This is Think Tech Hawaii, Community Matters here.

Hey, aloha, and welcome back to the Think Tech Hawaii studios. This is Security Matters Hawaii and we are blessed today to have Moses Anderson with us. Put on your big thinking cap because we're going to be talking about the process approach. This is something that was adopted by ISO. It's a standard way to work on your management practices and it's seen widespread adoption. Moses is going to talk a little bit about a way he improved upon that force in the second half of our show. Moses, thank you so much for joining us today and taking time out of your busy schedule.

I'm so excited to be here. Thanks for the privilege.

Thank you. Thank you, sir. So this was, I had to go do some reading and a bit of studying for this topic. It's definitely outside of my domain. So maybe can you take us back a little bit? Actually first, give our guests some of your history, I think. Just to kind of get as much as you feel like sharing to kind of give us a feel for how you arrived at this position in the industry.

Absolutely. So I actually like to start only from 2013 so people don't know how old I really am.

Okay.

It's my new strategy. But in reality, for about 20 years, I've been in the field of information security. You know, I started out just like most people. I was a programmer, systems engineer, network administrator. I did all of the techy stuff, hands on. I thought that was life until I figured out that actually managing the processes behind the tools and the people is of more interest to me. And so I went back to school and got a Master of Science degree in information security. That's what the degree is. But in reality, the true description for it is a Master of Science degree in secure digital business. And so I got to study a lot of intellectual property law, a lot of management system principles, critical thinking, international law around privacy and all whatnot.
And as much fun as it was being in the academia doing a ton of research in the application of, you know, cryptographic technologies to privacy and video management, I figured I needed to go out to the real world again. And I'm glad that I did. And so I did consulting for Fortune 100 companies in building security management systems. However, as time went on, it became apparent that my forte was actually not just talking cyber security and privacy. It was actually the thinking process behind it, which we call the Celebrated Process Approach. Now the Celebrated Process Approach was what I do to my company around in the year 2013. So I started a company called Shield IS. I had the name before I had the idea. So the name security was already in the name, which is Shield IS for information security. But by the time the company started, I was applying this fundamental principle to management systems that is called the Process Approach.

So for those who aren't familiar with that term, it turns out to be that 95% of management systems in the world run on this principle, this way of thinking, this paradigm that is called the Process Approach. And what the Process Approach is really is that whatever business we're running, whatever product we're building, we always have an objective in mind, you know, what we want to accomplish. And in order to accomplish whatever that lofty goal is, we do it by set up processes. And those processes, they look random, they look disconnected, but in reality, if we look well enough, they are all interrelated. And if we can understand the working of their dependencies, doing it, making it about the process, not the ego of the people, making it about the process, not the limitations of the technology, we will build a management system that will outlast the people and see the evolution of technology while always delivering the objective or the purpose for setting up the business or implementing the tool. So that is what Process Approach is.
However, the thing about the Process Approach is a lot of us who have taken time to understand it. We understood it because we went to school for it. We understood it because it's largely the way people think in the academia. And when that gets exported into the real world, no one is talking about the theory, people are just talking about the outcomes. And so people are about to be indoctrinated on how paradigms like the PDCA works, you know, plan, do, check and act. People understand such models for continuous improvement without necessarily knowing the process approach behind it. It gets convoluted very easily and already to spend five years or six at the university studying in it. And so what happened to me in the year 2012-2013 was I decided that I was going to simplify the process. The way that I understood it, someone challenged me. He said, whatever you know, if you can't teach it to a five-year-old, you don't know it.

That's a good principle, actually. You know, I've heard that before, so it makes sense.

Absolutely. So I came up with this visual that I call the PAVE methodology, which stands for the Process Approach Visual Expansion. And so basically it was a way of distilling this amazing mindset, I mean, amazing paradigm into the one-page visual. A one-page visual with three big boxes and six smaller ones with two arrows pointing to each other. And it tells you the story of the process approach from A to Z. And by looking at it, if you look at it with the right kind of explanation, if it's handed to you as a tool, you can go ahead and build a management system, whether for security, whether for service delivery, whether for quality management, whether for business continuity, whatever it is. And that is exactly what ISO has done. ISO being the International Standards Organization and the IEC, which is the counterpart, the partner of ISO that throws out these management systems. That's what they've done.
They've taken the process approach and applied it to various disciplines that we go in and out of on a daily basis. You know, every day we're talking about cybersecurity here, privacy there, business continuity, even treasury operations, management and all of these other fancy business areas. And the process approach fits for everything. You know why? As long as you have people who require processes to accomplish their objectives and need tools and technology in the process, you can apply the management system process approach to them and it will fit just right.

