Tag Archives: process

RACI WOMBAT Talk

Earlier this month I posted a revelation:

I don’t want to reveal Bredemarket’s secret process, so I’m just going to call it WOMBAT. Not that WOMBAT is unique to Bredemarket; far from it. Many companies use WOMBAT.

And many companies don’t use WOMBAT. In fact, they abhor WOMBAT and call it stifling. (Emotion words. Geddit?)

But I’ve found over the years that if you don’t use WOMBAT, there’s a very good chance that you’ll break things.

And who catches hell? The consultant. “Why did you do what we asked you to do? Now look at the mess you made!”

So out of a sense of fear and self-preservation (geddit?), there are times that I’ve secretly used WOMBAT and not told my clients I’m doing it.

Well, I’m going to reveal one component of WOMBAT in this post because I’m surprised that I haven’t already discussed it.

But there’s a risk involved, because once I discuss this component, there are about five people in the world who will immediately know what my WOMBAT is. But luckily for me, none of them read the Bredemarket blog, so my secret is safe.

(Speaking of risk, the racy—not RACI—wombat image was created by Imagen 3.)

RACI

As some of you undoubtedly figured out, I’m going to discuss RACI: Responsible, Accountable, Consulted, and Informed.

Assume for the moment that Bredemarket grows beyond its sole proprietorship origins and becomes a multinational employing thousands of people. At some point I’ll be sitting in my luxurious executive suite, nibbling on caviar, and I’ll bark out an order:

“Write a blog post about a wildebeest amusement park!”

Now the blog post won’t just magically happen. And because the fictional Bredemarket is a huge enterprise, it will take more than one person to make it so. Perhaps four, perhaps more, perhaps fewer. Here’s how Bob Kantor at CIO defines Responsible, Accountable, Consulted, and Informed:

Responsible: People or stakeholders who do the work. They must complete the task or objective or make the decision. Several people can be jointly Responsible.

Accountable: Person or stakeholder who is the “owner” of the work. He or she must sign off or approve when the task, objective or decision is complete. This person must make sure that responsibilities are assigned in the matrix for all related activities. Success requires that there is only one person Accountable, which means that “the buck stops there.”

Consulted: People or stakeholders who need to give input before the work can be done and signed-off on. These people are “in the loop” and active participants.

Informed: People or stakeholders who need to be kept “in the picture.” They need updates on progress or decisions, but they do not need to be formally consulted, nor do they contribute directly to the task or decision.

Personally, there may be cases when you only want a single person to be responsible for the work. But I agree that only one should be accountable.

Applying RACI

Using my ludicrous example, one (or more) people will be responsible for writing the wildebeest amusement park blog post, a single person (presumably one of my junior vice presidents) will be accountable for approving it, and various entities will be consulted for feedback (and, in the ideal world, may actually provide feedback). Then there are a few people who will be informed about the project, merely to roll their eyes at the whole thing.

Regardless of the process you institute, whether it is my super-secret WOMBAT process or something else, RACI responsibilities will help tremendously. Here’s another quote from Bob Kantor at CIO:

Having managed and rescued dozens of projects, and helped others do so, I’ve noted that there is always one critical success factor (CSF) that has either been effectively addressed or missed/messed up: clarity around the roles and responsibilities for each project participant and key stakeholder. No matter how detailed and complete a project plan may be for any project, confusion or omission of participant roles and responsibilities will cause major problems.

And some Accountable person approved what Kantor said.

Reapplying RACI

And this also affects Bredemarket’s content, proposal, and analysis work. For example, let’s look at the proposal that I recently helped a Bredemarket client win.

  • Two of us were jointly responsible for completing and submitting the proposal: myself, and a person at the client company. Yes, I know what I just said about preferring that only one person be responsible, but the federal agency in question would not let me submit the proposal; someone from the client had to do it.
  • This second person was the one who was accountable for the submission of the proposal.
  • There were several people who were consulted regarding this proposal. I cannot reveal their roles, but let’s just say that all of them were…um…critically important.
  • Then there were a few people here and there who were informed of the proposal progress.

Perhaps Bredemarket can work on a project with you. Let me know. https://bredemarket.com/cpa/

When Can Cybersecurity Professionals “Wing It”?

In my career, I’ve experienced all levels of process maturity, ranging from “process for process’ sake” to “winging it.”

  • Many, many years before Marie Kondo popularized the term “spark joy,” one of my former employers shut down the entire office for the afternoon so that we could spend that time cleaning up. Thankfully this was not instituted (institutionalized?) as a weekly occurrence.
  • On the other extreme, some organizations resist process and just wing it. To the point that I literally hide when I use a process.

Now the ability to “wing it” can be used in some circumstances but not in others. Obviously improvisational comedians “wing it” by definition. But Ike (pre-matrix) couldn’t have used the “wing it” approach on D-Day.

What about cybersecurity? Can you “wing it” when you’re attacked?

