Engineering Total Quality Management of Security (TQMS)
By Roy D. Follendore III
Copyright (c) 2001 RDFollendoreIII
All Rights Reserved
The Deming Method of Total Quality Management (TQM) is based on fourteen obstacles to productivity and is being adapted here as Total Quality Management of Security (TQMS). As with the Deming cycle, these fourteen points should be reinforced by a Security Cycle. Without more detailed explanation, the methodology sounds like a group of simple exhortations, but when examined in context and in detail it is far more than hollow sloganeering. As with TQM, TQMS is simple to state but difficult to carry out. With this in mind, I have intentionally stayed away from specific project orientations and stayed within the context of best consulting practices. With respect to consulting, technology is easy to satisfy; people are hard. Consultants therefore must at times be analysts, professors, psychologists, mentors, philosophers, priests and evangelists to the clients and their organizations. From the client's perspective, half the satisfaction of having a consultant available is having someone who listens carefully and replies with what, in security, should be just common sense. From the client's perspective it is the unstated duty of the consultant to recommend, and therefore to sway the internal status quo of the client toward good security practices.
The most important point is to begin a practice of security innovation. New security products and services must help organizations of people be productive in material ways. Resources must be placed into research and education because there can be no innovation without research, and no research without properly educated users and employees. The status quo should never be viewed as satisfactory; instead there should be continuous improvement in product or service. The organization must invest in maintaining equipment, the communication environment and new aids to organizational engineering and implementation of security.
The organization's mind must be transformed to think of security as an ongoing productive issue. Many of the existing security structures put in place will have to be dismantled. They were never right in the first place, and competition has shown their defects. Quality must become the organization's new religion. It can no longer afford the luxuries of security mistakes, security engineering defects, poor operational and implementation workmanship, bad materials, handling damage, fearful and uninformed users and employees, poor to nonexistent security training, executive job-hopping, and inattentive and sullen security services.
Security quality never comes from inspection processes but from the process of operational improvement. While security inspections may be necessary to discover what is being accomplished, the overall goal of security inspections is to decrease variation within established security implementations and to learn from and respond to new operational opportunities as well as mistakes.
Selecting security on cost alone produces a lack of faith between the needs of the security users and the objectives of production-oriented management. Other problems associated with using cost as the only criterion are a proliferation of security solution suppliers, buyers jumping from vendor to vendor, and a reliance on security specifications that becomes a barrier to continuous improvement of the production process.
The cost of any security item is a meaningless measure of its quality.
Thrift must be balanced by quality. This issue fits neatly with the concept of time to quality.
The organizational management is obligated to continually improve security. Quality must be built into each and every security product at the design stage. Teamwork is essential to the entire process of creating quality. A security process is not usually improved simply because an irritant is removed or a particular problem solved. Statistical thinking is a sine qua non for improving the security process, but only if used properly; otherwise statistics create problems. Those responsible for security management must always strive to go beyond the status quo. The crucial questions they must ask include the following: Has performance improved over the past year or two? Is individual productivity more effective? Has customer satisfaction increased, and have employee pride, confidence and concern improved?
Control charts must be used to discover when an educational process becomes stable. Security is under statistical control when users' performance reaches the point where further training will not lead to any improvement. When new equipment is purchased or new processes are invented, retraining the operational work force is necessary.
Security leadership is management's job, and it should be a clear part of the evaluation. It is management's responsibility to discover the barriers preventing users from taking pride in the security of their work. Users know the barriers, such as: emphasizing security quantity over security quality, turning out insecure products quickly rather than properly, turning a deaf ear to user suggestions, spending too much time re-working old security practices and solutions, using poor security tools, and institutionalizing security quality problems with incoming materials. Every manager's job is to lead security in order to help people perform their jobs better. When management hires people, it takes responsibility for their success or failure at security.
Most people, especially those in management, neither understand the job of security nor what security is doing right or wrong. Many are afraid to ask questions about security or take a position. For better security quality and productivity, people must first feel secure. They must neither be afraid to express ideas and ideals, nor afraid to ask questions. Fear about security disappears as management security leadership improves and as employees develop confidence in management security objectives.
The security goals of different staff areas must not be in conflict; conflict can ruin the security awareness of the company. Security teamwork is better.
Security slogans generate frustration and resentment. A goal or target without a method for reaching it is useless. Management's job is to establish a stable security system, because without stability anything can happen. An unstable security system is a bad mark against management. Only management can change the security of the organizational system.
Three of the main obstacles to reaching this point are: (a) Security engineers are regarded as a necessary commodity, to be used as needed. If they are not needed, they are returned to something productive. (b) Management never invests security engineers with authority. (c) Management never acts on user decisions and recommendations concerning security issues.
Security communication involving education and retraining is absolutely required for long term planning. There is a need to constantly acquire new organizational security knowledge and new skills to deal with new security materials and new security production methods and theories. As a result, security education and training must fit the best available people into new jobs and responsibilities.
The Six Steps of Active Security
Organized Security Process
Security technology is not an end product. The product of security technology is the benefits that the client receives through the use of the technology. This product is valuable, but it is also often transparent. It is part of the job of consultants to make security benefits opaque. All this means that there is a rational procedural approach to security engineering within organizations, and that approach is consistent with other organized production procedures. Overall, this represents a plan involving constant open-ended security engineering development, not incremental development within a prespecified timeframe.
Within top management, operational consistency in the implementation of security is just as important as the purpose of implementing security. Top managers should be involved and work together with a mutual understanding of the fourteen points.
THE SEVEN DEADLY SECURITY DISEASES
Consultants need to be able to recognize the problems of client organizational management in order to understand the significance of technical security issues. These diseases are life-threatening to organizations that require security in order to exist. No organization, however important, is immune. Usually the only viable option that can fix these diseases is surgery. In order to revitalize the organization, the managerial dead wood must be cut out and expelled. To do otherwise is to invite the diseases to recur. It may not be your job to recommend this decision, but it is your job as a consultant to recognize that it is inevitable that these issues be resolved. Consultants do not generally run the client's security software, but they are expected to evaluate the software, which by definition includes the environment in which it operates. Depending on the client relationship, the following factors may or may not be communicated to the client, but knowing them can reduce the barriers between the consultant and his/her clients.
SECURITY ENGINEERING RISK FACTORS
Find these symptoms within any organization and you are certain to find security problems that need to be resolved.
How do you know your consulting efforts will be accepted and appreciated?
Security engineers and consultants need to consistently and clearly impress upon engaged client organizational management that it is essential to consider the perspective of people when designing security systems.
These are the questions that you need to ask from the perspective of others involved in the security project:
If any one or more of these questions cannot be answered with a truthful positive response, then the security activity you are pursuing will be in jeopardy. Unless the answers to these questions are positive, some degree of frustration and anger on the part of the client will be inevitable. To a degree this may be acceptable and expected by the client, even though they may not be willing to admit it. The value of the solutions you provide the client today determines their willingness to express their good will tomorrow.
Copyright (c) 2001-2007 RDFollendoreIII All Rights Reserved