Success and Sustainability -- How to Ensure Lasting Results with Security Process Improvement

By Dan Jodarski


Click the links to read the first two blog posts in this series:
How to Visualize Your Process
If You've Got 99 Problems (Then Prioritizing is One of Them)

Now that you’ve developed a clear and comprehensive picture of the current state of your security operations and have a prioritized list of risks and solutions, it’s finally time to act on your findings. The process improvement plan that you've created should be launched and implemented with as much care as you would put into a project that you are delivering to external stakeholders. There are many keys to achieving success in project management and maintenance - in fact, we've published an entire guide on the nuts and bolts of this topic.

However, even with the best project management tactics, security improvement efforts can fail if the environment is not set up for success. To prevent this occurrence (and to save the cost of repeating the entire project months or years down the road), executives should focus on three key areas: communication, metrics, and culture.

Communication

Even the most careful planning cannot prevent unexpected variables from cropping up during the implementation phase and beyond. If communication expectations are not clear from the start, it can lead to disaster down the road. Here are a few steps you can take to mitigate this problem:  

  • Complete a RACI Chart. RACI stands for Responsible, Accountable, Consulted, Informed. These categories should be assigned to individual stakeholders and then communicated across the team to clarify roles in relation to project tasks. 
  • Create a detailed communications plan, including channels and structures. Make sure to address both the internal implementation team and the larger stakeholder group.
  • Document decision-making frameworks. As the name suggests, "unexpected variables" are, in fact, unexpected. That means you probably won't have a perfect plan prepared to deal with the nuances of each and every surprise event. Still, you can prepare by creating a plan for the necessary decision-making processes.

Metrics

Measurements are an important part of any organization's operations. After all, how can you monitor progress or know when you've reached the goal if you have no objective knowledge of the starting point? Measuring process-specific aspects (e.g. lead time, cycle time, queue time) may already be part of your plan, but many leaders stop there and forget to measure the success of the project as a whole. If you're not measuring results, you will never know whether your new process is better (or worse!) than the one you started with, and you will not be able to justify your investment.

One of the best metrics for overall process improvement is Return on Investment (ROI). The most basic approach to ROI is to add up the expected benefits (in dollars, if possible), subtract any upfront costs or fees of implementing the solution, and then divide the new number by your total costs. The resulting percentage is your total ROI.

Unfortunately, costs and benefits are not always crystal clear, particularly for national defense and security agencies, where the objective is the prevention of a security incident. Furthermore, most agencies opt not to publicize savings that will result in a funding cut in the next budget cycle. Still, it's important to understand the quantifiable results of process improvement projects.

The simplest way to demonstrate ROI is through cost savings. Here are three ways to calculate this figure:  

  • Direct Cost Benefits
  • Indirect Cost Benefits
  • Intangible Benefits

Culture

Arguably one of the most important guarantors of process improvement success is an invisible force that leaders may not even be aware of, or may not feel equipped to influence: office culture.

The only way to protect your organization from security threats is to create a culture that focuses relentlessly on continuous improvement. Regardless of their efforts, top executives can't be expected to achieve this target alone. Every employee must be responsible for generating innovative solutions to keep their processes lean and as secure as possible. When organizational culture demands that employees at all levels search for ways to improve collective efficiency, continuous improvement becomes as natural as breathing.

Culture change takes time, but the following strategic steps can make the shift straightforward and painless.

  1. Define your values and continue to reinforce them. Values set the stage for every organizational culture, so attempting culture change without first defining your values is analogous to setting sail without a compass.
  2. Get rid of the fluff. Some security tasks can be mundane and repetitive - not unlike work performed on a manufacturing line. When employees become bored with these tasks, they are less attuned to red flags, loopholes, and inefficiencies within the system, opening up the door to destructive security breaches.
  3. Honestly assess your organizational maturity. Don't pay lip service to the idea of culture. Make world-class, continuous improvement culture a goal for your organization, and measure progress towards that goal on a regular basis. Organizational culture will develop regardless of whether it's monitored or not, so it's best to take an intentional approach.
  4. Incentivize new ways of thinking. Taiichi Ohno, father of the renowned Toyota Production System, articulated the chief role of forward-thinking in Toyota's organizational culture: "The Toyota style is not to create results by working hard. It is a system that says there is no limit to people's creativity. People don't go to Toyota to 'work'; they go there to 'think.'"

When the work of a security office is driven by active and engaged thinking rather than by automated and outdated habits, the threat of an imminent security incident begins to shrink. After all, isn’t thinking a few steps ahead of an attacker the best way to prevent the attack in the first place? Forward-thinking should be a constant practice - not just a once in a while event. Rewarding employees for taking creative initiative is a great way to stimulate norm and behavior change and sends a clear message that the organization values new ideas.

  5. Practice Constant Learning. Any security department that says it has a 100% complete understanding of its organization's threat environment is lying. The tools at the disposal of malicious attackers are constantly evolving, and at such a rapid pace, that it's nearly impossible to be up-to-date at all times. In today's environment, security personnel should constantly strive to learn about new aspects of their processes. In fact, members at all levels of the organization should adopt this mindset and be on the perpetual lookout for new developments and relevant implications in their knowledge space.
  6. Empower Employees to Take Process Ownership. Just as every step of a process should add value to the final product, every employee should add value to the maintenance of a secure environment. Because every individual is responsible for a slightly different (and therefore unique) experience within the organization, every individual also has unique insight to offer. By showing respect for employees' thoughts, knowledge, feelings and capabilities, you can create a safe and positive environment in which to voice shortcomings and generate ideas for improvement.

Red Flag: Insider Threat

Insider threat is a particularly pernicious type of security problem to manage through traditional “perimeter protection” because, in this case, the perpetrator has been given legitimate access to organizational assets. As you plan to implement security process improvements, be sure to look beyond the network and facilities and focus on the upstream and downstream processes: screening and vetting employees, and monitoring for anomalous behavior that occurs off-network. Take the following into consideration:  

Create an Insider Threat Working Group. The group should be cross-functional, and serve as a governance structure to facilitate sharing, analyzing, and responding to warning signs that may emerge from multiple streams of data inputs. The working group must have senior leadership buy-in and include members from functions not traditionally aligned with security, such as Legal and Personnel.

Read more in our free guide! Click below to download your copy now:

Download Big Sky's Executive Guide To Running a World-Class Security Program