Ideas You Can Steal from Six Sigma

Tips for improving the effectiveness and efficiency of physical and information security

Six Sigma—the defect-reduction methodology first developed in the mid-1980s at Motorola as a way to manage deviations and improve quality in manufacturing processes—is notorious for complex and arcane jargon. Six Sigma's data-driven, acronym-laden focus on quality improvement might seem like a mismatch if the rest of your company isn't on the program. But if you listen to a few well-respected security veterans of Six Sigma talk about its benefits, you might be ready to give some Six Sigma ideas a try.

"Six Sigma is all about measuring process improvement, about taking defects out of a process," explains Frank Taylor, CSO of General Electric. "And security can be viewed as a series of processes that work together to bring increased safety and efficiency to the organization. So Six Sigma is a tool we can use to measure our performance over time. As fiscal pressures and consequences of security grow, business leaders are going to demand that we have a way to indicate how effective our programs have been," Taylor points out.

"If we can reduce errors, save time, take the data we gather during our investigations and turn it into business knowledge, then we're viewed as a true partner in the business," says Motorola's CSO, Joe Murphy. "Six Sigma is a way to build up our own business IQ by understanding the various processes that run the company."

The starting point is a good control program for documenting and tracking security-related incidents (i.e., defects). Once you've got that in place, here are a few Six Sigma tenets that stand to deliver the biggest bang for the buck in terms of improving the efficiency and effectiveness of both physical and information security.

Business Process Quality Management

The act of simply mapping out business process flow—defining both macro and micro processes, assigning ownership and determining responsibilities—can be invaluable to the security discipline. "Like any other business function, security has to understand what its key business processes are, then remove defects and measure that improvement over time," says GE's Taylor. If you're experiencing a particular kind of loss throughout the company that's affecting the bottom line, he says, the first step is to identify all the elements that are involved in that process and then attack the gaps. "Business process mapping allows us to focus our efforts on specific, real defects," Taylor says.

Taylor knows of one government organization that was able to reduce its defects—that is, its physical security violations—by 70 percent through the knowledge it gained from business process mapping. By pinpointing exactly where in the process breaches were occurring, the agency was able to see consistent patterns, related primarily to personal inattention to existing security guidelines. Once security was able to show business leaders that their employees' lax behavior was statistically related to the violations, managers were motivated to require workers to better adhere to guidelines, which resulted in the dramatic drop in incidents.

In a similar vein, Motorola was able to dramatically reduce annual losses of new products in transit that were occurring in one of its international supply chains. With the blessing of top management, security looked at the entire supply chain and made some discoveries that were not apparent to individual managers. "There were dozens of segments in the supply chain, all run by productive managers," explains Murphy. "These were top-flight managers who had in some cases lost their peripheral vision and were sometimes making decisions that inadvertently created additional risk downstream."

By examining the supply chain end-to-end, mapping the process against historic losses and then sharing their discoveries with managers, security personnel were able to make specific, concrete changes to mitigate risk. These included limiting the number of times products changed hands; shipping goods in plain, unbranded containers; changing the metrics used for performance measurement (for example, calculating not how many items left the shipping dock on time, but how many arrived successfully at their destination); and alerting managers as to which goods are more likely to be targeted for theft on the global market at any given point.

Voice of the Customer (VOC)

VOC is the process used to determine the needs of the customer, aimed at improving the customer experience and increasing loyalty. Those needs are captured through direct observation, interviews and focus groups, customer-supplied specifications and requests, data from customer service records and warranty claims, and more.

How does a customer-centric focus translate to the security arena? "Voice of the Customer forces you to leave the ivory tower and reach out and interface with your customers," explains Greg Avesian, vice president of enterprise IT security at Textron. "When you look at security as a service organization, as we do, then VOC is key to understanding the requirements of the many different stakeholders in the business who are your customers," Avesian says. Each one of those groups has its own security pressures, both internal and external, and often governmental and financial regulatory requirements as well. Following VOC's directives to interface directly and frequently with the customer (Avesian meets formally with business unit CIOs every quarter, for example) ensures that security's focus is on servicing the business units rather than guarding the bits and bytes, he says.

Failure Modes and Effects Analysis (FMEA)

The FMEA procedure aims to identify every possible way in which a process or product might fail, rank on a scale of one to 10 those possible failures and probable causes, and prioritize solutions.

"For security, the twist would be to say not just how could a given step fail, but how can we make it fail, how can we force it to fail?" suggests Mark Goldstein, a Six Sigma consultant. "Because that's how your antagonist is going to look at it."

If information security wanted to determine the impact of data loss resulting from a stolen laptop, for example, its FMEA assessment might look something like this: Severity = 10; Likelihood of Occurrence = 7; Detection = 5 (the higher the detection number, the more difficult the failure is to detect); with a total Risk Priority Number of 350, which helps management rank that risk against other threats.
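The scoring described above, as an added example that is not part of the original article: a small FMEA register that enforces the one-to-10 scale, computes each Risk Priority Number, ranks the failure modes and compares two assessments. Only the stolen-laptop scores come from the article; the other rows, the re-scored laptop row in the test, and the tie-break on severity are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    name: str
    severity: int    # 1 (negligible) .. 10 (worst)
    occurrence: int  # 1 (rare) .. 10 (near certain)
    detection: int   # 1 (easy to detect) .. 10 (hardest to detect)

    def __post_init__(self):
        # Reject scores outside the one-to-10 scale so RPNs stay comparable.
        for field in ("severity", "occurrence", "detection"):
            value = getattr(self, field)
            if not isinstance(value, int) or not 1 <= value <= 10:
                raise ValueError(f"{self.name}: {field} must be 1-10, got {value!r}")

    @property
    def rpn(self) -> int:
        # Risk Priority Number = Severity x Occurrence x Detection
        return self.severity * self.occurrence * self.detection


def rank(modes):
    """Highest RPN first; equal RPNs ordered by severity (assumption of this example)."""
    return sorted(modes, key=lambda m: (m.rpn, m.severity), reverse=True)


def rpn_change(before, after):
    """RPN delta per failure mode between two assessments (negative = improved)."""
    previous = {m.name: m.rpn for m in before}
    return {m.name: m.rpn - previous[m.name] for m in after if m.name in previous}


LAPTOP = FailureMode("Data loss from stolen laptop", 10, 7, 5)  # scores from the article
REGISTER = [
    LAPTOP,
    FailureMode("Visitor badge not returned", 4, 8, 6),            # constructed row
    FailureMode("Backup restore never tested", 8, 5, 9),           # constructed row
    FailureMode("Terminated user account left active", 7, 5, 10),  # constructed row
]

if __name__ == "__main__":
    for mode in rank(REGISTER):
        print(f"{mode.rpn:4d}  S={mode.severity:2d} O={mode.occurrence:2d} "
              f"D={mode.detection:2d}  {mode.name}")
```

Two rows here share an RPN of 350 with very different severities, which is why the ranking carries severity as a second key rather than relying on the product alone.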

Without an objective template like FMEA, Avesian says, risk too often is in the eye of the beholder. "The IT function might say, I don't think that risk is very important, but the business leader has a whole different perspective."

To rectify those sometimes conflicting views of risk, Textron has adopted a standard risk-assessment template to document business risks, their potential impact to the business and the quantifiable elements by which business managers reached that assessment.

For its part, Avesian's IT risk management group then regularly delivers up to those business executives a "risk radar"—an easy-to-decipher, two-dimensional graph that shows, on the vertical axis, the severity of the risk as it relates to net operating profit and, on the horizontal, the likelihood of occurrence. Being able to show progress from quarter to quarter has helped in communicating with the business, says Avesian.

Change Management

Narrowly defined, Six Sigma Change Management is the process of controlling and managing change while minimizing the risk of disruption to services. Loosely interpreted, it's a way to get the rank and file on your side, by effectively and efficiently communicating what's going to happen and why.

Without that critical step, says Textron's Avesian, all your other good work will go for naught. "We do a lot of work with change management. We view it as one of the critical success factors for any given project," he says.

At Textron specifically, change management requires that security managers introduce a new process to top-level managers—business unit CIOs, for example—and explain why it's important and demonstrate, in clear business terms, why they need to support it.

Tracy Mayor is a freelance writer based outside Boston. Send feedback to csoletters@cxo.com.

Copyright © 2006 IDG Communications, Inc.
