Inside The Lean Six Sigma of Cybersecurity


Some of the greatest companies in the world have embraced the Lean Six Sigma process improvement methodology to eliminate errors, remove waste and inefficiency, and improve operational performance. At ThreatConnect, we’re building the tools that for the first time can help companies apply these same groundbreaking principles to cybersecurity.

Lean Six Sigma combines the principles of Lean manufacturing (eliminating waste) and Six Sigma (eliminating errors). When combined, the two methodologies create a powerful team-oriented approach for analyzing processes and the steps, or actions, that make up those processes. And it is the process of cybersecurity that is in urgent need of optimization today.

Start With Risk Data

Lean Six Sigma relies on data, not guesswork. Data is captured and used for analysis to determine what is actually happening in a given process, not what everyone assumes is happening. This analysis verifies the underlying causes so that the correct problem is fixed.

Cyber risk quantification (CRQ) is an industry in its infancy, but it is critical to improving the way cybersecurity actually works: it is where the cybersecurity process should begin.

One of the biggest challenges in Lean Six Sigma projects is overcoming a business's denial that a problem exists. That is exactly where cybersecurity finds itself in the modern enterprise today. Most businesses don’t know what their exposure is to any given cyber event, including what the impact would be in terms of response costs, lost revenue, and secondary forms of loss such as fines and judgments. The result, until now, has been a lack of focus on the risks that matter most to the business and an inability to communicate an accurate risk posture to the C-suite and board of directors.

The Rosetta Stone that translates the technical nature of security into the language of the business is here – cyber risk quantification. By quantifying cyber risk, Chief Information Security Officers gain the ability to speak the language of business.

Risk scenarios can and should be quantified in a way that the board can understand. A board that understands the risk, threat, and response paradigm is better equipped to understand prioritization and resource allocation – and the need to right-size security investments.

Eliminate Muda, Mura, and Muri

The term “lean” was coined in the late 1980s by a research team at MIT’s International Motor Vehicle Program, headed by Jim Womack, Ph.D., to describe Toyota’s way of doing business. The Toyota Production System, from which Lean derives, targets three types of waste:

  1. Muda
    Wastefulness, uselessness, and futility.
  2. Mura
    Unevenness, non-uniformity, and irregularity. It is the force behind Muda.
  3. Muri
    Over-burdening resources beyond their normal capability – stresses and damages resources so that they are unable to do a normal workload.

Let’s take a look at how the ThreatConnect approach to CRQ maps to these types of waste in the cybersecurity context.

  1. Muda
    Quantifying cyber risks enables the identification of the most important risks to the business from a financial and operational perspective. With this north star understanding of risk, CISOs can focus and prioritize the work of their teams to avoid wasteful and futile efforts.
  2. Mura
    A key element of the ThreatConnect approach to CRQ is the ability to conduct a “what if” analysis on risk mitigation options. This helps keep the response to risk right-sized rather than uneven or irregular.
  3. Muri
    With risk quantified, overburdened teams are given a clear focus on where to prioritize, from both a threat management and a security operations perspective. This reduces common problems such as alert fatigue.

Cybersecurity & Lean

Chief Information Security Officers have more data on emerging cyber threats and vulnerabilities than ever before. Many CISOs at Fortune 1000 companies will tell you they are drowning in data and alerts. Most businesses have dozens, if not hundreds, of security tools in use at any given time, and each of these tools creates its own logs and contributes to an environment ripe for alert overload and inconsistent triage.

Despite having all of this information, most security leaders struggle to explain to their fellow C-suite executives and board of directors how at risk their organizations actually are from cyber events. They can’t translate threats and vulnerabilities into the real picture they need to provide – a financial view into cyber risk.

Once translated into this view, security and business leaders are on the same page. Risk mitigation becomes the north star, and the struggle over resource prioritization dissipates as it becomes clear which scenarios matter most. CISOs and security leaders know which scenarios to protect against, threat teams know where to focus their attention, and Security Operations Center (SOC) teams know how to prioritize their response.

By quantifying risk, based on possible losses from business interruption and response, exposure can be directly linked to the business services that are affected. This is the missing link in the ability of CISOs to communicate the risks facing their companies.

Continuous Improvement

Lean Six Sigma in the cybersecurity context is a continuous improvement methodology that begins with quantifying risk. But what processes does it improve?

Automated CRQ delivers a decision support system that operates in real-time rather than waiting for lengthy interviews, training, and manual reviews. As such, it delivers significant business benefits beyond improved cyber defenses:

Business Benefit 1: C-Suite leaders and board members can clearly see potential hazards, narrow the focus to the risks that matter most, and better understand the need to fund and support specific mitigation measures.

Business Benefit 2: Armed with metrics like business interruption, reputational damage, and legal fines, leaders can proactively escalate security initiatives.

Business Benefit 3: Security leaders can calculate the return on investment of security tools and technologies by demonstrating risk reduction, which underpins budget proposals and defends security decisions.
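The following is an added example, not ThreatConnect's code or CRQ model, showing in working form what the “what if” analysis (the Mura item above), the linking of exposure to affected business services, and the risk-reduction ROI in Business Benefit 3 look like as arithmetic. The model form is an assumption: annual expected loss is taken as expected event frequency per year times expected loss per event, with loss split into the categories the page names (business interruption, response cost, fines and judgments). All scenario names, frequencies, dollar figures, and the mitigation's effect factors are constructed sample inputs.

```python
"""
Added example (not ThreatConnect's code or model): a minimal cyber risk
quantification (CRQ) calculation that expresses each risk scenario as an
annual expected loss (AEL), rolls exposure up to the business service it
affects, ranks scenarios for prioritization, and runs a "what if" on a
mitigation, including a simple ROI figure.

Assumption: AEL = expected events per year x expected loss per event.
All numbers below are constructed sample inputs, not real data.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class LossMagnitude:
    """Expected loss per event (USD), split by the categories the page names."""
    business_interruption: float  # lost revenue while the service is down
    response_cost: float          # incident response, forensics, recovery labour
    fines_and_judgments: float    # secondary loss: regulatory and legal

    def total(self) -> float:
        return self.business_interruption + self.response_cost + self.fines_and_judgments


@dataclass(frozen=True)
class RiskScenario:
    name: str
    business_service: str   # the service whose exposure this scenario explains
    events_per_year: float  # assumed expected frequency of a loss event
    magnitude: LossMagnitude

    def annual_expected_loss(self) -> float:
        # Assumed model: expected frequency times expected magnitude.
        return self.events_per_year * self.magnitude.total()


@dataclass(frozen=True)
class Mitigation:
    """A 'what if': a control that scales event frequency and/or magnitude."""
    name: str
    annual_cost: float
    frequency_factor: float = 1.0  # 0.5 halves the expected event frequency
    magnitude_factor: float = 1.0  # 0.8 cuts loss per event by 20%

    def apply(self, s: RiskScenario) -> RiskScenario:
        m = s.magnitude
        scaled = LossMagnitude(
            m.business_interruption * self.magnitude_factor,
            m.response_cost * self.magnitude_factor,
            m.fines_and_judgments * self.magnitude_factor,
        )
        return replace(s, events_per_year=s.events_per_year * self.frequency_factor,
                       magnitude=scaled)


def exposure_by_service(scenarios):
    """Roll annual expected loss up to the business service each scenario affects."""
    totals = {}
    for s in scenarios:
        totals[s.business_service] = totals.get(s.business_service, 0.0) + s.annual_expected_loss()
    return totals


def prioritize(scenarios):
    """Scenario names ordered by annual expected loss, highest first."""
    return [s.name for s in sorted(scenarios, key=lambda s: s.annual_expected_loss(), reverse=True)]


def what_if(scenarios, mitigation, applies_to):
    """Return (baseline AEL, mitigated AEL, risk reduction, ROI) for a mitigation
    applied to the named scenarios. ROI = (reduction - annual cost) / annual cost,
    or None when the mitigation has no cost."""
    baseline = sum(s.annual_expected_loss() for s in scenarios)
    mitigated = sum((mitigation.apply(s) if s.name in applies_to else s).annual_expected_loss()
                    for s in scenarios)
    reduction = baseline - mitigated
    roi = (reduction - mitigation.annual_cost) / mitigation.annual_cost if mitigation.annual_cost else None
    return baseline, mitigated, reduction, roi


# Constructed sample scenarios (illustrative figures only).
SCENARIOS = [
    RiskScenario("Ransomware on order-processing hosts", "Online ordering", 0.2,
                 LossMagnitude(1_500_000, 400_000, 100_000)),
    RiskScenario("Customer data exfiltration", "Online ordering", 0.1,
                 LossMagnitude(200_000, 300_000, 1_500_000)),
    RiskScenario("Payroll SaaS outage via credential abuse", "Payroll", 0.5,
                 LossMagnitude(50_000, 30_000, 0)),
]

# Hypothetical control with an assumed effect: halves the frequency of the two
# scenarios it applies to, leaves loss per event unchanged.
MFA_EDR = Mitigation("MFA + EDR rollout", annual_cost=250_000, frequency_factor=0.5)
MFA_EDR_SCOPE = {"Ransomware on order-processing hosts", "Customer data exfiltration"}


def main():
    for service, ael in exposure_by_service(SCENARIOS).items():
        print(f"{service:16s} annual expected loss ${ael:,.0f}")
    print("priority order:", prioritize(SCENARIOS))
    base, mit, red, roi = what_if(SCENARIOS, MFA_EDR, MFA_EDR_SCOPE)
    print(f"baseline ${base:,.0f} -> mitigated ${mit:,.0f}; "
          f"reduction ${red:,.0f}; ROI {roi:.0%}")


if __name__ == "__main__":
    main()
```

The useful output is the comparison, not any single number: the same scenario table answers “which service carries the most exposure”, “which scenario should the SOC treat first”, and “does this control pay for itself”, which is the right-sizing argument the Mura item makes. Replacing the point estimates with distributions and sampling them is the natural next step for a real CRQ tool, but the decision logic stays the same.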

About the Author
Dan Verton

Dan Verton is ThreatConnect's Director of Content Marketing. Dan is an award-winning journalist and a former intelligence officer in the U.S. Marine Corps. He has authored several books on cybersecurity, including the groundbreaking 2003 work Black Ice: The Invisible Threat of Cyber-Terrorism (McGraw-Hill) and The Hacker Diaries: Confessions of Teenage Hackers (McGraw-Hill). He holds a Master of Arts in Journalism from American University in Washington, D.C.
