Fortunately, Deming’s 1986 book, Out of the Crisis (MIT, Center for Advanced Engineering Study), spoke to the real management task at hand, on the basis of his experience in Japan: “Long-term commitment to new learning and new philosophy is required of any management that seeks transformation. The timid and the fainthearted, and the people that expect quick results, are doomed to disappointment.” An octogenarian at the time, Deming admonished managers and corporate leaders to accept responsibility for the environment they had created, one that encouraged poor quality. With a subtle mix of humor and pedantic paternalism, he preached his 14 points of management and maintained a travel schedule beyond the limits of many people half his age until his death at 93.
Over time, management provided the needed training and the empowering environment to allow employees to address quality issues through small incremental improvements and simple tools such as Ishikawa (or “fishbone”) diagrams to identify possible root causes and Pareto charts to focus on the critical few. But as Deming had predicted, many leading companies eventually concluded that simple tools and frontline employees were insufficient to the task.
To push for step-function rather than incremental improvement, in the mid-1980s Motorola developed Six Sigma and trained a set of technical experts, known as black belts, to apply more sophisticated problem-solving tools. General Electric CEO Jack Welch learned of the power of the methods from Larry Bossidy, CEO of Allied-Signal (now Honeywell), in the mid-1990s and helped popularize the Six Sigma approach by training thousands of GE managers as certified black belts. Although most of the tools had existed in previous quality system manifestations, Six Sigma added a clear focus on quantifying the benefits of solving problems and investing critical time in getting stakeholder buy-in to implement proposed solutions.
Most importantly, Six Sigma raised the bar of expectations for quality performance and made it everyone’s job. The language of “acceptable levels” of poor quality was permanently erased from the business lexicon. The philosophical mantra of “zero defects” was replaced by the goal of Six Sigma quality, precisely defined as no more than 3.4 defects per million opportunities. And building on the Japanese notions of quality circles and continuous improvement, Six Sigma engaged the entire organization. Problem-solving black belts led the way, but a host of green belts, from frontline employees to senior managers, also participated.
Quality and Information Security
If today’s managers adopted the approach taken by the quality movement toward product flaws, they could revolutionize how we tackle information security problems. The goals of information security are simple but daunting: ensure the confidentiality, integrity, and availability of information. Unpacking those three words: confidentiality means information is seen only by its owners and by those to whom they grant access; integrity means it is not changed without the owner’s permission; availability means we can reach our information whenever we need it.
Achieving these goals requires maintaining control over both logical systems and their physical environment. We are all familiar with physical security. At home, we install strong doors that we lock, giving keys only to our family and friends. We install intrusion alarms that monitor doors, windows, or movement in the house. We examine travelers’ identities and use metal detectors and body scanners at airport entries to watch for terrorists. We install surveillance cameras to watch for suspicious behavior.
Many of these analogies carry over to the digital world. Firewalls limit access through specific doors, called ports. As e-mail passes into a corporate network and then onto a user’s machine, it is examined to see whether it contains malware. Beyond watching the doors, antivirus software monitors the files and activity on the machine itself for anything suspicious. Identity management and access control systems require users to identify themselves and ensure that users see only the information they are entitled to see. Intrusion detection systems watch for hackers who have found a way into the network. And encryption protects both data at rest (stored on a disk) and data in transit (moving across a network), so that if it is stolen or lost it cannot be read without the appropriate keys; with modern authenticated encryption modes, any tampering with the stored or transmitted data is detected as well.
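To make the confidentiality and integrity goals concrete, the following Go program is an added example written for this edition; it is not code from the original text or from any product it mentions. It stores a document “at rest” under AES-256-GCM, an authenticated encryption mode, and puts an access-control decision in front of decryption: only the owner or a principal the owner has granted access to can read the plaintext (confidentiality), and any modification of the stored bytes, or use of the wrong key, is detected and refused (integrity). The Record type, the principal names, the grant list, and the sample document are all constructed for the demonstration; only the crypto/aes and crypto/cipher calls are real standard-library APIs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrAccessDenied: the principal is neither the owner nor on the grant list.
// The decision is made before any decryption happens (confidentiality).
var ErrAccessDenied = errors.New("access denied")

// ErrTampered: the GCM authentication tag did not verify, so the stored bytes
// were modified or a wrong key was used (integrity, enforced on every read).
var ErrTampered = errors.New("integrity check failed: ciphertext modified or wrong key")

// Record is a constructed stand-in for a stored document: its owner, the
// principals the owner has granted access to, and the data "at rest" laid
// out as nonce || AES-GCM ciphertext || tag.
type Record struct {
	Owner  string
	Grants map[string]bool
	Sealed []byte
}

// Seal encrypts plaintext with AES-GCM under key and prepends a fresh random
// 96-bit nonce. GCM yields confidentiality and an integrity tag in one step.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext+tag to its first argument, so the
	// result is nonce || ciphertext || tag, ready to be written to disk.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext or tag, or use of
// the wrong key, makes the tag check fail and is reported as ErrTampered.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, ErrTampered // too short to hold even a nonce and a tag
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, ErrTampered
	}
	return pt, nil
}

// Read is the access-control gate. The identity check comes first, so an
// unauthorized caller learns nothing about the content, not even whether
// the stored bytes still decrypt.
func (r *Record) Read(principal string, key []byte) ([]byte, error) {
	if principal != r.Owner && !r.Grants[principal] {
		return nil, ErrAccessDenied
	}
	return Open(key, r.Sealed)
}

func main() {
	key := make([]byte, 32) // demo key; in production it would come from a key store
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	sealed, err := Seal(key, []byte("Q3 payroll: constructed sample data"))
	if err != nil {
		panic(err)
	}
	rec := &Record{Owner: "alice", Grants: map[string]bool{"bob": true}, Sealed: sealed}

	for _, who := range []string{"alice", "bob", "mallory"} {
		pt, err := rec.Read(who, key)
		fmt.Printf("%-8s -> %q, err=%v\n", who, pt, err)
	}

	// Flip one bit of the stored ciphertext, as disk corruption or an attacker
	// with write access to the storage would; the owner's read now fails closed.
	rec.Sealed[len(rec.Sealed)-1] ^= 0x01
	_, err = rec.Read("alice", key)
	fmt.Println("after tampering:", err)
}
```

Two design points carry over to real systems: the authorization check runs before the key is used, so the access-control layer and the cryptography fail independently, and the integrity failure is a hard error rather than a warning, which is what “fail closed” means in practice.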