Many organizations are adept at deploying information security controls, but these measures are often reactive, meaning they are designed to mitigate incidents after they occur rather than prevent them. Understandably, it is not feasible to deploy proactive security controls for all potential InfoSec incidents. This is where the DMAIC (Define, Measure, Analyze, Improve, Control) approach from the Six Sigma methodology can be valuable. In this article, I explain how to use the DMAIC approach with a real-world case study, demonstrating a proactive reduction in information security tickets/incidents using the Six Sigma project methodology.
Situation
In my previous company, one of the critical projects involving 12 onsite resources and 40 offshore resources consistently reported defects beyond the agreed-upon level with the client. After a certain period, the client decided to terminate the contract.
Task
To reduce the defects, improve the quality of service provided, and ultimately save that vital contract, we implemented a comprehensive strategy focused on quality assurance and process improvement.
Actions
The director of my project management team selected me to handle this situation. Together with my team, we carefully studied the client escalation report, defined the scope of the problem, and identified the key performance indicators that needed improvement. We then analyzed the data, brainstormed potential solutions, and selected the most optimal one. With the support of the project team, we implemented the solution and monitored the progress to ensure improvement.
Result
We achieved a remarkable 74% reduction in defects, which satisfied the client and led to the continuation of our services. As a result, the contract was saved and extended for an additional two years.
Note: This article assumes that readers have a basic understanding of Six Sigma and statistics. It focuses on using these statistical tools to reduce information security incidents. While it may not cover every statistical term in detail, reference links are provided for further reading.
Design Phase
Six Sigma Team Project Charter
Infrastructure Stabilization through InfoSec Ticket Inflow Reduction
Note: This article discusses stabilizing applications and infrastructure by preventing service interruptions related to information security (InfoSec) incidents.
Business Case
Business cases typically highlight compelling reasons for undertaking a project, weighing the advantages of doing the project against the disadvantages of not doing it. The primary focus of this project was to reduce the volume of InfoSec tickets (service interruptions or defects) affecting the applications and infrastructure supported by our team. Through client satisfaction surveys and various meetings, the client strongly emphasized the need for more proactive service optimization initiatives.
Projected advantages of the project:
- Application and Infrastructure Stability
- Resilience from an InfoSec Perspective
- Improved User Experience
- Effort Savings
- Increased Resource Availability
- Higher Customer Satisfaction
- Additional Orders
Project start date: 01 Oct 22
Project end date: 31 March 23
Project Strategy
- Design Phase: Involves seven applications in the project: Backup, Microsoft, SAP, DBA, ERP, Monitoring, and AIX.
- Measure Phase: Drill down into InfoSec ticket data to identify potential failure modes.
- Measure Phase: Tag each ticket with cause categories or failure modes.
- Measure Phase: Calculate the occurrence of each cause category/failure mode using pivot tables.
- Analyze Phase: Prioritize the top failure modes of each area using Failure Modes and Effects Analysis (FMEA).
- Analyze Phase: Develop action plans for failure modes with higher Risk Priority Numbers (RPNs).
- Analyze Phase: Conduct a cost-benefit analysis to select action proposals.
- Improve Phase: Pilot the selected action plans on one application to validate success.
- Improve Phase: If effective, roll out the action plans to other applications and infrastructure.
- Control Phase: Identify control limits using data from the improved weeks and monitor performance over at least 4–6 weeks.
Measure Phase
Inflow of InfoSec tickets data — Before
We plotted a histogram chart based on the raw data to represent the frequencies and other statistical parameters of the As-Is situation.
Fig 1:
The measurement phase primarily included measurements and data collection around InfoSec incidents, as well as tickets reported during the given duration. We plotted the following classification chart from the raw data received to convert raw data into measurable information. The resulting InfoSec Incidents classification chart is shown below.
Fig 2:
Then, we used the Incident Failure Mode and Effects Analysis (FMEA) technique to identify prominent failure modes using the 80-20 rule. In this context, the failure modes refer to the root causes behind various InfoSec tickets. We analyzed the top four causes, which contributed to more than 80% of the total failure modes, and prepared action plans for them.
The next steps involved determining the Risk Priority Number (RPN) for each prominent failure mode.
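The tagging, pivot-count, 80-20 selection and RPN steps above, carried through on a constructed ticket set as an added example (not the project's data or tooling). The cause names, ticket counts, Severity/Detection ratings and the share-to-Occurrence banding are all assumptions; note how the RPN ranking differs from the plain frequency ranking.

```python
from collections import Counter

# Constructed sample data: each InfoSec ticket tagged with one cause category
# (failure mode). Tags and counts are illustrative, not the project's data.
TICKET_CAUSES = (
    ["expired-certificate"] * 38 + ["missing-os-patch"] * 27
    + ["privileged-account-misuse"] * 14 + ["av-signature-outdated"] * 9
    + ["firewall-rule-drift"] * 6 + ["weak-password-policy"] * 4
    + ["backup-encryption-failure"] * 2
)
# Assumed FMEA ratings on a 1-10 scale; a higher Detection score means the
# failure is harder to catch before it causes a ticket.
SEVERITY = {"expired-certificate": 7, "missing-os-patch": 9,
            "privileged-account-misuse": 10, "av-signature-outdated": 6,
            "firewall-rule-drift": 8, "weak-password-policy": 5,
            "backup-encryption-failure": 8}
DETECTION = {"expired-certificate": 3, "missing-os-patch": 4,
             "privileged-account-misuse": 8, "av-signature-outdated": 3,
             "firewall-rule-drift": 7, "weak-password-policy": 5,
             "backup-encryption-failure": 6}

def occurrence_table(causes):
    """Pivot-table style count of tickets per cause, most frequent first."""
    return Counter(causes).most_common()

def pareto_top_causes(causes, threshold=0.8):
    """Most frequent causes whose cumulative share first reaches the threshold (80-20 rule)."""
    total, cumulative, selected = len(causes), 0, []
    for cause, n in occurrence_table(causes):
        selected.append(cause)
        cumulative += n
        if cumulative / total >= threshold:
            break
    return selected

def occurrence_rating(count, total):
    """Map a cause's ticket share to a 1-10 FMEA Occurrence rating (assumed banding)."""
    share = count / total
    for limit, rating in [(0.30, 10), (0.20, 8), (0.10, 6), (0.05, 4), (0.02, 2)]:
        if share >= limit:
            return rating
    return 1

def rpn_table(causes, severity, detection):
    """RPN = Severity x Occurrence x Detection per cause, highest risk first."""
    total = len(causes)
    rows = [(cause, n, severity[cause] * occurrence_rating(n, total) * detection[cause])
            for cause, n in occurrence_table(causes)]
    return sorted(rows, key=lambda r: r[2], reverse=True)
```

Calling `pareto_top_causes(TICKET_CAUSES)` returns the four most frequent causes (they cover 88% of tickets), while `rpn_table(...)` puts privileged-account misuse first and promotes firewall-rule drift above the far more frequent certificate expiries because of its higher Severity and Detection scores.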
Analyze Phase
Recommended action items and cost-benefit analysis:
Fig 3:
Fig 4:
The two figures above highlight the four action plans selected for implementation based on the detailed cost-benefit analysis.
Improve Phase
Below are the details on the improvements achieved after the different teams responsible for the selected improvement actions implemented those actions.
Fig 5: 2-sample t-test (InfoSec ticket count Oct–Dec 22 vs Jan–Mar 23)
- Before Stage: InfoSec ticket data from October 2022 to December 2022 has been considered.
- After Stage: InfoSec ticket data from January 2023 to March 2023 has been considered.
- Box Plot: The plot shows a significant shift in the mean and a reduction in variation between the before and after stages.
- 2-Sample t-Test: The p-value is less than 0.05, so the null hypothesis of equal means is rejected; there is a statistically significant difference in the mean between the before and after stages.
Fig 6: Box Plot Representation of the data above
FMEA On high call volume — After
Control charts of InfoSec tickets: Before & After
- Before Stage: InfoSec ticket inflow from October to December 2022 has been considered weekly.
- After Stage: InfoSec ticket inflow from January to March 2023 has been considered weekly.
- A significant shift in the Upper Control Limit (UCL) and Mean is shown in the table below and highlighted in the control chart.
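The before/after control-chart comparison described above, as an added example that is not part of the original article: a Poisson c-chart for weekly ticket inflow, first judging the after weeks against the before limits (is the shift real?) and then recomputing limits from the improved weeks for Control-phase monitoring. The weekly counts are constructed, not the project's data.

```python
import math

# Constructed weekly InfoSec ticket inflow: 13 weeks before (Oct-Dec) and
# 13 weeks after (Jan-Mar) the improvement actions. Illustrative, not real data.
BEFORE_WEEKLY = [24, 31, 27, 29, 35, 26, 30, 28, 33, 25, 29, 32, 28]
AFTER_WEEKLY = [8, 6, 9, 7, 5, 8, 6, 7, 9, 6, 8, 7, 5]

def c_chart_limits(counts):
    """Poisson c-chart for counts per week: centre line c-bar and 3-sigma limits
    UCL = c-bar + 3*sqrt(c-bar), LCL = max(0, c-bar - 3*sqrt(c-bar))."""
    cbar = sum(counts) / len(counts)
    sigma = math.sqrt(cbar)
    return {"mean": cbar, "ucl": cbar + 3 * sigma, "lcl": max(0.0, cbar - 3 * sigma)}

def out_of_control_weeks(counts, limits):
    """0-based indices of weeks falling outside the given limits."""
    return [i for i, c in enumerate(counts) if c > limits["ucl"] or c < limits["lcl"]]

def limit_shift(before, after):
    """Compare before/after limits and report the shift: the after weeks are
    judged against the before limits (a run below the old LCL shows a real
    shift), then fresh limits from the improved weeks are returned for monitoring."""
    before_limits = c_chart_limits(before)
    after_limits = c_chart_limits(after)
    return {
        "before": before_limits,
        "after": after_limits,
        "after_weeks_below_old_lcl": [i for i in out_of_control_weeks(after, before_limits)
                                      if after[i] < before_limits["lcl"]],
        "mean_reduction_pct": 100 * (before_limits["mean"] - after_limits["mean"]) / before_limits["mean"],
        "ucl_reduction_pct": 100 * (before_limits["ucl"] - after_limits["ucl"]) / before_limits["ucl"],
    }

if __name__ == "__main__":
    shift = limit_shift(BEFORE_WEEKLY, AFTER_WEEKLY)
    for stage in ("before", "after"):
        lim = shift[stage]
        print(f"{stage:6s} mean={lim['mean']:.2f} UCL={lim['ucl']:.2f} LCL={lim['lcl']:.2f}")
    print(f"mean reduced by {shift['mean_reduction_pct']:.1f}%, weeks below old LCL: "
          f"{len(shift['after_weeks_below_old_lcl'])} of {len(AFTER_WEEKLY)}")
```

With these constructed counts every after week falls below the before-stage LCL, and the recomputed after-stage chart has no out-of-control weeks, which is the state the Control phase then monitors for 4–6 weeks.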
Control Phase
Control is about finishing the final 10 percent. If the changes are not implemented correctly or their effect is not measured accurately, then the entire DMAIC process has failed. The DMAIC process should end with delivering a process improvement that returns savings to the business.
Conclusion
Tangible Benefits of Six Sigma Implementation:
- Reduction in InfoSec-related ticket volume.
Intangible Benefits:
- Improved infrastructure stability.
- Increased resource availability for handling additional work or other value-adding activities.
- Enhanced customer satisfaction due to fewer incident tickets related to InfoSec.
References
- American Society for Quality. (n.d.). Homepage. ASQ. https://asq.org/
- International Association for Six Sigma Certification. (n.d.). Homepage. Six Sigma Council. https://www.sixsigmacouncil.org/
- Encyclopaedia Britannica, Inc. (n.d.). Statistical quality control. Encyclopaedia Britannica. https://www.britannica.com/topic/statistical-quality-control
About the Author
Vivek Shitole is an experienced professional with 18 years of experience in information security, privacy, risk management consulting, and performance improvement. He has led teams in data-driven risk management engagements and has held leadership roles in Oracle's Business Assessment & Audit group. Vivek holds an MBA in Operations and IT and an engineering degree. Additionally, he is a dedicated athlete, having completed a full-distance Ironman at IMTX 2023 and participated in various marathons.
Vivek's approach of using the Six Sigma methodology to reduce InfoSec incidents has been widely recognized and deployed in the InfoSec industry. At his previous employer, Capgemini Consulting, his methodology was deployed in more than 20 Technology Infrastructure projects across the Americas and Europe. These deployments resulted in significant cost savings and increased the stability of the technology environment for those clients. His work has been a valuable contribution to the industry, with around 500 team members involved in deploying the methodology he developed.