It is natural for the top management of every company to provide different types of resources like human, technical, financial, and information resources to increase the productivity and quality of their products and services. At the same time, risks are increasing in impact and diversity of sources, and this impacts organizations productivity negatively. Here comes my value as a governance, risk, and compliance (GRC) SME providing organizations with services that can increase the success rate and optimize their resources and risks.
I did not have a clear destination in mind at the beginning, but I had a passion. With a little bit of luck, I have found my destination which eventually became a great career.
The beginning with unexpected pleasant changes
Most people would not believe that I majored in English literature at Cairo University more than two decades ago. In addition to my academic background in English literature, I was able to attend a thirteen-month study program hosted by the Egyptian MCIT, Canadian New Brunswick University, IBM, and Microsoft. This scholarship changed my perception, and I made my mind that information technology is the field which I wanted to master.
In 2003, I co-founded EGYBYTE and started a journey, which, until now I have not finished yet. I pursued my postgraduate studies in information systems (IS) followed by a master’s degree in 2021 in the same field by developing an information technology service management (ITSM) implementation methodology based on information technology infrastructure library. Currently, I am about to finish my PhD in IS after developing a new enterprise governance of IT (EGIT) maturity model (MM) which will enable organizations of different sizes to measure their EGIT easily against multi-dimensions which are ITSM, information security management (ISM), business continuity management (BCM), and compliance.
Although my career path was not easy at all, it was full of adventures and achievements which made me ready to go further. I have been interested in gaining more and more knowledge from different sources from the beginning and my main sources of information are academia, market knowledge providers, and hands-on experience. This methodology is not easy because in academia they have scientific theories and methodologies of research while in market, attention is paid to new solutions and technical features. If we have the knowledge-gaining target on one hand, we still have the personal life and interests on the other.
During the first ten years of my career, I have invested so much in technology by learning, implementing, delivering training, and introducing new technologies to the market. I was one of the best certified Microsoft trainers in the region who delivered training to the biggest local and multi-national organization in the MENA region for years. I was selected by Microsoft Egypt to deliver training for the new products to the technical consultants of Gold Partners and most important customers. After being awarded as a Microsoft Technical Reviewer for Microsoft Official Curriculum (MOC), I was selected to introduce new products of Microsoft to the market instead of marketing staff. After reaching that high point in my career and with the appearance of the management consultancy demand in the market, I decided that the time had come to move to management consultancy. This was a smart decision at the right time.
One of the issues I had at that time was to resolve one of the toughest dilemmas I had in my career which is how to combine academia with my everyday work. I had been trying to merge my master and later PhD studies with the services I delivered every day to my customers. I developed the methodologies I used at work based on scientific research.
During the last decade, I delivered assessment, training, consultancy, and audit services to different types of customers in the field of GRC and its pillars, be it ITSM, ISM, BCM, compliance, risk, audit, process engineering, and so on. I have gained recognition and appreciation from many entities, and I was awarded the PECB BCMS auditor of the year in 2019. Although most of my customers are in the MEA region, I have customers in Europe, North America, and Asia.
Currently, I am working on achieving two dreams which are completing, testing, and publishing my enterprise governance of IT (EGIT) maturity model (MM), which will be the first stage-based EGIT MM in the world as far as I know, and I will establish a new entity dedicated to automating the GRC for all organizations of different natures, sizes, and maturity levels. Of all my achievements, if you ask me what the most important one is, I will say my family, and then work.
GRC and more
At the early stages of my career, delivering management training like ITIL, PRINCE2, COBIT5, CPDE and others was enough for me. But later, the market demand for consultancy services increased as organizations started to estimate the ROI of investing in management systems (MS) in addition to other resources like human and technical. In the last five years the customers’ maturity has increased greatly and they have started to target ISO standards certification for many reasons, and this was also followed by the appearance of many regulations like the GDPR in the EU, the Saudi National Cybersecurity Authority (NCA), the Saudi Central Bank (SAMA) (previously known as Saudi Arabian Monetary Authority), the Egyptian PII Law, the Emirati NCEMA, the Central Bank of Jordan (CBJ), among others.
I have developed a framework for GRC over the last fourteen years and I still use it with all my customers, and I always received customers’ appreciation. This framework covers four dimensions which are assessment, training, development, and auditing.
Assessment
In assessment, I try to define two states which are the current state (as-is) and the targeted state (to-be) to be able to guide the customer on the journey from the as-is to to-be. In many cases, I found customers who do not have a targeted state, but they just complain about existing issues while others do not complain but they know where they would like to be. Assessment is the stage at which I get the customers to commit and resolve the resistance to change.
