked by each person should be equal to the number of statements each is making. The questions should help to gain clear understanding of the other person's point of view and to elicit and examine all aspects of the situation surrounding the issue. The objective is to avoid presenting only one side of an issue and not "digging in" for an understanding of the other person's perspective. This increases the chances for positive and complete resolution of the underlying issues.
4. Only positive-response body language should be employed because normally potentially high-quality communication is reserved more by what is seen than by what is heard. Employing positive-response body language means using open, receptive posture and presenting to the other person(s) a face that is free from judgmental expressions. It is also helpful to review the following considerations to keep a conflict discussion focused on the goal of resolution that is in line with the company's operational and managerial framework. The questions to be addressed in effective conflict discussion are as follows:
The exercise of examination and discussion, when focused completely on resolution, may contribute to the company not only by facilitating system integration but also by improving the efficiency of business practices, raising the levels of communication, and increasing the level of company loyalty and employee commitment.
Please bear in mind that this is a review for the auditor. Depending on the nature of the conflict, the resolution process may require far more sophisticated procedures such as diffusion before conflict resolution can be addressed. In such a case, it becomes the auditor's responsibility to communicate the existence of such tension in the workplace. In all cases, evaluating how conflicts are managed and resolved adds value to the client's management function.
Dynamic companies need IS manager—leaders. They need IS manager—leaders who are change agents committed to their transformation to a dynamic culture and who inspire that commitment in others. They need IS manager—leaders who collaborate with their global colleagues as they pursue their customers' long-term loyalty and the attainment of their short-term business results. They need IS manager—leaders who understand the big picture, see their roles within it, continuously improve their skills, and coach and mentor others' learning. They need dynamic IS manager—leaders who know how and when to lead, manage, and do and are role models for a dynamic company's core values. Dynamic IS manager—leaders enable dynamic organizations! See Exhibit 1.19 for a summary of the IS management process.