FoxPointe Security Hub

Measuring the Costs of Cyber Risk: Applying Lean Six Sigma Methodologies for a Customer-First Mindset

The year 2020 will be forever remembered for how the global pandemic forced the adoption of innovative production, logistics, and workforce solutions. Many best practices emerged from the experiences of COVID-19, and we continue to learn that these new methods can pay significant dividends in 2021 and in the years ahead. Nowhere is this more evident than in Lean Six Sigma practices, which offer a comprehensive solution for effectively securing data and creating an ongoing culture of excellence through quality.

The Importance of Cyber Risk Assessment

Many organizations may not be accurately measuring the business costs of cyber risk and are not always able to quantify the damage cyber-attacks could do to their businesses. As a result, decisions about the allocation of resources, investments in technologies, and the prioritization of threats are sometimes made without critical information. According to a still-relevant independent study by Ponemon Institute LLC, sponsored by Tenable (December 2018), the KPIs used to measure cyber risk are often inadequate. The study attributes the serious information security challenges organizations continue to face, and their continued vulnerability to cyber-attacks, to understaffed IT security; lack of resources to manage vulnerabilities; the proliferation of IoT devices in the workplace; complexity of the IT security infrastructure; lack of controls over third-party access to sensitive and confidential data; dependency on manual processes to respond to vulnerabilities; and insufficient visibility into the organization’s attack surface. The Institute reports that common cyber KPIs are inadequate for three key reasons: 1) they focus on the tech side of the issue without fully considering the financial and business implications; 2) they are tactical, rather than strategic, in nature; and 3) they reflect the widespread inability to effectively prioritize risk.

The Lean Six Sigma DMAIC Approach to Cyber Security Assessment

Successful information security programs must contribute to cultural change within organizations to be truly effective in supporting better security. The challenge is to find controls that are meaningful and measurable. The Lean Six Sigma DMAIC approach fits well with cybersecurity’s Identify-Protect-Detect-Respond methodology: Define (Identify), Measure (Protect), Analyze (Detection), Improve (Response), Control (NIST and other prescribed frameworks). Well-designed Lean principles follow sound information security practices and satisfy the needs of the customer first. Customers include, in order of priority, users, managers, and the customers of the business itself. Continuous improvement applies to individual security processes, such as access management, and also to the entire security program. To successfully implement a security program, policies must be enforced with no, or very few, exceptions. Respect by and for each employee and contractor is critically important, along with the understanding that everyone is an information security risk manager who can continuously improve upon the job for which she or he is held accountable. The success of an organization’s security program depends, in part, on doing the work right the first time, in accordance with information security policies.

The Six Sigma principles of flow, pull, and just-in-time can be applied to security processes such as access management and change management, where multiple steps can often result in delays or inaccuracies. As described by the International Six Sigma Institute, the purpose of implementing a pull system is to build processes based on actual need, not only on projected risks. For example, Infomania, a term coined by Elizabeth M. Ferrarini, can be applied to the obsessive need to overcommunicate in building information security awareness programs. According to the philosophy of Infomania, the stress of information overload reduces the mental acuity of employees’ awareness of information security risks. Just because you have the resources and authority to implement robust information security controls does not mean you should. When it comes to information security awareness, often, less is more. The CISO’s decision process must always consider: Who are the users? Will everyone be using the company’s email? How many users have company-supplied mobile devices? With so many features available in modern information security tools, which applications truly align with the organization’s customer-focused mission?

Lean Six Sigma Secrets for the CIO by Peter Davis and William Bentley provides insight into the value of introducing Six Sigma principles into an organization’s information technologies. The authors write that “left to their own devices, employees will always think there is one right perspective: theirs. Rarely do people see themselves as working to satisfy customers. The more departments you have, even if there is only one person in each, the harder it is for people to see how work fits together to create customer satisfaction. People need a road map; what Lean Six Sigma advocates call a Process Map.”

Successful IT professionals need to be continuously asked: Do we understand the needs of our customers (users, managers, and the customers of the business)? How much effort does it take to produce an information-secure environment? How can we best respond to customers’ information security needs with a consistent, effective approach?

This article was written and produced by William Veit, SSGBC, Senior Security Consultant, FoxPointe Solutions. Looking to get in touch with William? Reach out today: wveit@foxpointesolutions.com.