The advantage that I got out of it immediately was even though my company started only in 2013, before the end of 2015, I received offers to sell the company because of the intellectual property that we had built. And by March of 2016, less than three years after starting the company, just a little less than three years, I sold the company. And that's the beauty of it. The people who bought the company saw an intellectual property that is not only portable, very applicable, and through that they developed other management systems. And one of them I actually championed the development of, which is a management system for IoT, for the Internet of Things. And so the management system principle or the process approach speaks for itself. There is nothing else like it in terms of acceptance, in terms of fruits that have come out of it. Like again, I said 95% of management systems in the world have almost 92% to 93% of international standards are actually built on this process approach. So that's what I've been doing and I want to keep doing this because I see that it helps people and it helps me too.

It's amazing. You brought up the human ego component that can get in the way.
So was that something that caught your mind whereas if the process is built and adhered to, because it's essentially outputs feeding into inputs which create more outputs and so you're moving sort of in step or linearly through a process, but ego can make someone look at an output and decide, oh, that's not what I thought it was or they interpret it perhaps the wrong way. And then you've got a broken process. Was that something that you saw in this? I mean, I can see the story where the human element is sometimes good, but when you want something's known and how to do it is clear, humans oftentimes should be left out of the way.

Oh, absolutely. No, you are absolutely correct. So what I tell people is we don't need people. We need roles and responsibilities. Because if people are not broken down into roles and responsibility with commitment for policymaking and oversight, what we have is chaos. A friend of mine challenged me. Yeah, a friend of mine challenged me. I think it was around 2012. He said that he's understood that what ruins our businesses and our ability to achieve our objectives is an acronym that he calls FEUD, which stands for fear, ego, uncertainty and doubt. Whenever people don't see clearly, they become afraid. Most of us are afraid in the dark. And when we're constantly in the dark, we don't make the right moves. We make moves that make us look like we know what we're doing when we don't know what we're doing. When somebody calls us out, then we bring out the ego. We keep insisting that we're not going to change our methodology even though it's not delivering the right results. And the way to get fear, ego, uncertainty and doubt out of the way is to introduce such a system of transparency. You see, the PAVE methodology, pun intended, actually paves the way for the right kind of thinking because it lets people see the reason why they are where they are.
And so if I'm in a company and I'm the chief information security officer, I don't have to be threatened by my director of security. I don't have to be threatened by the CIO because I know his roles and responsibilities, he knows mine. We have a risk management process that is well-defined such that each one of us knows the areas of risk that we are owners of, the control owners that we're working with and the process owners that make those controls a reality. Once everybody knows what they're doing and the processes are well-defined, guess what? When they're well-defined, they are well-supported. And when they're well-supported, you enjoy more of what we call consistency in execution. This thing is as simple as ABC. And when people adopt it, the question is always, what took us so long? How come no one is telling us it can be this simple?

Can you take this one page, this one visual, and put it on like a pair of glasses and start to look at the development that you've been working in and the products and tools that you've been developing and things which just are becoming more and more apparent?

Now, Andrew, let me say this. When I started, I started with one visual. And that visual, I was able to apply it to ISO 27001 because that was what most people needed me to do at the time, cybersecurity. But since then, I've been able to map ISO 27001 to ISO 29100, which is the privacy principles, the international standards for privacy principles. I've also been able to map that to 29101, which is the integration guideline for privacy. So a lot of people build tools like base makers, they make up like watches that are smart watches and smart trainers. And all of these things gather sensitive information that are personally identifiable, personal health information. And you don't even know how to integrate privacy principles into those things. How much information is too much? How much information is too little? So who do we report to that we're collecting this?
Those things just become so vague. And when people don't know, they make up stories. Or they make up stories that things fall through the cracks. We call them the bad guys. Well, they're not bad guys. They're just not aware of the real deal. And the real deal is adopting the manager principle that actually guides you. I mean, it can put your business operations in cruise control because everybody that comes in, comes in and they already see the path that's been set for thinking, for innovation, and as well as maintenance of whatever it is that we create. So this is not just there for creating things. It is also for evolving the maintenance culture that provides the right training and awareness because everyone within your management system then becomes empowered to become a trainer because they understand that process is enough to tell somebody else.

