For a long time, many companies have used process improvement strategies—ideas such as Six Sigma, Lean, Kaizen, Total Quality Management, Re-engineering, and a slew of others—to streamline operational processes, and they have done so with great success. Process improvement and continuous improvement initiatives, which often rely on the help of internal audit and are based on a healthy dose of metrics, have succeeded in cutting waste, speeding production times, creating efficiency, simplifying processes, lowering costs, improving safety, and providing many other benefits.
Yet many companies have not been as successful at applying these process improvement strategies to technology-based processes. That’s because they often see them as either too complex and don’t understand them well, or they chalk up inefficiency as the price of security. Managers don’t have a good idea of what is happening in those complex lines of code or inside the “black box” so they don’t bother to try to improve the processes they run. In manufacturing, operational waste and production problems are easier to see, identify, and remedy compared to a technology process where so much is happening inside a network or piece of complex code and work is not easily observed.
It doesn’t have to be that way. In fact, there is a great deal of the “human element” in technology processes that can be improved. There is also a lot of waste and inefficiency that gets built in along the way. There is no reason we can’t approach technology-based processes in the same manner and with the same techniques and rigor we use to improve operational processes. And internal audit can be a great catalyst to spark such an effort and aid in its progress. We also need to rethink the way we use metrics to assess technology-based processes.
Applying operational process thinking to technology-based systems can have a wondrous effect. We can streamline technology processes to make them simpler, faster, cheaper, more efficient, and, yes, actually more secure.
Quality and Cybersecurity
Let’s consider cybersecurity operations as an example to examine my point. Cybersecurity is usually thought of as either effective or ineffective. Rarely is quality, efficiency, or cost effectiveness discussed in cybersecurity. A cybersecurity process can be daunting for anyone without deep experience just to understand what is happening, never mind building efficiency and quality into the equation.
What is quality in a cybersecurity process? Is it just simply checking to see that various systems have controls in place? Perhaps, but isn’t there more to quality than just that? In the fast-paced cybersecurity world, risk is not only prevalent in securing various technology systems but in operations as well.
By taking an outsider’s view of a transaction (email message, online sale, electronic ledger input, etc.) and following it into and through the process, breaking it down into minuscule steps, an auditor (IT auditor or internal auditor) can uncover the risks hiding in plain sight. An auditor doesn’t have to be an expert in the process to identify the holes in it. By simply asking what happens at each step and thinking about what could go wrong within it, the auditor working with the process owner can uncover a tremendous amount of operational problems that easily put the organization at risk. And who’s to say that the ideas of Lean—where any activity or step that uses resources but doesn’t add value is eliminated—can’t also be applied here.
Bad things, such as the wrong information posted to the wrong account, inadequate access controls, poor password habits, or a breach occurring due to the potential that an employee falls victim to an obvious phishing scam, are suddenly brought into focus. These are the fundamental problems that a cybersecurity organization faces each day that go largely unnoticed. Alerting management to those risks is absolutely critical. What’s more, many of the problems are human-related, such as poor employee habits or inadequate training, rather than faulty code or improperly configured machines.
Going Through the Motions
Several years ago, I sat down in the director of internal audit’s office in a large technology company and excitedly told him about different operational measurement systems that my team and I had designed for a professional services division and a global security operations center. After describing the impact we were having operationally and how management was embracing them, his response was: “I wish we could do this more often!” Our conversation then settled on how my process improvement team could partner with the internal audit team to help identify issues and implement solutions to address findings in their audit reports. The partnership yielded successes that were welcome by internal audit, senior management, and, perhaps most importantly, the process owners themselves.
This experience is hardly the norm. A report issued by Deloitte last year, the 2018 Global Chief Audit Executive Research Survey, found that “only 33 percent of chief audit executives (CAE’s) believe that their internal audit function is seen in a positive light.” This comes as no surprise to me, based on my experiences in various companies, and will be a familiar notion for many internal audit leaders. From my experience, getting called out during an audit can involve not a small amount of shame for the manager, since the implication is that they overlooked or ignored something, immediately followed by the sinking feeling of how to resolve the findings within a specified time frame and with a team that is already stretched thin just trying to do their jobs each day.
