Home Up Balance of Technology Engineering Solutions



Engineering Total Quality Management of Security (TQMS) 

By Roy D. Follendore III

Copyright (c) 2001 RDFollendoreIII

revised 2002

All Rights Reserved


The Deming Method of Total Quality Management (TQM) is based on fourteen obstacles to productivity and is being adapted here as Total Quality Management of Security (TQMS).  As with the Deming cycle, these fourteen points should be reinforced by a Security Cycle. Without more detailed explanations, the methodology sounds like a group of simple exhortations but when examined in context and in detail, the methodology is far more than hollow sloganeering.  As with TQM, TQMS is simple to state, but difficult to carry out.  With this in mind, I have intentionally stayed away from specific project orientations and stayed within the context of best consulting practices.  With respect to consulting, technology is easy to satisfy, people are hard.  Consultants therefore must at times be analysts, professors, psychologists, mentors, philosophers, priests and evangelists to the clients and their organizations.  From the clients perspective, half of the satisfaction of having a consultant available is to have someone to listen carefully and reply with what is in security should be just common sense. From the client's perspective it is the unstated duty of the consultant to recommend and therefore sway the internal status quo of the client toward good security practices.     




  1. Create a practice of constancy of engineering purpose designed to improve client security products and services.  

    The most important point is to begin a practice of security innovation. New security products and services must help organizations of people be productive in material ways. Resources must be placed into research and education because there can be no innovation without research, and no research without properly educated users and employees. The status quo should never be viewed as satisfactory, instead there should be continuous improvement in product or service. The organization must invest in maintaining equipment, the communication environment and in new aids to organizational engineering and implementation of security.


  2. Assure that ALL management are convinced to wholeheartedly adopt the new security philosophy.  

    Its mind must be transformed to think of security as an ongoing productive issue.  Many of the existing security structures put in place will have to be dismantled. They were never right in the first place and competition has shown their defects. Quality must become the organizations new religion. It can no longer afford the luxuries of security mistakes, security engineering defects, poor operational and implementation workmanship, bad materials, handling damage, fearful and uninformed users and employees, poor to nonexistent security training, executive job-hopping, as well as inattentive and sullen security services.


  3. Require that the organization must cease depending upon mass security inspections to uncover defects. 

    Security quality never comes from inspection processes but from the process of operational improvement. While security  inspections may be necessary to discover what is being accomplished, the overall goal of security inspections is to decrease variations within established security implementations and to learn and respond from new operational opportunities as well as mistakes.


  4. Put an end to the practice of awarding security solutions on price alone. 

    It produces lack of faith between the needs of the security users and the objectives of production oriented management. Other problems associated with using cost as the only criteria are a proliferating the number of security solution suppliers, buyers jumping from vendor to vendor and creating a reliance on security specifications; a barrier to continuous improvement to the production process.

    The cost of any security item is a meaningless measure of its quality. Thrift must be balanced by quality. This issue fits neatly with the concept of time to quality. 


  5. Demonstrate constant and forever improvement of the system of security production and security services. 

    The organizational management is obligated to continually improve security. Quality must be built into each and every security product at the design stage. Teamwork is essential to the entire process of creating quality. Simply because an irritant is removed or a particular problem solved, a security process is not usually improved. Statistical thinking is a sine qua non for improving the security process, but only if used properly, otherwise statistics create problems.  Those responsible for security management must always strive to go beyond the status quo. The crucial questions they must ask must include the following: Has performance improved over the past year or two?  Is individual productivity more effective?  Has customer satisfaction increased and has employee pride, confidence and concern improved?


  6. Institute internal and external security training and retraining and participation for everyone. 

    Control charts must be used to discover when a educational process becomes stable. Security is under statistical control when users performance reaches the point where further training will not lead to any improvements. When new equipment is purchased or a new processes are  invented, retraining the operational work force is necessary.


  7. Provide security leadership, not security supervision. 

    Security leadership is management's job and it should be a clear part of the evaluation. It is management's responsibility to discover barriers preventing users from taking pride in the security of their work. Users know the barriers such as: emphasizing security quantity not security quality, turning out insecure products quickly not properly, turning a deaf ear to user suggestions, spending too much time on re-working old security practices and solutions, using poor security tools, and institutionalizing security quality problems with incoming materials. Every manager's job is to lead security in order to help people perform their jobs better. When management hires people, it takes responsibility for their secure success or failure.


  8. Drive out the fear of security.  

    Most people, especially those in management, neither understand the job of security nor what security is doing right or wrong. Many are afraid to ask questions about security or take a position. For better security quality and productivity, people must first feel secure. They must neither be afraid to express ideas and ideals, nor afraid to ask questions. Fear about security disappears as management security leadership improves and as employees develop confidence in management security objectives.