Yeah, and that documentation is a piece often, just at my level with security, a physical security facility, you walk in and there are no policies and there are no guidelines. And it's like as if everyone's supposed to know what to do and somehow magically divine it from the ether. And of course there's confusion when something occurs which slows down response times and maybe people get injured or more people get hurt than could then should have. So it's a big piece. This process engineering plays into human lives and human safety and security more so than people probably understand or think about. And I'll tell you what, we'll take a break but it's funny when we come back, I'd like to, we'll talk a little bit about what stops people from doing the planning. So we'll take a break. We're going to take about a one minute break and pay some bills and we'll be back with Moses Anderson in just a minute.

Hey, welcome back to Security Matters Hawaii. We're here with Moses Anderson and we're going through... I think he's spoon feeding us the process approach and he's given you what's important about it so I hope you're paying attention out there today. I had a question about this because oftentimes you get with an organization and you find that they haven't done that base work. You know, there are no policies. They haven't approached a business. It's like, let's open the doors and everybody do something. Which is chaos, like you talked about. Maybe it's just a gift for some people and not for others. What is it about the development of process and procedure? I don't want to talk about the following it because that's a discipline issue. Human resource problem. Developing processes, implementing them, testing them and then keeping them updated. You walk in places and they got the process they built 10 years ago sitting on the shelf and no one follows it anyway. It never got updated. What do you see that stops people from doing it the right way? It's written how to do it. It's not that hard.

Absolutely. No, no, no. I'm telling you.
Clearly, Andrew, you are someone who sees the problems on a daily basis because you just went straight for one of the biggest problems that this process approach has been able to solve. So the reason why we don't take steps when we are in the dark is because we don't see. So when you're in the dark you move very slowly and sometimes you're not even going to take the risk because I don't want to hit the wall. So the reason why people don't create the plans, the reason why people don't implement the processes, if I, let's even go to the very basic one, the reason why people don't create documents that they can continue to develop, evolve and follow, the reason why is because people don't know what to write. People find it daunting to just create a manual. It's like you're trying to turn everyone into an author of books and not everyone has it within them to just creatively write stories.

But when you hand people the process approach then it becomes very easy. Just look at each box within the process approach and write something about it. So go to your people box. So how many people are responsible for maintaining all the IP cameras that we have? Well, then easily we can take it. The people responsible will be the logistics manager, the physical security director, director of IT. These are the people involved. You have about five or six people. You don't have to write them. They just write their roles and responsibilities. And then the next thing you move to, what do they do? Oh, director of facilities is responsible for working with third parties to make sure that the right spec of cameras are implemented. The IT director is responsible for making sure that the right security patches are applied to the cameras and they're behind the right firewall. Before you know what's going on, by just looking at the people and their roles and responsibilities, you've already gotten 80 to 90 percent of your process spelt out. And then you do what?
You extract the processes, you put it in another section and then the question is, okay, when we're doing this, what do we use? Or when we're doing this, we use this mobility server. Okay, so this mobility server, what are its requirements? Oh, it runs on Windows, it needs patching. Okay, what about the capacity? If we take it like that, we would have gone from identifying the people responsible to what they do and the processes that formulate and how those processes relate with one another and then end up with the tools and the operating environment that we've created, and then it becomes all inclusive.

