Where the Does Pressure for Productivity Come From?The drive for perpetually increasing productivity comes from the sources of profits for companies, costs reductions and revenues. When a company reduces their wasteful costs they are able to increase saving which in turn increases their profits. Additionally reducing waste can lead to a more streamlined production process and optimized operations. This can yield either a higher quantity of product or a better quality of product/service. The role of managers is to boost productivity in order to increase profitability. This is the expectation of shareholders and the Board of Directors. Outside of the organization you have competition who are constantly seeking to deliver similar value but better and faster. Not to mention technological advances that are creating new business models that can render a production process obsolete. The pressure a manager faces is enormous. In recent years their troubles have only intensified as information technology has redefined what security means for many businesses. While increasing productivity is a reasonable goal, sacrificing security is just reckless. If an organization suffers from a data breach then all their efforts into boosting productivity are rendered obsolete. Now there is a public backlash, lost sales, reduced brand equity, lawsuits, and overall decreases in profitability. Managers place their organizations under a ton of risk by ignoring cyber security.
Common Business Process Improvement FrameworksWhen trying to improve productivity managers often turn to business process improvement frameworks such as Lean, Six Sigma, Kaizen, or Process Reengineering. These frameworks often have the goal of waste elimination and utilizing labor and assets in the most efficient ways possible. For example with the Lean process improvement framework managers are supposed to follow the following five principles: (1) determine perceived value of output, (2) identify the value stream, (3) reduce large batch processing, (4) develop demand-pull activation, and (5) continuous improvement. Six Sigma is focused on quality improvement and sets a goal to reduce errors down to nearly zero. Kaizen is a more incremental approach until efficiency goals are achieved. Kaizen works best with repetitive tasks. Process reengineering is a general approach that seeks to redevelop end to end processes to become more efficient. The goal is to eliminate unnecessary steps, reduce hands-off, reduce errors, and boost cycle times. In each one of these process frameworks, take notice of something. Security is not mentioned or highlighted anywhere. Instead it would be up to the manager to understand the need for cyber security and develop an innovative way to integrate it. This is a problem because these are just a sample of the popular approaches that managers use to make their operations more productive and efficient. Thankfully in the development of a process or operation there is a security design philosophy that blends well with these frameworks.
Integrating Security-by-Design PrinciplesSecurity by Design is a set of principles that works with the design of a product or process to secure the data as a core part of the development, rather than being a retroactive feature. In the context of security, a quality process will be as secure as possible from the start. Data security’s core principles are confidentiality, integrity, and availability. The security-by-design framework was built on these three pillars. The security by design principles include the following:
Principle of Least PrivilegeEnsure that access to information is limited and only done on a need-to-know basis. Users need to operate on a minimal amount of privileges. This principle should apply without discrimination regardless of title. Meaning the CMO should only access what they need to access and nothing more, no different than the new hire in Payroll.
Fail SafelyYou should design sub-processes to ensure that even in a failed state, the main system remains unexposed to threat. This can be considered part of developing a continuity plan. The goal is to ensure that your organization can still operate with each process well, even if your technology is offline. Fedex had to do this during the NotPetya outbreak where their IT systems failed globally, but they were able to continue operation.
SimplicitySecurity is about control and protection, which becomes harder the more complex a system is. Ensure that information systems provide only exactly what is needed in a way that allows for productivity to proceed without bottlenecks. The more complex a system (features, plugins, integrations etc.) is the more exposed it becomes to threat and bypass. The more simple a system, the easier oversight and control of it becomes.
Don't Accept ObscuritySystems dependent on secrecy often will be exposed or rendered obsolete. Do not aim to be secure by secrecy. Division of data on servers, will help better than keeping secret files which are likely to get exposed during a cyber attack.
Psychological AcceptabilitySecurity needs to be integrated with an operations process and not a hindrance to the continuation of work. For this reason ensure that your security system is user-centric in the sense that it takes into account what their job is and what too much added work will do to their motivation to participate. If this critical people component is not taken into account the exposure to insider threat rises for your organization from negligence and frustration. This is at the heart of maintaining productivity.
Layering DefensesDo not rely on just one mode of defense and any mode is subject to bypass. Security in people’s behaviours are just as important as the supporting technology, it is the first line of defense. You should embed at least two mitigation strategies in the event of a breach to ensure that information data is not accessed by outsiders. Most of these will be passive and unnoticeable to users on the network.
Where to Integrate Them Into The FrameworksFor each security by design principle you should seek to include them in each phase if possible. The principles really do blend well with the process redesign frameworks, you do not have to apply each and every single principle at the same time, but do try to apply as many as you can into your process redesign. The most important when it comes to productivity is to ensure the process is psychologically acceptable. It is also important to realize that you need to design a secure process first and then consider what technology will be applicable later. Technology needs to be implemented only after root causes are identified. If you implement technology on top of an as-is process, you will only add more complexity and reduce productivity. At its heart process design is the effort of creating repetition. So design the process first, ensure that it is both secure and efficient. Then integrate new technologies.