Deming for Ransomware and Cyberwarfare? Yes!

Guest post by Brian Barnier. This is part 1 of a 2-part series on Deming in cyber security.

Do you remember the “I Love Lucy” episode where Lucy and Ethel try working in a chocolate factory? They scramble to meet their quota, hiding the chocolates they didn’t have time to process from their supervisor, who then speeds up the assembly line because they did such a great job! The new quota is hilariously beyond what the women are capable of processing, so they stuff the chocolates in their hats, into their uniforms, in their mouths, and push them under the machine. When the supervisor catches them, they’re fired – even though the system was the problem. (You can watch the mayhem here.)

It’s funny, yet an obvious example of people set up to fail.

When flaws are designed into a method because a system isn’t fully understood, people are set up to fail. Consider a building with flawed engineering – a structural flaw. An interior designer can create beautiful décor and maintenance crews can fix broken pipes. But neither can fix the structural flaws.

Inappropriate methods applied to cyber security problems are like flaws in a building’s engineering: they set people up for failure and burnout. Deming’s System of Profound Knowledge is the antidote, but few understand how it applies to cybersecurity.

The system in which cyber lives is more complex, adaptive and chaotic than many others. Unfortunately, rather than use methods appropriate for the cyber system, typical methods are adapted from linear, stable systems, such as bookkeeping.

Given problematic methods, more tech tools only complicate the problems.

“It is a common supposition that quality and productivity can be achieved by putting on the screws, and by installing gadgets and new machinery.” This is the wrong way. (Out of the Crisis, Reissue Page 20)

Instead, Dr. Deming described identifying and managing two types of variation to improve quality and productivity:

  1. Common causes (problems resulting from the inherent design of the system, and therefore the responsibility of the management that designed the system.)
  2. Special causes (something special, not part of the system of common causes, like an employee becoming sick and unexpectedly out for two weeks.)

“Numerous examples…illustrate how failure to appreciate the two kinds of variation, special causes of variation and common causes…brings loss and demoralization.” Out of the Crisis, Reissue, Location 259 (Kindle edition)

Dr. Deming noted that 94% of troubles and possibilities for improvement  belong to the system where “no amount of care or skill in workmanship can overcome fundamental faults of the system.” The New Economics page 25

Deming devised his Red Bead Experiment to make clear to managers how a failure to understand the system, and variation within the system, only led to frustration, not improvement. I love Dr. Deming’s wry humor in this video.

Using the System of Profound Knowledge and Plan-Do-Study-Act cycles allows you to reduce common cause variation (including structural flaws) to get a better result. How? 1) By understanding the system that produced the variation, default or defect(s)and 2) By changing methods or designing a better approach that will lead to improvement of the process or system. You can investigate the special cause problems separately because they arise from causes outside the system and beyond your control (for example, a government shutdown.) The mistake is to react to an outcome from a special cause when it comes from a common cause and vice versa.

Today, cyber pros are victims of a decades-old problem. Cyber has been left behind. It doesn’t have to be this way.

Nine keys to improving cybersecurity – inspired by Dr. Deming’s famous 14 Points for Management.

Deming’s legacy has never been more valuable: we can use his System of Profound Knowledge in our increasingly complex world.

“Investment in gadgets, high technology, automation, new machinery, are not by themselves the answer. Expenditures must be guided with profound knowledge.”The Essential Deming: Leadership Principles from the Father of Quality, page 44

His book, Out of the Crisis, has influenced systems thinkers facing complex challenges like cybersecurity. In it, he offered his famous 14 Points for Management to achieve objectives and cut costs more easily. Note that Deming emphasizes the power of the 14 Points comes from first understanding his System of Profound Knowledge.  He states in The New Economics 3rd Edition, page 64:

“The 14 points for management (Out of the Crisis, Ch. 2) … follow naturally as application of this outside (System of Profound) knowledge, for transformation from the present style of Western management to one of optimization.”

It starts by putting people in the center.

Most cyber security breaches are self-inflicted from structurally flawed cyber methods – focused on threats (such as ransomware and design of attacks) and tech instead of people and what to protect. Deming sought to empower people.

Innovation and education in cyber have fallen far behind other disciplines.

Nine of Deming’s 14 points apply to cyber:

  1. Constancy of purpose toward improvement of product and service.
  2. Adopt the new philosophy … and take on leadership for change.
  3. Cease dependence on inspection (audit) to achieve quality. Eliminate the need for inspection on a mass basis by building quality into the product in the first place.
  4. Improve constantly and forever the system of production and service, to improve quality and productivity, and thus constantly decrease costs.
  5. Institute leadership (see Chapter 8 in Out of the Crisis). The aim of supervision should be to help people and machines and gadgets to do a better job.
  6. Drive out fear (in cyber, this is internal infighting across “lines of defense”) so that everyone may work effectively for the company.
  7. Break down barriers between departments.
  8. … the bulk of the causes of low quality and low productivity belong to the system and thus lie beyond the power of the workforce.
  9. Institute a vigorous program of education and self-improvement.
  10. Put everybody in the company to work to accomplish the transformation. Transformation is everybody’s job.

You can find the complete list here, and I recommend reading his books to appreciate the context fully.

Some in cybersecurity reject this approach saying, “cyber isn’t an assembly line.” This misses the reality of business – systems are complex, dynamic and chaotic, from consumers to supply chain. Businesses face adversaries from weather to war. Deming understood this, having worked for years at the U.S. Department of Agriculture (he was born in Iowa and raised in Wyoming) and taught seminars for the U.S. War Production Board during WWII. His System of Profound Knowledge elegantly provides a framework for designing and improving systems.

Want to learn more? Check out DemingNEXT

We invite you to learn more about DemingNEXT – the new way to learn and deepen your understanding of Deming. With case studies, interactive exercises, videos, articles, interviews, and more, DemingNEXT is the only place for authentic Deming learning. Click here to learn more and sign up for a free trial!

For the latest updates, events, and learning opportunities, subscribe to our mailing list.

Brian Barnier is a co-founder of Think.Design.Cyber and CyberTheory Institute. More at

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top