In Depth
Ideas You Can Steal from Six Sigma
Tips for improving the effectiveness and efficiency of physical and information security
By Tracy Mayor
December 01, 2006 — CSO — Six Sigma, the defect-reduction methodology first developed in the mid-1980s at Motorola as a way to manage deviations and improve quality in manufacturing processes, is notorious for complex and arcane jargon. Six Sigma's data-driven, acronym-laden focus on quality improvement might seem like a mismatch if the rest of your company isn't on the program. But if you listen to a few well-respected security veterans of Six Sigma talk about its benefits, you might be ready to give some Six Sigma ideas a try.
"Six Sigma is all about measuring process improvement, about taking defects out of a process," explains Frank Taylor, CSO of General Electric. "And security can be viewed as a series of processes that work together to bring increased safety and efficiency to the organization. So Six Sigma is a tool we can use to measure our performance over time. As fiscal pressures and consequences of security grow, business leaders are going to demand that we have a way to indicate how effective our programs have been," Taylor points out.
"If we can reduce errors, save time, take the data we gather during our investigations and turn it into business knowledge, then we're viewed as a true partner in the business," says Motorola's CSO, Joe Murphy. "Six Sigma is a way to build up our own business IQ by understanding the various processes that run the company."
The starting point is a good control program for documenting and tracking security-related incidents (i.e., defects). Once you've got that in place, here are a few Six Sigma tenets that stand to deliver the biggest bang for the buck in terms of improving the efficiency and effectiveness of both physical and information security.
Business Process Quality Management
The act of simply mapping out business process flow (defining both macro and micro processes, assigning ownership and determining responsibilities) can be invaluable to the security discipline. "Like any other business function, security has to understand what its key business processes are, then remove defects and measure that improvement over time," says GE's Taylor. If you're experiencing a particular kind of loss throughout the company that's affecting the bottom line, he says, the first step is to identify all the elements that are involved in that process and then attack the gaps. "Business process mapping allows us to focus our efforts on specific, real defects," Taylor says.
Taylor knows of one government organization that was able to reduce its defects (that is, its physical security violations) by 70 percent through the knowledge it gained from business process mapping. By pinpointing exactly where in the process breaches were occurring, the agency was able to see consistent patterns, related primarily to personal inattention to existing security guidelines. Once security was able to show business leaders that their employees' lax behavior was statistically related to the violations, managers were motivated to require workers to better adhere to guidelines, which resulted in the dramatic drop in incidents.