Lean Security

Oct. 27, 2008
Applying lean manufacturing principles to security is part of continual improvement at Baxter Cherry Hill

Most security practitioners have heard the word lean in its most common context of Lean Manufacturing or Lean Production — a set of principles for improving product quality while lowering cost and production time. The term Lean Manufacturing evolved from the Toyota Production System (TPS), which is an adaptation of Total Quality Management (TQM), continuous process improvement, or Kaizen, and a number of other principles focused at reducing costs, improving quality, reduction of rework and speeding up cycle.

The growth of Toyota from a small company to the world’s largest automaker is directly attributable to its thorough application of quality principles. As one would expect, Toyota’s success has generated tremendous interest in these methods, which have been captured in methodologies such as Six Sigma, Continuous Process Improvement, and Least Waste Way, as well as Lean Manufacturing. The 1996 book “Lean Thinking” popularized lean principles by presenting the case studies of a number of well-known firms who transformed their production capabilities and enhanced profitability by the application of lean principles. One of the key elements of Lean focuses on “design for manufacturability,” which involves designing products properly from the beginning to reduce the complexity of manufacturing the product.

Originally known as the Toyota Production Method, over 60 years Toyota’s application of process improvement has evolved beyond manufacturing and is now referred to as the Toyota Business System (TBS). The business processes of any administrative, production or service activity can be significantly improved using lean concepts. Lean is a way of improving critical business processes that impact customer satisfaction and operational excellence. Thus, the outstanding results that many companies have achieved applying Lean Manufacturing have inspired additional applications of lean including those now known as Lean Healthcare, Lean Laboratory, Lean Software Development, Lean Government, Lean Office and finally Lean Enterprise.

What might surprise you is that Toyota’s success can actually be traced back to the efforts of two American quality gurus — Joseph Juran and W. Edwards Deming — who were brought to post-war Japan by General Douglas MacArthur to assist the Japanese in rebuilding their economy through teaching the virtues of TQM.

Lean Security
Lean is the systematic elimination of waste from all aspects of an organization’s administration and operations, where waste is viewed as any application or loss of resources that does not lead directly to value that is important to the customer. That means both what the customer wants and when the customer wants it.
Lean principles contain perspectives and tools that can be of tremendous use in increasing the value that security managers and executives provide to their organizations. This is especially important today, when the pace of organizational change is high, and when the local and global economic, social and legislative environments in which companies operate can change drastically almost overnight. Such changes heavily impact the risk picture. Security management and security operations must be ready to provide the kind of security controls and responses that their organizations need, when they need them.
This is the challenge of today’s security leadership. It requires a high degree of business alignment, and a high capability to adapt and adjust the security function as security risks change. At the same time, it is important to not lose sight of the fundamentals when designing or redesigning security processes:

• Focus on processes and measurements
• Focus on continuous improvement
• Create “lean” organizational structures and polices
• Value people
• Plan – Do – Check – Act

This article introduces the concepts of Lean Security and Lean Security Operations and provides real-life examples of applying lean principles to the security function. There are a few key differences between applying lean to security and to manufacturing; these are important to know especially if your company has already been (or is about to be) applying Lean Manufacturing. Two examples follow.

Waste
The elimination of waste is a primary focus of lean. (See the special sidebar titled, “The Eight Wastes of Lean” in the in the online version of this article on SecurityInfoWatch.com.) The impact of waste is generally different for security than for manufacturing. In manufacturing, waste typically has financial impacts, for example, the costs involved with excess inventory or excessive transportation. What is different in the security function is that in addition to financial impacts there can be risk impacts to waste. Eliminating time and energy spent on actions that do not actually mitigate risk enables an improved focus on risk mitigation using existing resources. “Doing more with less” should mean doing more of the right things. Lean tools focus on exactly that.

Value Stream
One of the most powerful tools of lean is value stream mapping. Typically in applying lean a map or flow diagram is drawn (usually by hand) to capture the steps and actions in a business or manufacturing process. The critical starting point for lean thinking is value. The key value focus is value from the perspective of the customer. Thus, business or manufacturing processes are called value streams, to facilitate the focus on value. Most lean practitioners will say that once they began thinking of each process as a value stream, they could not revert back to thinking of them simply as steps or actions. The value orientation becomes an ingrained part of their thinking, which is one of the lasting benefits of applying lean.

