Deploy MAC filters, obscure identifier feedback, employ replay-resistant authentication: Cyber security techno-advice can be as difficult to unwrap as the excess packaging around children’s toys. (How many metal staples does it really take to secure Barbie’s head?)
Two of the fundamental principles underlying cyber security — integrity and availability — are especially familiar to manufacturers who pursue quality practices. Products match customer specifications with limited rework or spoilage/waste. Production operations are unimpeded by employee injury, equipment failure, or component/material sourcing delays. Manufacturing excellence! Cyber security is, at its core, about business process excellence through data quality: “data fit for its intended uses in operations, decision-making, and planning” (Redmann 2013). This is the end game — integrity and availability with confidentiality as a key factor in reducing the risk that a competitor or adversary can steal or misuse the assets you’ve worked to acquire: trade secrets, intellectual property, money, equipment, customer data, employee information.
Kaizen, the continuous (kay) improvement (zen) philosophy that underlies many manufacturing quality programs, is adaptable to data quality or cyber security programs as well. Incremental changes build organizational resilience — and compliance with statutory and legal requirements that, at first glance, may seem too complex, technical, and daunting. So what are some easy first steps in the cyber kaizen process? How can we adapt the kaizen 5S to our cyber world?
Sort (Seiri). Inventory your technology assets. This includes computing devices (even mobile phones and USBs) that are owned by the business as well as those owned by individuals but used for business purposes. It also includes hard copy documents and network accounts. If accounts exist for individuals that are no longer part of the organization, disable them. Adapt the red tag principle for identifying unneeded or obsolete items and services (e.g., open communication ports in your firewall) by prioritizing them for disposal. (Using traffic light colors — red, amber, green — is an easy way to track progress visually.)
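As an added illustration of the Sort step (example code written for this page, not part of the original article or of Manufacturer's Edge's own practice), the script below applies the red-tag principle to a small, constructed inventory of devices, accounts, and firewall rules. It compares each item's documented owner against the current personnel roster, tags it red (orphaned or undocumented: prioritize for disposal), amber (dormant beyond a review window: confirm with the owner), or green (in use and accounted for), and orders the red items into a disposal queue. The field names, the 90-day dormancy window, and the disposal ordering (accounts first, then firewall rules, then devices) are assumptions chosen for the example.

```python
"""Red-tag triage for the Sort (Seiri) step of cyber kaizen.

Added example code: the inventory, roster, field names, 90-day dormancy
window, and disposal priorities below are constructed assumptions, not
policy from the original article.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_WINDOW = timedelta(days=90)  # assumed dormancy threshold

# Assumed disposal order for red-tagged items: orphaned accounts are live
# access paths, so they go first; open firewall rules next; devices last.
DISPOSAL_PRIORITY = {"account": 0, "firewall_rule": 1, "device": 2}


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str            # "device", "account", or "firewall_rule"
    owner: str           # responsible person, or "" if undocumented
    last_seen: date      # last login / last traffic / last check-in
    business_owned: bool = True  # False for personally owned devices used for work


def tag_asset(asset: Asset, roster: set[str], today: date) -> str:
    """Return the traffic-light tag for one inventory item."""
    # An empty owner field or an owner who has left the organization
    # both mean nobody is accountable for the item: red tag it.
    if asset.owner not in roster:
        return "red"
    # Accounted for, but no activity within the review window: amber.
    if today - asset.last_seen > REVIEW_WINDOW:
        return "amber"
    return "green"


def red_tag(inventory: list[Asset], roster: set[str], today: date) -> dict[str, str]:
    """Tag every item in the inventory; returns {asset_id: tag}."""
    return {a.asset_id: tag_asset(a, roster, today) for a in inventory}


def progress(tags: dict[str, str]) -> dict[str, int]:
    """Count items per colour, for the visual progress board."""
    counts = {"red": 0, "amber": 0, "green": 0}
    for colour in tags.values():
        counts[colour] += 1
    return counts


def disposal_queue(inventory: list[Asset], tags: dict[str, str]) -> list[str]:
    """Red-tagged items in the order they should be disabled or removed."""
    reds = [a for a in inventory if tags[a.asset_id] == "red"]
    reds.sort(key=lambda a: (DISPOSAL_PRIORITY[a.kind], a.asset_id))
    return [a.asset_id for a in reds]


# Constructed sample data: a current roster and a six-item inventory.
ROSTER = {"alice", "bob", "carol"}          # dave has left the organization
TODAY = date(2019, 6, 1)
INVENTORY = [
    Asset("LAPTOP-07", "device", "alice", date(2019, 5, 30)),
    Asset("PHONE-BYOD-03", "device", "bob", date(2019, 2, 1), business_owned=False),
    Asset("ACCT-dave", "account", "dave", date(2019, 5, 28)),
    Asset("ACCT-carol", "account", "carol", date(2018, 11, 15)),
    Asset("FW-RULE-22", "firewall_rule", "", date(2019, 5, 31)),      # no documented owner
    Asset("FW-RULE-443", "firewall_rule", "alice", date(2019, 5, 31)),
]

if __name__ == "__main__":
    tags = red_tag(INVENTORY, ROSTER, TODAY)
    for asset_id, colour in tags.items():
        print(f"{colour:5}  {asset_id}")
    print("progress:", progress(tags))
    print("disposal queue:", disposal_queue(INVENTORY, tags))
```

Running the script tags the departed employee's account and the ownerless firewall rule red, the two dormant items amber, and the rest green, and lists the account ahead of the firewall rule in the disposal queue. Re-running it after each clean-up pass gives the red/amber/green counts the article suggests for tracking progress visually.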
Set in order (Seiton). “A place for everything and everything in its place.” An information asset is not really available if the person who needs that piece of data cannot find it. Certain data, such as controlled unclassified information (CUI), controlled defense information (CDI), or individuals’ personally identifiable information (PII), should be stored securely and even encrypted, as appropriate. Classify and mark data that must receive different levels of protection. Make a high-level diagram of how information flows throughout your organization and supply chain.
Shine (Seiso). When I was a young child in small-town Ohio, we were told to “redd up” after playing, even if we were going to be using the same toys the next day. Perhaps that odd expression came from “ready up” (although my sisters and I just interpreted it as “because I say so”). Systematic cleaning (and cleaning out) is a big time saver. Searching through an email inbox or multiple file folders for the right version of a document is frustrating and unproductive. Losing data can be worse! At Manufacturer’s Edge, we are expected to synchronize files automatically to a shared drive. This also mitigates some business continuity concerns about knowledge sharing/transfer and how to meet customer, supplier, or employee expectations. It’s part of being a team player.
Standardize (Seiketsu). Reducing variation in production runs is a major outcome of a successful quality program. In cyber security terms it means defining — and communicating effectively — roles and responsibilities, policies (plus their objectives, enforcement/monitoring mechanisms, and consequences), and best practices. At a minimum, your organization should have a system and facility security policy and improvement plan, an incident response plan, and a security best practices training and awareness program. Keep the standards high when it comes to areas like access control (e.g., passwords, least privilege, separation of duties, and guest versus corporate networks).
Sustain (Shitsuke). As in manufacturing kaizen, continuous improvement in cyber security kaizen means consistent monitoring, tracking, controlling, and correcting. It means committing to the new normal and not backsliding into shortcuts that undercut efforts to secure your data quality and introduce risk. It also means staying alert to changes within the internal and external environment. The cyber threat environment is constantly evolving — the bad guys are diligent in pursuing their own continuous improvement process in terms of tools and attack channels. The cyber risk environment is also evolving — your stakeholders are also diligent in pursuing continuous improvement. Government procurement representatives, for example, announced in late 2018 their intention to apply acquisition regulations like those required by the Department of Defense more broadly to non-Defense solicitations.
The good (in my humble opinion) news is that many control objectives of an effective cyber security kaizen program are addressed through nontechnical means: people, process, policy. Technical tools are only part of the solution. Data quality results from having confidence that your data are usable only by the person(s) or process(es) with a legitimate need to know (confidentiality); that your data are correct and as specified (integrity); and that they are accessible by the person(s) or process(es) when, where, and in the format they are needed (availability).
The Challenge: Extend your manufacturing kaizen expertise to cyber security and realize continued ROI through data quality.
©2019 Manufacturer’s Edge