Deming and the Strategic Nature of Security

By Mike Rothman

FierceCIO’s Derek Slater offers an interesting perspective on why W. Edwards Deming hates your approach to IT security. I was educated as an industrial engineer, so we had to study Deming left, right, and center in school. Of course when I graduated and went into programming, nobody realized that Deming’s concepts also apply to software development. But that’s another story for another Six Sigma.

Derek’s point is that as long as security is treated as a tactical, reactive, part of the organization… it’s doomed to fail.

The most common approach is that IT security is regarded as a tactical discipline. The IT security director is part of the IT department, reports to the CIO (or lower), and manages his or her work based on a set of tactical metrics–many of which are merely forms of counting: We blocked this number of web-based attacks and this other number of malware attachments.

This approach is purely reactive and therefore doomed to fail.

The late business management guru W. Edwards Deming said this about reactive management–that it’s not rational: “Rational behavior requires theory. Reactive behavior requires only reflex action.”

He also said this about counting: “It is easy to count. Counts relieve management of the necessity to contrive a measure with meaning.”

alt textYup. The answer is to become more strategic in the eyes of the folks who matter. You could certainly become Pragmatic as a means to do that. But Derek offers a few pointers on that front as well. First is to treat security as a risk management function. As long as you can gain consensus on how to quantify security risk, that’s a good start. Second, you had better React Faster, because you are only as good as your last response. We agree. Finally, security needs better measurement. No kidding.

There, friends, is the biggest gap in security: becoming strategic to the business. It’s measuring what we do relative to the business metrics that make an impact on the value of your company. Unfortunately there is no simple answer to the question of what matters to your business.

Photo credit: “W. Edwards Deming–statistician…saint” originally uploaded by Peter Kazanjy

No Related Posts

Deming’s head would explode if he had to deal with security risks. Other risks are bad, but information security is worse.

- Distributions of impacts have fat tails. Their means keep increasing and their variances get larger the more data you have. The central limit theorem doesn’t even hold.

- Information and information losses are often intangible things like intellectual property and brand “goodwill”.  Accounting rules discourage assignments of values to IP except under special circumstances like actually selling patent rights or writing off losses.

- Because malware developers and APT teams come up with new tools & techniques every day, the statistics of risk-generation processes aren’t ergodic, they’re not even stationary.  Almost all of the assumptions of six-sigma theory are violated, and the whole agenda becomes a facade.

Under these circumstances, structuring your IT environment and business functions to limit the damage from any given incident is the most important thing that you can do.  Outsourcing business functions (not infrastructure!) with strong penalties for SLA violations, nowdays to SaaS providers, adds diversity and transfers risk, which may be more than enough compensation for the loss of control that it also entails.

By Dean

If you like to leave comments, and aren’t a spammer, register for the site and email us at and we’ll turn off moderation for your account.