In value stream mapping, each step and action is looked at to determine whether it either adds value or not. If not, it is a waste of motion or action or resources (called muda, the Japanese word for waste). Some steps that do not add value are necessary (as transportation often is) to achieve the end result — they simply don’t add more value to the product or service. Waste that cannot currently be eliminated is classified in lean as Type One muda. Other steps or actions can and should be eliminated if they don’t add value that the customer cares about. Those are Type Two muda. A primary focus of lean is to eliminate muda from the value stream.
In Lean Security, there are often opportunities to turn Type One muda into value-adding steps. That type of opportunity is not common in other applications of Lean. For example, much of a security officer’s “guard tour” is Type One muda: walking between areas and doors to be inspected. It cannot be eliminated, but it does not add value. However, in many environments, there is the opportunity to have patrolling officers check computer screens and desktops for violations of desktop security policy (such as passwords written on sticky notes or laptops left powered up and logged on). Patrolling officers can also carry small pocket-sized scanners to detect and locate rogue wireless access points connected to the network in violation of network security policy. These are examples of turning wasted actions into value-adding actions. (See the special sidebar titled “How the City of Vancouver Added Value to Security Patrols” in the online version of this article on SecurityInfoWatch.com.)

The Lean Journey
As with all applications of lean, Lean Security is not a one-time exercise. It is a path to follow to help align security with the business, to the end of creating an organization that is achieving optimal security risk. The job of security is to reduce security risks to acceptable levels at an acceptable cost, in a manner harmonious with the business. Lean Security is a highly effective set of tools, and a way of thinking, that can help you do just that within your security function.

Lean Security and Lean Security Operations
Lean Security has the following scope:

• applying lean principles to the security function;
• use of information from other applications of lean (such as Lean Manufacturing or Lean Office) in support of the security function; and
• use of security resources to support lean elsewhere in the organization.
Through the second element above, security can gain insight about critical assets and business processes. For example, such information is valuable input for business continuity planning. Information about the critical assets and processes also provides insight into organizational risks.
Lean Manufacturing, for example, impacts the risk equation by reducing inventory levels. This is important from a business resiliency perspective, as the ability to draw from inventory to offset a delay of component parts due to a disruption in the supply chain is greatly reduced. Thus, Lean Security is actually an important compliment to Lean Manufacturing. Security must always take the changing business picture into account when assessing the company’s risk profile, including changes resulting from lean improvements to the organization.
Lean Security has applicability throughout the enterprise security function, from top to bottom.
Lean Security Operations focuses on applying lean to specific aspects of security operations, such as security operations at the site level, or within supply chain operations. This can be done independently of the rest of the security function.

For example, in an R&D lab environment, a critical process in developing a new product often involves months of tests and monitoring. Many times, key components may involve maintaining temperature or humidity within certain parameters over a long period of time. If the temperature gets too hot or too cold, or the humidity is too high or too low, the test may be invalidated — resulting in significant costs to redo the test and major delays in bringing the new product to market. In a situation like this, deploying temperature and humidity sensors connected to the main security command center, along with detailed response protocols can provide invaluable risk reduction for the new product development cycle and assist the company in bringing new products to market without interruption.

Lean Security Operations at Baxter Cherry Hill
At Baxter Healthcare Corp.’s pharmaceutical manufacturing facility in Cherry Hill, N.J. — where the Security Department is part of Human Resources — managers of key business functions have partnered with Security (headed by one of this article’s authors, security manager Derrick Wright) to implement Lean Security Operations. “Lean Security Operations is being implemented as part of an ongoing effort by our Security Department to align security with our business,” explains Herman Ford, director of Human Resources. “Security has been examining the best practices implemented in other business units, and applying them to improve the Security function. For example, our Engineering Department has an excellent project management system. Engineering provided guidance to Security on implementing a project management system of its own, helping to make the Security function more efficient and effective.”

“Sharing knowledge and fostering initiative is part of the overall business culture at Baxter,” adds Mike Viggiano, director of Manufacturing. “Lean Security is an example of that sustainable culture at work in its continual improvement of our enterprise.”

Baxter Cherry Hill is currently piloting the use of network video cameras to support operations pertaining to quality, manufacturing, and environmental health and safety — with particular attention to how the technology can support lean improvements. For example, in clean-room manufacturing areas, the ability to use security cameras to supervise processes saves considerable time, increasing the supervision capability while drastically reducing the time involved. A quarter-mile walk through the facility to a production line, donning a clean room suit, performing a 5-minute observation, and then returning to the office area can take an hour. In contrast, a 5-minute camera observation by computer would take six minutes, when you include the time to log in and out of the video application. Additionally, a pan-tilt-zoom camera can provide a close-up inspection of machine operations (and facilitate review in slow motion) that would not be possible with an in-person inspection.

