Today, Mark Curphey posted about Tenets of Effective BPM. He lays out five high level principles for doing business process management. This is really great stuff. It’s so good, in fact, that I’m going to quote a huge chunk of his post here:

1. Understand and Document the Process
   Effect: Implement a Structured and Effective Information Security Program
2. Understand Metrics and Objectives
   Effect: Understand Success Criteria and Track Effectiveness
3. Model and Automate Process
   Effect: Improve Efficiency and Reduce Cost
4. Understand Operations and Implement Controls
   Effect: Improve Efficiency and Reduce Cost
   Effect: Fast and Accurate Compliance and Audit Data (Visibility)
5. Optimise and Improve
   Effect: Do More With Less
   Effect: Reduce Cost

Notice that none of the above is specific to security, but if you apply them you do get security and compliance benefits. Also, you recover cash for use with other projects without having to ask for more cash, which always makes you more popular with the CIO and CFO. Perhaps most importantly, this type of behavior enables you to demonstrate that IT Security is taking on a business oriented focus, which is good for your career and for raising the exposure of InfoSec at the executive level. It’s like the old maxim, dress for the job you want to have; you have to act like the executive you want to be treated as.