Total Quality Management isn't just a gimmick. Its techniques are helping improve information security.
After years of waiting, I've decided the profession is ready to know the truth: what we are doing is essentially a form of Total Quality Management (TQM). I know what you'll say--it's a fad, a gimmick, a buzzword that lacks substance. At best, it is a manufacturing technique that has absolutely no relevance to the practice of security. Anything that's appeared in so many airport bookstores has to be superficial, right?
There are a lot of misapprehensions about TQM, so let's start with what it isn't. It does not imply a rigid and objective quantification of human activity, and it's definitely not a mechanism for the calculation of security ROI. To be fair, today's TQM owes a significant debt to the pioneering research of Frederick Taylor, whose methodical time and motion studies demonstrated things such as the relationship between the density of a bulk material and the optimal size of a shovel. While statistical controls are still important, they do not apply to many situations, so rest assured that no one will be standing over firewall technicians with a stopwatch.
But if quality management isn't just stopwatches and statisticians, what is it? The core concept is that ad hoc methods can be avoided with a bit of discipline. TQM does not guarantee to provide the "best" of anything; it is just an approach to problem solving such that the way we do things can be continuously improved. It's all about learning what does and doesn't work, doing more of what works and less of what doesn't.
This is not just some new management craze suddenly unleashed on the infosecurity world. Several large organizations have long had their information security function within their quality management departments. In 1995, Mario Devargas published The Total Quality Management Approach to IT Security. The certification standard for BS 7799 developed in the late '90s was based around the Information Security Management System, a process-oriented approach that included a feedback loop. The relationship with TQM was clear in the updated version, BS 7799-2:2002, which uses the so-called Deming Plan/Do/Check/Act (PDCA) Cycle. The check and act phases refer to continuous process improvement--the expectation that you will never get it completely right, but you can always make it better.
The emphasis on process maturity is not meant to be some sort of magic management bullet that will solve all security problems, but the selective use of TQM techniques is slowly but surely improving the infosecurity practice. For example, because we understand better why we are performing certain control activities, we are getting better at communicating their benefits to the rest of the business. The CISOs using these techniques are doing a better job of choosing priorities and goals, and they are winning the respect of the non-IT managers because they can explain it.
Outsiders are also demanding a more precise description of risks and risk controls. Business partners, customers and regulators are demanding that our organizations perform risk management in a more methodical way, and document it more precisely--a requirement tailor-made for TQM techniques.
I recently heard someone joke that the term best practices was a buzzword that just means doing things properly. I agree that it is a pretentious and widely misunderstood term, but it represents an important truth. People don't naturally do things properly when solving new problems--it takes time to learn what works. We've got lots of infosecurity problems to solve, so let's not let buzzword baggage prevent us from taking advantage of a way to figure out how to do things properly.