Driving Excellence in Enterprise Security
Created by George Campbell, Security Executive Council Emeritus Faculty member.
There was agreement that the group could fairly easily "get into the weeds" and miss the big picture. Participants acknowledged a need to find an approach to discussions that would help build real, actionable tools. These practitioners are too busy for academic discussions that don’t contribute to something useful in security practice management.
Conclusions. There were a few key conclusions from these discussions, none of which should be surprising to experienced security practitioners.
Implications for building a model approach. This document reflects these conclusions and attempts to establish a foundation from which we may attempt to engage interested parties in a structured approach to operations excellence, at least at a trial level. In practice, the various disciplines are so specifically defined that it seems logical to build a model that encompasses a generic process that could feed into more or less mature approaches.
The Process Landscape. Even the most cursory review of the literature reveals the potential appeal to those who find this focus on business excellence enticing. Consider the following table that summarizes key elements of four of the frameworks that may be applied. (There are other disciplines that could be included, but these few appear to contain the common process components.) Note the consistent themes of requirements analysis, innovation, process improvement, quality management, leadership and team involvement, measurement, and a total engagement with the customer. All of these are obvious program management objectives. But as we launch a more defined and deeper dive into individual security tasks wherein we seek measurably improved service levels and outcomes, we need a significantly more structured plan of attack.
Setting the Stage: Security’s Balanced Scorecard. The balanced scorecard was introduced in 1992 by Kaplan and Norton in a Harvard Business Review article. The authors believed that the excessive use of financial scorecards in business failed to encompass the full scope of performance measurement. For our purposes, the four perspectives they introduced are seen here along with a translation that emphasizes the connection to our security mission.
These four perspectives effectively summarize the concepts in the various business excellence disciplines noted above. Importantly, they provide a significantly more comprehensive view of an organization’s performance and, in this framework, force a critical assessment of security’s value. Answering these few questions can kick start the quest for excellence in enterprise security.
Then, we can follow up with another series of questions that can help establish a baseline for our specific approach to security excellence.
What is “excellence”? As professionals, we can all agree that achieving excellence in our work is our goal. And it goes without saying that excellence is an expectation of those we serve. But how should we—our stakeholders and ourselves—define excellence in our suite of services? Is it in the quality of security program results and, if so, where are the established standards to measure a requisite degree of quality? At the end of the day, customers define quality and value. The “owner” of the security process cannot be the sole arbiter of its level of quality and excellence. But the security function is also not the sole contributor to a secure business process. Security is a shared accountability with degrees of contribution linked to the requirements of protection. Clearly, engaging stakeholders and customers in analysis of our activities is an essential ingredient in the process. Our customers do not typically understand security activities, and a well-planned examination of what service excellence means to them will make activity analysis and measurement more effective and more valuable.
Is the security program effectively aligned with its customers? Every business excellence discipline shares a singular focus on the customer. Ask every member of the security team, “Who is your customer?” This may be a multiple choice question:
It’s likely that all of these are Security’s customers. Each group likely brings its own definition of excellence and perception of value. And few or none of these have the requisite information to know the intricacies of what we do. But whoever the customer is for a given transaction, he or she has a critical opinion of the quality and responsiveness of what you have delivered and whether it is worth the price. Therein lies the challenge in this process of analyzing, defining and delivering excellence through best-in-class security services.
Is a “best practice” equal to excellence in that practice? Where a security practice can be shown to deliver results consistently superior to an alternative process that has been applied and tested by others, it should be advertised as having achieved a level of excellence. The key is measuring the “superior results,” and that requires detailed task and process analyses, which are consistent elements in virtually all business excellence disciplines.
What is the relationship of risk management to operations excellence? The presence of risk is the business driver for the security program. Excellence in our business mission has to link to a positive impact of security activities on the reduction of targeted risk. If our security activity was the singular source of identification and proven elimination of an exploitable vulnerability, would that activity be accurately labeled as having achieved excellence? If I can demonstrate the business impact of adversary exploitation of that vulnerability, have I demonstrated measurable value? It may be said that excellence in security operations cannot be achieved without a robust process of security risk assessment that results in the measurable elimination of business process vulnerabilities.
Where is value in the excellence equation? Defining the value proposition for our services is a primary objective of an exercise in operations excellence. We seek to document the sum total of the benefits the customer, the stakeholder or the enterprise will receive from the security service we offer. When we can define a level of performance that delivers a measurable benefit (like less risk or faster, better response), we have the ability to not only improve performance but to positively influence the perception of value by key constituencies or stakeholders.
If a security process or activity lacks established performance measures, can excellence be achieved in that process or activity? It is not possible to establish that a security process has achieved excellence or provided value if relevant performance measures have not been vetted and consistently applied.
Probing Potential Measures of Excellence in Security Programs. What statements might sufficiently convey a demonstration of excellence in security programs? Consider the following:
Target Analysis: A Business Excellence Template. If a process has not already been identified for analysis and application within your company, you may want to consider the following table as a team exercise. Several components in the disciplines noted above, along with a few others that are appropriate, have been incorporated under Business Excellence Factors. Each of the Security Programs and Services may be discussed, evaluated and selected for the potential benefits that may accrue as a result of an in-depth application of an operations excellence approach. For the purposes of this paper, several items in the table have been highlighted and noted (+/++)1 where an added benefit may be found through subsequent analysis. (You could probably color every box in green, but this seeks to call out the most obvious.) The idea is to think through how each of the possible benefits on the left may impact and deliver measurable results to the security service targeted. This is only an example of how this matrix may be used; a blank table is offered in the appendix.
1 A scoring routine might enable a more granular assessment. Score 1 for low benefit and up to 5 for an almost guaranteed improvement.
Next Steps: Building a Business Excellence Toolkit. The fact that OpEx is only now gaining some traction in security management circles speaks volumes about our level of alignment with several decades of established business excellence and quality programs across technology, manufacturing and service industries. We have interest from several member organizations and an opportunity to initiate a movement that is overdue in our profession.
What is necessary now is to engage organizational leaders, find answers to the questions we have raised in this paper, and develop a body of practical tools and techniques that may be applied across a wide range of corporate security programs. There is no “one size fits all” in corporate security functions or in the diversity of business missions and models they serve. But we do believe we can collectively put forth a body of workable definitions for various security activities, provide measures and metrics appropriate to assessing performance and service quality and craft tools and templates that will support the pursuit of documented excellence.
Suggested Reading. There are scores of books and reams of Internet data on the business excellence subject. For an outstanding summary, check out Back to Basics: A Practitioner’s Guide to Operations Excellence by Douglas Sutton, Operations Excellence Services, LLC (2012). For tools and techniques: The Lean Six Sigma Pocket Toolbook, Michael George, McGraw Hill (2005); Balanced Scorecards and Operational Dashboards with Microsoft Excel, Ron Person, Wiley Publishing (2009); “Shingo Prize Model and Guidelines,” Jon Huntsman School of Business, Utah State University, www.shingoprize.org.
Appendix: Business Excellence Analysis Template
For more information on driving excellence see Demonstrating Value: Operational Excellence
Copyright Security Executive Council. Last Updated: April 13, 2018