CHAPTER 13: CONTINUAL IMPROVEMENT PROCESS

Continual improvement should be a key and frequent part of any organisation’s operations – not just to enhance product quality, process efficiency and overall business performance, but also to remain secure.

The reality is that the cyber threat landscape changes at an extremely fast pace; it is vital that your defences evolve in line with those changes to ensure they remain effective. You must also be prepared to continually adapt your defences in line with both typical and exceptional organisational changes, as well as changes from external influences, such as stakeholder or legal demands. Having a continual improvement process in place will help organisations appropriately adapt to such changes.

By making regular, small adjustments, organisations can mitigate risks and avoid incurring significant costs at a later stage. A formal continual improvement process can also gradually develop cyber security defences into a more mature state while keeping overall security manageable.

Inputs for improvement initiatives

Improvement ideas and suggestions can come from anyone, including but not limited to staff, customers, partners, suppliers, regulators and auditors. Inputs for improvement initiatives can also originate from reviews, audits, ‘lessons learned’ activities, corrective actions, and so on.

Crucially, it is important not to solely rely on initiative takers, a ‘suggestions box’ and other ad hoc ways of getting input. These cannot hurt, but to keep improvement continual and manageable, consistency is key. This means incorporating continual improvement activities into your existing processes – if reviews and planning stages become business as usual, with improvement opportunities identified and implemented as part of that, you are well on your way to achieving a cyclical, consistent continual improvement process.

Implementing a continual improvement process

If your organisation already uses a continual improvement methodology, it is easiest to just extend it to include cyber security initiatives. However, if no formal process exists, it probably makes more sense to apply continual improvement principles to existing processes, and later look to adopt a formal continual improvement model, such as the Plan-Do-Check-Act (PDCA) cycle or ITIL® 4’s continual improvement model.

For example, you could introduce formal review stages to a process, such as evaluating projects at completion and again two months later – did the project achieve its intended goals? Was it completed on time? Was it within budget? Answering such questions – and where the response is negative, determining where things went wrong and how to prevent the same mistakes from happening again – and following up with the necessary changes should improve the odds of success for future projects. Alternatively, if everything happened as it should, such a review allows you to conclusively determine that the project truly was a success.

Existing processes will also benefit from incorporating formal planning stages, which should take feedback from past reviews (and audits) into account, ensuring improvements are not just suggested, but also implemented. On the other hand, if the review found that little needed to be changed, this will allow you to complete the planning stage of a new project quickly and confidently.
