The elimination of waste is a primary focus of lean. (See the special sidebar titled, “The Eight Wastes of Lean” in the in the online version of this article on SecurityInfoWatch.com.) The impact of waste is generally different for security than for manufacturing. In manufacturing, waste typically has financial impacts, for example, the costs involved with excess inventory or excessive transportation. What is different in the security function is that in addition to financial impacts there can be risk impacts to waste. Eliminating time and energy spent on actions that do not actually mitigate risk enables an improved focus on risk mitigation using existing resources. “Doing more with less” should mean doing more of the right things. Lean tools focus on exactly that.
One of the most powerful tools of lean is value stream mapping. Typically in applying lean a map or flow diagram is drawn (usually by hand) to capture the steps and actions in a business or manufacturing process. The critical starting point for lean thinking is value. The key value focus is value from the perspective of the customer. Thus, business or manufacturing processes are called value streams, to facilitate the focus on value. Most lean practitioners will say that once they began thinking of each process as a value stream, they could not revert back to thinking of them simply as steps or actions. The value orientation becomes an ingrained part of their thinking, which is one of the lasting benefits of applying lean.
In value stream mapping, each step and action is looked at to determine whether it either adds value or not. If not, it is a waste of motion or action or resources (called muda, the Japanese word for waste). Some steps that do not add value are necessary (as transportation often is) to achieve the end result — they simply don’t add more value to the product or service. Waste that cannot currently be eliminated is classified in lean as Type One muda. Other steps or actions can and should be eliminated if they don’t add value that the customer cares about. Those are Type Two muda. A primary focus of lean is to eliminate muda from the value stream.
In Lean Security, there are often opportunities to turn Type One muda into value-adding steps. That type of opportunity is not common in other applications of Lean. For example, much of a security officer’s “guard tour” is Type One muda: walking between areas and doors to be inspected. It cannot be eliminated, but it does not add value. However, in many environments, there is the opportunity to have patrolling officers check computer screens and desktops for violations of desktop security policy (such as passwords written on sticky notes or laptops left powered up and logged on). Patrolling officers can also carry small pocket-sized scanners to detect and locate rogue wireless access points connected to the network in violation of network security policy. These are examples of turning wasted actions into value-adding actions. (See the special sidebar titled “How the City of Vancouver Added Value to Security Patrols” in the online version of this article on SecurityInfoWatch.com.)
The Lean Journey
As with all applications of lean, Lean Security is not a one-time exercise. It is a path to follow to help align security with the business, to the end of creating an organization that is achieving optimal security risk. The job of security is to reduce security risks to acceptable levels at an acceptable cost, in a manner harmonious with the business. Lean Security is a highly effective set of tools, and a way of thinking, that can help you do just that within your security function.