The following is a guest post by Phil Fuhrer. Phil has many years of experience in the assessment and management of IT systems quality. In addition to his current work at VeriSign his interests include requirements, systems architecture and security technology.

Edward Deming is considered the father of statistical quality control. The “Deming Cycle” and his fourteen points for managing quality improvement are the most widely known parts of Deming’s work.

The “Deming Cycle” is much like the Systems Development Life Cycle and other methods that ratchet change, allowing continuous improvement. Less well known is Deming’s insistence that effective quality improvement cannot be done without statistically stable quality measurements (Bell Laboratories Deming Quality class, about 1996). As a statistician he recognized that attempting to improve an unstable or poorly understood system is non-scientific tampering.

The fourteen points are rooted in the idea that management must advocate quality in non-production-line systems, where success and failure cannot be counted or otherwise easily measured.

Security is a type of quality and cannot be measured by counting successes and failures. Restating Deming’s fourteen points as security directives is a useful way to direct security management.

Deming’s 14 points for management, paraphrased, and their security implications are:

1. ”Create constancy of purpose towards improvement”. Replace short-term reaction with long-term planning. – Assessment, testing and compliance evaluation are tools to identify defects. Further analysis should be done to identify the root cause of defects and to systematically improve the processes that determine the security level.

2. ”Adopt the new philosophy”. The implication is that management should actually adopt his philosophy, rather than merely expect the workforce to do so. – Often security, like other quality dimensions, only receives upper management attention when there is an abject failure resulting in high cost or low profit. Management should adopt a security policy.

3. ”Cease dependence on inspection”. If variation is reduced, there is no need to inspect manufactured items for defects, because there won’t be any. – In security, inspection should be built into production processes rather than treated as a separate or add-on activity.

4. ”Move towards a single supplier for any one item.” Multiple suppliers mean variation between feed-stocks. – In security, variation can be caused by overly complex interfaces between software suppliers and by incorrect or malicious user input.

5. ”Improve constantly and forever”. Constantly strive to reduce variation. – As with other quality dimensions, there is no such thing as perfect security.

6. ”Institute training on the job”. If people are inadequately trained, they will not all work the same way, and this will introduce variation. This applies to both production and development staff. – Security training, like other quality training, is inadequate when it creates machine-like rote behaviors that reduce attention to variation (unusual security risks).

7. ”Institute leadership”. Deming makes a distinction between leadership and mere supervision. The latter is quota- and target-based. – This fits for security.

8. ”Drive out fear”. Deming sees management by fear as counter-productive in the long term, because it prevents workers from acting in the organization’s best interests. – This fits for security.

9. ”Break down barriers between departments”. Another idea central to TQM is the concept of the ‘internal customer’: each department serves not the management, but the other departments that use its outputs. – In security, while some barriers between production and development are needed, finger-pointing and miscommunication must be addressed.

10. ”Eliminate slogans”. Another central TQM idea is that it’s not people who make most mistakes – it’s the process they are working within. Harassing the workforce without improving the processes they use is counter-productive. – Security management by slogan is not effective.

11. ”Eliminate management by objectives”. Deming saw production targets as encouraging the delivery of poor-quality goods. Real productivity is not measured by volume alone. – Security and other difficult-to-measure quality dimensions should not be short-changed.

12. ”Remove barriers to pride of workmanship”. Many of the other problems outlined reduce worker satisfaction. – This fits for security. Workers should take pride in identifying potential security holes.

13. ”Institute education and self-improvement”. – This fits for security.

14. ”The transformation is everyone’s job”. – This fits for security.