The result of this typical situation is remediation solutions that are not thought through completely, but are only done to satisfy the audit report. In other words, the findings are remediated for the audit report, but the business now suffers from having to take more steps in their work to complete a transaction. When asked why the process is so slow, no one can really say why, except that the “busy work” they must now do to satisfy the internal auditors is gumming up the works. Even worse, that complaint is often followed by the refrain: “They just don’t get it!” When it comes to technology-based processes, these problems are only magnified.
Cybersecurity and Operational Challenges
Nowhere is this scenario more common than in cybersecurity. Cybersecurity operations are often chaotic, intense operations that can involve dozens of individual technology systems and even more processes to handle a multitude of transaction types. Processes such as configuration, patch and alert management, along with attack management all must be executed perfectly every time. Unfortunately, they aren’t. As humans design and execute the processes, mistakes are going to be made.
In the world of Cybersecurity and tech-based transactional processes in general, the approach to improving operations is decidedly different than in manufacturing. In manufacturing, operational waste and production problems are easier to see and remedy compared to a technology process where so much is happening inside the hardware or software code. As with manufacturing, the focus is on the flow of a transaction from front to back, looking for areas that slow the process down or are confusing or challenging to work through. It’s easier to talk to employees on the line and ask them where they see problems or potential for waste, inefficiency, and mistakes. Where there are operational challenges, there is almost always a greater chance of something going wrong.
In technology we tend to accept more wrinkles in the systems. Moving beyond accepting inefficiency requires a change in mind-set. So let’s look at how we can borrow some of these process improvement and continuous improvement strategies from traditional operational processes and apply them to tech-based processes.
Move to Improve
Process Improvement can help address problems with identified risks and implementation of controls, but it can do more than just that. It is important to remember that in process improvement, it’s not about the implementation of tools, but rather a holistic systems-thinking approach introduced by W. Edwards Deming and Walter A. Shewhart. This approach gets us to why we have operational gaps in the first place and leads us down the path to operational improvement and risk reduction. In my opinion, risk is introduced in a variety of ways by managers who take a siloed approach to managing their processes. Optimizing their own operations with technology and business rules designed to make their functions operate more smoothly and efficiently does not always work out the way it was intended for customers, both internal and external.
If the goal is to reduce risk in its many forms in an operation, the quickest way to fail is to start trying to improve processes right away. A more successful approach is to instead focus on people and data that ultimately lead to lasting success. The following approach has been proven to work in cybersecurity environments:
- Understand what operational waste and risk looks like.
- Map processes to help improve understanding of what those processes really look like.
- Design and implement a measurement system to reflect what happens in each process and highlight barriers to efficiency.
- Rework the process to overcome inefficiencies, remove wasteful steps, and improve operations where needed through continuous improvement of people.
Never Ending Story
Process improvement is important, but it can never be a one-time exercise. Internal audit and continuous improvement (CI) teams are typically aligned from the perspective of reducing risk and improving operations on an ongoing basis. From a CI perspective, having internal audit identify various risks helps open the door for them to begin working in an area that is normally resistant to change. Compliance becomes more manageable, for example, as operational risks and controls are dealt with appropriately. Internal audit can recommend that the CI team engage in improvement activities and report back any issues to ensure compliance. This gets operational experts closer to the problems quickly and helps eliminate the findings and observations that have been recorded. Additionally, this approach brings a different perspective to the senior leadership team as they get a chance to not only see operational risk mitigated, but also operational value unlocked. Of course, this relationship isn’t limited to just cybersecurity operations but across the entire enterprise.
Technology processes are especially vulnerable to the “set it and forget it” mentality. How often do we revisit technology-based processes to ensure that they are organized for optimal performance given the current risk environment or to ensure that changing business environments don’t demand tweaks to a given process? We should be continuously monitoring for outdated software; duplicate systems to achieve the same goals; opportunities for streamlining by, for example, standardizing on one top-performing vendor; the emergence of new, more efficient, systems and apps, and other improvements. Indeed, technology-based processes simply must be subjected to continuous improvement techniques, particularly since the shelf life of nearly all technology components and elements is shrinking all the time.
Simplicity Synchronicity
Even with technology processes, this quote from management guru Tony Robbins holds true: “The enemy of execution is complexity.” Applying end-to-end process thinking to a security or network operations center, with an eye toward simplifying processes, we will find operational issues in areas such as siloed technology and processes. Another possible area for