
The Best Security Is A Great Process:
The Executive's Guide To Running a World-Class Security Program
Table of Contents

I. Introduction (p. 1)

II. Visualize (p. 3)
    SIPOC Exercise (p. 5)
    Value Stream Mapping (p. 7)
    TIMWOOD (p. 9)

III. Prioritize (p. 12)
    Fishbone Diagram (p. 12)
    Risk Ranking (p. 14)
    Benefit-Effort Matrix (p. 15)
    Communication (p. 18)

IV. Realize (p. 18)
    Metrics (p. 19)
    Culture (p. 20)

V. Conclusion (p. 24)

The Best Security Is A Great Process


I. Introduction

Remember When Security Meant “Gates, Guns, and Guards”?
Consider your office’s mission. How much has it changed since the office was established?
Chances are, not much - at least on paper. As a federal security executive, your objective is
still the same: protect the organization’s most valuable assets. While this mission, and the
bureaucratic structures that support it, has remained constant, the modern threat
environment has expanded far beyond “gates, guns, and guards”.

Comprehensive security now includes protection from cyber threats and insider threats,
among many others. This has necessitated an exponentially more complex approach to
executing your mission. To make matters worse, emerging protection requirements are far
outpacing the dollars allocated to the protection mission.
To put it bluntly: You are constantly asked to do more with less.

There are many ways to deal with this problem, but only one that doesn’t involve adding
additional layers of complexity: use process improvement to untangle existing security
operations, increase efficiency, and get rid of waste.

The secret to this approach? Security is a process.

(Sidebar: Use process improvement to untangle your existing security operations, increase
efficiency, and get rid of waste.)
Say you want to keep unauthorized individuals out of your
building - your first thought may be to procure an
automated entry system that will only allow employees access after scanning their ID
badges. No doubt the system can get the job done; folks without a badge are blocked. But
what about the felon who was hired and given a badge because HR forgot to complete his
fingerprint check? How will the system know to stop the woman who stole an employee's
badge out of an unlocked car yesterday? Will the person whose badge was stolen be able to
get into the office to notify security? Adding the automated entry system only addressed
one step of a process that started far before the attempted entry, and could end with a
catastrophic security breach.

Strive to use tech solutions the same way you use spellcheck. Both serve a purpose -- but
just as spellcheck comes up with many false positives and doesn't (yet) perfectly understand
the nuances between “there”, “their”, and “they're”, automated security fixes are limited to
their programmed scope. Neither system should be relied on as a comprehensive solution.
Before you invest precious resources in a shiny new database or monitoring tool, consider
the problem you're trying to solve and how it fits into the larger security process; if the
process itself is broken, patching up bits and pieces is a waste of time and money.

Successful implementation of technology requires humans to carefully consider every
element of a process first, and then determine which elements can and should be
automated. Once your resources and efforts are laser-focused on mastering and optimizing
the processes that protect your organization, you are positioned for success.

This guide will show you how to think about your security challenges as operational
processes and how to solve them using process improvement tactics.

With this approach, you will:

1. Visualize how your security processes work from end-to-end, how practices "on the
ground" differ from policy and procedural documents, and where there are protection
gaps and wasted resources;

2. Prioritize your most valuable assets and opportunities to mitigate risk while using
data and root cause analysis to support your resourcing decisions; and finally,

3. Realize the full potential of your security processes through strategic and cost-
effective process improvement efforts that will both simplify and optimize your
operations.

II. Visualize

Houston, We Have a Problem (But We Don’t Know What It Is)
Have you ever played Jenga? The game begins with a
solidly stacked tower of blocks. Each player takes a turn at
pulling a block from the stack and balancing it on top of
the increasingly precarious tower until it becomes so
unstable that it can no longer stand, and the whole thing
comes tumbling down.

This game is an apt metaphor for the state of many federal security operations. At first,
there were just a few strategic priorities - the tower was solidly built. As new priorities
emerged, security leaders were forced to draw from existing resources, creating gaps in the
remaining programs while tacking new preventative measures and initiatives on top of
current operational processes. This seemed like a convenient way to address immediate
risks and comply with new policy requirements, but over time it resulted in inefficient (and
even illogical) processes that were more susceptible to the risks they were originally
designed to mitigate.

Fast forward to today: few in the security office have a comprehensive understanding of how
all of the operational processes work together (especially where complex IT systems are
concerned) - and it’s only a matter of time before a critical gap leaves the door open to a
devastating threat. That door may be open already.

Clearly Define the Current State


You already know that there is room for improvement in your security program, but solving
any problem requires resources, so the allocation should be carefully considered. Before you
jump into fixing those challenges that are top of mind, step back and look at the information
you already have - then make a strategic decision about where to start.

Clarify what your purpose is, who your customers are, and what they need from you.
We all take great pride in our work and strive for excellent results. It's easy to get carried
away and expend unnecessary time and resources in the pursuit of excellence, then
ultimately lose track of the minimum output required to satisfy those you serve. Is it possible
that you've always delivered a 20-page report to the team next door, when they only need
the first five pages to do their job? You must understand the larger organizational processes
and where you and your team fit to clearly understand your "customers" (internally and
externally) and what they require from you.

Never assume that policy equals practice. Say your standard operating procedures state
that “upon employee termination, badges must be reclaimed by HR within 24 hours and
destroyed”. Maybe your team in the field has devised an unofficial way to run the process
that is more efficient - or maybe badges are only being reclaimed during an exit interview,
but exit interviews are only held for those employees who leave on good terms. Either way,
you must find out the ground truth of what is actually happening - and not just what is
written in policy and procedural guidance.

One of the most effective exercises to understand who you are and what you do is
process mapping.

Process maps can range from high-level to profoundly detailed, depending on your needs.
On the next pages you will find examples of two types of process maps:

• A high-level SIPOC (Suppliers, Inputs, Process, Outputs, and Customers) Chart

• A detailed Value Stream Map

In both of these mapping exercises, the objective is to visualize a single process on paper
at the desired level of detail to clarify how it works today from start to finish, who is involved
to make it work, what goes in, and what comes out. During these exercises, it is critical to
involve a variety of stakeholders at all levels and functions to build an accurate
representation of the process in question. Participants typically walk away from these
sessions with a completely new understanding of their program and a better sense of how
their functions fit into the larger scope of operations.

SIPOC Exercise
The example below uses a simplified bakery scenario to illustrate the different elements and
metrics included in a SIPOC Chart.

To complete a SIPOC with your team, choose the process you want to map out and break it
down into 5-7 main steps that take it from start to finish. Let’s say you are mapping a
personnel vetting process - does it begin when the candidate is hired, when they submit an
application, or when a job notice is posted? Facilitating this discussion among your
stakeholders and reaching a consensus is a crucial part of the exercise.

From there, identify the outputs of the process - what is the end result of the process? Once
you have listed some outputs, customers should be easy to identify; they are the people,
departments, or organizations that are on the receiving end of your outputs.

Finally, brainstorm a list of inputs, or "ingredients" that go into the process - what must be
present in order to produce the desired output? You can complete the suppliers section by
considering the origin of each input.

SIPOC Bakery Example


| SUPPLIERS | INPUTS | PROCESS | OUTPUTS | CUSTOMERS |
|---|---|---|---|---|
| Ingredient Vendors | Manpower | 1. Mix ingredients | Cakes | Bakery customers: walk-ins, phone orders |
| Landlord | Raw ingredients | 2. Bake cake | Satisfied customers | Corporate business: coffee shops, supermarkets |
| Utility Company | Secret recipe | 3. Decorate cake | | |
| | Retail space | 4. Add to display case | | |
| | Electricity/Phone | 5. Sell to customers | | |
| | Appliances | | | |

| | INPUT METRICS (X) | PROCESS METRICS (X) | OUTPUT METRICS (Y) |
|---|---|---|---|
| QUALITY | Freshness of ingredients; Maintenance of steady heat in oven; Clarity of decoration request details | Accuracy of following recipe; Alignment of decoration with request | Customers enjoy cake; Cake appearance matches customer expectation |
| SPEED | Ingredients delivered on time; #/length of breaks baker takes | Time to mix ingredients; Time to decorate cake | Full cycle time per cake; Time from display to sale |
| COST | Price of ingredients; Hours + overtime worked by baker | # of cakes burned; # of decoration errors | Total cost per cake; % cakes not sold (waste) |

The resulting SIPOC chart is a comprehensive visual of a single process from start to finish
that can be used as a reference for subsequent strategy discussions. You can take your
SIPOC to the next level by listing the metrics (quality/speed/cost/etc.) aligned with your
identified inputs, processes, and outputs. These metrics will help your team pinpoint key
value drivers that, if improved, would significantly improve the process and the security of
your organization as a whole.

Click here for a step-by-step example of how to complete a SIPOC chart.

Ask yourself a few key questions as you go through the SIPOC exercise:

• Could any of our existing processes be combined or eliminated altogether?

• Are we facing any significant challenges (time / quality) in our current processes?

• Which requirements are we not currently meeting? Can any of our existing processes be
expanded to meet this requirement?

• Are we “over delivering” in any areas? Is there anything we are providing to customers
that they don’t actually want, or need, that we can cut back without consequence?

• Which key metrics tell us whether the process is functioning properly?

Your team may want to create multiple SIPOC charts to map out key processes within your
purview. This is a useful way to gather the information required to identify the most
challenged processes and the processes with the highest potential to be
combined/expanded.

Once you have settled on one process that has room for improvement, the next step is to
dig deeper by creating a Value Stream Map.

Value Stream Mapping
Value Stream Mapping (VSM) will help you understand a single process at the most granular
level. Unlike simple process flow charts, VSM details material and information flow and
timing, and categorizes each step according to the value it adds to the overall process. This
thorough and objective approach quickly highlights undeniable inefficiencies and allows your
team to easily identify areas for improvement while eliminating the cost associated with
targeting the wrong steps in your improvement efforts.

Value Stream Map Example: (figure)

The key to a successful VSM session is to make sure that you and other executive-level
leaders set the tone by assuring all participants that the session is a safe environment to be
completely honest about how processes work today. If even one participant does not feel
comfortable revealing elements of broken, challenging, or non-conforming processes, the
mapping session will be an exercise in wasting time.

Additional Visualization Resources


Four Reasons Why Your High-Level Process Map Isn’t Effective

7 Hidden Benefits of Process Mapping

How To Use Value Stream Mapping To Address Insider Threats

Now that you've mapped out a comprehensive picture of your security process, the next step
towards clearly defining the current state is to identify areas of waste that can be eliminated.
This step is generally included as part of a formal VSM session, but it deserves special note
because it’s important for your team to have a baseline understanding of what constitutes
waste in a process and how to address it.

Identify Waste in the Process
Security processes are rarely designed in whole. Instead, they evolve to suit the shifting
needs of the organization. As both policy requirements and staff inevitably change over
time, a sense of institutional amnesia takes hold: no one remembers why things are done
the way they are, and new requirements are continuously added to the mission. The
security officers simply do their jobs and the mission is accomplished to achieve baseline
policy compliance.

The problem with this approach to operations is that the security processes will lose
efficiency over time, eventually becoming so inefficient that a backlog of work begins to pile
up.

Would you be shocked to learn that your processes are 95% wasteful? This figure indicates
that less than 5 percent of the resources applied against a particular problem actually add
value to the end product. The next example illustrates why this may be true for your
organization (and how you can measure for yourself).

Ask a security manager how his process works and he’ll usually tell you something like: “A
request comes in from the next division. I take a look at it, make sure the request is properly
formatted, and task it out to one of my people. After the task is finished, I take a look to
ensure that everything is correct, and then I send it back out.” Usually, conducting a
personal review is a point of pride for that manager. “If something leaves this office, I’m
going to make darned sure it’s correct.”

On its face, this process doesn’t sound so bad. It’s only after asking a few questions that the
problems begin to emerge. Ask, for example, how long it takes to review and task out a
product, and the manager will usually give a figure of 30 minutes or less. However, ask how
long it takes him to get around to reviewing the request, and the answer will likely be several
hours or even days. During that time, the customer’s request is just sitting there, not being
worked on. To add some numbers to the example, let’s say it takes 30 minutes to review
and task out a product, but the product sits in the manager’s inbox for 4 hours before
he gets to it. Of the total time the request is with the manager, he is working on it only
30mins/270mins = 11 percent of the time. Now consider what happens every time that
same manager has to review the final result, and the drastically low efficiency figures begin
to make sense.

There is a further catch in the example above: The process efficiency of the manager’s
review process is actually zero percent. This is because the manager’s review did not add
any value to the product. By conducting a spot check to make sure the request was properly
formatted, the manager essentially presumed that the request contained an error. A far
better policy would add an error-proofing step into the beginning of the process that would
prevent a document with errors from moving forward at all, eliminating the entire 4.5 hours
that the request spent with the manager.

TIMWOOD
Waste of this sort can be categorized by the acronym TIMWOOD, which stands for
Transport, Inventory, Movement, Waiting, Overproduction, Overprocessing, and Defects. The
most relevant forms of waste within security processes are Waiting, such as the queuing time
in the example above; Overprocessing, as in spot-checking of both the request and the
finished product or requiring a host of arbitrary approval steps; and Defects, which can
completely undermine a security process.

Your team can use the value stream map to perform a TIMWOOD analysis, annotating the
areas of the process where waste is identified. Some of these areas can be resolved very
easily by experimenting with creative solutions. These “quick wins” should be implemented
as soon as possible, especially if the risk of failure is low.
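As an added example (not part of the guide), the Python below generalises the manager-review arithmetic above (30 minutes of work against 270 minutes elapsed = 11 percent) to a whole value stream: each step carries a work time and a queue time, a step that adds no value scores zero whatever its touch time, and steps dominated by queue time are flagged as TIMWOOD "Waiting" waste. The step names and minutes are constructed sample data, and the future-state comparison assumes the two review steps are replaced by error-proofing at intake.

```python
# Added example: process efficiency and "Waiting" waste over a value stream.
# Step names and times below are constructed sample data, not from the guide.
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Step:
    name: str
    work_minutes: float        # touch time: someone is actually working the request
    wait_minutes: float        # queue time before the step starts (TIMWOOD "Waiting")
    adds_value: bool = True    # False for spot checks / re-reviews of finished work


def step_efficiency(step: Step) -> float:
    """Share of the time a request spends at this step that is active work.

    A non-value-adding step (an inspection that presumes an error) scores 0.0
    regardless of how long the reviewer spends on it, matching the guide's point
    that the manager's review efficiency is really zero percent.
    """
    total = step.work_minutes + step.wait_minutes
    if total == 0 or not step.adds_value:
        return 0.0
    return step.work_minutes / total


def process_efficiency(steps: list[Step]) -> float:
    """Value-adding work time divided by total lead time across all steps."""
    lead_time = sum(s.work_minutes + s.wait_minutes for s in steps)
    value_work = sum(s.work_minutes for s in steps if s.adds_value)
    return value_work / lead_time if lead_time else 0.0


def waiting_waste(steps: list[Step], threshold: float = 0.5) -> list[str]:
    """Names of steps where more than `threshold` of elapsed time is queue time.

    These are the points to annotate as "Waiting" on the value stream map.
    """
    flagged = []
    for s in steps:
        total = s.work_minutes + s.wait_minutes
        if total and s.wait_minutes / total > threshold:
            flagged.append(s.name)
    return flagged


def remove_steps(steps: list[Step], names: set[str]) -> list[Step]:
    """Future state: drop the named steps (e.g. reviews replaced by error-proofing)."""
    return [s for s in steps if s.name not in names]


# Constructed current-state value stream for a request-handling process.
# The first and third steps reproduce the guide's 30 min work / 240 min wait review.
REQUEST_PROCESS = [
    Step("Manager format check", 30, 240, adds_value=False),
    Step("Officer works request", 120, 60),
    Step("Manager final review", 30, 240, adds_value=False),
    Step("Return to customer", 5, 5),
]

REVIEW_STEPS = {"Manager format check", "Manager final review"}


def report(steps: list[Step]) -> None:
    for s in steps:
        print(f"{s.name:24s} efficiency {step_efficiency(s):5.1%}")
    print(f"overall process efficiency: {process_efficiency(steps):.1%}")
    print("waiting waste at:", ", ".join(waiting_waste(steps)) or "none")


if __name__ == "__main__":
    print("Current state")
    report(REQUEST_PROCESS)
    print("\nFuture state (reviews replaced by error-proofing at intake)")
    report(remove_steps(REQUEST_PROCESS, REVIEW_STEPS))
```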

Click here for a free, downloadable TIMWOOD checklist.

Visualize The Future State
Once you have built a comprehensive illustration of your security operations today, it’s time
to think about how you want these processes to work in the future. While it may be tempting
to determine the future state based on current qualitative goals (e.g. policy compliance), it's
important to use quantitative data to realize efficiencies and reallocate resources from your
existing processes.

Consider looking externally for benchmark data and/or best practices to measure your
processes against. For example, if your value stream map revealed that it takes 30 days on
average to get a new hire set up with a security badge, but the industry standard hovers
somewhere closer to a 10-day flow time, you might set a goal of reducing the time to
complete that workflow by 50%.

The only way to hold your team and other stakeholders accountable for their efforts is to
establish SMART (Specific, Measurable, Achievable, Realistic and Time-bound) goals and
accompanying metrics to track progress towards them. In the early stages of process
improvement, your selected metrics may be educated guesses - and that's OK. The goal at
this point is to set your team's overall direction; as you move through the following Prioritize
and Realize phases, these metrics can be refined.

You should walk away from the Visualize phase with three main outputs:

1. Comprehensive quantitative and qualitative descriptions of the current state process

2. A list of process steps that have been identified as inefficient or contributing to waste

3. SMART goals and accompanying metrics to guide improvements - these are only the
first draft and will be refined as your efforts move forward.

Expert Tips for the Visualize Phase:

• Don’t plan to rely solely on IT solutions to solve a problem. IT-based fixes can
boost productivity dramatically, but only if the underlying process is sound. It’s
almost always preferable to complete an initial overhaul of a process before
attempting to design an IT solution. Nailing down the process first simplifies the
scope and difficulty of an IT project, making it much more likely to succeed.

• Document your current state of operations both quantitatively and
qualitatively. Describe each process and your initial findings in qualitative terms. Any
Joe Schmo off the street should be able to understand your current state. Be sure to
also use quantitative data wherever possible (number of resources required, lead
time, work in progress, etc.). This data will help you to not only better understand
your current operations, but also defend the processes that should not change.

• Document and plan to take action on any quick wins. Quick wins are problems
that can be fixed very easily (by 1-2 people, within one month, and at a low cost). For
instance, co-locating personnel who work on highly interrelated processes could be a
quick win. By placing these personnel near one another in the physical office, it
becomes easier for them to collaborate and share information.

• Eliminate as many review steps as possible. This might make many managers
nervous, but there are powerful reasons for it. First, eliminating senior reviews gives
the security officers handling requests full responsibility for their work. Eliminating
the safety net should make falls much less common. Second, this step allows
managers to manage and to focus on more productive tasks than checking their
subordinates’ work.

• Reduce defects through error-proofing. In the above example, it would be far
more effective to program a web form to reject all improperly formatted requests
than to have a manager review each one individually. Likewise, simplifying the final
result to conform to the customer’s precise needs will prevent judgment calls and
simple formatting errors from ever occurring.

• Minimize the number of data “handoffs.” A delay occurs each time a person has to
transmit information to another person. A handoff is also an opportunity for a defect
to occur. Therefore, it’s best to minimize the number of times a request must change
hands. Lightweight IT workflow solutions can be useful in this context.

III. Prioritize

If You’ve Got 99 Problems (Then Prioritizing Is One of Them)
While the visualize phase establishes a common understanding of problems and potential
solutions, the prioritize phase ensures that resources are channeled into the areas that most
influence your bottom line.

With the understanding that you cannot fix everything (at least, not all at the same time), the
goal of the prioritize phase is to "rack and stack" the problems that your office is
experiencing and then prioritize solutions accordingly. One way to pinpoint which problems
are most pressing is to investigate the root cause(s) at the source of multiple emergent
challenges. There are various methods of performing root cause analysis, including Five
Whys Analysis, Failure Mode and Effects Analysis, Pareto Analysis, Fault Tree Analysis, and
many others. This guide highlights a straightforward framework for generating answers
called a Fishbone Diagram (also called an Ishikawa Diagram).

Another way of prioritizing your process improvement efforts is to determine the areas of
your process that allow the most unacceptable level of risk, and use those areas as a starting
place. Making that determination can be complex, but it's possible to use data to support
your decision. This section provides an overview of a risk ranking methodology that can be
applied to prioritize efforts based on risk.

Finally, you have a complete understanding of the problems keeping your security processes
from achieving their full potential -- your analysis has led you to the point where you know
exactly what needs to be fixed. There is one more crucial step left in the prioritize phase:
ranking possible solutions to those problems, ensuring the maximum return on the time and
money you decide to invest in process improvement. Big Sky's go-to tool for this analysis is
called a Benefit-Effort Matrix, covered at the end of this section.

Fishbone Diagram
Have you ever had a sticky problem - one that just didn’t seem to go away? You tried several
solutions, but nothing seemed to work? For example, let’s say you are the owner of a
restaurant and you’ve had several complaints from customers that they were served the
wrong item. You immediately spring into action and increase the training of your wait staff,
reward those who make the fewest mistakes on orders, and even get your managers to
conduct random audits to check that staff are writing down all orders correctly. None of this
seems to work…. because as you later discover, the problem isn’t your people, but your
computer software! This is the value of root cause analysis. It is a structured approach that
helps you diagnose the true cause of your problem so you don’t waste time and money
trying to fix the wrong thing.

One of the simplest and most effective tools for getting to the root cause of a problem is the
Fishbone Diagram. Executed correctly, this exercise can push you and your team to think
beyond what’s “commonly known” in your office and reveal underlying issues that must be
addressed before any of the symptom issues can be resolved.

Fishbone Diagram: (figure)

Read more:

Click Here for a step-by-step guide to Uncovering Root Causes Using a Fishbone Diagram

5 Tips to Get to the Root of Your Root Cause Analysis

How to use a Pareto Chart to Identify and Solve the 20% of Causes That Result in 80% of Problems

Find the Weakest Link in Your Security Process using a Failure Mode Effects Analysis (FMEA)

Risk Ranking
At this point, you should have a good sense of the problems and risks present in your
operations, but is a paperwork bottleneck as risky as the fact that some former employees
never had their access to the organization's network shut off? In practice, you cannot
protect everything, so you need to have a clear idea of what is worth protecting. Risk
ranking is a valuable exercise that allows your team to methodically think through the
consequences of assets being compromised, and make forced trade-offs to focus limited
resources on the most important areas. Here’s a high-level overview of how to do it:

1. Identify your key assets - your SIPOC chart is a helpful resource to review, as you may
find that nearly all of the elements listed could be considered assets for your
organization. If the list of assets is lengthy, narrowing it down to a "top ten" list will
make it more manageable.

2. Quantify the damage your organization would incur if these key assets were lost or
compromised. The most accurate approach is to estimate the cost (in dollars). This
may seem like a challenge but is absolutely possible - just ask any insurance actuary. If
that doesn’t work for you, ranking loss of assets on a scale of severity from 1-5
ranging from “insignificant” to “catastrophic impact” can be used to quantify potential
damage.

3. Rank each potential loss according to the likelihood that it will occur on a scale of 1-5
from “rare” to “inevitable”.

4. Plot each risk on a matrix (see example), creating a visual illustration of how your
program’s risks rank from low to extreme.

Risk Ranking Matrix: (figure; risks plotted by likelihood and severity into Low, Moderate,
High, and Extreme bands)

Just because some of the risks you’ve identified fall into the “extreme” range doesn’t mean
that you should necessarily address them first. Again, this is an opportune time to pause and
look at the big picture in order to make strategic decisions about how to proceed. Once you
understand the assets and risks that you’re contending with, get together with your team
and generate a list of possible solutions to address each risk. It’s possible (even likely) that
some solutions will address multiple risks. The next prioritization exercise is a great way to
test this possibility.

Benefit-Effort Matrix
The next step towards optimizing your security processes is to take your list of solutions and
prioritize it, using a Benefit-Effort Matrix. This tool provides meaningful context for
prioritizing solutions based on the benefit you expect to get out of the fix and the level of
effort required to implement. Just as you did in the risk ranking exercise, go through your list
of solutions and assign a numerical value to each attribute:

• Benefit: Rank the level of benefits you can reasonably expect to get out of
implementing each solution on a scale of 1-10. Think in terms of the solution’s
capacity to address the risks you've identified, ranging from “would address a
minor/insignificant risk” to “would prevent multiple extreme risks.”

• Effort: Rank the level of effort you anticipate in implementing each solution on a
scale of 1-10, where 1 equates to “would require no additional funds and less than one
person to implement” and 10 equates to “would require significant additional funding
and the full attention of a team of people.”

Next, plot each potential solution on a matrix to see into which zone each project falls.
Illustrated in the example below, Zone 1 projects are “quick wins”. These are the projects that
require little to no dedicated team effort to execute. These can and should be implemented
immediately. Zone 2 projects should be executed next. These projects typically take 1-4
months of dedicated project team effort. Zone 3 projects may also be executed, but should
be planned carefully and generally require 5-6 months to complete. Zone 4 projects should
not be executed - yet. As time goes on and Zone 1 projects are completed, Zone 4 projects
may become more beneficial to the organization or may require less effort, ultimately
moving them into a different zone. This process should be repeated at regular intervals to
continuously generate a listing of top priority projects for execution.

Benefit-Effort Matrix Example:

Many senior executives naturally gravitate towards “shiny” solutions (often technology-
based) that are generally costly and time-consuming to implement. Benefit-Effort Matrices
redirect focus towards more realistic solutions. If you opt for the easiest solutions first and
demonstrate quick wins, positive momentum will build and the shinier solutions become
more realistic to implement, sooner.

You should walk away from the prioritize phase with three main outputs:

1. A list of problems that introduce risk into your security operations. Gather
groups of stakeholders to identify the root causes of the problems you've identified to
avoid solving the wrong issues, then rank your list based on risk.

2. A list of potential solutions that, once implemented, will help you do more with
less. Assess the expected return on investment for each solution before you move
forward with implementation, and prioritize the possible solutions to ensure that
you'll get the biggest bang for your buck.

3. A list of quick wins. Plan to implement these first to see immediate results and gain
momentum.

Additional Prioritization Resources

Big Results on a Budget Webinar: Operations Improvement in Your Federal Agency

4 Steps to Better Insider Threat Detection Without a Budget Increase

Strategic Resource Allocation - There’s an App for That!

IV. Realize

The Times They Are A-Changin’

Now that you’ve developed a clear and comprehensive picture of the current state of your
security operations and have a prioritized list of risks and solutions, it’s finally time to act on
your findings. The process improvement plan that you've created should be launched and
implemented with as much care as you would put into a project that you are delivering to
external stakeholders. There are many keys to achieving success in project management and
maintenance - in fact, we've published an entire guide on the nuts and bolts of this topic, The
Guide to Successful Project Management for Federal Agencies.

However, even with the best project management tactics, security process improvement
efforts can fail if the environment is not set up for success. To prevent this occurrence (and
to save the cost of repeating the entire project months or years down the road), executives
should focus on three key areas: communication, metrics, and culture.

Communication
Even the most careful planning cannot prevent unexpected variables from cropping up
during the implementation phase and beyond. If communication expectations are not clear
from the start, it can lead to disaster down the road. Here are a few steps you can take to
mitigate this problem:

• Complete a RACI Chart. RACI stands for Responsible, Accountable, Consulted,
Informed. These categories should be assigned to individual stakeholders and then
communicated across the team to clarify roles in relation to project tasks.

• Create a detailed communications plan, including channels and structures. Make
sure to address both the internal implementation team and the larger stakeholder
group. For each action in the communication plan, cover the four W's: Who is
included, What is the objective, When (and how often) the communication will occur,
and Where the communication will take place (e.g. weekly meetings, e-mail messages,
etc.). If you're unsure which communication channels best suit your project, refer back
to the process maps you created during the Visualize phase.

• Document decision-making frameworks. As the name suggests, "unexpected
variables" are, in fact, unexpected. That means you probably won't have a perfect plan
prepared to deal with the nuances of each and every surprise event. Still, you can
prepare by creating a plan for the necessary decision-making processes. This plan
should detail everything from who makes the decision to which metrics will be
consulted before the decision is made.

Metrics
Measurements are an important part of any organization's operations - after all, how can you
monitor progress or know when you've reached the goal if you have no objective knowledge
of the starting point? Measuring process-specific aspects (e.g. lead time, cycle time, queue
time, etc.) may already be part of your plan, but many leaders stop there and forget to
measure the success of the project as a whole. If you're not measuring results, you will never
know if your new process is better (or worse!) than the one you started with, and it is not
possible to justify your investment.

One of the best metrics for overall process improvement is Return on Investment (ROI). The
most basic approach to ROI is to add up the expected benefits (in dollars, if possible),
subtract any upfront costs or fees of implementing the solution, and then divide the new
number by your total costs. The resulting percentage is your total ROI.

Unfortunately, costs and benefits are not always crystal clear, particularly for national
defense and security agencies, where the objective is the prevention of a security incident.
Furthermore, most agencies opt not to publicize savings that will result in a funding cut in
the next budget cycle. Still, it's important to understand the quantifiable results of process
improvement projects.

The simplest way to demonstrate ROI is through cost savings. Here are three ways to
calculate this figure:

• Direct Cost Benefits: These are the easiest savings to spot. By eliminating or reducing
an obvious cost, these savings go right back into your bottom line. For example,
maybe you realize that eliminating color printing and limiting your office to printing
in black and white will save $5,000/year in ink costs. The savings to your organization
in supplies and even time required to order and install replacement color ink are all
very straightforward, and the saved funds show up clearly in your budget.

• Indirect Cost Benefits: These are also known as cost avoidance. Indirect benefits are
downstream results from upstream process improvements. For example, picture one
of your processes getting bogged down by a large number of customer service calls
and complaints. You might implement a fix that addresses an issue early in the
process, resulting in fewer calls and complaints down the line. This will lead to lower
staffing requirements for customer service representatives and thus, lower resource
requirements. These types of benefits are less obvious than direct savings, but just as
valuable.

• Intangible Benefits: As you might expect, intangible benefits are the most difficult to
quantify, but are no less important than the other benefit categories. Intangible
benefits include positive effects from your improvement efforts, such as increased
morale, improved customer perception, or enhanced clarity across the organization.
While difficult to measure precisely, even an estimated benefit is better than no
calculated benefit at all.
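To make the scoring concrete, here is an added example (not code from the guide) that zones a small constructed backlog on the 1-10 benefit and effort scales described under the Benefit-Effort Matrix, orders it for execution, and computes each item's ROI from direct, indirect and intangible figures as just described. The zone cut-offs, field names and sample numbers are assumptions.

```python
# Added example: benefit-effort zoning and ROI for a backlog of process fixes.
# The 1-10 scales, four zones and ROI formula follow the guide; the cut-offs,
# field names and sample backlog below are assumptions, not data from the guide.
from dataclasses import dataclass

# Assumed cut-offs on the 1-10 scales; adjust them to match your own matrix.
LOW_EFFORT = 3    # "little to no dedicated team effort": a quick win
MID_EFFORT = 6    # roughly the 1-4 month band the guide gives for Zone 2
HIGH_BENEFIT = 6  # benefit at or above this counts as meaningful

@dataclass
class Solution:
    name: str
    benefit: int             # 1-10: capacity to address identified risks
    effort: int              # 1-10: funding and people needed
    cost: float              # upfront cost of implementing the fix
    direct: float = 0.0      # direct savings, e.g. supplies no longer bought
    indirect: float = 0.0    # cost avoidance, e.g. fewer calls for staff to take
    intangible: float = 0.0  # estimated value of morale, clarity, perception

def zone(s: Solution) -> int:
    """Place a solution in one of the four zones of the matrix."""
    if not (1 <= s.benefit <= 10 and 1 <= s.effort <= 10):
        raise ValueError(f"{s.name}: scores must be on the 1-10 scale")
    if s.benefit < HIGH_BENEFIT:
        return 4  # low benefit for the effort: not yet, re-score next cycle
    if s.effort <= LOW_EFFORT:
        return 1  # quick win: implement immediately
    if s.effort <= MID_EFFORT:
        return 2  # worthwhile, about 1-4 months of dedicated effort
    return 3      # worthwhile but long (5-6 months): plan carefully

def roi(s: Solution) -> float:
    """ROI in percent: (total benefits - upfront cost) / cost * 100."""
    if s.cost <= 0:
        raise ValueError(f"{s.name}: cost must be positive to compute ROI")
    return (s.direct + s.indirect + s.intangible - s.cost) / s.cost * 100

def execution_order(backlog):
    """Zones 1-3 in order, highest ROI first inside a zone; Zone 4 deferred."""
    ready = sorted((s for s in backlog if zone(s) < 4),
                   key=lambda s: (zone(s), -roi(s)))
    deferred = [s for s in backlog if zone(s) == 4]
    return ready, deferred

def sample_backlog():
    """Constructed scores and dollar figures, not data from the guide."""
    return [
        Solution("Black-and-white printing only", 6, 1, 500, direct=5000),
        Solution("Pre-employment screening checklist", 7, 3, 2000, direct=2000, indirect=8000),
        Solution("Insider Threat Working Group", 9, 5, 20000, indirect=40000, intangible=10000),
        Solution("Off-network behavior monitoring", 8, 9, 60000, indirect=30000),
        Solution("All-in-one monitoring platform", 4, 9, 100000, indirect=20000),
    ]

if __name__ == "__main__":
    ready, deferred = execution_order(sample_backlog())
    for s in ready:
        print(f"Zone {zone(s)}  ROI {roi(s):7.1f}%  {s.name}")
    print("Deferred:", [s.name for s in deferred])
```

Re-running the script each planning cycle with refreshed scores is the "repeat at regular intervals" step: a deferred item moves zones as soon as its benefit or effort score changes.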

Culture
Arguably one of the most important guarantors of process improvement success is an
invisible force that leaders may not even be aware of, or may not feel equipped to influence:
office culture.

The only way to protect your organization from security threats is to create a culture
that focuses relentlessly on continuous improvement. Regardless of their efforts, top
executives can't be expected to achieve this target alone. Every employee must be
responsible for generating innovative solutions to keep their processes lean and as secure as
possible. When organizational culture demands that employees at all levels search for ways
to improve collective efficiency, continuous improvement becomes as natural as breathing.

Culture change takes time, but the following strategic steps can make the shift
straightforward and painless.

1. Define your values and continue to reinforce them. Values set the stage for every
organizational culture, so attempting culture change without first defining your values
is analogous to setting sail without a compass. If you don't have clear parameters to
guide you, it's very difficult to find your way, even when everyone agrees on the
destination. Once your values are defined, it's crucial that you directly address the
aspects of your organization that don't align today. Actions speak louder than words,
and if the values are not clearly visible in the day-to-day operations, they won't be
taken seriously, and they simply won't stick.

2. Get rid of the fluff. Some security tasks can be mundane and repetitive - not unlike
work performed on a manufacturing line. When employees become bored with these
tasks, they are less attuned to red flags, loopholes, and inefficiencies within the
system, opening up the door to destructive security breaches. By eliminating arbitrary
tasks that take up time but don't add value, personnel can direct their focus towards
crucial areas that are both interesting and mentally stimulating. Engaged employees
take ownership of their work and are intrinsically motivated to improve their
operational environments.

3. Honestly assess your organizational maturity. Don't pay lip service to the idea of
culture. Make world-class, continuous improvement culture a goal for your
organization, and measure progress towards that goal on a regular basis.
Organizational culture will develop regardless of whether it's monitored or not, so it's
best to take an intentional approach.

4. Incentivize new ways of thinking. Taiichi Ohno, father of the renowned Toyota
Production System, articulated the chief role of forward-thinking in Toyota’s
organizational culture: “The Toyota style is not to create results by working hard. It is a
system that says there is no limit to people's creativity. People don't go to Toyota to
'work' they go there to 'think.'”

When the work of a security office is driven by active and engaged thinking rather than by
automated and outdated habits, the threat of an imminent security incident begins to
shrink. After all, isn’t thinking a few steps ahead of an attacker the best way to prevent
the attack in the first place? Forward-thinking should be a constant practice - not just a
once in a while event. Rewarding employees for taking creative initiative is a great way to
stimulate norm and behavior change and sends a clear message that the organization
values new ideas.

5. Practice Constant Learning. Any security department that says it has a 100%
complete understanding of its organization’s threat environment is lying. The tools at
the disposal of malicious attackers are constantly evolving – and at such a rapid pace
– that it’s nearly impossible to be up-to-date at all times. In today's environment,
security personnel should constantly strive to learn about new aspects of their
processes. In fact, members at all levels of the organization should adopt this mindset
and be on the perpetual lookout for new developments and relevant implications in
their knowledge space. Rather than taking a passive approach, employees should use
regular data collection and analysis to continuously uncover new insights about their
organization's operations.

6. Empower Employees to Take Process Ownership. Just as every step of a process
should add value to the final product, every employee should add value to the
maintenance of a secure environment. When every individual is responsible for a
slightly different (and therefore unique) experience within the organization, every
individual also has unique insight to offer. By showing respect for employees'
thoughts, knowledge, feelings and capabilities, you can create a safe and positive
environment to voice shortcomings and generate ideas for improvement.

It is much more efficient to empower all personnel to take note of problem areas and
recommend solutions than to wait for higher-ups to discover these problems. Many
problems can lie hidden for years because they are simply not visible to those who are
not involved in the process at the field level.

Red Flag: Insider Threat
Insider threat is a particularly pernicious type of security problem to manage through
traditional “perimeter protection” because, in this case, the perpetrator has been given
legitimate access to organizational assets. As you plan to implement security process
improvements, be sure to look beyond the network and facilities and focus on the upstream
and downstream processes: screening and vetting employees, and monitoring for anomalous
behavior that occurs off-network. Take the following into consideration:

• Pre-employment screening and vetting. Consider if and when legal background
checks should be conducted, especially for candidates who will have access to
confidential information.

• Inculcating a security culture. Make all employees responsible for the organization’s
success so they will feel a shared responsibility for protecting organizational secrets.
Remind them of the policies governing the protection of information and the
acceptable use of the organization’s information assets. Train them how to respond if
they note anything suspicious.

• Monitor for signs of disaffection. Insider threats do not appear overnight. The process
of employee disgruntlement is one that generally brews for some time before the
individual decides to take action.

Create an Insider Threat Working Group. The group should be cross-functional, and serve
as a governance structure to facilitate sharing, analyzing, and responding to warning signs
that may emerge from multiple streams of data inputs. The working group must have senior
leadership buy-in and include members from functions not traditionally aligned with
security, such as Legal and Personnel.

Quick Security Win: Closing Network Vulnerabilities
• Address your network protection posture. There are thousands of vulnerabilities in
any given information system. No patch is perfect and new exploits are discovered all
the time.

• About 80% of vulnerabilities can be closed using a set of 20 key actions. Completing
just the first five steps will make a meaningful push towards your goal. The SANS
Institute has developed a list of Critical Security Controls that every organization must
implement to keep out the bad guys. Read the full report at
http://www.sans.org/critical-security-controls.

V. Conclusion

Louis, I Think This Is the Beginning of a Beautiful Process

As you continue to do the hard work of defending your organization’s most valuable assets
from a continually evolving portfolio of threats, it’s important to remember that it is
impossible to completely eliminate risk - but there is room in any process for incremental
improvements, and those small steps add up.

Whether you are struggling to meet unfunded requirements, run programs with less
manpower than you think you need, protect your data from cyber threats, or develop a team
of world-class security practitioners, the first requirement is to step back and envision all of
your discrete functions working together as a comprehensive protection process. In this
process, one input (such as an adjudicated background investigation) feeds the next
(granting access to a network) and results in a certain level of protection for your
organization's assets.

Without this honest (and sometimes difficult) current-state assessment, it is impossible to
make a plan for improvement or demonstrate how far you have come once you reach your
goals. Planning for improvement and establishing metrics to track your progress are both
critical components of a future-state plan, which will guide you through the rest of the
strategy and implementation process.

Once the ins and outs of your operations have been investigated and validated with
quantitative data, strategic decisions like prioritizing the protection of your assets, ranking
your most pressing risks, and choosing a path for implementation will become much easier
and more defensible. Getting to the ground truth of your existing processes can be complex
and challenging, but absolutely worth it.

IT solutions have their place, particularly when it comes to automation and error proofing.
But a database full of information will not solve your underlying operational inefficiencies,
and more likely will only complicate the existing problems. At their core, security problems
are process problems and the only effective way to address them is through process
improvement efforts.

Big Sky
At Big Sky, we’re specialists in operations improvement dealing with
security, suitability, and insider threat. We use a customizable, data-
driven approach that delivers our clients powerful results as efficiently as
possible, building on our industry-leading methodologies to provide
better solutions faster. And our team’s deep experience and relationships
throughout the industry give us the insight and resources to tackle the
toughest operations improvement challenges.

Seeking expert assistance with your project management challenges?

Contact us today to discuss how Big Sky can help you succeed.

Contact us:
2101 L St NW #800
Washington, DC 20037
P (202) 903-0790
bigskyassociates.com

Copyright © 2015
Published by: Big Sky Associates
All rights reserved. Except as permitted under U.S. Copyright Act of 1976, no part of
this publication may be reproduced, distributed, or transmitted in any form or by
any means, or stored in a database or retrieval system, without the prior written
permission of the publisher.
