The rise of cyber risks is placing the average stressed-out CISO in further peril. With mega-hacks hitting organisations, how can we deliver security improvements when the resource base is already under such strain? Is it possible to reduce the overheads arising from updated cyber security strategies and associated implementation plans?

There might be an answer. Cyber security strategy planning must become lean and integrate with business improvement planning to ensure it meets these demands. Within both the NHS and the Police Service, many CISOs are pursuing leaner strategies to secure the organisation whilst limiting resource demand.



After a decade of global economic uncertainty, the last thing CISOs want is for new areas of work to require additional resources. Yet with British Airways and Ambassadors Hotels being hit by sizeable fines from the UK’s Information Commissioner’s Office in 2019, there is now a new urgency to cyber security planning activities. The need to raise the defensive posture is increasing before an organisation is subject to regulatory intervention and huge financial penalties.

The tension for CISOs is that this arrives at a time of continued economic uncertainty in the UK, with decisions still required regarding the nation’s membership of the European Union. Few organisations are able to increase cyber security spending at present, as the benefits remain elusive when compared to shiny new appliances that can be unveiled to great fanfare.

The required response in this environment is to deliver cyber security in a new way, by dismissing the orthodox ways of developing and deploying security services. It is essential to develop a new cyber security strategy that ensures lean methods are integrated into development and delivery, to optimise standards and reduce threats to manageable levels.



Popularised in the last two decades in manufacturing, lean methods might offer solutions for changing the CISO’s approach to security strategy planning. Lean methods tend to fall in and out of fashion depending on the state of corporate finances, but their value has been demonstrated in industries as diverse as car manufacturing and healthcare.[i]

The ‘lean’ methods approach sees waste in the organisation as the key impediment to progress. Lean methods contrast with other methodologies in that they do not seek to set a strict, rigid set of rules, tools, processes, or practices. Instead they promote a total approach to managing services with a view to understanding where the value exists within a system. This focus enables all service activities to be separated into valuable or wasteful steps.

CISOs who are seeking to develop new cyber security services that integrate with business operations should consider a lean methods approach, as this will optimise security and provide intelligence regarding on-going improvement.



Lean cyber security services should apply key Lean methods to the way they plan, manage, and measure work. These methods are built on a number of key principles, including:

  1. Security Service Planning: CISOs must manage the entire cyber security strategy as one value-generating system. This requires taking decisions that optimise the entire organisation’s ability to deliver value to all stakeholders rather than just one team or department.
  2. Better Knowledge Management: Lean services must be adaptive and learn all the time, using new ways of working to test processes and methods to aid intelligent discovery. In order to retain the insight gained from constant testing of organisational boundaries, Lean cyber security must integrate knowledge capture methods to build experience for future development.
  3. Reducing Information Pollution: Lean strategists are obsessive about eliminating any process, activity, or practice that does not result in more value. Within cyber initiatives, if an activity delivers no obvious value, it must be waste and should be removed.
  4. Codifying Excellent Standards: Lean organisations set themselves up for on-going growth by building quality into security processes and documentation. They use automation and standardise any tedious, repeatable process such as logging, or any process prone to human error, including analysis of events. This allows them to enhance value streams by reducing errors to zero.
  5. Encouraging Information Sharing: Good flow describes a Lean system with a steady, consistent flow of value delivery across security activities. Any processes that are unpredictable are unsustainable and need to be addressed and revised.
  6. Define the Value of Services: In a Lean security system, CISOs define, visualise, and refine their processes to optimise for a consistent flow of value. They actively manage flow by limiting work in process. This Lean approach says that Lean systems should function as just-in-time systems, waiting until the last responsible moment to make decisions and deliver work to optimise results. This relies on the CISO’s decisions being well-informed, based on data that reflects the reality of the service.



For those organisations that have begun to consider lean cyber security methods, some key activities have been identified that can improve delivery. These include:

  1. Improved information asset management: Simplify every security process to minimise your need for information management inputs. For example, the simple act of improving information sharing by daring to share knowledge eliminates all of the management policy information needed to tell each department and step what to do during process steps. A UK police service had great success when it transformed its information support services into value-driven services, with teams sharing information via new knowledge capture techniques including communities of practice and after action reviews.
  2. Codify cyber security standards: Make every step in your process capable and available via codified cyber standards delivered in a consumable format. Security incidents generate the need for managers to manage more information. Instead of automating this task, try to eliminate the need for it. For example, an NHS organisation in South Yorkshire sought to introduce information protection technology to compile root cause analysis for all security incidents, leading to improved anticipation of threats.
  3. Plan for Disruption: Lean Thinkers use an approach to planning that is “reflexive” because it is just like your reflexes. Planners should consider using a tool for reflexive upstream planning for all cyber security activities. This includes using risk forecasting and futures studies to build richer intelligence regarding emergent risks.[ii]



Make your cyber security strategy and standards transparent and intuitive. This can reduce the wasteful activities that are impinging on the progress of our security projects and initiatives. As austerity is predicted to end, it is vital that the resourcing mistakes made by CISOs in the previous decade are addressed and resolved via a change to a Lean mindset.

Too many of our current activities are simply rendering more waste for review and analysis to no obvious end. Policy making, event logging or incident management without root cause analysis are examples of cyber security activities that are highly wasteful, offering little actionable intelligence for CISOs.

Simple Lean methods like Kanban cards and value stream mapping are often ridiculed as faddish and ineffective. Yet they are intuitive and simple, and they aid clearer thinking about cyber security strategy. Security anomalies quickly become obvious via simple analytical techniques and can be addressed and resolved.

Lean is not a complete solution. However, it does offer an updated approach to ensure cyber security is optimised for delivery over the next decade.


[i] Source: https://books.google.co.uk/books/about/The_Lean_Information_Management_Toolkit.html?id=rajdXwAACAAJ&redir_esc=y

[ii] Source: https://books.google.co.uk/books/about/The_Lean_Information_Management_Toolkit.html?id=rajdXwAACAAJ&redir_esc=y
