Email This Article
Your Name:
Your Email:
Email To:
10 + 5 = ?: (Required) Please type in the correct answer to the math question.

You are sending a link to...
Lean Security

Earlier this year I published an ISSA Journal article (ISSA Journal, May 2011) advocating the use of lean management techniques to manage security.  This is just an observation that security needs to use business management methods to tie together people, process, technology and partners. 


Recently in the Harvard Business Review of October 2011 a good article appeared on the subject of lean:  "Lean Knowledge Work", by Professors Bradley Staats and David Upton.  They analyzed Wipro's adoption of lean into their software development process.  Here are their main points as applied to lean security:


1.  Eliminate Waste.  In manufacturing we are all familiar with waste:  overproduction;  unnecessary transportation, inventory and worker motion;  defects;  overprocessing;  waiting.  The same issues come up in knowledge work and can be applied to security processes.  For example, errors in implementing software changes will cause production outages.  Errors in implementing firewall rules can add security holes.  Poorly documented access management procedures or lack of automation will cause users to wait for application access.   Review your security processes to see what ideas you can come up with to reduce wasted time or efforts.


2. Specify the Work.  This translates to well documented security policies, procedures and standards.  Most companies have some type of security policy.  Fewer have working procedures or standards that are adhered to.  Absense of good procedures means more time training new employees and higher probability of security gaps being introduced whenever changes are implemented. 


3.  Structure Communications.  Much of security is built on good communications that involves everyone in the organization.  This includes awareness training for employees;  security event reporting from employees, contractors and vendors;  reporting security risks in business terms to management.  With a standard way of communicating for each of these stakeholders, results will be more predictable and security will be seen as a business function, not as an adhoc technical accessory.


4.  Address Problems Quickly.  Security breaches do get addressed quickly.  But too often security events are not analyzed for root cause and the cause eliminated.  Since we are stuck with highly flawed software and systems, it is critical to continually be improving those systems through effective problem resolution.


5.  Plan for an Incremental Journey.  Too often security is driven by compliance and compliance is seen as the end goal.  Real security requires a cultural change and must be put in place over time.  The best way to make this happen is to set up a simple metric that tracks the effectiveness of the security program and set up a plan to improve on that metric quarter over quarter, just as with other business functions.


In summary, manage security as a business process, not a disconnected set of technical controls.  Lean is a set of management tools to help do this.