Delivery Documentaries are a behind the scenes look at how our Enterprise Architects (EAs) in the field perform Value Realization activities for customers. The documentaries are raw and real, and the purpose is to share what actually happens on the ground. They are always a learning opportunity, and we hope that over time we can help bridge the state of the art with the state of the practice, and continue to move the ball forward.
What steps does a company take after finding out that large amounts of IP have been leaking into the hands of competitors? This example, provided by Sree Sundaram, describes how a Microsoft Architect helped a business create a strategy for protecting information.
This is a Delivery Documentary of an engagement led by the Microsoft Enterprise Strategy Program (ESP), which provides services to help customers realize the most value from their technology investments. In this engagement, an Enterprise Architect helped a client create a strategy for changing employee behavior and business processes to stop IP leakage and support robust IP protection.
Though the IP protection strategy that was developed had technical underpinnings, this engagement was primarily about
Over the years, Contoso has witnessed their IP gradually leaking into the hands of competitors, and management has recently become aware of large releases of confidential material in very short amounts of time. Problems with IP protection have affected customers, partners, employees, and governing agencies on a global scale.
The company was in the process of deploying new productivity software and a collaboration platform, and IT had addressed the technical details of protecting data at rest and in transit. However, because IP leakage had previously occurred in similarly protected environments at the company, the stakeholders began to focus more on people and processes.
Contoso needed a business strategy, not a cyber security solution. Not only was technology maturity required for IP protection, but the business wanted to know how to change people and processes at the company to ensure adoption of new technology, and awareness of and adherence to policies. A strategy, an envisioned target state, and a roadmap were necessary.
I did an extensive survey of Contoso, encompassing all global employees in different divisions and different roles.
To begin, I had access to the members of a business liaison committee that had been established for an earlier project. I met with each of the senior directors who made up the committee and described the help I thought was needed, and how I could represent their interests while addressing business goals.
The directors adamantly wanted to work from a business view, not from an IT view. Supporting this, I explained the methodology and strategy I would use to improve IP protection in light of business requirements, employee behavior, and operations.
I met early, and often, with the Chief Security Officer (CSO) of Contoso. I pledged that the conclusions and advice I offered would be rationalized and based on facts, and that I would present all assessments and recommendations to him so he could discuss them with his team prior to wider distribution. During the engagement, I was also able to facilitate and improve his access to the IT team regarding the status of the work. As a significant stakeholder in the engagement, it was important to be able to build trust with the CSO and his team.
While independently meeting with stakeholders, I found that many employees were worried about their work being misrepresented by others, especially in regard to responsibilities for protecting information. In my role, I was able to have separate discussions, outside of formal workshops, to effectively gather information from employees who might otherwise have been reluctant to share ideas or point out problems.
Taking a business-focused approach was critical, even though IT was a champion of improving information protection. Prior experience with IT had left many business divisions feeling that their business needs were not being addressed.
I held several workshops, with different groups of stakeholders, to determine their business perspective of information protection. How did information protection and stolen IP affect and expose them? There were many stakeholders with differing views, but after our workshops, all participants were able to more clearly articulate their requirements and better participate in the entire conversation.
The stakeholders responsible for data classification at Contoso were interested in meeting to discuss how Microsoft performed data classification. We held a workshop about our methods, the challenges we faced, outcomes, and our place in the journey.
The legal staff had originally done the data classification work for the business. After I developed a more detailed data assessment survey, the staff was able to enlarge their vision of the work necessary, and requested that I assist them with implementing improved data classification methods.
Given the information that we had gathered, we assessed the maturity of Contoso's information protection when considered against various models.
We assessed using models from Gartner and Forrester, as well as using the Microsoft Enterprise Information Management Architecture, and determined the maturity ranking, and a target ranking they could realistically strive for within a short amount of time.
Bringing in a team of SMEs, we determined how IP and information could be protected on-premises, and as the enterprise moved to the cloud. We created a Proof of Concept (POC) that detailed the target state, including a roadmap, value points, and deliverables.
As part of the POC, we provided insight from experts from MSIT about how Microsoft protects information and IP, and showed how Contoso could adapt our processes given their maturing capabilities.
After the POC was delivered, we held a workshop on the next steps. Participants included senior executives, the CSO, business stakeholders, legal, and IT. We were able to deliver a consistent message about implementing the recommended strategy and meeting requirements for information protection while expanding business operations to the cloud.