Process and the Security Organization
Posted on Mon, Jul 25, 2011
We had Ron Worman from The Sage Group interview the Global Security Manager of Mentor Graphics, Robert Klohr, to understand his perspective on ‘The Process Problem’.
An Interview with Robert Klohr, Global Security Manager of Mentor Graphics.
Mentor Graphics® is a leader in electronic design automation. They enable companies to develop better electronic products faster and more cost-effectively. Their innovative products and solutions help engineers conquer design challenges in the increasingly complex worlds of board and chip design.
As a result, since 1981, Mentor has built a billion dollar company, with over 70 offices worldwide.
Within Mentor is a security organization that has been transforming itself over the last 10 years. Robert Klohr is a key leader in this organization, providing a critical role in the security ecosystem both inside Mentor Graphics and within the security industry. Mentor encourages him to work with his service and technology partners to provide them insights into the unique needs of a security organization. By taking the time to do this with partners who want to listen, he has helped improve their responsiveness and their value to Mentor.
One of the first things I did was ask Klohr to define ‘process’. Instead, he helped me understand the place in the security planning architecture where ‘process’ resides.
Klohr would be the first one to underline the need for security to understand the business, so he stresses this alignment as a precondition of the architecture. After that, he delineates the three ‘P’s that define his security program:
• Policy
• Procedures
• Processes
According to Klohr, Policy is the most authoritative of the three, creating the mandatory and discretionary standards of the program. Procedures are the sequential steps to complete a task. Processes are a set of procedures to accomplish a task.
It is also important to differentiate between processes. In most cases, processes already exist, and as an executive you attempt to review how those processes and the people within them are achieving the desired outcome. What Klohr has found is that the processes that seem to be underachieving are the ones that most often need a formally documented process and new KPIs. The key questions in making that judgment are:
1. What is happening? (As-Is Baseline)
2. What is supposed to happen?
3. Where is the Gap?
To answer these questions, you start with the stakeholders and the owner of the process outcomes, then work through the tasks and deliverables (the SLA) at each point in the process.
Klohr’s whole point is that you are not creating new processes; you are refining and tweaking existing ones. If your company has been around for a while, your people are already doing work within a process, documented or not.
Klohr has provided his team with a template that takes them through process refinement, from assessing their current process, to recognizing the gaps, to final documentation. All of Mentor’s processes are digital (generated in Microsoft Word). They are stored in an online portal built on Microsoft’s SharePoint application, so if any group wants to refine or document a process, they can find within the SharePoint libraries a template to walk them through it. Once a process is submitted, it goes through a review that tracks changes to the document and the versions of the document. Any significant changes are communicated back to the team. If the refinement is critical, Klohr may choose to have the process deployed while it is still being refined. This reminded me of a software release process that presupposes frequent iterations with a user community that is receptive to being part of the change process.
This is a great segue to the term ‘strict process control’ referred to in the last article. Klohr emphasized that every security policy is reviewed annually or as needed. But to him, ‘strict process control’ sounded like a manufacturing process within a product division. Inside Mentor, they are attempting to take advantage of the economic, process and technology benefits of shared practices between IT security and physical security. For their group, the term that would apply is ‘compliance’. Every policy, process and procedure helps Mentor achieve compliance with their goals and their standards, so a process that is not achieving that goal is not complying with its SLA.
How does he enforce compliance? “I believe the penalty for non-compliance is education to ensure conformance,” said Klohr. “I want to assume that everyone wants to comply and, if they didn’t comply, they either didn’t know the process or they made a mistake.”
At the end of the day, Klohr and Mentor want a “repeatable, sustainable, highly efficient operation”. The more educated and informed the workforce is, and the more easily accessible the critical information it needs to perform, the easier it is to support that workforce, which is the lifeblood of the company. And the workforce is never static; it shifts with the economy. Security needs to provide highly intuitive ways to get to the information at the time of need, in the context of the process, and in a form that any employee can grasp and run with.
When does Klohr provide metrics for a given process? He would say that some processes take more time to document than they are worth. He offered an approach to guide you in making that decision:
1. Capacity?
a. Do we need to measure to understand how much or how little we need to do something? An example would be the badging process. How many badges do we process?
2. Process Efficiency?
a. What is the average time from start to finish and do we believe that understanding that metric might save us money? Using the badge example: What is the average time it takes to go from badge creation to delivery?
3. Quality?
a. Is this costing us? In the badge example, redoing a badge takes time and money.
The answers to these questions may lead you to commit resources to better understanding the process and proceeding through the change process. Or you might simply postpone or ignore it.
In summary, Klohr would agree that taking your security organization to the next level is contingent on many things, including how you think about the architecture around your plan:
• Alignment with the business mission and vision
• Policy
• Procedures and
• Processes