Everyone participates, and when everyone participates like that, it becomes like a team building exercise. When you tell people after six months, hey, how about if we review that document that we created together, it's always like, yeah, because it's a time for them to engage together again and it's their child. They created it. Most of us, in our right minds, when we have a baby, we don't leave them in the hospital, right? We bring it home, we want to rock it every time. And that is exactly what happens when you give people an opportunity to create documents that describe what they committed to, that also helps them for continuity so that when they're not there, others can look at it and see clearly what's been going on. And so you hire someone and in a matter of weeks they're already doing the job as well as you would want anybody to do it. And so the reason why people don't plan, the reason why people don't write, is because if you just put them in the dark room, nothing's going to happen. Change the light, let them see the simplicity of it. Once it's simplified, everybody becomes a champion.
I was wondering if it was maybe just a throwback to not giving them enough writing assignments in school. When they're grown up, they let you write a page or write two paragraphs. When you lay the steps out, you know, filling that with words, you start with words or bullets and that can become sentences. It's pretty straightforward. I'm overly verbose. My problem is I write too much stuff in there and everybody's like, oh my gosh, we need to thin this down. But it's okay to have too much and you can always edit some out. I don't mind having ego in and I just write it. It's interesting. I've witnessed this in team members before that, and I don't know that they're always in the dark, but definitely there's a bit of a pushback for the writing piece. Especially, what about salespeople? They never want to write a sales plan. Why, you think that's because we're going to stick them to it?

So the thing is, the thing about the process approach is, as structured as it might be, it also leaves room for lots and lots of creativity. And it leaves room for creativity, it leaves room for what we call brilliant, for being able to borrow what other people have done. You see, because the process approach is a very defined process, it's a paradigm, I can actually go online and download a template that was written following an international standard built on the process approach and tweak it just a little bit, and then it becomes speak for my purpose. You know why? The guys who built it, their problems, or the problems they were trying to solve, is not unique to them. It's just that now they've created a solution in the language that I speak. If we all speak the process approach language, we never have to reinvent the wheel. I can take the documents that you have written around configurations management, take configurations that you have written around the improvement of performance within sales cycle. I can take that which you have written and then apply to my environment simply because I start with what you've
defined and I look at the several roles that are within your sales cycle and I'm like, no, we don't have two of those roles, we only have five, but their responsibility is I can distribute it over these other people. Now these people try to review their script every six months. Why are they doing that? And then when you look at the reason why they're doing that, they're like, oh wow, that's why they're doing it every six months. We need to review our scripts every three months. You see, when you give people building blocks, even little children, you give them little Legos and they'll build your house. So when you give people building blocks, which is what process approach force them that they continue to build.

Now one of the things that came out of this is, you know, there is this thing that is called the documentation pyramid that starts, it's a triangle of the pyramid that starts with policy, procedure and then work instructions. Some people call it policy, guidelines and procedure, whatever I'll ever grant you like you want to go. You see, the first time we used that, before applying the process approach methodology, it was always daunting to people because people are like, can't I just write one document? Do I have to say this one is policy? Do I have to say that one is procedural? Do I have to say one is work instruction? But guess what, by the time we applied the process approach to it, we came up with something that is called the EDHP, which is the Enterprise Documentation Hierarchical Pyramid, which allows for you as an individual within an enterprise to see your roles, your responsibilities and the tools you need, the people who depend on you and the people that you depend on, in one visual.

Wow, and that makes it understanding your role and how it contributes, we're big on that in our organization. You know, Christine is very process oriented and she writes everything and makes process a bit along the way and she actually has the team responsible do the writing as you've thought about
because she wants them to understand how their role plays into the greater role of the company and how each person's role benefits the other department perhaps, or the efforts of the other department, or whatever it may be. And it's been very powerful to watch. I didn't lead like that. I was the sort of top down guy, and nobody leads like that anymore. That didn't work. So it was great when Christine took over and actually brought in a methodology called Traction. I don't know if you've seen Gino Wickman, but it's a very structured way to do what you're doing. It's not the writing of the process but managing with a process in and of itself that everyone understands and contributes to the organization. It's been going on for years now and everybody depends on it. It's amazing when you, it's like you said, when you come out of the darkness and you're in the light, it's like, wow, this is so simple, why didn't we do this forever?

