Cybersecurity Through the Lens of Lean Six Sigma
Michael Parascandola
Agile Leader & Scrum Educator | Lean Six Sigma Black Belt | Scrum Master (CSP-SM) | Product Owner (PSPO 2) | SecureSuite Specialist | Cybersecurity Professional | Helping organizations succeed for 17+ years
In this digital age, leaders must recognize that traditional approaches to cybersecurity are no longer sufficient. From sophisticated hacking attempts to stealthy phishing schemes, organizations are constantly targeted by malicious actors who seek to exploit any vulnerability within a digital infrastructure. By adopting new concepts, such as those that stem from Lean Six Sigma and the DMAIC (define, measure, analyze, improve, control) model, leaders can foster a proactive and efficient defense that continuously adapts to the ever-changing threat landscape.
What is Lean Six Sigma?
Primarily used for process improvement, Lean Six Sigma relies on data analysis and facts to improve outcomes. This is done by reducing variation, waste, and cycle time while simultaneously promoting a straightforward and streamlined workflow. Lean Six Sigma teaches us to think outside the box and come up with innovative solutions using a variety of techniques and tools. Not only do these new ways of thinking drive process efficiency, they also stimulate an organizational culture that leans towards proactively addressing emerging challenges.
DMAIC Explained
DMAIC refers to the data-driven improvement cycle. It provides a structured framework for organizations to identify areas for improvement, collect and analyze relevant data, implement targeted solutions, and establish control measures to sustain improvements over time. It specifically allows for the analysis of root-cause issues within a project or process, then drives towards developing techniques to overcome and solve the problems at hand.
In the DMAIC graphic that accompanies this article, each phase has checkpoints to clear before continuing to the next phase. This is to ensure maximum success. Within Lean Six Sigma, it is not uncommon to have meetings solely for brainstorming, data collection, and delving deeper into the “why” behind things.
Think of the DMAIC process like an onion. The team brings up a problem, which can be represented as the outer layer of this onion. Leaders bring forth data and have ideas as to what the problem could be resulting from. This could be viewed as the second layer of the onion. Teams will often stop here and try to find and apply a solution. DMAIC instead forces the process to continue, since the goal is to get to the core, down to the deepest layer, where the root cause of the issue lies. Only then can process improvements take hold. With tools such as the cause-and-effect fishbone diagram and the 5 Whys, organizations can begin exploring root causes and innovative solutions.
Why CISOs Should Adopt Lean Six Sigma and DMAIC Methods
It is common to view cybersecurity with a very black-and-white mindset. There are policies and regulations that must be followed, deadlines that must be met, and certain security standards that must be upheld. However, incorporating Lean Six Sigma into cybersecurity can encourage leaders to view it as a dynamic and evolving landscape that requires continuous improvement and innovative thinking.
The adoption of Lean Six Sigma principles in cybersecurity can bring out several advantages to enhance the organization’s defense against malicious cyber threats. By integrating Lean Six Sigma concepts into cybersecurity practices, leaders can create a better security health posture that is also more proactive.
CISOs and C-Suite Executives don’t always speak the same language. One identifies threats and vulnerabilities but has a hard time quantifying them; the other understands financial objectives. With Lean Six Sigma and the tools it provides, risk can be quantified, and risk mitigation can become a priority for the organization. Both parties can be on the same page when there is a strong DMAIC approach, and CISOs can then more easily lead the decision-making process and defend the need for additional financial support.
Examples
Within cybersecurity, conducting comprehensive vulnerability scans is standard practice, followed by a patch management plan that is created to address the identified vulnerabilities. However, it is essential to recognize that the adoption of the DMAIC methodology takes it one step further. While patching vulnerabilities seems like a straightforward solution, it may not always address the root cause of the problem. DMAIC methods empower teams to go beyond superficial fixes and delve deeper into issues. For instance, various factors could contribute to the vulnerabilities: computers that were offline and missed the original patch deployment, or something as simple as a human error during the patch scheduling process. Without uncovering the root cause, cybersecurity teams may find themselves locked in a cycle of recurring battles each time vulnerability and patch management activities come up.
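The patch-management example above describes the measure and analyze phases in words; the following script, added here as an illustration and not part of the original article, shows what that step looks like on data. It takes a constructed rescan export (hosts still flagged as vulnerable, with each endpoint's last check-in time) and a constructed deployment record (which hosts the change ticket scheduled and what the deployment tool reported), assigns each still-vulnerable host to a root-cause bucket such as "offline during deployment window" or "not in deployment schedule", and ranks the buckets Pareto-style so the team can see which cause dominates. All host names, patch IDs and timestamps are invented sample values.

```python
"""Root-cause breakdown of unpatched findings after a deployment (added example).

The analyze step of DMAIC: instead of just re-pushing the patch, classify why each
host is still vulnerable and rank the causes by how many hosts they explain.
"""
from collections import Counter
from datetime import datetime

# Constructed deployment record (assumed shape; not a real tool's export).
DEPLOYMENT = {
    "patch_id": "PATCH-EXAMPLE-001",
    "window_start": datetime(2024, 3, 5, 20, 0),
    "window_end": datetime(2024, 3, 5, 23, 0),
    # hosts the change ticket actually listed for this deployment
    "scheduled_hosts": {"ws-01", "ws-02", "ws-03", "srv-01", "srv-02"},
    # per-host result reported by the deployment tool
    "results": {"ws-01": "success", "ws-02": "failed",
                "srv-01": "success", "srv-02": "success"},
}

# Constructed rescan export: hosts still flagged, with the agent's last check-in.
SCAN_FINDINGS = [
    {"host": "ws-02", "last_seen": datetime(2024, 3, 5, 21, 0)},   # was online, push failed
    {"host": "ws-03", "last_seen": datetime(2024, 3, 1, 9, 0)},    # offline during window
    {"host": "ws-04", "last_seen": datetime(2024, 3, 6, 8, 0)},    # never on the schedule
    {"host": "ws-05", "last_seen": datetime(2024, 2, 20, 9, 0)},   # offline AND not scheduled
    {"host": "srv-03", "last_seen": datetime(2024, 3, 6, 8, 0)},   # never on the schedule
]


def classify(finding, deployment):
    """Return the single root-cause bucket for one still-vulnerable host.

    Scheduling gaps are checked first: a host that was never scheduled would have
    stayed unpatched even if it had been online, so that is the deeper cause.
    """
    host = finding["host"]
    if host not in deployment["scheduled_hosts"]:
        return "not in deployment schedule"          # inventory gap / human error
    if finding["last_seen"] < deployment["window_start"]:
        return "offline during deployment window"
    result = deployment["results"].get(host)
    if result == "failed":
        return "deployment reported failure"
    if result == "success":
        return "reported success but still vulnerable"  # verify scan or patch content
    return "no deployment result recorded"


def pareto(findings, deployment):
    """Count findings per root cause, most common first, with cumulative share (%)."""
    counts = Counter(classify(f, deployment) for f in findings)
    total = sum(counts.values())
    rows, running = [], 0
    for cause, n in counts.most_common():
        running += n
        rows.append((cause, n, round(100 * running / total, 1)))
    return rows


if __name__ == "__main__":
    print(f"Root causes for hosts still missing {DEPLOYMENT['patch_id']}:")
    for cause, n, cumulative in pareto(SCAN_FINDINGS, DEPLOYMENT):
        print(f"  {n:>3}  {cumulative:>5}%  {cause}")
```

On the sample data three of the five unpatched hosts were never on the deployment schedule at all, so the improve phase should target the scheduling or inventory process rather than the patch tool; the same classification can be re-run after each cycle as the control-phase check.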
When getting upper-level management involved in the DMAIC process, defining the scope and sharing Key Performance Indicators (KPIs) and analytics that can be translated into financials can be beneficial in ensuring everyone understands the larger picture.
Another example in which DMAIC can greatly assist is incident response. DMAIC allows teams to get a clear picture and define the scope of the response efforts early in the process. Roles and responsibilities can be assigned, and a response plan moving forward can be developed. Throughout the DMAIC process, the data that is collected can be analyzed to determine underlying causes, not only of the incident itself but of weaknesses in the incident response process. There may be manual tasks that could be automated in the future, or alert mechanisms that could be enhanced to catch malicious activity sooner. Ultimately, changes such as these lead to a more resilient and adaptive incident response framework, the protection of critical assets, and reduced impact of downtime on the infrastructure.
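To make the measure phase of the incident-response example concrete, here is an added script (not from the article) that takes a constructed set of incident records, each with timestamps for the handoffs between detection, containment and recovery, computes the hours spent in each phase, reports the mean per phase, and names the phase that consumes the most time, which is where automation or better alerting would pay off first. It also converts recovery time into a downtime figure using the per-hour cost quoted later in the article, passed in as a parameter. Incident IDs and timestamps are invented; the phase names and the choice to treat containment-to-recovery as the downtime window are assumptions of this example.

```python
"""Incident-response phase metrics for the DMAIC measure/analyze steps (added example)."""
from datetime import datetime
from statistics import mean

# Constructed incident records; each timestamp marks a phase handoff.
INCIDENTS = [
    {"id": "INC-EX-1",
     "first_malicious_activity": datetime(2024, 4, 1, 2, 10),
     "detected": datetime(2024, 4, 1, 9, 30),
     "contained": datetime(2024, 4, 1, 11, 0),
     "recovered": datetime(2024, 4, 1, 15, 0)},
    {"id": "INC-EX-2",
     "first_malicious_activity": datetime(2024, 4, 8, 22, 0),
     "detected": datetime(2024, 4, 9, 8, 0),
     "contained": datetime(2024, 4, 9, 9, 0),
     "recovered": datetime(2024, 4, 9, 12, 0)},
    {"id": "INC-EX-3",
     "first_malicious_activity": datetime(2024, 4, 15, 14, 0),
     "detected": datetime(2024, 4, 15, 14, 20),
     "contained": datetime(2024, 4, 15, 16, 0),
     "recovered": datetime(2024, 4, 16, 10, 0)},
]

# (phase name, start field, end field); assumed phase model for this example.
PHASES = [
    ("detect", "first_malicious_activity", "detected"),
    ("contain", "detected", "contained"),
    ("recover", "contained", "recovered"),
]


def phase_hours(incident):
    """Hours spent in each phase of a single incident."""
    return {name: (incident[end] - incident[start]).total_seconds() / 3600
            for name, start, end in PHASES}


def mean_phase_hours(incidents):
    """Mean time per phase across all incidents (MTTD, MTTC, MTTR-style KPIs)."""
    per_phase = {name: [] for name, _, _ in PHASES}
    for inc in incidents:
        for name, hrs in phase_hours(inc).items():
            per_phase[name].append(hrs)
    return {name: mean(values) for name, values in per_phase.items()}


def bottleneck_phase(incidents):
    """The phase with the largest mean duration: the first candidate for improvement."""
    means = mean_phase_hours(incidents)
    return max(means, key=means.get)


def downtime_cost(incidents, cost_per_hour):
    """Total cost of the recovery windows, the KPI a CISO can put in financial terms.

    Assumes the contained -> recovered interval is the downtime window.
    """
    hours = sum(phase_hours(inc)["recover"] for inc in incidents)
    return hours * cost_per_hour


if __name__ == "__main__":
    for phase, hrs in mean_phase_hours(INCIDENTS).items():
        print(f"mean {phase:>8}: {hrs:6.2f} h")
    print("bottleneck phase:", bottleneck_phase(INCIDENTS))
    # 88,000 USD/hour is the Veeam figure cited in this article; a real
    # organization should substitute its own measured rate.
    print(f"recovery downtime cost: ${downtime_cost(INCIDENTS, 88_000):,.0f}")
```

Run over the sample incidents, recovery is the longest phase on average even though one incident took ten hours to detect; a team looking only at the headline detection number would miss that. Tracking these means release after release is what the control phase needs to prove an improvement stuck.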
Innovation and Continuous Improvement
Continuous improvement is a core feature of Lean Six Sigma, and applying it to cybersecurity methods can greatly enhance the security posture of the organization. As technology evolves, so do new cyber threats and malicious attacks on organizational networks. By continuously streamlining cybersecurity processes, finding innovative solutions to the root of problems, and regularly analyzing data, cybersecurity experts can adapt the in-place security measures to align with the new threat landscape.
DMAIC is a continuous cycle. Because of this, organizations can continuously improve upon their operations, giving them an edge over competitors. The control phase not only allows organizations to ensure that processes are sustainable in the long term but also ensures that they are scalable and adaptable to future changes if need be.
Lean Six Sigma can provide CISOs and the whole cyber team with cyber resiliency - the ability to anticipate, withstand, recover from, and adapt to adverse conditions and cyber threats. Thinking outside the box and using innovative strategies to optimize and improve cyber tactics, staying one step ahead of malicious adversaries, potential threats, and the growing cyber landscape, can drastically improve the organization as well as the culture it fosters.
Fitting into the Security Framework
Organizations must continue to follow required regulations and cannot substitute the methodologies and tools of Lean Six Sigma for the processes and procedures that those regulations require. Lean Six Sigma can, however, be combined with them to improve what is already in place.
The NIST framework’s five key elements - identify, protect, detect, respond, and recover - provide a solid foundation for understanding cyber risks and implementing necessary controls. Lean Six Sigma complements these elements by offering an approach to improving on concepts already in place. The two can work in harmony to strengthen the organization’s cybersecurity practices.
Money. Money. Money.
Managers, CEOs, stakeholders, and those in a position of power within an organization view things with a cost-benefit mindset. Lean Six Sigma is no different. There can be a price in terms of training or hiring Lean Six Sigma Champions to lead the team to success. Incorporating Lean Six Sigma to enhance cybersecurity and become a proactive leader in the industry should, however, be viewed as an investment.
The 2022 Data Protection Trends report, conducted by Veeam, calculated that the average cost of downtime due to cyber-attacks and data breaches was upwards of $88,000 per hour, or $1,467 per minute. This varies between industries as well as with the size of the business, but this was the average cost among those surveyed. The downtime can hurt not only sales but also the trust of customers, vendors, and stakeholders. With cyber threats always looming, it is crucial to have a strong cyber framework, quick solutions, streamlined processes, and an adaptable team.
Final Thoughts
Lean Six Sigma not only encourages continuous improvement but also provides the structured framework, methodologies, and tools necessary to facilitate and guide the improvement process. By adopting the Lean Six Sigma mindset, organizations can achieve sustainable growth and increase process efficiency while simultaneously bolstering the overall security health posture of the organization.
References
https://asq.org/quality-resources/six-sigma
https://www.biz-pi.com/what-is-dmaic/
https://ukdiss.com/examples/lean-six-sigma-cyber-security.php
https://csrc.nist.gov/glossary/term/cyber_resiliency
https://www.continuitycentral.com/index.php/news/technology/6237-cyber-security-is-in-denial-that-s-why-it-needs-the-lean-six-sigma-approach
https://goleansixsigma.com/cause-and-effect-diagram/
https://terranovasecurity.com/truth-about-cost-of-data-breaches/
https://www.cybersaint.io/blog/nist-cybersecurity-framework-core-explained
Excellent article, Michael Parascandola. Thanks for sharing.
(Cybersecurity | Networking) CySA+, PenTest+, CASP+
3 months: Great insight, Michael Parascandola.
Cloud Infra Architect @ AWS | Security+ | Cybersecurity | AWS x3 | Top Secret Clearance
1 year: I am late to the party but thank you for this article!!
Active TS/SCI Clearance | SAFe 6.0 certified | LSS Green Belt | Section 508 Trusted Tester
1 year: Great read and explanation as to where Lean Six Sigma fits into the cybersecurity arena!
SmartWork/ Agile Coach/ Scrum/ Kanban/ Kaizen/ Lean/ Lean Startup/ Management 3.0/ Design Thinking/ Design Sprint/ Workshop
1 year: A compelling case for Lean Six Sigma in cybersecurity! Delving into root causes is key. Brilliant perspective, Michael Parascandola! #CyberFuture