Jack Freund says no:

The evolving threat landscape demands robust governance architectures and well-defined board duties to ensure resilience against cyberthreats. Effective cybergovernance not only protects an organization’s digital assets but also reinforces trust among stakeholders. 

Governance is a critical component of cybersecurity, if for no other reason than to prove that your organization actually HAS cybersecurity. Ideally an organization will govern its cybersecurity by some type of “maturity model.”

And that’s more than refraining from calling someone a poopy head.

(AI image from Imagen 3)

Secretly Using WOMBAT for Positive Impact

We create things for maximum impact. But is the impact positive or negative?

Move fast and break things

In 2019, Hemant Taneja wrote the following in a Harvard Business Review article, “The Era of ‘Move Fast and Break Things’ Is Over”:

“The technologies of tomorrow—genomics, blockchain, drones, AR/VR, 3D printing—will impact lives to an extent that will dwarf that of the technologies of the past ten years.”

Although not mentioned in the sentence above, Taneja subsequently references artificial intelligence—not as a technology, but as an underpinning of the others.

And the overall theme of the piece is a questioning of what all these things DO—and that it may not be good to break things. Destroying society may have an impact, but it’s a negative one. Can anyone think of any recent examples?

Which leads to keeping processes secret. But not all of them.

Bredemarket’s not-so-secret process

If you’ve ever read my CPA page, you may have noticed the phrase “before I write a word.”

Perhaps that’s the point where some people stopped reading the page. After all, Bredemarket provides writing services. Write stuff! Don’t wait.

And I do write stuff, creating a draft 0.5, sleeping on it, and only then creating a draft 1.

But there’s something that I do even before my draft 0.5.

“Before I write a word, I work with you to make sure that I understand your needs. I start by asking seven important questions. This ensures the best possible deliverable.”

In case you’re curious about those seven questions, you can read about them here. These questions certainly aren’t so secret, since I’ve talked about them for a long time. (There used to be six.)

But there’s something I’ve learned not to talk about.

Bredemarket’s secret process

I don’t want to reveal Bredemarket’s secret process, so I’m just going to call it WOMBAT. Not that WOMBAT is unique to Bredemarket; far from it. Many companies use WOMBAT.

And many companies don’t use WOMBAT. In fact, they abhor WOMBAT and call it stifling. (Emotion words. Geddit?)

But I’ve found over the years that if you don’t use WOMBAT, there’s a very good chance that you’ll break things.

And who catches hell? The consultant. “Why did you do what we asked you to do? Now look at the mess you made!”

So out of a sense of fear and self-preservation (geddit?), there are times that I’ve secretly used WOMBAT and not told my clients I’m doing it.

Because it helps my clients make an impact.

A positive one.

(Imagen 3)

21 Days of Bredemarket “CPA” Services

What in the heck does Bredemarket do?

Content, proposal, and analysis (“CPA”) marketing and writing services.

But what in the heck does Bredemarket DO?

During the first 21 days of March, my biometric, identity, and technology clients received blog posts, an ebook, emails, a landing page, slides, a press release, a Request for Information (RFI) response, a process, and other things.

Can I help your firm? Let me know on my “CPA” page.

CPA

Want to know how many blog posts and emails I wrote? Watch the video.

21 days of CPA.

(CPA wildebeest Imagen 3)

This Week’s Acronym is ASOCMM: the MM part should be a giveaway

(AI image from Imagen 3)

I just read a post by SentinelOne, but it’s too early to tell if this is just a string of buzzwords or a legitimate endeavor.

The post about a proposed “Autonomous SOC Maturity Model” (ASOCMM?) includes buzzwords such as “autonomous,” “SOC” (system and organizational controls, or security operations center – take your pick), “agentic AI,” and of course “maturity model.”

Having done my maturity model time during my days at Motorola Solutions predecessor Motorola (although our group stuck with CMM rather then moving on to CMMI), I’ve certainly seen the benefits and drawbacks of maturity models for organizations large and small. Or for organizations large: I shudder at the thought of implementing a maturity model at a startup; the learning curve at the Printrak part of Motorola was bad enough. You need to hit the target between no process, and process for process’ sake.

So what of this autonomous SOC maturity model? Perhaps it can be real.

“At SentinelOne, we see the Autonomous SOC through the lens of a maturity model. We welcome debate on where we, as an industry, are on this evolutionary revolution. We hope most will agree that this is a better way to look at Autonomous SOC innovation and adoption – far better than the binary, all-or-nothing debates that have long fueled analyst, vendor, and industry watcher blogs and keynotes.”

If nothing else, a maturity model approach lends (or can lend) itself to continuous improvement, rather than just checking off a box and saying you’re done. A Level 5 (or Level 4 on a 0-4 scale) organization, if it believes what it’s saying, is ALWAYS going to improve.

Something to watch…and not just with SentinelOne.

(Adapted from original posts on LinkedIn and Facebook)