The job of security is to reduce security risks to acceptable levels, at an acceptable cost, in a manner that is harmonious with the business. Lean Security Operations, an application of lean principles to security operations, can help us do that.
Lean is the systematic elimination of waste from all aspects of an organization’s administration and operations, where waste is viewed as any application or loss of resources that does not lead directly to value the customer is willing to pay for. That means both what the customer wants and when the customer wants it. Waste is any action, process or activity that does not add value from the customer’s perspective.
For example, obtaining a photo ID badge is of value to the customer — waiting in line for a long time to get one is not. Having a lengthy and complicated issuance process that ties up security personnel does not add value either — it occupies security staff and keeps them from performing other actions that could add value.
In manufacturing, waste typically has financial impacts — for example, the costs involved with excess inventory. What is different in the security function is that in addition to the financial impacts of waste, there can be risk impacts.
One category of waste is defects (any process, product or service error). In security, errors often increase risk. In the presence of an active threat, defects in a security process can be catastrophic. For example, failing to cancel physical access and/or computer systems access for a disgruntled employee can permit extensive damage, including theft, misuse of private or proprietary information and even physical violence against personnel.
Eliminating time and energy spent on actions that do not mitigate risk improves the focus on actual risk mitigation using existing resources. “Doing more with less” should mean doing more of the right things. That is a key result of applying lean principles.
Lean includes perspectives and tools that can be of tremendous use in increasing the value that security managers provide to their organizations. (Editor’s note: for an in-depth look at Lean Security Operations, please see the feature story in the July issue of ST&D).
What can I look forward to in future columns?
This column will introduce lean perspectives and tools and provide a path for security practitioners to follow in applying lean principles.
To start, the column’s focus will be on security management and leadership perspectives required to understand and apply lean principles to security. If your organization is already successfully applying lean principles outside of security, the initial material will help you and your organization’s existing lean leaders establish a common understanding of Lean Security Operations.
Later columns will present practical examples on applying lean principles to security operations. At that point, readers applying the material in this column should begin to experience benefits from applying lean principles to security operations.
How do I begin?
Here are two immediate steps to begin your Lean Security Operations journey:
1. Create a Lean Journal. This can be a paper journal book or a Word document. In it, record your initial thoughts and questions about what has been presented in this column, the July article and the two online sidebar columns (SecurityInfoWatch.com/STandDextras).
2. Perform a Stakeholders Exercise. To think about customer value, you have to know who your customer is. Security’s customers are the security stakeholders. To identify the stakeholders ask these two questions:
• Who depends on Security performing its functions? This is the first category of stakeholders — people who depend on critical assets (including critical business processes) that are protected by Security. Employees as a general class are dependent on having a safe and occupiable facility. For each type of stakeholder, answer these questions:
• What Security functions is the stakeholder dependent on and why?
• What are their expectations of Security?
• How do they rate Security’s performance (in general terms)?
• Who has a role in the performance of security functions? This is the second category of stakeholders — it will include security staff; management decision-makers senior to security; non-security personnel (employees, contractors and visitors); heads of business units, divisions and departments. It is a responsibility of all managers to see that the people in their charge follow security policies and procedures that apply to them. What role in security does the stakeholder perform and why? How do you enable them to perform that role? How do you influence their performance?
Record the answers and your thoughts in your Lean Journal. Next month will examine how Security’s customers “pay for” security, and how this differs from the typical customer role in Lean Manufacturing.
Derrick Wright, CPP, is the security manager for Baxter Healthcare, Cherry Hill, N.J. With more than 19 years of progressively higher management experience in a highly regulated pharmaceutical manufacturing environment, he has built a converged security program that focuses on top-of-mind business issues as well as technology interoperability to support improved business processes. Derrick is a member of the Security Executive Council and the Convergence Council of the Open Security Exchange (OSE), where he provides insight and direction for working group activities.