
Six Sigma and CMM models offer security best practices

Security can learn a lot from Six Sigma, CMM and other established business methodologies.

When Al Schmidt joined Arch Chemicals as CIO in 1997, security wasn't the first thing on his mind; IT survival was. The legacy mainframe system was shaky, and the company wanted to implement SAP on top of it.

"We didn't have the skills and organization to be able to manage what we had," Schmidt says. Six Sigma was the key to improving Arch's IT systems and, ultimately, the company's security.

Schmidt, who learned about the Six Sigma continuous improvement methodology as an engineer, brought discipline to IT and eventually expanded it to infosecurity.

"People began to get the idea that 'it isn't enough for me to succeed. I'm going to be totally dependent on my neighbor succeeding, and if he or she doesn't succeed, I'm going to fail and I'll feel it in the pocketbook,'" Schmidt says.

Everything started with business objectives: Keep the operations running and lower the costs. The IT department conducted a formal risk assessment to quantify the business costs of potential problems so Schmidt could more effectively deploy its resources. The metric that measured system availability--print and file servers, e-mail servers and PBX systems--ruled the decisions. Uptime had to be at least 99.9 percent, and costs had to drop. Compensation depended on reaching objectives.

Suddenly, typical concerns, such as the number of discovered viruses or attacks per day, had context. Decisions about standard server configurations, phased disaster recovery and remote control software became clear. Uptime eventually hit 99.94 percent, and it's still climbing.

Companies like Arch are applying traditional business management methodologies to security and making continuous improvements. Whether you adopt Six Sigma, Total Quality Management, Enterprise Risk Management, Portfolio Risk Management, Capability Maturity Model (CMM) or other approaches, business-rooted discipline improves operations, lowers costs and creates a connection between cybersecurity and corporate functions. And, by aligning infosecurity decision-making to widely accepted business principles, there's a better chance of gaining boardroom attention and financial support.

Method Acting
Management fads are as short-lived as Fifth Avenue fashions, but metrics-based management methodologies have proven their worth for decades. They focus on business objectives and use key measurements to gauge improvement.

Six Sigma is a Motorola creation that started as statistical quality control in manufacturing. Another methodology is CMM, developed by Carnegie Mellon's Software Engineering Institute to assess the maturity of a software development organization through, in part, the measures of performance and the use of feedback. In finance, Portfolio Risk Management has uses ranging from guiding mutual fund investment decisions to managing credit offerings to clients. (See "Management Methodologies.")

Notice that none of these methodologies specifically includes the word "security" in the title, and for good reason. Although they all have foundations in specific disciplines, each has moved beyond parochial concerns to focus on business needs. Each also uses metrics to measure whether the company is on track to meet its objectives, and each depends on a process of constant improvement.

"[Security practitioners] need formalized management theories," says IT consultant and futurist Thornton May. "They were never part of IT, never part of mainstream corporate culture, so they were never able to integrate themselves into corporate culture."

The result is a communications gap between the security and business sides of the house. "In spite of your excellent technical skills or knowledge of threats, it will be the equivalent of you speaking Greek and they're speaking Latin," says Bill Boni, VP and CISO at Motorola. "If you tell a senior executive that there's a risk, they'll say, 'Of course there's a risk--there's always risk in business.' The big challenge is translating the technology risk and control challenges into the business value."

Making the Leap
Formal management bridges the gap between a company's technology and business arms. The first step is realizing just how big a bridge is needed.

Mitch Clemons, corporate director of information systems at Louisville, Ky.-based Baptist Healthcare System, was--to put it mildly--surprised when he first determined how close the six-hospital chain was to HIPAA compliance: 16 percent. "I would have thought that we'd have been in the 40 percent to 50 percent readiness stage," he says. (HIPAA's security requirements go into effect in April 2005.)

"It's still really immature out there," says Chad Cook, CTO of Black Dragon Software, an IT security software and consulting company. "Most organizations still have a technology focus on security, and any processes they have revolve around that technology." Sound management is the proper governance of technology, processes and people. If the focus is technology alone, it's impossible to manage--let alone improve--an organization.

Methodologies shouldn't be chosen in a vacuum, though. Security managers should adopt the metric commonly used by key business units and their executives. Those using disparate metrics run the risk of their security managers speaking a different language than their counterparts. If an organization doesn't use metrics, the security manager should get the ear of the CIO, or another senior executive, and champion the adoption of a metric that benefits all departments.

Choosing a metric depends completely on a company's business and operating requirements. For example, tracking the number of security patches installed in the enterprise is relatively meaningless, while knowing the status of patches on mission critical systems is important.
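The contrast drawn in the paragraph above, as an added Python example that is not from the article: an enterprise-wide patch count looks healthy while a mission-critical system is still missing a required patch. Host names and patch ids are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class System:
    name: str
    mission_critical: bool
    required: frozenset  # patches policy requires on this system
    installed: frozenset  # patches actually installed on it


# Constructed sample inventory (hypothetical host names and patch ids).
INVENTORY = [
    System("payroll-db", True, frozenset({"P1", "P2", "P3"}), frozenset({"P1", "P2"})),
    System("erp-app", True, frozenset({"P1", "P2"}), frozenset({"P1", "P2"})),
    System("kiosk-17", False, frozenset({"P1", "P2", "P3", "P4"}),
           frozenset({"P1", "P2", "P3", "P4"})),
    System("test-lab-03", False, frozenset({"P1"}),
           frozenset({"P1", "P2", "P3", "P4", "P5"})),
]


def enterprise_patch_count(inventory):
    """The raw enterprise-wide number: total patches installed anywhere.
    It grows with the size of the fleet and says nothing about business risk."""
    return sum(len(s.installed) for s in inventory)


def mission_critical_patch_status(inventory):
    """The metric the article prefers: patch status restricted to
    mission-critical systems, reported as coverage plus the exact gaps."""
    critical = [s for s in inventory if s.mission_critical]
    missing = {s.name: sorted(s.required - s.installed)
               for s in critical if s.required - s.installed}
    fully_patched = len(critical) - len(missing)
    coverage = 100.0 * fully_patched / len(critical) if critical else 100.0
    return {"critical_systems": len(critical), "fully_patched": fully_patched,
            "coverage_pct": coverage, "missing": missing}


if __name__ == "__main__":
    print("patches installed enterprise-wide:", enterprise_patch_count(INVENTORY))
    print("mission-critical patch status:", mission_critical_patch_status(INVENTORY))
```

Running it shows 13 patches installed across the fleet, yet only half of the mission-critical systems are fully patched, with payroll-db still missing P3.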

Pay Dirt
Formal security management adds to the corporate bottom line. Corporate imperatives drive the protection of systems, with the most valuable resources and processes taking precedence. This enables infosecurity to use its resources efficiently and to argue for more resources (funding, staff, equipment, etc.) based on the business value of the systems, the potential disruption or damage of an attack and the cost of increased protection.

A more subtle benefit is certainty. A formal methodology provides a common framework of business needs and expectations that will help determine risk and choose the appropriate metrics. The security department would need to meet with other groups to understand their needs. As a result, there's "zero ambiguity about who owns which risk," says Dan Geer, chief scientist at Verdasys, which specializes in defending against insider threats.

That makes sense, but according to the IT Leadership Academy at Florida Community College, only 20 percent of corporate infosecurity departments are pursuing formal management methodologies; the remaining 80 percent continue to use ad hoc, unfocused approaches. And, most companies adopting a management methodology are still in the early stages.

More sobering is that an infosecurity framework--or formal security policies and processes--is mandatory before formal management can be employed. Al Decker, executive director of security and privacy services at Electronic Data Systems, estimates that only 25 to 30 percent of the companies he sees have formal security frameworks, and most are "patchwork" efforts. "Either you have redundant security, with groups using more people and processes than they need, or you have areas that are left out," he says.

As a result, there isn't enough control to support meaningful metrics or process adjustments. This is where a standard like ISO 17799 can help, providing a framework on which to build a management methodology.

Avoiding Method Muck
Even with a robust set of security processes, implementing a management methodology requires careful planning. The infosecurity department must involve other departments, particularly when it comes to identifying the metrics that will support business needs.

"Quite often, because of the way business is conducted, the IT or security groups aren't the [process] owners, and they aren't in the position to make the decisions and changes they need to make," says Dave Drab, director of information content security services for Xerox Global Services.

ITC^DeltaCom, a telecom company, addressed this while expanding its use of Six Sigma to infosecurity. Senior management literally sat down and decided what to include: risk assessment and prevention, security perimeters, documentation, training and security awareness. Without a clear concept that everyone accepted, the ownership of risk--and its management--would have been ambiguous.

"The problem is defining what it is you have to measure and not being fuzzy," says Pam Schaard, VP of IT at ITC^DeltaCom.

The challenge then becomes the introduction of change. Companies that have embraced metrics like Six Sigma have an easier time getting security staffers to buy in, but some employees will resent having their actions and performance measured.

"The hardest part was getting people on board and helping them to see that it would take them to a different place," Arch's Schmidt says. "If someone comes in with a change agenda and wants to go from no experience to world class in six months, it won't work. It will trigger an immune reaction, and you're the antigen that gets spit out."

Change must be moderate and proceed only as fast as people can absorb it. Xerox's Rajiv Agarwala suggests a technique called "tollgates," through which no one in the organization proceeds until everyone has a chance to evaluate the previous assumptions and decisions.

"Whether you're a psychologist or engineer or MBA, as you go through the tollgate, it creates a shared vision," says Agarwala, Xerox's VP of lean Six Sigma (a modified version of the methodology). "Sometimes certain people have a hard time, especially at the [operational] level, if you're telling them to do things differently or that their jobs are being eliminated."

Agarwala also recommends watching processes over time rather than declaring early victory. According to what organizational development experts call the "Hawthorne Effect," employee performance improves in the short run when people know they are being measured. Let changes settle in before deciding whether the project has been successful.

About the author:
Erik Sherman is a Massachusetts-based freelance writer.
