The Best Security Is A Great Process:
The Executive's Guide To Running a World-Class Security Program
Table of Contents
I. Introduction
II. Visualize
SIPOC Exercise
Value Stream Mapping
TIMWOOD
V. Conclusion
Comprehensive security now includes protection from cyber threats and insider threats,
among many others. This has necessitated an exponentially more complex approach to
executing your mission. To make matters worse, emerging protection requirements are far
outpacing the dollars allocated to the protection mission.
To put it bluntly: You are constantly asked to do more with less.
There are many ways to deal with this problem, but only one that doesn't involve adding
additional layers of complexity: use process improvement to untangle existing security
operations, increase efficiency, and get rid of waste.
The secret to this approach? Security is a process.
Say you want to keep unauthorized individuals out of your
building - your first thought may be to procure an
automated entry system that will only allow employees access after scanning their ID
badges. No doubt the system can get the job done; folks without a badge are blocked. But
what about the felon who was hired and given a badge because HR forgot to complete his
fingerprint check? How will the system know to stop the woman who stole an employee's
badge out of an unlocked car yesterday? Will the person whose badge was stolen be able to
get into the office to notify security? Adding the automated entry system only addressed
one step of a process that started far before the attempted entry, and could end with a
Strive to use tech solutions the same way you use spellcheck. Both serve a purpose -- but
just as spellcheck comes up with many false positives and doesn't (yet) perfectly understand
the nuances between “there”, “their”, and “they're”, automated security fixes are limited to
their programmed scope. Neither system should be relied on as a comprehensive solution.
Before you invest precious resources in a shiny new database or monitoring tool, consider
the problem you're trying to solve and how it fits into the larger security process; if the
process itself is broken, patching up bits and pieces is a waste of time and money.
This guide will show you how to think about your security challenges as operational
processes and how to solve them using process improvement tactics.
1. Visualize how your security processes work from end-to-end, how practices "on the
ground" differ from policy and procedural documents, and where there are protection
gaps and wasted resources;
2. Prioritize your most valuable assets and opportunities to mitigate risk while using
data and root cause analysis to support your resourcing decisions; and finally,
3. Realize the full potential of your security processes through strategic and cost-
effective process improvement efforts that will both simplify and optimize your
operations.
Fast forward to today: few in the security office have a comprehensive understanding of how
all of the operational processes work together (especially where complex IT systems are
concerned) - and it’s only a matter of time before a critical gap leaves the door open to a
devastating threat. That door may be open already.
Never assume that policy equals practice. Say your standard operating procedures state
that “upon employee termination, badges must be reclaimed by HR within 24 hours and
destroyed”. Maybe your team in the field has devised an unofficial way to run the process
that is more efficient - or maybe badges are only being reclaimed during an exit interview,
but exit interviews are only held for those employees who leave on good terms. Either way,
you must find out the ground truth of what is actually happening - and not just what is
written in policy and procedural guidance.
One of the most effective exercises to understand who you are and what you do is
process mapping.
Process maps can range from high-level to profoundly detailed, depending on your needs.
On the next pages you will find examples of two types of process maps:
In both of these mapping exercises, the objective is to visualize a single process on paper
at the desired level of detail to clarify how it works today from start to finish, who is involved
to make it work, what goes in, and what comes out. During these exercises, it is critical to
involve a variety of stakeholders at all levels and functions to build an accurate
representation of the process in question. Participants typically walk away from these
sessions with a completely new understanding of their program and a better sense of how
their functions fit into the larger scope of operations.
To complete a SIPOC with your team, choose the process you want to map out and break it
down into 5-7 main steps that take it from start to finish. Let’s say you are mapping a
personnel vetting process - does it begin when the candidate is hired, when they submit an
application, or when a job notice is posted? Facilitating this discussion among your
stakeholders and reaching a consensus is a crucial part of the exercise.
From there, identify the outputs of the process - what is the end result of the process? Once
you have listed some outputs, customers should be easy to identify; they are the people,
departments, or organizations that are on the receiving end of your outputs.
Finally, brainstorm a list of inputs, or "ingredients" that go into the process - what must be
present in order to produce the desired output? You can complete the suppliers section by
considering the origin of each input.
Ask yourself a few key questions as you go through the SIPOC exercise:
Are we facing any significant challenges (time / quality) in our current processes?
Which requirements are we not currently meeting? Can any of our existing processes be
expanded to meet this requirement?
Are we “over delivering” in any areas? Is there anything we are providing to customers
that they don’t actually want, or need, that we can cut back without consequence?
Your team may want to create multiple SIPOC charts to map out key processes within your
purview. This is a useful way to gather the information required to identify the most
challenged processes and the processes with the highest potential to be
combined/expanded.
Once you have settled on one process that has room for improvement, the next step is to
dig deeper by creating a Value Stream Map.
The key to a successful VSM session is to make sure that you and other executive-level
leaders set the tone by assuring all participants that the session is a safe environment to be
completely honest about how processes work today. If even one participant does not feel
comfortable revealing elements of broken, challenging, or non-conforming processes, the
mapping session will be an exercise in wasting time.
Now that you've mapped out a comprehensive picture of your security process, the next step
towards clearly defining the current state is to identify areas of waste that can be eliminated.
This step is generally included as part of a formal VSM session, but it deserves special note
because it’s important for your team to have a baseline understanding of what constitutes
waste in a process and how to address it.
On its face, this process doesn’t sound so bad. It’s only after asking a few questions that the
problems begin to emerge. Ask, for example, how long it takes to review and task out a
product, and the manager will usually give a figure of 30 minutes or less. However, ask how
long it takes him to get around to reviewing the request, and the answer will likely be several
There is a further catch in the example above: The process efficiency of the manager’s
review process is actually zero percent. This is because the manager’s review did not add
any value to the product. By conducting a spot check to make sure the request was properly
formatted, the manager essentially presumed that the request contained an error. A far
better policy would add an error-proofing step into the beginning of the process that would
prevent a document with errors from moving forward at all, eliminating the entire 4.5 hours
that the request spent with the manager.
TIMWOOD
Waste of this sort can be categorized by the acronym TIMWOOD, which stands for
Transport, Inventory, Movement, Waiting, Overproduction, Overprocessing, and Defects. The
most relevant forms of waste within security processes are Waiting, such as the queuing time
in the example above; Overprocessing, as in spot-checking of both the request and the
finished product or requiring a host of arbitrary approval steps; and Defects, which can
completely undermine a security process.
Your team can use the value stream map to perform a TIMWOOD analysis, annotating the
areas of the process where waste is identified. Some of these areas can be resolved very
easily by experimenting with creative solutions. These “quick wins” should be implemented
as soon as possible, especially if the risk of failure is low.
Consider looking externally for benchmark data and/or best practices to measure your
processes against. For example, if your value stream map revealed that it takes 30 days on
average to get a new hire set up with a security badge, but the industry standard hovers
somewhere closer to a 10-day flow time, you might set a goal of reducing the time to
complete that workflow by 50%.
The only way to hold your team and other stakeholders accountable for their efforts is to
establish SMART (Specific, Measurable, Achievable, Realistic and Time-bound) goals and
accompanying metrics to track progress towards them. In the early stages of process
improvement, your selected metrics may be educated guesses - and that's OK. The goal at
this point is to set your team's overall direction; as you move through the following Prioritize
and Realize phases, these metrics can be refined.
You should walk away from the Visualize phase with three main outputs:
2. A list of process steps that have been identified as inefficient or contributing to waste
3. SMART goals and accompanying metrics to guide improvements - these are only the
first draft and will be refined as your efforts move forward.
Document and plan to take action on any quick wins. Quick wins are problems
that can be fixed very easily (by 1-2 people, within one month, and at a low cost). For
instance, co-locating personnel who work on highly interrelated processes could be a
quick win. By placing these personnel near one another in the physical office, it
becomes easier for them to collaborate and share information.
Eliminate as many review steps as possible. This might make many managers
nervous, but there are powerful reasons for it. First, eliminating senior reviews gives
the security officers handling requests full responsibility for their work. Eliminating
the safety net should make falls much less common. Second, this step allows
managers to manage and to focus on more productive tasks than checking their
subordinates’ work.
Minimize the number of data “handoffs.” A delay occurs each time a person has to
transmit information to another person. A handoff is also an opportunity for a defect
to occur. Therefore, it’s best to minimize the number of times a request must change
hands. Lightweight IT workflow solutions can be useful in this context.
With the understanding that you cannot fix everything (at least, not all at the same time), the
goal of the prioritize phase is to "rack and stack" the problems that your office is
experiencing and then prioritize solutions accordingly. One way to pinpoint which problems
are most pressing is to investigate the root cause(s) at the source of multiple emergent
challenges. There are various methods of performing root cause analysis, including Five
Whys Analysis, Failure Mode and Effects Analysis, Pareto Analysis, Fault Tree Analysis, and
many others. This guide highlights a straightforward framework for generating answers
called a Fishbone Diagram (also called an Ishikawa Diagram).
Another way of prioritizing your process improvement efforts is to determine the areas of
your process that allow the most unacceptable level of risk, and use those areas as a starting
place. Making that determination can be complex, but it's possible to use data to support
your decision. This section provides an overview of a risk ranking methodology that can be
applied to prioritize efforts based on risk.
Finally, you have a complete understanding of the problems keeping your security processes
from achieving their full potential -- your analysis has led you to the point where you know
exactly what needs to be fixed. There is one more crucial step left in the prioritize phase:
ranking possible solutions to those problems, ensuring the maximum return on the time and
money you decide to invest in process improvement. Big Sky's go-to tool for this analysis is
called a Benefit-Effort Matrix, covered at the end of this section.
Fishbone Diagram
Have you ever had a sticky problem - one that just didn’t seem to go away? You tried several
solutions, but nothing seemed to work? For example, let’s say you are the owner of a
One of the simplest and most effective tools for getting to the root cause of a problem is the
Fishbone Diagram. Executed correctly, this exercise can push you and your team to think
beyond what’s “commonly known” in your office and reveal underlying issues that must be
addressed before any of the symptom issues can be resolved.
Further reading:
Uncovering Root Causes Using a Fishbone Diagram
How to use a Pareto Chart to Identify and Solve the 20% of Causes That Result in 80% of Problems
Find the Weakest Link in Your Security Process using a Failure Mode Effects Analysis (FMEA)
1. Identify your key assets - your SIPOC chart is a helpful resource to review, as you may
find that nearly all of the elements listed could be considered assets for your
organization. If the list of assets is lengthy, narrowing it down to a "top ten" list will
make it more manageable.
2. Quantify the damage your organization would incur if these key assets were lost or
compromised. The most accurate approach is to estimate the cost (in dollars). This
may seem like a challenge but is absolutely possible - just ask any insurance actuary. If
that doesn’t work for you, ranking loss of assets on a scale of severity from 1-5
ranging from “insignificant” to “catastrophic impact” can be used to quantify potential
damage.
3. Rank each potential loss according to the likelihood that it will occur on a scale of 1-5
from “rare” to “inevitable”.
4. Plot each risk on a matrix (see example), creating a visual illustration of how your
program’s risks rank from low to extreme.
(Risk matrix figure: cells banded LOW, MODERATE, HIGH, and EXTREME.)
Just because some of the risks you’ve identified fall into the “extreme” range doesn’t mean
that you should necessarily address them first. Again, this is an opportune time to pause and
look at the big picture in order to make strategic decisions about how to proceed. Once you
understand the assets and risks that you’re contending with, get together with your team
and generate a list of possible solutions to address each risk. It’s possible (even likely) that
some solutions will address multiple risks. The next prioritization exercise is a great way to
test this possibility.
Benefit-Effort Matrix
The next step towards optimizing your security processes is to take your list of solutions and
prioritize it, using a Benefit-Effort Matrix. This tool provides meaningful context for
prioritizing solutions based on the benefit you expect to get out of the fix and the level of
effort required to implement. Just as you did in the risk ranking exercise, go through your list
of solutions and assign a numerical value to each attribute:
Benefit: Rank the level of benefits you can reasonably expect to get out of
implementing each solution on a scale of 1-10. Think in terms of the solution’s
capacity to address the risks you've identified, ranging from “would address a
minor/insignificant risk” to “would prevent multiple extreme risks.”
Effort: Rank the level of effort you anticipate in implementing each solution on a
scale of 1-10, where 1 equates “would require no additional funds and less than one
person to implement” and 10 equates “would require significant additional funding
and the full attention of a team of people.”
Many senior executives naturally gravitate towards “shiny” solutions (often technology-
based) that are generally costly and time-consuming to implement. Benefit-Effort Matrices
redirect focus towards more realistic solutions. If you opt for the easiest solutions first and
demonstrate quick wins, positive momentum will build and the shinier solutions become
more realistic to implement, sooner.
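The risk ranking steps (severity 1-5 times likelihood 1-5, plotted into LOW/MODERATE/HIGH/EXTREME bands) and the Benefit-Effort scoring above can be run over a small register rather than a whiteboard. The following Python is an added example and is not from the guide or Big Sky; the band cut-offs, the quick-win thresholds, and the sample assets and solutions are constructed assumptions, since the guide names the bands and scales but gives no numeric boundaries.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One entry in the risk register: an asset and two 1-5 scores (guide's scales)."""
    asset: str
    severity: int     # 1 = "insignificant" ... 5 = "catastrophic impact"
    likelihood: int   # 1 = "rare" ... 5 = "inevitable"

    def __post_init__(self):
        for name in ("severity", "likelihood"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be 1-5 for {self.asset!r}")

    def score(self) -> int:
        # The cell on the severity x likelihood matrix; the product orders the cells.
        return self.severity * self.likelihood


def risk_band(score: int) -> str:
    """Map a matrix score (1-25) to the guide's four bands.
    Cut-offs are an assumption for this example; the guide shows the bands only."""
    if score >= 15:
        return "EXTREME"
    if score >= 10:
        return "HIGH"
    if score >= 5:
        return "MODERATE"
    return "LOW"


def rank_risks(risks: list[Risk]) -> list[tuple[str, int, str]]:
    """Return (asset, score, band) tuples, highest risk first."""
    ranked = sorted(risks, key=lambda r: r.score(), reverse=True)
    return [(r.asset, r.score(), risk_band(r.score())) for r in ranked]


@dataclass
class Solution:
    """A candidate fix scored 1-10 for benefit and 1-10 for effort (guide's scales)."""
    name: str
    benefit: int
    effort: int
    addresses: list[str]   # assets from the risk register this fix would protect

    def __post_init__(self):
        for name in ("benefit", "effort"):
            if not 1 <= getattr(self, name) <= 10:
                raise ValueError(f"{name} must be 1-10 for {self.name!r}")


def is_quick_win(sol: Solution) -> bool:
    """Quick-win quadrant of the Benefit-Effort Matrix; thresholds are an assumption."""
    return sol.benefit >= 6 and sol.effort <= 4


def rank_solutions(solutions: list[Solution]) -> list[tuple[str, float, bool]]:
    """Return (name, benefit/effort ratio, quick_win) tuples, best ratio first."""
    ranked = sorted(solutions, key=lambda s: s.benefit / s.effort, reverse=True)
    return [(s.name, round(s.benefit / s.effort, 2), is_quick_win(s)) for s in ranked]


def coverage(solutions: list[Solution], risks: list[Risk]) -> dict[str, list[str]]:
    """EXTREME/HIGH assets each solution touches; exposes fixes that cover several risks."""
    top = {r.asset for r in risks if risk_band(r.score()) in ("EXTREME", "HIGH")}
    return {s.name: sorted(top & set(s.addresses)) for s in solutions}


# Constructed sample register and solution list (illustrative values only).
SAMPLE_RISKS = [
    Risk("Stolen or unreturned badges", 4, 4),   # 16 -> EXTREME
    Risk("Background check backlog", 5, 3),      # 15 -> EXTREME
    Risk("Visitor log gaps", 2, 2),              # 4  -> LOW
    Risk("Access request queue", 3, 3),          # 9  -> MODERATE
]
SAMPLE_SOLUTIONS = [
    Solution("Error-proof the access request form", 7, 2, ["Access request queue"]),
    Solution("Replace the automated entry system", 8, 9, ["Stolen or unreturned badges"]),
    Solution("Co-locate HR and security staff", 6, 1,
             ["Stolen or unreturned badges", "Background check backlog"]),
]

if __name__ == "__main__":
    for row in rank_risks(SAMPLE_RISKS):
        print("risk    ", row)
    for row in rank_solutions(SAMPLE_SOLUTIONS):
        print("solution", row)
    print("coverage", coverage(SAMPLE_SOLUTIONS, SAMPLE_RISKS))
```

The ratio ordering reproduces the guide's point: the low-effort co-location fix outranks the costly entry-system replacement even though the latter has the higher raw benefit, and the coverage map shows which fixes address more than one high-band risk.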
1. A list of problems that introduce risk into your security operations. Gather
groups of stakeholders to identify the root causes of the problems you've identified to
avoid solving the wrong issues, then rank your list based on risk.
2. A list of potential solutions that, once implemented, will help you do more with
less. Assess the expected return on investment for each solution before you move
forward with implementation, and prioritize the possible solutions to ensure that
you'll get the biggest bang for your buck.
3. A list of quick wins. Plan to implement these first to see immediate results and gain
momentum.
However, even with the best project management tactics, security process improvement
efforts can fail if the environment is not set up for success. To prevent this occurrence (and
to save the cost of repeating the entire project months or years down the road), executives
should focus on three key areas: communication, metrics, and culture.
Communication
Even the most careful planning cannot prevent unexpected variables from cropping up
during the implementation phase and beyond. If communication expectations are not clear
from the start, it can lead to disaster down the road. Here are a few steps you can take to
mitigate this problem:
Metrics
Measurements are an important part of any organization's operations - after all, how can you
monitor progress or know when you've reached the goal if you have no objective knowledge
of the starting point? Measuring process-specific aspects (e.g. lead time, cycle time, queue
time, etc.) may already be part of your plan, but many leaders stop there and forget to
measure the success of the project as a whole. If you're not measuring results, you will never
know if your new process is better (or worse!) than the one you started with, and it is not
possible to justify your investment.
One of the best metrics for overall process improvement is Return on Investment (ROI). The
most basic approach to ROI is to add up the expected benefits (in dollars, if possible),
subtract any upfront costs or fees of implementing the solution, and then divide the new
number by your total costs. The resulting percentage is your total ROI.
Unfortunately, costs and benefits are not always crystal clear, particularly for national
defense and security agencies, where the objective is the prevention of a security incident.
Furthermore, most agencies opt not to publicize savings that will result in a funding cut in
the next budget cycle. Still, it's important to understand the quantifiable results of process
improvement projects.
Direct Cost Benefits: These are the easiest savings to spot. By eliminating or reducing
an obvious cost, these savings go right back into your bottom line. For example,
maybe you realize that eliminating color printing and limiting your office to printing
in black and white will save $5,000/year in ink costs. The savings to your organization
in supplies and even time required to order and install replacement color ink are all
very straightforward, and the saved funds show up clearly in your budget.
Indirect Cost Benefits: These are also known as cost avoidance. Indirect benefits are
downstream results from upstream process improvements. For example, picture one
of your processes getting bogged down by a large number of customer service calls
and complaints. You might implement a fix that addresses an issue early in the
process, resulting in fewer calls and complaints down the line. This will lead to lower
staffing requirements for customer services representatives and thus, lower resource
requirements. These types of benefits are less obvious than direct savings, but just as
valuable.
Intangible Benefits: As you might expect, intangible benefits are the most difficult to
quantify, but are no less important than the other benefit categories. Intangible
benefits include positive effects from your improvement efforts, such as increased
morale, improved customer perception, or enhanced clarity across the organization.
While difficult to measure precisely, even an estimated benefit is better than no
calculated benefit at all.
Culture
Arguably one of the most important guarantors of process improvement success is an
invisible force that leaders may not even be aware of, or may not feel equipped to influence:
office culture.
The only way to protect your organization from security threats is to create a culture
that focuses relentlessly on continuous improvement. Regardless of their efforts, top
executives can't be expected to achieve this target alone. Every employee must be
responsible for generating innovative solutions to keep their processes lean and as secure as
possible. When organizational culture demands that employees at all levels search for ways
to improve collective efficiency, continuous improvement becomes as natural as breathing.
1. Define your values and continue to reinforce them. Values set the stage for every
organizational culture, so attempting culture change without first defining your values
is analogous to setting sail without a compass. If you don't have clear parameters to
guide you, it's very difficult to find your way, even when everyone agrees on the
destination. Once your values are defined, it's crucial that you directly address the
aspects of your organization that don't align today. Actions speak louder than words,
and if the values are not clearly visible in the day-to-day operations, they won't be
taken seriously, and they simply won't stick.
2. Get rid of the fluff. Some security tasks can be mundane and repetitive - not unlike
work performed on a manufacturing line. When employees become bored with these
tasks, they are less attuned to red flags, loopholes, and inefficiencies within the
system, opening up the door to destructive security breaches. By eliminating arbitrary
tasks that take up time but don't add value, personnel can direct their focus towards
crucial areas that are both interesting and mentally stimulating. Engaged employees
take ownership of their work and are intrinsically motivated to improve their
operational environments.
3. Honestly assess your organizational maturity. Don't pay lip service to the idea of
culture. Make world-class, continuous improvement culture a goal for your
organization, and measure progress towards that goal on a regular basis.
Organizational culture will develop regardless of whether it's monitored or not, so it's
best to take an intentional approach.
4. Incentivize new ways of thinking. Taiichi Ohno, father of the renowned Toyota
Production System, articulated the chief role of forward-thinking in Toyota’s
organizational culture: “The Toyota style is not to create results by working hard. It is a
system that says there is no limit to people's creativity. People don't go to Toyota to
'work' they go there to 'think.'”
5. Practice Constant Learning. Any security department that says it has a 100%
complete understanding of its organization’s threat environment is lying. The tools at
the disposal of malicious attackers are constantly evolving – and at such a rapid pace
– that it’s nearly impossible to be up-to-date at all times. In today's environment,
security personnel should constantly strive to learn about new aspects of their
processes. In fact, members at all levels of the organization should adopt this mindset
and be on the perpetual lookout for new developments and relevant implications in
their knowledge space. Rather than taking a passive approach, employees should use
regular data collection and analysis to continuously uncover new insights about their
organization's operations.
It is much more efficient to empower all personnel to take note of problem areas and
recommend solutions than to wait for higher-ups to discover these problems. Many
problems can lie hidden for years because they are simply not visible to those who are
not involved in the process at the field level.
Create an Insider Threat Working Group. The group should be cross-functional, and serve
as a governance structure to facilitate sharing, analyzing, and responding to warning signs
that may emerge from multiple streams of data inputs. The working group must have senior
leadership buy-in and include members from functions not traditionally aligned with
security, such as Legal and Personnel.
Whether you are struggling to meet unfunded requirements, run programs with less
manpower than you think you need, protect your data from cyber threats, or develop a team
of world-class security practitioners, the first requirement is to step back and envision all of
your discrete functions working together as a comprehensive protection process. In this
process, one input (such as an adjudicated background investigation) feeds the next
(granting access to a network) and results in a certain level of protection for your
organization's assets.
Once the ins and outs of your operations have been investigated and validated with
quantitative data, strategic decisions like prioritizing the protection of your assets, ranking
your most pressing risks, and choosing a path for implementation will become much easier
and more defensible. Getting to the ground truth of your existing processes can be complex
and challenging, but absolutely worth it.
IT solutions have their place, particularly when it comes to automation and error proofing.
But a database full of information will not solve your underlying operational inefficiencies,
and more likely will only complicate the existing problems. At their core, security problems
are process problems and the only effective way to address them is through process
improvement efforts.
Contact us today to discuss how Big Sky can help you succeed.
Contact us:
2101 L St NW #800
Washington, DC 20037
P (202) 903-0790
bigskyassociates.com
Copyright © 2015
Published by: Big Sky Associates
All rights reserved. Except as permitted under U.S. Copyright Act of 1976, no part of
this publication may be reproduced, distributed, or transmitted in any form or by
any means, or stored in a database or retrieval system, without the prior written
permission of the publisher.