Lean Six Sigma, Cyber Risk Quantification

Inside The Lean Six Sigma of Cybersecurity

Some of the greatest companies in the world have embraced the Lean Six Sigma process improvement methodology to eliminate errors, remove waste and inefficiency, and improve operational performance. At ThreatConnect, we’re building the tools that for the first time can help companies apply these same groundbreaking principles to cybersecurity.

Lean Six Sigma combines the principles of Lean manufacturing (eliminating waste) and Six Sigma (eliminating errors). When combined, the two methodologies create a powerful team-oriented approach for analyzing processes and the steps, or actions, that make up those processes. And it is the process of cybersecurity that is in urgent need of optimization today.

Start With Risk Data

Lean Six Sigma relies on data, not guesswork. Data is captured and used for analysis to determine what is actually happening in a given process, not what everyone assumes is happening. This analysis verifies the underlying causes so that the correct problem is fixed.

Cyber risk quantification (CRQ) is an industry in its infancy, but it is critical to improving the way cybersecurity actually works: the risk data it produces is the starting point of the cybersecurity process, just as measurement is the starting point of a Lean Six Sigma project.

One of the biggest challenges in Lean Six Sigma projects is overcoming a business's denial that it has a problem. That is exactly where cybersecurity finds itself in the modern enterprise today. Most businesses do not know their exposure to any given cyber event: what the impact would be in response costs, lost revenue, and secondary forms of loss such as fines and judgments. Until now, the result has been a lack of focus on the risks that matter most to the business and an inability to communicate an accurate risk posture to the C-suite and board of directors.

The Rosetta Stone that translates the technical nature of security into the language of the business is here: cyber risk quantification. By quantifying cyber risk, Chief Information Security Officers gain the ability to speak the language of business.

Risk scenarios should be and can be quantified in a way that the board can understand. A board that understands the risk, threat, response paradigm is better equipped to understand prioritization and resource allocation – and the need for right-sizing of security investments.
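To make the quantification concrete, here is an added example (not ThreatConnect's model or code, and not from the original post) of turning one risk scenario into board-level numbers. It assumes a common CRQ decomposition: a Poisson loss-event frequency multiplied by a per-event loss made of the components named above (response costs, lost revenue, and fines or judgments that only sometimes apply), each given a triangular low / most-likely / high estimate. The scenario name, all dollar figures, the event rate and the tolerance threshold are constructed for illustration. A Monte Carlo run produces the expected annual loss, tail percentiles, and the probability of exceeding a stated loss tolerance; a closed-form expected-loss check guards against a broken simulation.

```python
"""Added example: quantify one cyber risk scenario as an annual loss distribution.

All inputs are constructed for illustration. The frequency x magnitude
decomposition is a common CRQ approach, not a method stated on the page.
"""
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple

Triangular = Tuple[float, float, float]  # (low, most likely, high), in dollars


@dataclass
class LossScenario:
    name: str
    events_per_year: float        # mean loss-event frequency, modelled as Poisson
    response_cost: Triangular     # forensics, notification, recovery
    lost_revenue: Triangular      # downtime and customer churn
    fines_judgments: Triangular   # secondary loss, incurred only when triggered
    fine_probability: float       # chance that one event draws fines or judgments


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small event rates typical of CRQ."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def triangular_mean(t: Triangular) -> float:
    return sum(t) / 3.0


def expected_annual_loss(s: LossScenario) -> float:
    """Closed-form check: event frequency times expected per-event magnitude."""
    per_event = (triangular_mean(s.response_cost)
                 + triangular_mean(s.lost_revenue)
                 + s.fine_probability * triangular_mean(s.fines_judgments))
    return s.events_per_year * per_event


def simulate_annual_losses(s: LossScenario, years: int = 50_000,
                           seed: int = 7) -> List[float]:
    """One simulated year per iteration: draw the event count, then each event's loss."""
    rng = random.Random(seed)
    annual: List[float] = []
    for _ in range(years):
        total = 0.0
        for _ in range(sample_poisson(rng, s.events_per_year)):
            lo, mode, hi = s.response_cost
            total += rng.triangular(lo, hi, mode)
            lo, mode, hi = s.lost_revenue
            total += rng.triangular(lo, hi, mode)
            if rng.random() < s.fine_probability:
                lo, mode, hi = s.fines_judgments
                total += rng.triangular(lo, hi, mode)
        annual.append(total)
    return annual


def percentile(sorted_values: List[float], q: float) -> float:
    idx = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[idx]


def board_summary(s: LossScenario, tolerance: float, years: int = 50_000,
                  seed: int = 7) -> Dict[str, float]:
    """The figures a board can act on: expected loss, tail, and chance of breaching tolerance."""
    losses = sorted(simulate_annual_losses(s, years, seed))
    return {
        "expected_annual_loss": sum(losses) / len(losses),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p95": percentile(losses, 0.95),
        "prob_exceeds_tolerance": sum(1 for x in losses if x > tolerance) / len(losses),
    }


# Constructed scenario; every number here is an illustrative assumption.
RANSOMWARE = LossScenario(
    name="Ransomware on the order-management platform (constructed)",
    events_per_year=0.5,
    response_cost=(50_000, 150_000, 600_000),
    lost_revenue=(20_000, 100_000, 900_000),
    fines_judgments=(0, 250_000, 2_000_000),
    fine_probability=0.3,
)

if __name__ == "__main__":
    summary = board_summary(RANSOMWARE, tolerance=1_000_000)
    print(RANSOMWARE.name)
    print(f"analytic expected annual loss: ${expected_annual_loss(RANSOMWARE):,.0f}")
    for key, value in summary.items():
        print(f"{key:>24}: {value:,.2f}")
```

Two things the output shows that a single "risk score" hides: the median annual loss is zero (most years have no event), so reporting only a typical year understates exposure, while the p90 / p95 tail and the probability of exceeding the tolerance figure are what justify, or right-size, a control investment.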

Read the full story here: https://threatconnect.com/blog/inside-the-lean-six-sigma-of-cybersecurity/