  9. Break down security barriers between staff areas.  

    The security goal of different staff areas must not be conflict; it can ruin the security awareness of the company. Security teamwork is better.


  10. Eliminate security slogans, exhortations and targets for the workforce. 

    Security slogans generate frustration and resentment. A goal or target without a method for reaching it is useless.  Management's job is to establish a stable security system, because without stability anything can happen. An unstable security system is a bad mark against management. Only management can change the security of the organizational system.


  11. Remove security numerical quotas. Quotas impede the quality of security investigations as well as guarantee inefficiency and high cost. They bias statistics but do little to improve security performance. Proper work standards define what is and is not acceptable in terms of the quality of security.


  12. Redefine and delete barriers to the pride of security engineering workmanship and authorship. 

    Three of the main problems to reaching this point are: (a) Security engineers are regarded as a necessary commodity, to be used as needed. If they are not needed, they are returned to something productive. (b) Management never invests security engineers with authority. (c) Management never acts on user decisions and recommendations concerning security issues.


  13. Institute a vigorous program of security communication involving education and retraining.  

    Security communication involving education and retraining is absolutely required for long term planning. There is a need to constantly acquire new organizational security knowledge and new skills to deal with new security materials and new security production methods and theories.  As a result, security education and training must fit the best available people into new jobs and responsibilities.


  14. Take action to accomplish the security transformation.  

Action speaks louder than words.


The Six Steps of Active Security 
  • Study the operational organizational process with respect to the technology to decide what security changes might improve it. Organize an appropriate team to accomplish this. Use the team to decide in part: What data, information and knowledge must be collected? Does the data, information and knowledge already exists?  Is it necessary to carry out any change and make any observations? Are tests necessary? Do not proceed without a plan but put a time limit on forming the plan.
  • Engineer the security solution if necessary, and perform the appropriate tests to verify the solution is appropriate and works, or make the necessary changes incrementally, preferably on a small testable scale.
  • Observe the effects of the security tests and/or make new changes as required.
  • Study and systematically evaluate the security tests that change the results. Document what was learned. Repeat the test if necessary, perhaps in different environments as required. Make sure to look for side effects of security changes.
  • Repeat the first step, using the knowledge accumulated so far.
  • Repeat the second step, and onward. Halt when satisfied or when complete.  Repeat these six steps as required or necessary.


    Organized Security Process Security technology is not an end product. The product of security technology are the benefits that the client receives through the use of the technology.  This product is valuable but it is also often transparent.  It is part of the job of consultants to make security benefits opaque.  This all means that there is a rational procedural approach to security engineering within organizations and that approach is consistent with other organized production procedures.  Overall it this represents a plan involving constant open ended security engineering development, not incremental development within a prespecified timeframe.

    Within top management, operational consistency in the implementation of security is just as important as purpose of implementing security. Top managers should be involved and work together with mutual understanding of the fourteen points.


  • Top management must feel pain and dissatisfaction with past security practices and performances.  To succeed they must have the courage to change security. This is part of their fitness criteria.
  • Top management must explain to a critical mass of employees why security changes are necessary and they must communicate the fact that security changes will involve everyone in the company. The reason is simple.  Without the cooperation of a critical mass of employees, top management will be helpless in security implementation and the recognition of reaping the benefits of implementation.
  • Every activity involving security represents a process that can be improved.  Everyone belongs on a security team, to work within the cycles that address one or more specific security issues. The cycles will lead to continued security improvement involving new methods and procedures and can be applied to every production process.



      Consultants need to be able to recognize the problems of client organizational management in order to understand the significance of technical security issues. These diseases are life threatening to organizations that require security in order to exist.  No organization, however important is immune.  Usually the only viable option that can fix these diseases is surgery.  In order to revitalize the organization, the managerial dead wood must be cut out and expelled.  To do otherwise is to invite the diseases to reoccur. It may not be your job to recommend this decision but it is your job as a consultant to recognize that it is inevitable these issues are resolved. Consultants do not generally run the client's security software, but they are expected to evaluate the software which by definition includes the environment in which it operates.  Depending on the client relationship, the following factors may or may not be communicated to the client but knowing them can reduce the barriers between the consultant and his/her clients.       


