For several years I have been fascinated by comparisons between Quality and Security. I have also learned a lot from them.
Quality and Security first came to my attention a few years ago, when I was invited to a company’s senior executive meeting, called to figure out what to do about a major information security incident. The company had just experienced a significant and public critical data breach. Ouch!
Management’s initial response was to assemble a task force of the key IT person plus a few executives and managers known for their ability to lead and get things done. They were definitely off to a good start.
Next, they had selected ISO 17799 as a likely template to help them fix the data security situation. That’s where things had ground to a halt. The language of the standard was too foreign to them. The scope of the standard was too expansive to be applied quickly. But they liked what they did understand.
They asked me, “Do you have a recommendation?”
I knew from experience that no matter how good a job they did applying ISO 17799, without a security management system in place whatever they implemented now would start to fade and they would be at greater risk again before too long. (See The Security Minute Article #6 for more on that phenomenon.)
I began talking, and this is where things started to get strange in the meeting. It seemed like I was caught in the middle of a Twilight Zone episode.
I suggested that they needed a security management system with a continual process improvement element, and that they needed to have a senior executive assigned security responsibility.
Usually this is where faces get long, and where the push-back starts. But I didn’t expect anything like what happened.
I started explaining about the Plan-Do-Check-Act cycle of ISO 27001 (a standard for an information security management system), and suddenly things got wild.
I could hardly finish a sentence. Every time I tried to make an explanation, one of the executives would jump up and state my conclusion. Several people began to advocate for the security management system, explaining why it was exactly what they needed. The next thing I knew, right in front of my eyes, executive responsibility was assigned. Before I could get a word in, the next meeting was set, and I was asked to direct them to the ISO 27001 standard and help them get the management system established.
Everyone knew what had happened except me!
How could people who knew nothing about the ISO 27001 standard not only enthusiastically endorse it, but also start assigning responsibilities for the management system it defined? I didn’t have a clue. But obviously they did. This was the Twilight Zone aspect.
It was as if some Higher Power had suddenly enlightened them and given them marching orders.
As I listened to the conversations of people leaving the meeting, I finally realized what had happened.
That Higher Power was Quality.
This was an ISO 9001 certified company. The senior executive and managers had instantly recognized the security management system by my few words, because it was just like their incredibly successful quality management system of ISO 9001. That was all they needed to know.
Well, I had read earlier that the ISO 27001 standard committee had taken particular pains to “harmonize” (that is their exact word) ISO 27001 with ISO 9001, ISO 14001 and so on. But until that moment, I didn’t really know what that meant or how important it was.
It was this company’s successful experience with their ISO 9001 and 14001 management systems (for which they have a common management framework) that enabled them to make phenomenal progress on their security management system in the next 90 days.
The senior quality executive is also the senior security executive. He knows the business, he knows the management system used for security, and he’s learning the key things he needs to know about information security measures.
My experiences since then have shown that security managers can learn a lot from the quality managers in their companies, and from the significant body of knowledge that exists around Quality.
Many companies have learned that the “Quality is Free” mantra of the 1980s is more than true when Quality is “done right”. Now I have even seen quality managers assert that, similarly, “Security is Free” if you do security right.
It makes sense. What a refreshing security perspective—and from non-security folks at that!
Best regards,
Ray Bernard