An architect’s blueprints show how a building is constructed. In a similar way, Piping and Instrumentation diagrams (P&IDs) are schematic diagrams showing how a process plant is put together.

P&IDs are usually print-outs from a computer model. The model might be of a simple process plant, or of a large petrochemical complex. The computer model lets the industry see clearly how individual assets interact – things like pipes, valves, pumps, meters and sensors.

Here is a great example of a P&ID.

The computer model and P&IDs display and communicate how assets are connected and how flows of oil and gas products through a business unit are measured and valued.

Assets that do not add value to or support a business can be easily identified and removed or reassigned. Also, the cost to the business of failure of an asset (and interruption of flow) can be evaluated and steps taken to mitigate that risk.

In process industries like Oil & Gas, P&IDs have over decades become the standard ‘map’ of the business. They show how the business works and act as a common means of communication between engineers and business managers. More often than not a meeting will begin with someone saying something like, “Okay, roll out the P&IDs and let’s get started.”

P&IDs provided the inspiration for the Business and IT diagrams (B&ITs) we invented here at OBASHI, so that similar principles could be applied to portraying flows of data through people, process and technology in any business sector.

Reading through some of the reports from the recent RSA Europe 2010 conference on IT security, I believe our B&ITs (and our DAVs – Dataflow Analysis Views) are the answer to many of the issues raised.

For example, one report promoted at the conference was “Speaking the same language: Five key steps for the business, IT and security leaders”. In it, PricewaterhouseCoopers (PwC) warns that poor communication within businesses has increased the chances of data breaches – breaches which carry high reputational and legal risks. PwC thinks that IT, security and business managers need to communicate in a language that all can understand, so as to minimise danger. Also, business leaders should recognise data as a strategic business asset and manage it as such, instead of criticising information security managers for their “obscure policies and complex restrictions.”

OBASHI B&ITs are the answer to the communication issue – simple maps of the business that are easy to understand. And with this ‘big picture’, vulnerabilities in the flow of data can be anticipated and risk minimised. DAVs, meanwhile, show the financial value of each individual flow of data, proving to the business that data is a valuable asset. Taken together, B&ITs and DAVs allow you to manage IT and data more strategically.

To take another example, the Security for Business Innovation Council (SBIC) published “A New Era of Compliance: Raising the Bar for Organisations Worldwide”. The study notes that data breach notification laws are spreading around the world.

SBIC member Professor Paul Dorey suggests that “standards are becoming increasingly important in the field of regulatory compliance, mainly because there is an increasing dependency on third parties.” As things stand, outsourcing IT functions can cause problems for IT managers: they are accountable for what the third party does, yet they have little control over the third-party company. As Dorey says,

“The problem is that few organisations have the required expertise to get ‘under the covers’ and find out what’s really going on. This is despite the fact that, if they are accountable, they need to do this.”

As business becomes increasingly reliant on flows of data, getting ‘under the covers’ is exactly what IT needs to do. And that applies in-house as well as to third parties.

We need a standard way to see and communicate how the modern business works. In a security context, that will help us minimise risk.

Here at OBASHI, we think that 10 years from now people will begin meetings by saying something like, “Okay, roll out the B&ITs and let’s get started.”