At this stage, I assess the customer’s organization from three different perspectives. The first one is assessing the needs of the stakeholders, as I believe that the one who can determine the value of a provided service is the customer and not the service provider. I have meetings with business stakeholders which can be representatives from all internal non-IT departments or external customers, too.
After delivering an awareness session about the project, its objectives, and the importance of their participation, I start a smart and short questionnaire that covers their perception of the IT department, the provided IT services, and their value to the organization.
The second perspective is assessing processes which can be done against different references like best practices frameworks or ISO standards. If a framework is selected by the customer, I will use the framework maturity model (MM) if there is one to measure the processes maturity levels. When an ISO standard is selected, all the requirements of this standard will be assessed using the conformity and non-conformity methodology. The last perspective is assessing the knowledge of respective staff against the selected reference by providing them with an anonymous questionnaire.
At the end of each assessment, there will be a detailed report covering the findings and recommendations of each perspective enabling the organization’s top management to make the right decision for the next step which can be training for staff, starting the development or improvement of the management system they are interested in, or going for the certification audit directly. In some cases, my clients choose two or all the provided options for them while others prefer to do nothing.
Training
Training is one of the fastest rewarding pillars of my methodology, as I can see the achievement of my efforts in the eyes of the trainees. After many years of delivering assessment, consultancy and audit, I still like training as it allows me to transfer my knowledge and experience to many trainees who, in a lot of cases, represent many organizations at the same time without the burden of change resistance that I often encounter in the other three stages.
I see training as a mutual knowledge and experience transfer process because I learn a lot from the trainees’ knowledge and experience. Many trainees call me after years of our first course and thank me for the influence I had in their lives and careers, which makes me so happy! Some of them become consultants and implement what they have learned in many organizations. I have delivered training to more than a thousand people in the last two decades.
Consultancy
One of my main goals is developing the management systems and processes needed to enable my clients to achieve their objectives. In each consultancy project, I have the feeling that the organization is my own and I make it my challenge to improve the organization and make a change continues even after I finish my assignment. I have participated in assessing and developing the management systems (MS) of many customers in various fields like telecommunication, petroleum, government, education, retail, banking, aviation, professional services, etc.
Each client has their own story, and you should be a good listener and observer to understand it and feel the feelings of all stakeholders which can be conflicting in some cases. Consultancy is all about changing people’s thoughts and behavior in the work environment which they have developed for years, which is not an easy task at all. Therefore, there shall be a secret recipe for doing so and my ingredients are good understanding of the organization’s context, and increasing their interest in making change based on their motives. Change resistance is the most common enemy in all projects.
Audit [1]
With the help of PECB and the introduction of their Certified Management System Auditor (CMSA), new opportunities and relationships were made easier. Many customers need certification for many reasons and ISO certification is the best solution for them. Although PECB MS is one of the newcomers as a certification body in comparison with other very old certification bodies, PECB MS is now considered a leader in the market with more than 500 certified auditors and more than 1000 certified organizations.
I have conducted certification audits for more than 30 organizations in less than four years with PECB MS and they are spread over four continents. I have audited SMS, ISMS, BCMS, and QMS management systems separately or integrated. In auditing, my first task is to convince the auditee that my role is a quality searcher and not as a police detector or investigator. This methodology helped a lot in breaking the ice and supporting the auditees in being open about their MS implementations and areas of improvement.
EGYBYTE and more
EGYBYTE has taken the biggest part of my heart and life. It is more than a company for me and almost all our customers have become friends as a result of our friendly way of doing business, which focuses the most on customers’ objectives and satisfaction. Although I have co-founded two other companies which are dedicated to providing GRC services and automated solutions, EGYBYTE is still the source of my inspiration and motivation.
PECB or in other words actual “successful partnership” PECB is one of the best knowledge and service providers in the market for many reasons. They really know what the market needs, how to develop great services, how to build and develop partners, and how to lead the market.
This is why now we have PECB, PECB MS, and PECB University to cover different needs for different professionals. Although I have dealt with many service providers and knowledge providers in the market, I consider PECB the best one and its employees my friends and colleagues due to their continual support and kindness.
Uncompleted journey
In my journey, I have dealt with many organizations ranging from startups, small, medium, and large corporates to central banks and the biggest national organizations in the MENA region. I still believe in new opportunities and regions with no limits.
I believe that new opportunities bring more knowledge and experience hidden in attractive adventures. Therefore, I am open for new opportunities, especially in new regions to discover more cultures.
[1] PECB MS offers certification audits only for those clients who have not previously received assessment or consultancy services.