Cyber security is in denial, that's why it needs the Lean Six Sigma approach

Published: Friday, 07 May 2021 07:31

If most businesses were honest, they would admit that they don’t have a full picture when it comes to understanding what threats they face from cyber attacks. That’s why security leaders need to take lessons from the corporate world and approach cyber security through a new Lean Six Sigma lens says Miles Tappin.

Lean Six Sigma is a process improvement methodology used to eliminate errors, remove waste and inefficiency, and improve operational performance. It combines the principles of Lean manufacturing (eliminating waste) and Six Sigma (eliminating errors). When combined, the two methodologies create a powerful team-oriented approach for analysing processes and the steps, or actions, that make up those processes.

Some of the world’s biggest businesses use this approach to increase efficiency in their company. But its principles are rarely applied to cyber security. With cyber security teams increasingly stretched and attacks increasing, it’s time for that to change.

It’s time to truly understand cyber risk

If businesses are to be able to defend themselves against the growing tide of cyber criminals and state-backed hackers, they must learn to truly understand the risks they face.

That’s why the Lean Six Sigma approach could become vital for cyber security – it relies on data, not guesswork. Rather than assuming what is happening, companies gather data, analyse it, and determine what is actually happening. By taking this approach, the underlying causes of a problem can be identified and fixed.

Currently, most companies find themselves in a state of denial - most don’t know what their exposure is to any given cyber event, including what the impact is in terms of response costs, lost revenue, and other secondary forms of loss such as fines and judgments.

Until now, the result has been a lack of focus on the risks that matter most to the business and an inability to communicate an accurate risk posture to the C-Suite and board of directors.

If businesses are to overcome the denial of these problems, a key step in the Lean Six Sigma approach, they must act now and explore ways to quantify cyber risk. Cyber risk quantification (CRQ) is an industry in its infancy but going forward it will be critical to improving the way cyber security actually works.

The reason many businesses fail to understand the true risk they face is because many cyber security leaders fail to ‘talk business,’ which results in the rest of the board lacking understanding and, as a result, failing to take appropriate action. CRQ could change all that, as it acts, if you will, as a Rosetta Stone that translates the technical nature of security into the language of the business.

Risk scenarios should be - and can be - quantified in a way that the board can understand. A board that understands the risk, threat, response paradigm is better equipped to understand prioritisation and resource allocation – and the need for right-sizing of security investments.

Risk mitigation becomes the focus

This approach also helps CISOs make the most of the dozens, if not hundreds, of tools they use. These tools are creating more data than ever before – but rather than supporting cyber security teams, most find themselves drowning in data and security alerts, and unable to successfully triage alerts. And all this data is not helping CISOs translate threats and vulnerabilities into the real picture they need to provide – a financial view into cyber risk.

When risk is quantified and a financial view is offered, security and business leaders are on the same page. Risk mitigation then becomes the North Star focus, and the struggle of resource prioritisation finally dissipates as it becomes crystal clear what scenarios matter most. CISOs and security leaders will also know exactly what scenarios to protect against, threat teams where to focus their attention, and Security Operations Center (SOC) teams how to prioritise their response.

By quantifying risk, based on possible losses from business interruption and response, exposure can be directly linked to the business services that are affected. This is the missing link in the ability of CISOs to communicate the risks facing their companies.

The framework for continuous improvement

Lean Six Sigma, in its essence, is a continuous improvement methodology that begins with quantifying risk.

The key elements of Lean Six Sigma: Define, Measure, Analyze, Improve, and Control

Once cyber risk is quantified, a whole host of processes and procedures can be improved. For example, the board can better understand potential hazards and can, therefore, better understand what level of funding is required. What’s more, with a more understanding board and a CISO armed with financial metrics, security initiatives can be more proactively escalated. Finally, by demonstrating how risk has been reduced, security leaders can more easily defend security decisions and investments.

Currently, security teams are battling against a rising tide of attacks. To ensure their businesses can defend themselves the best possible way, security leaders must take action now – they need to better understand how to prioritise resources and, more importantly, need to get the board on side. Turning to Lean Six Sigma should make that possible.

The author

Miles Tappin is VP EMEA at ThreatConnect