Applying Lean to Information Risk Management

Credit to Author: William “Bill” Malik (CISA VP Infrastructure Strategies) | Date: Tue, 12 Dec 2017 13:00:36 +0000

Lean Manufacturing brings significant benefits to industry, including cost reduction, quality improvement, reduced cycle time, and greater customer satisfaction (see “The Machine that Changed the World”, Womack, J., Jones, D., and Roos, D., Free Press, 1990, for the groundbreaking analysis of Toyota’s Lean Production). Can Information Technology organizations apply Lean to cybersecurity?

The core challenge in manufacturing is to avoid the seven deadly wastes – activities that use resources but do not add value. These are:

1. Defects – incorrect products or processes requiring rework or rescheduling

2. Overproduction – building more than the customer needs, or sooner, or faster

3. Transportation – moving components around within or among processes

4. Waiting – parts or people waiting for processes to complete

5. Inventory – holding raw materials, spare parts, or work in process in case they are needed

6. Motion – requiring people to move around to accomplish a task

7. Over Processing – providing more capabilities than the customer requires (“featuritis”)

Often Lean includes an eighth waste – the waste of human potential.

Some of these apply more directly to information security than others. All bear on the problem. This analysis is timely as many organizations are extending security to unfamiliar realms, such as IIoT (the Industrial Internet of Things), third party risk management, and privacy. As they do, understanding how to apply security efficiently can avoid failed implementations and ineffective processes.

Defects. Information security defects include failure to identify an attack, patch a vulnerability, or permit a safe but unfamiliar activity. Note that testing does not improve quality. All testing does is reveal the quality of whatever you have built. Start with simple, clear requirements, then design appropriate tests to validate that the product meets those requirements.
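The point that testing only reveals quality, and that tests should be derived from clear requirements, is easiest to see with a requirement written down first and a check that reports which records violate it. The following is an added example, not code from the original post: the two requirements, the 7-day limit, the allowed states and the vulnerability records are all constructed for illustration.

```python
"""Requirement-driven checks for a patch-management record set (added example).

Constructed requirements this code tests against (assumptions, not from the post):
  R1: a 'critical' vulnerability is patched within MAX_CRITICAL_PATCH_DAYS of the
      advisory date, unless the risk was formally accepted.
  R2: a record's state is one of ALLOWED_STATES.
The check does not make the inventory better; it reports the defects so the
underlying process can be fixed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

MAX_CRITICAL_PATCH_DAYS = 7                         # assumed requirement R1
ALLOWED_STATES = {"patched", "open", "accepted-risk"}  # assumed requirement R2


@dataclass(frozen=True)
class VulnRecord:
    asset: str
    severity: str
    advisory: date              # date the advisory was published
    state: str
    patched_on: Optional[date] = None


def defects_for(record: VulnRecord, today: date) -> List[str]:
    """Return every requirement violation for one record (empty list = passes)."""
    problems: List[str] = []
    if record.state not in ALLOWED_STATES:
        problems.append(f"{record.asset}: unknown state {record.state!r}")
        return problems  # cannot reason about R1 with an unknown state
    if record.severity != "critical" or record.state == "accepted-risk":
        return problems
    if record.state == "patched":
        if record.patched_on is None:
            problems.append(f"{record.asset}: marked patched without a patch date")
            return problems
        closed_on = record.patched_on
    else:                                   # still open: measure against today
        closed_on = today
    age = (closed_on - record.advisory).days
    if age > MAX_CRITICAL_PATCH_DAYS:
        problems.append(
            f"{record.asset}: critical vulnerability open {age} days "
            f"(limit {MAX_CRITICAL_PATCH_DAYS})"
        )
    return problems


def audit(records: List[VulnRecord], today: date) -> Dict[str, List[str]]:
    """Apply the requirements to every record; map each failing asset to its defects."""
    report: Dict[str, List[str]] = {}
    for rec in records:
        found = defects_for(rec, today)
        if found:
            report[rec.asset] = found
    return report


# Constructed sample records (not real assets or advisories).
SAMPLE = [
    VulnRecord("web-01", "critical", date(2017, 11, 20), "patched", date(2017, 11, 24)),
    VulnRecord("db-02", "critical", date(2017, 11, 20), "open"),
    VulnRecord("hmi-03", "critical", date(2017, 12, 1), "accepted-risk"),
    VulnRecord("fw-04", "high", date(2017, 11, 1), "pending"),
]

if __name__ == "__main__":
    for asset, problems in audit(SAMPLE, date(2017, 12, 12)).items():
        for p in problems:
            print(p)
```

The requirement is stated once, as constants, and every reported defect names the record and the limit it broke; a check that only printed a pass/fail count would reveal that quality is low without saying where the rework belongs.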

Overproduction. An information security or privacy program can be too elaborate to meet its business or regulatory requirements. Simplicity in design and execution will make a program effective without being burdensome.

Transportation. An information risk management program may require data to be passed across multiple steps, or notifications to cross multiple screens, or alerts to notify many intermediaries. The core problem is weak or sloppy architecture, with little value added across processing steps. The risks include network delay, complexity that makes debugging take too much time, and fragility, meaning that minor perturbations in system characteristics cause inconsistencies downstream.

Waiting. A failure to match the speed of critical events with the speed of the appropriate responses. Particularly with the integration of Industrial Control Systems (ICS, sometimes generally referred to as OT) into Information Technology, real-time processing can outpace conventional asynchronous IT processing. Messaging between cloud and local workstations can take orders of magnitude longer than continuous processes can wait. Personnel waiting for the results of an analysis or verification of a fix also introduce risk.

Inventory. In IT, this can refer to IT environmental waste, such as not spinning down unused virtual machines, not clearing information once it is processed and archived, holding sensor data or unneeded personally identifiable information for potential future analysis. Do not collect what you do not need.
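“Do not collect what you do not need” is a rule that can be enforced at the point of ingestion rather than left to a later clean-up. The following is an added example, not code from the original post: the record format, the set of fields the analysis actually uses, the PII field names and the 30-day retention period are all constructed assumptions.

```python
"""Data minimisation and retention at ingestion time (added example).

Assumptions (constructed, not from the post): sensor records arrive as dicts;
only the fields in NEEDED are used by the analysis the program performs; raw
records older than RETENTION_DAYS have no remaining purpose and are purged
rather than kept "in case".
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

NEEDED: Set[str] = {"sensor_id", "ts", "temperature_c"}          # fields the analysis uses
PII_FIELDS: Set[str] = {"operator_name", "operator_email", "badge_id"}  # never needed downstream
RETENTION_DAYS = 30


def minimise(record: Dict) -> Dict:
    """Keep only the fields the downstream analysis requires; everything else is dropped."""
    return {k: v for k, v in record.items() if k in NEEDED}


def expired(record: Dict, now: datetime) -> bool:
    """True when the record is older than the retention period."""
    ts = datetime.fromisoformat(record["ts"])
    return now - ts > timedelta(days=RETENTION_DAYS)


def process_batch(records: List[Dict], now: datetime) -> Tuple[List[Dict], Set[str], int]:
    """Return (kept minimised records, names of fields discarded, number of purged records)."""
    kept: List[Dict] = []
    dropped: Set[str] = set()
    purged = 0
    for rec in records:
        if expired(rec, now):
            purged += 1          # past retention: never enters the archive
            continue
        slim = minimise(rec)
        dropped |= set(rec) - set(slim)
        kept.append(slim)
    return kept, dropped, purged


def contains_pii(records: List[Dict]) -> bool:
    """Guard for the archive path: refuse a batch that still carries PII fields."""
    return any(field in PII_FIELDS for rec in records for field in rec)


# Constructed sample batch (not real sensor or personnel data).
NOW = datetime(2017, 12, 12, tzinfo=timezone.utc)
SAMPLE = [
    {"sensor_id": "tank-7", "ts": "2017-12-11T10:00:00+00:00", "temperature_c": 41.2,
     "operator_name": "J. Example", "operator_email": "j.example@example.invalid",
     "badge_id": "B-0001", "firmware": "1.4.2"},
    {"sensor_id": "tank-8", "ts": "2017-12-10T09:30:00+00:00", "temperature_c": 39.8,
     "operator_name": "K. Example", "badge_id": "B-0002"},
    {"sensor_id": "tank-7", "ts": "2017-10-01T08:00:00+00:00", "temperature_c": 40.5,
     "operator_name": "J. Example", "badge_id": "B-0001"},   # older than 30 days
]

if __name__ == "__main__":
    kept, dropped, purged = process_batch(SAMPLE, NOW)
    print(f"kept {len(kept)}, purged {purged}, dropped fields: {sorted(dropped)}")
    print("PII left in archive batch:", contains_pii(kept))
```

Minimising before storage means the PII and the unneeded firmware field never reach the archive, so there is nothing to clear later; the `contains_pii` guard is the test that reveals whether the minimisation step actually did its job.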

Motion. Requiring analysts to move among consoles costs productivity. In an early study (“The Economic Value of Rapid Response Time”, Walter Doherty and Ahrvind Thadani, IBM Systems Journal, Nov. 1982), the introduction of even ½ second of delay in a display caused an individual’s attention to wander, and their thought processes were interrupted again when the information finally arrived. These pairs of interruptions work against the analyst’s ability to see the data’s underlying pattern, making analysis slow, error-prone, and frustrating for the individual.

Over processing. Too often in software development, coders add features that the user does not want and did not require. As defect rates are strongly correlated with code volume, more code means more bugs. Information security tools that offer too many “bells and whistles” can slow implementation and impede effectiveness.

Information security programs can be Lean. That is, they can avoid waste, minimize errors, and maximize value to the organization. Select tools that offer clear, correct, unambiguous results. Use products that support advanced automation and integration with key infrastructure components. Engage with vendors that provide focused training and timely, usable documentation. Design processes that optimize your most valuable resources – your skilled analysts and technicians. Lean processes will give you less of what you do not need, and more of what you do need: indicators of the real problem, and the optimal solution for your specific environment.

Let me know what you think! Please add your thoughts in the comments below, or follow me on Twitter: @WilliamMalikTM. 