Exactly. No, absolutely, that's exactly what value we get out of it. Now since you're talking about performance, you see, when it comes to performance improvement, people have always relied on disciplines like, you know, Six Sigma, and then you have people bringing in Six Sigma Black Belt. Do you know that at the very core of those disciplines, at the very core of those products, they are process approach methodologies? About five or six years ago I onboarded a Six Sigma Green Belt. She came and within six months worked on two projects for me. One of them was the quality management system and the other one was an integrated implementation of security and service delivery. And by the time she was done at the end of the six months, she said to me, everything that I've learned in my Six Sigma Green Belt now makes sense. And you know what my response to her is? I said to her that I will give you the permission to use the outcome of our project, these two projects that you've worked on, and the project plan to submit a proposal to Georgia Tech for them to give you Black Belt. She thought I
was kidding. She did it. The very first submission she made, within a matter of days she got her Black Belt, because everything that we talk about when it comes to process improvement, performance improvement, quality improvement, any one of those things that has got to do with improvement, what you need is a good understanding of management system with a tool like PAVE and standards like, you know, the myriad of ISO standards that we have out there. See, the shortcut to it, I tell people, you don't have to reinvent the wheel. Whatever discipline within your organization that you're trying to improve, find an international standard that is built on process approach and they'll spell it out for you. All you have to do is look and implement.

Wow. So these are great gifts that you're sharing with our audience, Moses. So I know you've been at this for quite a while. What are you doing in your future? Where are you headed now? Giving and sharing, and I've seen some of your presentations and, you know, thank you for sharing this today as well. What's, um, where are you going next? Because we all want to follow. By the way, you're going to need a big bus.

Oh yeah, thank you for that, appreciate that. Thank you, Andrew. So I've come to this now where I've actually accepted my role. My role in all of these things is kind of a solutions architect. You know, I've been a solutions architect for several years and every time I try to be more than a solutions architect, I try to be something else. But now that I've come to actually embrace that and to accept that, I am partnering with another company here in Atlanta called JetPro Partners. We'll start another company, and we're starting a company that we'll launch in next month and it's called Teneros, and that is T-E-N-R-U-S. It's like Teneros. Yeah, so it's called Teneros, and what Teneros does is go into management consulting standing on the three pillars of compliance, assurance and performance. And so those are the areas that we see people struggling: compliance,
assurance, performance. Compliance has to do with making sure that the best practices that have been standardized and tried and tested by other people, you can adopt that to your business without you learning the hard way. That's really the value of compliance.

Assurance is, no matter what you're doing and no matter how good you are at it, you need to be able to tell other people about what you're doing. You need to be able to equip your salespeople as to the security of your product. They need to know how to communicate the kind of encryption technology that is within your IP cameras or your video recorders or your VMSs. You need to be able to equip your salespeople to tell the world why their data should be running out of your data center. And so that is where assurance comes in. Assurance is a way of communicating with your partners and your clients and the world around you the truth about your security posture in such a way that they're ready to grow with you. That's assurance.

And then the third one is performance. People are very happy when they're doing well, but no matter how happy you are when you're doing well, if you don't find a way to do better, you're not going to be happy for long. And that is the reason why we want to apply this fundamental principle for creating management systems, for designing, implementing and managing management systems. We want to apply that to these three areas of compliance, assurance and performance, and that is what Teneros is about. And so I'm happy to fully step into my position as a solutions architect helping organizations, people who design and develop products, people who have products that they're trying to sell, or just people who want to see the future, because there's not a new one. And so if you want to see the future, you just have to put a different spin on the past, okay? And you put a different spin on the past by being able to anticipate the evolving threats that are out there and the degenerating vulnerabilities that we have in our
businesses, and whoever can do that best tells the future. And after we do that, we subject everything that we know and everything that we assume through these pipes of the eight blocks, and what comes out of it, what comes out of it is a solution that no one's seen before. But then at the end of the day it's not new, it's just a different application. Let me give you a good example.

Actually, hold on, Moses, sorry, we are out of time already. But what I'm going to do is invite you back, maybe in Q3, if you've done some time with Teneros, and we'll get an update from you on how things are going over there.

Oh, that's fantastic. I appreciate it.

Thank you so much, and thanks to our audience for joining us today. What matters, aloha.