Guest post by Brian Barnier. This is the second in a 2-part series on using Deming for cyber security.
In the mid-1990s, the Israel Defense Forces brought design thinking to the military. The U.S. Joint Special Operations University has videos from several countries. Deming understood the chaotic situations of weather and war, and his System of Profound Knowledge accounts for those and other threats to stability.
Enemy motives vary. Yet, cyber-attacks are similar, and cyber security professionals aim to protect people from danger.
“Hard work and best efforts will not by themselves dig us out of the pit. In fact, it is only by illumination of outside knowledge that we may observe that we are in a pit.” The New Economics, 3rd edition, page 16
It is imperative for us today to learn from Deming and fellow systems thinker Russell Ackoff:
- Understand the nature of the system, how it works and the reality that anything that can change the outcome of a system is part of the system
- The system is NOT just IT (challenging enough) – it is also the behavior of adversaries AND cyber pros like consumers and designers as in Dr. Deming’s diagram below. It is essential to define the boundary of the system and its span of influence, as you will build your system to include everything in that boundary.
- Failure flows from misunderstanding the whole system – tech OR behavior
- Outthinking enemies is essential (Sun Wu/Tzu)
- Outthinking requires challenging assumptions, reframing problems and creativity (critical thinking and systems thinking)
- Imagination requires envisioning alternative futures (see JSOU videos and new products management discipline)
For Deming, implementation was vital so that people and companies could continuously improve.
- Deming’s workshops were in a hybrid education-advisory style
- Coaching to enable people to be successful
- Transformation starts with the individual
- Top managers need to take responsibility for changing the system
Dr. Deming used this graphic for his dramatic improvement initiatives in Japan starting in the 1950s:
From this diagram, a closer look at his system view:
- Design thinking – understanding and empathizing with your customer – is one part of systems thinking
- Design is aesthetics plus ease of manufacture, use and service – beyond “User Experience” and “human-centric”
- Consumers and consumer research drive redesign
- Machinery is tested as a system – unlike point products in cyber that lack integration and boost costs
- “Inspection” is about designing in quality from the beginning – not disconnected audit
- Improved methods and machinery are designed to focus on the system. Improvement in design and system optimization will result in significant cost savings, eliminating the need for arbitrary, demoralizing cost cuts across the organization and individual departments.
- Most importantly, use processes, methods and testing to understand the capability inherent in the design of the system, and then use PDSA to improve the process and decrease common cause variation and other structural flaws so that people can be successful in the system
Some in cybersecurity reject this approach saying, “cyber isn’t an assembly line.” Yet, this misses the reality of business – systems are complex, dynamic and chaotic – from consumers to supply chain. Businesses face adversaries from weather to war. Deming worked for years at the U.S. Department of Agriculture (he was born in Iowa and raised in Wyoming) and taught seminars for the U.S. War Production Board during WWII.
Building knowledge to avoid ransomware by outthinking our enemies
For Deming, it wasn’t just individual methods that needed improving; it was also the system of creating knowledge and the system for educating people.
Deming’s System of Profound Knowledge has four aspects: appreciation for a system, knowledge of variation, theory of knowledge and psychology.
For cyber pros:
- Appreciation for a system – a system is more than tech; it is every cause that can change the outcome of a system, including the behavior of our enemies and ourselves.
- Knowledge of variation – What root causes of incidents are designed into a system and which are not? Deming observed that by expanding a system view, more causes are part of a system.
- Theory of Knowledge – This is Critical Thinking and Epistemology that is central to Industrial-Strength Design Thinking. For Deming, this started with providing a new, outside view and includes thinking in new ways with new knowledge (not just information).
- Psychology – Deming put people in the center. To successfully apply knowledge, he stressed the need to remove fear from the workplace, realize the power and pleasure derived from intrinsic motivation and cultivate cooperation.
Luckily, Deming wrote:
“One need not be eminent in any part nor in all four parts [of the System of Profound Knowledge] in order to understand it and to apply it.” The New Economics, 3rd edition, page 64
Finally, here are a few questions for cybersecurity professionals to consider:
- How much training is tech and tactics versus education in how a system works?
- Would you fly on a plane with a pilot who only knew components? Would you go to a doctor whose methods were as siloed as those in cyber?
- How do cyber root cause analysis methods compare to more robust methods in other disciplines?
- We need to be aware that root cause analysis:
  - Assumes this is a single issue when there may be more than one
  - Does not usually ask the question of what events from a distance may have facilitated the root cause
- How can we design out root causes that were designed-in?
- How often is cyber limited by structural blindness, cognitive bias, and groupthink?
- When are cyber pros set up to fail by methods they are forced to use?
Brian Barnier is a co-founder of Think.Design.Cyber and CyberTheory Institute. More at www.thinkdesigncyber.com