Deming's principles applied to IT security programs
Last week I sat on a panel discussing “Moving from Security to Risk Management” at the Ziff Davis 2007 Fall Security Summit in Palo Alto, California. During the course of the day I encountered many people who had not really considered Risk Management, and were having trouble with the concept or how it applied to them. I realize I have a tough time describing what it is, as there are not many similar reference points to exemplify how to think about Risk Management in the context of security programs.

I first encountered Risk Management about 5 years ago and saw it initially as an efficient way to implement a security program. What struck me after a few months, having studied Kaizen and Deming and participated in a number of different Total Quality Management programs earlier in my career, was that there were tremendous similarities in the motivation and processes common to both Risk Management and these quality-driven programs. Both security and quality are difficult to quantify and measure internally, but metrics need to be applied. Both are often treated as a ‘thing’ or a destination, when they are in fact a cyclic process. Both are as much about people and process as they are technology, but are seldom treated that way. Both need to be systemic to an organization to be effective. Both need to be implemented across the entire process lifecycle. Both are focused on efficiency in their approach to solving problems.
Just as a mental exercise, in 2003 I took Deming’s 14 points and converted these concepts to security, leaving the language and intention largely unchanged. I whittled down what I felt were some redundancies, but I thought I could make similar statements for a Risk Management approach. Take a look at Deming’s original 14 points below, substitute words like ‘productivity’ with ‘security’, ‘materials’ with ‘appliance’ or ‘software’ and see if you agree. Where I have already made a substitution, the replacement follows Deming’s original wording in square brackets.

1. Create consistency of purpose toward improvement [improving security] of product and service, with a plan to become competitive and to stay in business. Decide whom top management is responsible to.
2. Adopt the new philosophy. We are in a new economic age. We can no longer live with commonly accepted levels of delays, mistakes, defective materials [software], and defective workmanship.
3. Cease dependence on mass inspection. Require, instead, statistical evidence that quality is built in, to eliminate the need for inspection on a mass basis. IT purchasing managers have a new job, and must learn it.
4. End the practice of awarding business on the basis of price tag. Instead, depend on meaningful measures of quality [security], along with price. Eliminate suppliers that cannot qualify with statistical evidence of quality [security].
5. Find problems. It is management's job to work continually on the system (design, incoming materials [software], composition of material [system integration], maintenance, improvement of machine [hardware migration], training, supervision, retraining).
6. Institute modern methods of training on the job.
7. Institute modern methods of supervision of production workers [IT Staff]. The responsibility of foremen [managers] must be changed from sheer numbers [functionality] to quality [security]. Improvement of quality [process] will automatically improve productivity. Management must prepare to take immediate action on reports from foremen concerning barriers such as inherited defects, machines not maintained, poor tools, fuzzy operational definitions.
8. Drive out fear, so that everyone may work effectively for the company.
9. Break down barriers between departments. People in research, design, sales, and production must work as a team, to foresee problems of production that may be encountered with various materials [software/tools] and specifications.
10. Eliminate numerical goals, posters, and slogans for the work force, asking for new levels of productivity [compliance] without providing methods.
11. Eliminate work standards that prescribe numerical quotas.
12. Remove barriers that stand between the hourly worker and his right to pride of workmanship.
13. Institute a vigorous program of education and retraining.
14. Create a structure in top management that will push every day on the above 13 points.
Granted, I am leaving out a lot of Risk Management tenets and focusing more on a conceptual model. Do you agree or disagree? Does it look like overkill? Is security another ‘type’ of quality? Do we treat security statistics as ‘numerical quotas’ and not focus on what is materially relevant? Are we in fact taking a bottom-up approach to security, when it should be top-down? Does your company have management ‘buy in’ on security, or is that something for the IT department to worry about? Who gets blamed if there is a security breach? A controversial question: can improved security process result in higher productivity? Perhaps most importantly, as empowerment was fundamental to Kaizen and Deming, is there a ‘pride of workmanship’ factor within IT for security?

Just some things to consider.