“Being able to share the security video technology to enhance our Quality activities is an exciting prospect,” says William Godfrey, director of Quality.
Adds H. Brandt Widdoes, manager of Baxter Cherry Hill’s Environmental, Health and Safety Department: “The ability to use network camera technology to directly support safety initiatives saves countless hours in investigative time and helps us keep an accurate picture of activities to determine the root cause of incidents.”

Security Workflow Automation
A key strategy of the Baxter Cherry Hill Security Master Plan is to deploy an enterprise security system that:

• centralizes physical identity management for employees, contractors and visitors;
• allows role-based security access management to closely align security access privileges with job functions;
• links with the HR system to automatically assign and remove security access privileges as employees and contractors come on-board or leave; and
• provides self-service for selected security services, such as access privilege changes and the area work permit process.
The Baxter Cherry Hill Security Department implemented a business process management system for security operations, which provides the functionality above. Automating the manual ASCO (Access Status Change Order) process will eliminate up to a mile of walking back and forth for employees each time a change is required, which is approximately 40 times per month.
As part of the transition to the electronic process, area owners are being involved in reviewing the security access privilege assignments. These are being “right-sized” so that each job role receives only the access privileges required for the particular job. Each time an electronic Access Status Change Order request is made, the area owner will also review and approve the job role assignment. This provides a checkpoint to ensure that access privileges are being assigned as the area owner intends. If the job role has changed and access privileges should be revised, this can be addressed so that the security access privileges are always kept in alignment with the job function.

Automating the manual area work permit process will eliminate the administrator’s walking back and forth between departments. Even more importantly, it will incorporate additional checks and balances to better mitigate some of the operational risks inherent in authorizing work to be done throughout our facility, ensuring the continuity of business when work outside of normal business operations is to be performed.
Lean thinking in Baxter Cherry Hill’s Security Department is helping to expand the ROI from its investments in security technology.

Business Alignment Factor
For those companies that are already applying lean outside of security, the lean leaders of those initiatives can provide valuable mentoring to the security practitioners. In such a situation, security obtains the benefit of resources outside of security, as is often the case when the security function aligns itself more closely with the business.

Ray Bernard focuses on Physical Security Integration, Security Planning, Lean Security Operations and horizon issues in the security profession. Please see page 16 for the rest of his bio.

Lynn Mattice is one of the visionary pioneers in applying Total Quality Management, Six Sigma and Lean concepts to managing security programs, risk oversight, business continuity planning and corporate aviation. He recently retired as the Vice President and CSO of Boston Scientific and during his career held CSO level positions at three other major international corporations.

Derrick Wright, CPP (pictured on the opening page of this article) is the Security Manager for Baxter Healthcare, Cherry Hill, N.J. With more than 19 years of progressively higher management experience in a pharmaceutical manufacturing environment, he has built a converged security program that focuses on top-of-mind business issues as well as technology interoperability to support improved business processes. He is a member of the Convergence Council of the Open Security Exchange (OSE), where he provides insight and direction for working group activities.

Mr. Bernard, Mr. Mattice and Mr. Wright are affiliated with the Security Executive Council (www.SecurityExecutiveCouncil.com). Mr. Mattice is Chairman, Board of Advisors of the Council; Mr. Bernard is a content Faculty member of the Council; Mr. Wright and Baxter Corp., are members of the Council.

The SEC is a member organization for senior security and risk executives that creates innovative leadership solutions and through its affiliated research organization, the Security Leadership Research Institute (SLRI), documents collective practices of baseline security programs from the world’s most successful corporations, agencies and organizations. Using member input, professional staff, a distinguished faculty of former security executives and security-related content experts, the Council combines best practices and proven strategies with original security research to create next generation member resources. The primary goal of SLRI is to document and advance current real world leading practices in the security industry. SLRI research is used by SEC in the development of new tactics and strategies for members and the industry. Both the SEC and SLRI have restricted membership opportunities for public/private sector security and risk practitioners from corporate, government and IT security programs. All research is funded by membership fees and private endowments.

Special Monthly Feature: Lean Security Operations: Beginning with the September issue, Security Technology & Design will incorporate a monthly column titled “Lean Security Operations,” written by one of this article’s authors, Derrick Wright.