Have you ever played Jenga? The game begins with a solidly stacked tower of blocks. Each player takes a turn at pulling a block from the stack and balancing it on top of the increasingly precarious tower until it becomes so unstable that it can no longer stand, and the whole thing comes tumbling down.
This game is an apt metaphor for the state of many federal security operations. At first, there were just a few strategic priorities - the tower was solidly built. As new priorities emerged, security leaders were forced to draw from existing resources, creating gaps in the remaining programs while tacking new preventative measures and initiatives on top of current operational processes. This seemed like a convenient way to address immediate risks and comply with new policy requirements, but over time it resulted in inefficient (and even illogical) processes that were more susceptible to the risks they were originally designed to mitigate.
Fast forward to today: few in the security office have a comprehensive understanding of how all of the operational processes work together (especially where complex IT systems are concerned) - and it’s only a matter of time before a critical gap leaves the door open to a devastating threat. That door may be open already.
Clearly Define the Current State
You already know that there is room for improvement in your government security program, but solving any problem requires resources, so the allocation should be carefully considered. Before you jump into fixing those challenges that are top of mind, step back and look at the information you already have - then make a strategic decision about where to start.
Clarify what your purpose is, who your customers are, and what they need from you. We all take great pride in our work and strive for excellent results. It's easy to get carried away and expend unnecessary time and resources in the pursuit of excellence, then ultimately lose track of the minimum output required to satisfy those you serve. Is it possible that you've always delivered a 20-page report to the team next door, when they only need the first five pages to do their job? You must understand the larger organizational processes and where you and your team fit to clearly understand your "customers" (internally and externally) and what they require from you.
Never assume that policy equals practice. Say your standard operating procedures state that “upon employee termination, badges must be reclaimed by HR within 24 hours and destroyed.” Maybe your team in the field has devised an unofficial way to run the process that is more efficient - or maybe badges are only being reclaimed during an exit interview, but exit interviews are only held for those employees who leave on good terms. Either way, you must find out the ground truth of what is actually happening - and not just what is written in policy and procedural guidance.
One of the most effective exercises to understand who you are and what you do is process mapping. Process maps can range from high-level to profoundly detailed, depending on your needs. Here are examples of two types of process maps:
A High-Level SIPOC (Suppliers, Inputs, Process, Outputs, and Customers) Chart
A Detailed Value Stream Map
In both of these mapping examples, the objective is to visualize a single process on paper at the desired level of detail to clarify how it works today from start to finish, who is involved to make it work, what goes in, and what comes out. It is critical to involve a variety of stakeholders at all levels and functions to build an accurate representation of the process in question. Participants typically walk away from these sessions with a completely new understanding of their program and a better sense of how their functions fit into the larger scope of operations.
Visualize The Future State
Once you have built a comprehensive illustration of your security operations today, it’s time to think about how you want these processes to work in the future. While it may be tempting to determine the future state based on current qualitative goals (e.g. policy compliance), it's important to use quantitative data to realize efficiencies and reallocate resources from your existing processes.
Consider looking externally for benchmark data and/or best practices to measure your processes against. For example, if your value stream map revealed that it takes 30 days on average to get a new hire set up with a security badge, but the industry standard hovers somewhere closer to a 10-day flow time, you might set a goal of reducing the time to complete that workflow by 50%.
The only way to hold your team and other stakeholders accountable for their efforts is to establish SMART (Specific, Measurable, Achievable, Realistic and Time-bound) goals and accompanying metrics to track progress towards them. In the early stages of process improvement, your selected metrics may be educated guesses - and that's OK. The goal at this point is to set your team's overall direction; as you move through the following Prioritize and Visualize phases (coming up next in this blog series), these metrics can be refined.
You should walk away from the Visualize phase with three main outputs:
- Comprehensive quantitative and qualitative descriptions of the current state process
- A list of process steps that have been identified as inefficient or contributing to waste
- SMART goals and accompanying metrics to guide improvements - these are only the first draft and will be refined as your efforts move forward.
Read more in our free guide -- click below to download your copy: