In Depth

Ideas You Can Steal from Six Sigma

Tips for improving the effectiveness and efficiency of physical and information security

By Tracy Mayor

December 01, 2006, CSO — Six Sigma—the defect-reduction methodology first developed in the mid-1980s at Motorola as a way to manage deviations and improve quality in manufacturing processes—is notorious for complex and arcane jargon. Six Sigma's data-driven, acronym-laden focus on quality improvement might seem like a mismatch if the rest of your company isn't on the program. But if you listen to a few well-respected security veterans of Six Sigma talk about its benefits, you might be ready to give some Six Sigma ideas a try.

"Six Sigma is all about measuring process improvement, about taking defects out of a process," explains Frank Taylor, CSO of General Electric. "And security can be viewed as a series of processes that work together to bring increased safety and efficiency to the organization. So Six Sigma is a tool we can use to measure our performance over time. As fiscal pressures and consequences of security grow, business leaders are going to demand that we have a way to indicate how effective our programs have been," Taylor points out.

"If we can reduce errors, save time, take the data we gather during our investigations and turn it into business knowledge, then we're viewed as a true partner in the business," says Motorola's CSO, Joe Murphy. "Six Sigma is a way to build up our own business IQ by understanding the various processes that run the company."

The starting point is a good control program for documenting and tracking security-related incidents (i.e., defects). Once you've got that in place, here are a few Six Sigma tenets that stand to deliver the biggest bang for the buck in terms of improving the efficiency and effectiveness of both physical and information security.

Business Process Quality Management

The act of simply mapping out business process flow—defining both macro and micro processes, assigning ownership and determining responsibilities—can be invaluable to the security discipline. "Like any other business function, security has to understand what its key business processes are, then remove defects and measure that improvement over time," says GE's Taylor. If you're experiencing a particular kind of loss throughout the company that's affecting the bottom line, he says, the first step is to identify all the elements that are involved in that process and then attack the gaps. "Business process mapping allows us to focus our efforts on specific, real defects," Taylor says.

Taylor knows of one government organization that was able to reduce its defects—that is, its physical security violations—by 70 percent through the knowledge it gained from business process mapping. By pinpointing exactly where in the process breaches were occurring, the agency was able to see consistent patterns, related primarily to personal inattention to existing security guidelines. Once security was able to show business leaders that their employees' lax behavior was statistically related to the violations, managers were motivated to require workers to better adhere to guidelines, which resulted in the dramatic drop in incidents.
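The measurement the article keeps coming back to, treating each security violation as a defect of a mapped process step and tracking the rate over time, is easy to put in code. The block below is an added example, not code from the article, GE, Motorola or the unnamed agency: it runs over a constructed incident log (the period labels, step names, root causes and opportunity counts are all invented for illustration), counts defects per process step, expresses them as defects per million opportunities (DPMO), converts DPMO to a sigma level using the conventional 1.5-sigma long-term shift, ranks steps Pareto-style to show where in the process the breaches cluster, and computes the percent reduction between two periods.

```python
import math
from collections import Counter
from statistics import NormalDist

# Constructed sample incident log (not real data). Each record is one logged
# physical-security violation: reporting period, the step of the mapped
# entry/escort/clean-desk process where it occurred, and its root cause.
# Period labels, step names and causes are assumptions for this example.
INCIDENTS = (
    [("2006Q1", "badge_entry", "tailgating")] * 7
    + [("2006Q1", "badge_entry", "propped_door")] * 3
    + [("2006Q1", "visitor_escort", "unescorted_visitor")] * 6
    + [("2006Q1", "clean_desk", "credentials_left_out")] * 4
    + [("2006Q2", "badge_entry", "tailgating")] * 2
    + [("2006Q2", "badge_entry", "propped_door")] * 1
    + [("2006Q2", "visitor_escort", "unescorted_visitor")] * 2
    + [("2006Q2", "clean_desk", "credentials_left_out")] * 1
)

# Constructed "opportunities" per step and period: how many times the step
# ran (badge swipes, visitor sign-ins, desk inspections). Each run is one
# chance for a defect, which is what DPMO normalises against.
OPPORTUNITIES = {
    ("2006Q1", "badge_entry"): 50_000,
    ("2006Q1", "visitor_escort"): 2_000,
    ("2006Q1", "clean_desk"): 10_000,
    ("2006Q2", "badge_entry"): 50_000,
    ("2006Q2", "visitor_escort"): 2_000,
    ("2006Q2", "clean_desk"): 10_000,
}


def defects_by_step(incidents, period):
    """Count defects per process step for one reporting period."""
    return Counter(step for p, step, _ in incidents if p == period)


def dpmo(defects, opportunities):
    """Defects per million opportunities, the standard Six Sigma rate."""
    if opportunities <= 0:
        raise ValueError("opportunities must be positive")
    # Multiply before dividing so exact ratios stay exact in float.
    return defects * 1_000_000 / opportunities


def sigma_level(dpmo_value, shift=1.5):
    """Convert a DPMO value to a sigma level.

    Uses the conventional 1.5-sigma long-term shift, so 3.4 DPMO maps to 6.0.
    Zero defects has no finite sigma level; return inf rather than letting
    NormalDist.inv_cdf raise on p == 1.0.
    """
    if dpmo_value <= 0:
        return math.inf
    if dpmo_value >= 1_000_000:
        return -math.inf
    yield_fraction = 1 - dpmo_value / 1_000_000
    return NormalDist().inv_cdf(yield_fraction) + shift


def step_report(incidents, opportunities, period):
    """DPMO and sigma level for every step that ran in the period."""
    counts = defects_by_step(incidents, period)
    report = {}
    for (p, step), opps in opportunities.items():
        if p != period:
            continue
        n = counts.get(step, 0)
        rate = dpmo(n, opps)
        report[step] = {"defects": n, "dpmo": rate, "sigma": sigma_level(rate)}
    return report


def pareto(incidents, period):
    """Steps ranked by defect count with cumulative share of all defects.

    This is the "where in the process are breaches occurring" view: the
    top rows are where to attack the gaps first.
    """
    counts = defects_by_step(incidents, period)
    total = sum(counts.values())
    if total == 0:
        return []
    rows, running = [], 0
    for step, n in counts.most_common():
        running += n
        rows.append((step, n, running / total))
    return rows


def percent_reduction(before, after):
    """Percent drop in total defects between a baseline and a later period."""
    if before == 0:
        raise ValueError("no defects in the baseline period")
    return (before - after) * 100 / before


if __name__ == "__main__":
    for period in ("2006Q1", "2006Q2"):
        print(period)
        for step, row in step_report(INCIDENTS, OPPORTUNITIES, period).items():
            print(f"  {step:15s} defects={row['defects']:3d} "
                  f"DPMO={row['dpmo']:8.1f} sigma={row['sigma']:.2f}")
    q1 = sum(defects_by_step(INCIDENTS, "2006Q1").values())
    q2 = sum(defects_by_step(INCIDENTS, "2006Q2").values())
    print("Pareto Q1:", pareto(INCIDENTS, "2006Q1"))
    print(f"Reduction Q1 -> Q2: {percent_reduction(q1, q2):.0f}%")
```

Two points a practitioner should watch when using something like this on real data. The denominator matters more than the numerator: counting defects without counting opportunities (swipes, sign-ins, inspections) turns a busier quarter into a "worse" one, which is exactly the kind of misleading number business leaders will push back on. And the sigma level only means something once the incident-tracking program the article calls the starting point is consistent enough that a drop in defects reflects behaviour, not a drop in reporting.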
