How sure are you that your security policy is effective. Let's say that it is, so how effective is it? What costs are incurred by the policy, and I don't mean just monetary. One way to answer these questions and ensure the policy is not only effective, but also efficient, is to apply the Six Sigma approach.

I'm meeting more and more IT folk who are Six Sigma trained, either Black Belt or in training for the recognition. A Black Belt must be able to explain the philosophies and principles of the quality program, including how systems, tools, processes, and continuous improvement can best be applied at multiple management levels and to diverse business processes throughout the organization., (quality, process/continuous improvement, etc.) and will be able to apply them in various business processes throughout the organization. However, quality is frequently mentioned in terms of product development and manufacturing. I think that it must also be applied to digital security.

Who is responsible for the security of digital assets? Each and every employee who has contact with the data must understand that she's responsible for the data's security, to the extent authorized by her corporate authority. However, policies based on making everyone responsible rarely succeed, be cause ultimately, no one accepts the personal responsibility. By using a Six Sigma approach, the security analyst starts at the other end, rather than the corporate user of data, the analysis begins with the customer, ultimately the real end user of corporate data. The Six Sigma process can evaluate security holes, causes, and what long-term affects intermediate actions have by evaluating the number of times customer service has been affected by security failures.

Dave's Opinion

The Six Sigma approach to effectiveness and quality assurance is based on ensuring no failures occur. Sigma is used to mean deviations from the norm: defects from perfect quality. Six Sigma means that only 3.4 defects per million occur.

The Six Sigma approach is popular in many management applications, not just information technology; however, I have rarely seen it applied to security management. Maybe, it's time.