Lean Security Practices
There are many discussions that have plagued both public safety and corporate security alike, but none more compelling then how to get more “bang for your buck” out of your program. A common tactic of throwing contract security bodies at a problem or hiring additional FTE aren’t always the answer. Neither is purchasing all of the most advanced security tech. None of these things alone will have the desired impact long term and will just be a band-aid for the symptoms rather than addressing a root cause issue.
You should consider that most C-Suites do not look at security as a value proposition and as a result, in most places, security is not as well funded as it should be. Keep in mind, I am generalizing here. There are some very strong programs out there, that do get the requisite funding to do what they need to do. But this article is less about funding and more about how you can more efficiently utilize the funding you do have and bring value to your customers.
Also, consider that most employees look at security measures as a hindrance to their productivity. In some cases, they may be absolutely right. Productivity = Profits. If your security organization is seen as a roadblock to productivity, you will not be the most popular kid on the block. In addition, most will then look to circumvent security procedures out of convenience rather than malfeasance.
Having a well-developed and cohesive security strategy combining technology, human interface and training, both for security teams and employees will normally yield the best results. But to do this, one must understand their own program intimately and understand where a majority of the gaps and challenges are. Then one can begin to map appropriate resources to those pain points. As I pointed out, not everyone has “F-You” money to throw at every minor problem. Therefore, employing lean concepts will help make the most of a rather sparse budget, as most programs have.
So, what is Lean and what does it mean? Lean is a concept that is designed to eliminate waste from processes. While it has its roots in the manufacturing world, it does have some applicability to the security space. There are several areas where this can be applicable:
- Do you have the right people doing the right jobs?
- Do you have old or outdated legacy systems that cause delays in service?
- What are your processes for acquiring access cards, employee badges, filing reports etc?
- Employee Security Awareness Training.
- Contract Security providers.
Those are just a few samples of areas of waste that can hamper or cause complications in your security operations. Obviously, every security program has its own maturity level, nuances and culture to contend with. It is up to the security leadership to navigate these potential hurdles and look for areas to improve efficiency and effectiveness. To lean out your organization, you must use a process to map things out. Those that are familiar with Lean processes could use what is referred to as an “A-3”. There are numerous resources online if you conduct a search for “Lean A-3”. Many of these resources can be helpful in reviewing what you have in place, identifying pain points and looking toward what your future state might be. There are many ways to process map how you can implement efficiencies, using the A-3 method is just one way I have found useful.
The most important part of this, in my opinion, is to define your current state and to define what the optimal state looks like. In the middle are the details of how you will get there. Be honest when you are identifying gaps, however. There is a tendency to gloss over things we think may be very minor. Those should also be included in your analysis to ensure a full picture.
The goal of this process is to identify the waste in your program and to stream line things for efficiency. All of this is not done in a vacuum, however. Security processes potentially affect everyone in the organization. Soliciting input from stakeholders is a terrific way to quickly identify specific items that are pain points that are having an impact on productivity and efficiency. This has the added benefit of zeroing in on commonalities amongst the stakeholders. It also shows that you want everyone to make security a priority by involving them in the solution process.
Keep in mind what you are looking for is efficiency while still maintaining the right level of security posture. I know some will view conducting a survey of stakeholders around “gaps” as a violation of OPSEC. It is not if you do it right. You are not revealing any operational security gaps in your survey but assessing on whether or not they are efficient. As an example, finding out how long it takes for an average employee to report a lost access badge and acquire a new one. If you have a long drawn out process, this can impact efficiency. In this scenario, while it is the employees’ fault for the lost access badge, the process to acquire a new one should not be overly burdensome.
I spoke earlier about soliciting input from stakeholder involvement in the process to ensure you are working towards well rounded efficiency. As an example, HR has very different needs than Facilities to some degree. The point here is to gain as much perspective as possible to have the best approach. Also, data is a powerful weapon and you should collect as much as needed for the specific process you are targeting to make it more efficient. Being collaborative also shows that you are invested in streamlining your processes to make life easier for everyone else.
Creating efficiencies in a security program can be beneficial. Ideally most security leaders want to receive less complaints, get more buy in from stakeholders and have more employees embrace the processes you are trying to implement with less push back.
At the end of the day, the idea is to ensure security programs are providing the proper level of security to the employee population while not being a hindrance to productivity. Being collaborative and inclusive to identify opportunities to strike a balance will be certainly be welcomed by all!!