    1. Lack of constancy and purpose with respect to security. Its absence spells doom for the internal security of an organization. Proof of management's seriousness about security constancy and the purpose of security is absolutely required. This is best accomplished through positive concrete actions, e.g., spending money on security training and equipment or the willingness to temporarily shut down operations when something is wrong.
    2. Emphasis on short term security. This phenomenon is fed by fears that senior management would rather have consistent productivity than secure productive quality. Near sighted decisions never results in overall positive changes in productivity or quality.
    3. Performance evaluations, merit ratings, or annual reviews, are also known as management by fear. This style of management has two devastating effects on security: (a) It encourages short term performance at the expense of long term security planning. It discourages risk taking, builds fear of standing up for security, undermines teamwork between the security engineers, management and users and it pits people against each other for the same rewards. (b) It increases the blind reliance in statistical production numbers without considering quantifiable evidence. Part of the job of the leader is to shrink the security variations and establish useful control limits. This leads to less security variations between activities and simplifies the security concerns.
    4. Mobility of top management. Can managers be committed to improving the quality of security when they are constantly building their resumes? People require time to learn about the operations of security together. User mobility is also a serious problem. Dissatisfaction with their performance is the chief reason.
    5. Running a company on visible figures alone, also known as "counting the money." Visible figures are, of course, important in running an organization. They help management navigate the waters of an organization's environment. However, the "unknown and unknowable" issues that security confronts are just as or even more important.
    6. Excessive productivity salary to security salary cost ratios.  Security is an important activity that must be associated with effective productivity.  Without parody security remains a fringe organizational activity rather than a core activity. 
    7. Excessive costs related to security "insurance", fueled by managers and lawyers who think that legal contracts actually solve or avoid security engineering problems.  Managers foolishly make the awful mistake of comparing loss of opportunity with compensation of existing value.  Insurance can not stop the results of harmful accidents for the same reasons that life insurance is not worth your life.  Insurance and contract protection only works when there is a low probability of reoccurring and low cost risk. There are many reasons for security and supporting the foundation of insurance and contracts are not them.  



      Find these symptoms within any organization and you are certain to find security problems that need to be resolved. 
    1. Neglect of long term security planning and security engineering transformation: upper management focuses its attention on changing frivolous security policies and dealing with short term security issues.  They ignore actual security problems and go after symptomatic issues and concerns.  
    2. The supposition that solving specific security problems, or enabling security automation, or handing out security gadgets, or new security machinery will somehow transform the nature of the organization and the people involved.
    3. The blind professional focus to search for security examples: concentration on learning absolutely why or how  organizational security practices succeeds or fails.
    4. The false complaint that our security problems are different.  (False because they are always different.)
    5. Professional school of security obsolescence: it is not necessary to learn about security on the production floor. 
    6. Reliance on security departments for security, rather than users and management for security.
    7. Blaming the users for security problems: there should be no doubt that fixing the organizational security system is management's responsibility.
    8. Security quality by inspection.  The false assumption is that security management is equivalent to oversight.  
    9. False starts, what Deming calls "instant pudding:" The fact is that security can not lift itself out of its organizational boots.  Management and company philosophy must change before anything else.
    10. The secure unmanned computer.  Actually computers do nothing secure by themselves.  The common rationality of people should be left out of the loop is a dangerous myth.
    11. Meeting security specifications.  Security specifications are to be reconsidered, reestablished and surpassed, not blindly implemented and accepted forever.
    12. Inadequate and proper security testing.  There can be no Verification and Validation without adequate and proper testing.   No security system is secure if security certification can not be maintained over time. 
    13. Anyone that is qualified to help us improve our organizational security must first understand all about our business.  The primary job of the security engineer is to implement systems that work to improve organized and individual productivity.  This involves engineering an inclusion, not exclusion of new knowledge and capabilities and the creation of a metric to make and measure change. 



    How do you know your consulting efforts will be accepted and appreciated? 

    Security Engineers and Consultants need to consistently and clearly impress upon engaged client organizational management the fact that it is essential that the perspective of people be considered when designing security systems.  

    These are the questions that you need to ask from the perspective of others involved in the security project:  

    1) Is the resolution of this security problem important to me?

    2) Are my thoughts and my objectives related to security appropriate with the facts?

    3) Is this security situation modifiable? In other words, is there anything I can do about it?

    4) Would it be worth it to do what I have to do to change the existing security situation?


    If any one or more of these questions cannot be answered with a truthful positive response then the security activity you are pursuing will be in jeopardy.  Unless these questions are positive, some degree of frustration and anger on the part of the client will be inevitable.  To a degree this may be acceptable and expected by the client, even though they may not be willing to admit it.  The value of the solutions you provide the client today determines their willingness to express their good will tomorrow. 




Copyright (c) 2001-2007 RDFollendoreIII All Rights Reserved