Deming and the Strategic Nature of SecurityBy Mike Rothman
FierceCIO’s Derek Slater offers an interesting perspective on why W. Edwards Deming hates your approach to IT security. I was educated as an industrial engineer, so we had to study Deming left, right, and center in school. Of course when I graduated and went into programming, nobody realized that Deming’s concepts also apply to software development. But that’s another story for another Six Sigma.
Derek’s point is that as long as security is treated as a tactical, reactive, part of the organization… it’s doomed to fail.
The most common approach is that IT security is regarded as a tactical discipline. The IT security director is part of the IT department, reports to the CIO (or lower), and manages his or her work based on a set of tactical metrics–many of which are merely forms of counting: We blocked this number of web-based attacks and this other number of malware attachments.
This approach is purely reactive and therefore doomed to fail.
The late business management guru W. Edwards Deming said this about reactive management–that it’s not rational: “Rational behavior requires theory. Reactive behavior requires only reflex action.”
He also said this about counting: “It is easy to count. Counts relieve management of the necessity to contrive a measure with meaning.”
Yup. The answer is to become more strategic in the eyes of the folks who matter. You could certainly become Pragmatic as a means to do that. But Derek offers a few pointers on that front as well. First is to treat security as a risk management function. As long as you can gain consensus on how to quantify security risk, that’s a good start. Second, you had better React Faster, because you are only as good as your last response. We agree. Finally, security needs better measurement. No kidding.
There, friends, is the biggest gap in security: becoming strategic to the business. It’s measuring what we do relative to the business metrics that make an impact on the value of your company. Unfortunately there is no simple answer to the question of what matters to your business.
Photo credit: “W. Edwards Deming–statistician…saint” originally uploaded by Peter Kazanjy