How to educate members of the security team on using the Six Sigma process.
In early 2013, a multimedia entertainment company explored Six Sigma as a way to address access control concerns. Several members of the company’s security leadership were already familiar with Six Sigma, and they wanted to know how it might be used and implemented within a security environment.
While senior management believed that the security program could benefit from Six Sigma, their questions and concerns centered on how to implement the program. Executives requested that, regardless of the approach taken for implementation, various team members be trained, with the intent that the security department could eventually take on additional improvement projects.
The company chose a blended learning program, which incorporates different learning modes, is designed to appeal to different learning styles, and is engineered to meet the requirements of effectiveness, cost, and flexibility. Common components of a good model include interactive e-learning, classroom simulations, live and recorded webinars, online or paper-based testing, one-on-one coaching, support structures such as study halls, interactive Six Sigma software tools, and reference sources.
Although technically not part of the official training, the company decided to have an initial meeting on the project to provide an opportunity for the trainer to understand the company culture. The meeting provided the security team with a chance to evaluate the personality and expectations of the trainer. The meeting was also used to codify the scope of the overall initiative, ask any questions, and discuss benefits and concerns.
Individuals within the company came to the meeting with varying degrees of buy-in, from skepticism to total acceptance. However, as ideas for applying Six Sigma began to develop and projects were offered for consideration, company employees agreed that several key security projects could benefit from using this methodology.
At the conclusion of the meeting, the company agreed to set up an e-learning program for each security team member.
For the e-learning portion of the blended training program, the company chose MoreSteam.com, which specializes in online Six Sigma training. Over several weeks, each security team member worked on the online beginner class, which provided a cost-effective way to evaluate Six Sigma. Individuals worked at their own pace until completing the program. Each member’s progress was monitored via the Web by tracking online quiz results. Teleconferences were held to support the e-learning, as well as to discuss possible projects.
The subjects taught during the class included the DMAIC process, process mapping, measurement and basic statistics, understanding variation, and standardized work documentation.
One team member was given additional training and served as the Six Sigma project leader after the trainer left. The remaining team members stopped after the initial training.
The purpose of training each member at a basic level was to give all members an understanding of terminology as well as to drive cultural change. The goal was not just to save money and improve quality on a project-by-project basis, but to create an environment driven by data and measurements.
As an initial project, the company chose to address access control issues. The overall problem was that security received a significant number of access control alarms. When security responded to these alarms, they often found that the access control devices were malfunctioning. The data had been collected from the system audit reports that showed thousands of data points indicating various potential security breaches. However, security eventually responded to these alarms as if they were false, creating the potential for a real security incident to be ignored or handled poorly. Once the project was chosen, the Six Sigma project leader worked alongside the trainer to apply to the real world what had been learned in the online training class.
Applying the Six Sigma process, the company decided to work with the access control vendor and address each malfunctioning device. After this was completed, a maintenance schedule was devised to ensure that devices remained in good working order.
The accumulated data also revealed failures in access control points not associated with component failure. Other problems resulted from failures of system design and employee use, such as tailgating. These issues were addressed through reconfiguration of access control readers and training for nonsecurity employees.
Once those problems were addressed, remaining alarms were treated as potential breaches in security. With this in mind, security used Six Sigma methodology to devise a prioritization of responses for each access control point. The ranking considered the location of each access control point and what the security device was meant to protect. This led to the next project: identifying individual access rights.
The company’s goal was to reap ROI on the training and consultation services associated with the initial project, and to carry on with future projects without the need for outside consultation.
The access control project recouped 150 percent of the training and consultation costs. The cost savings were associated with resources that had been wasted responding to false alarms or low-priority alarms, and with the reduction in risk achieved when security was able to respond to actual incidents.
The company continued the Six Sigma program through the employee who was trained as a project leader. This ensured that the program, and the culture of continuous improvement, remained strong once the advisor and trainers departed.
Gary Retherford is founder of Six Sigma Security, Inc.