Tuesday, October 20, 2009

Oversight or Out-of-sight

How many of us enjoy having someone look over our shoulder as we do something? It’s like having a back-seat driver. In one of my favorite Dilbert cartoons, the pointy-haired boss looks over Dilbert’s shoulder and commands “Move the mouse… up … over … more … now click it! Click it! NO!!! YOU FOOL!!!” to which Dilbert says “This has ‘long day’ written all over it”.

“Go away!” That’s a fairly common theme in IT projects: just let us do our stuff and we’ll get back to you. What can happen as a result? A deliverable that doesn’t meet the needs of the business partners, runs over budget, comes in late, or some combination.

An effective oversight or governance process can help avoid or at least minimize these pitfalls. This is especially true for RBAC. What kind of structure works best? It depends on your organization, but here’s a fairly basic example that you may be able to work with.

Steering Committee – This group of high-level managers and thought-leaders should represent every business unit your RBAC effort will cover. They should make the ultimate decisions regarding the scope, direction, cost and timing of your project. However, that doesn’t mean you let them do all the work. They should expect that your project team will present recommendations to them. These are the approvers, not do’ers.

Working Group – A group of leaders at a lower level than their Steering Committee counterparts. These are the do’ers that your project will need when it comes to getting work done with business representation. If they can’t do the work themselves, the Working Group members should point you in the right direction. This may be a slightly larger group than the Steering Committee as some business areas may not be large enough to have their own Steering Committee representative. You should get representation for them on this level.

In addition to the usual project management benefits, here are some reasons having a governance process in place for your RBAC project will help.

  • Your project immediately gets visibility in the business. Without so much as lifting a finger, you’ve created one component of a communication plan to your business partners. For a security project, that’s pure gold. Your project is no longer ‘off the radar’ or out of sight.
  • There’s always a lot of scrutiny on security projects. A strong and effective governance model is a key part of the overall SDLC. It will show that the project has adequate management control. It also minimizes the impact of Monday Morning Quarterbacks who want to go in after the battle and shoot the wounded.
  • Having a “seal of approval” from your Steering Committee goes a long way with the people that control funding. Benefits of security projects are usually soft (e.g. “better security”) and more difficult to justify. When it comes to a choice between your project and another for those precious capital funds, every edge you can get is critical. A visible and effective governance model can show that there is wide support for your efforts and that the project is more likely to make its budget and time constraints. This can help the money brokers justify their investment in your project.
  • You are going to need knowledge experts within the business units for role mining, role creation, ongoing maintenance and general support. A well-formed governance model can readily identify the most appropriate people in the business to assist your efforts. This group can also help prioritize the implementation, getting the maximum political and economic bang for the buck.
  • Your governance team will turn into evangelists for your project. They can assist in your communication plan, often paving the way with the ongoing passage of information about the project to those in their business areas. Use this benefit in creating your team. Select or suggest participants who can leverage their communication skills and position within the business to further the project.

For bad spellers and IT projects, ‘governance’ and ‘oversight’ are often four-letter words. Don’t let your RBAC project fall victim. Embrace governance and oversight and leverage the benefits for a healthy return on your RBAC investment.
