Key Points

  • Hoshin Kanri aligns security initiatives with long-term business goals, transforming security from a reactive force into a strategic enabler.
  • Iterative PDCA cycles guarantee that cybersecurity efforts support measurable organizational outcomes.
  • Cross-functional collaboration and continuous improvement create organizational resilience.

In today’s enterprise environment, IT security isn’t merely a technical function; it is a critical business enabler. That said, many organizations struggle to align cybersecurity initiatives with their long-term goals. Misallocated resources, fragmented teams, and missed opportunities are just a few of the symptoms of this misalignment.

Hoshin Kanri, a structured planning methodology, becomes invaluable when integrated with IT initiatives. However, it takes some finesse to create the conditions under which cybersecurity initiatives line up with your long-term strategic goals. Today, we’re looking at practical applications of Hoshin Kanri to your cybersecurity needs, and at how those applications support your strategic vision.

Vision into Action

Implementation of Hoshin Kanri begins by setting an organization’s long-term strategic vision, typically covering the next 3 to 5 years. IT security is usually treated as something reactive, brought in only when a mishap or incident needs a response. By integrating your cybersecurity needs into Hoshin Kanri, however, you set things up so that security initiatives map directly to business outcomes.

Think of it like this: an organization wants to expand its digital services safely, with goals like rolling out multi-factor authentication over the next two years. This creates clarity and purpose for the security teams doing the work, positioning them as enablers and as an integral part of the overarching long-term vision. Adjusting your mindset is vital to how you view cybersecurity in the broader scope of your business.

Cascading Objectives

Moving from high-level strategic visions, Hoshin Kanri typically breaks things down into cascading objectives. Work is assigned to various departments and teams, which is where you can start to integrate security objectives alongside the tasks at hand. At the executive level, this might be an objective like maintaining brand reputation while staying within regulatory guidelines.

Security personnel might aim to reduce incident response time, bringing MTTR down by 40 or 50% while also integrating better threat intelligence. Operational teams in your IT department might look to automate patching, implement continuous monitoring, and enforce more secure computing practices.

Cascading your objectives means that IT security efforts aren’t isolated technical projects. Instead, they’re directly tied to the measurable outcomes of your business. This aligns the long-term strategic vision, the short-term objectives, and the security priorities that maintain business continuity.

Prioritizing Initiatives

So, how do you know which objectives to prioritize when looking at the broader picture? You’ll want to make use of the X-Matrix, a critical tool in Hoshin Kanri. This visual aid enables you to see the connection between goals, initiatives, metrics, and who is responsible for the tasks at hand. For IT security, this might have decidedly different contents than for the marketing team.

Main goals to keep in mind might be to maintain business continuity, reduce downtime, and support digital transformation and other technological efforts. Initiatives might be things like user training, automated threat detection, and implementation of the principle of least privilege to curtail the rate of incidents.

As for ownership, that extends to the IT team, to DevSecOps where available, and to other departments. This visual representation enables management to identify dependencies, eliminate redundancies, and prioritize the objectives with the highest potential impact. You aren’t evaluating security projects in a vacuum, but as work that benefits both the security department and the organization as a whole.

Metrics and Business Impact

As someone who used to work in security, I will say one of the biggest shortcomings in gathered metrics is focusing only on technical aspects. Teams will focus on things like patching rates, vulnerability counts, and other KPIs that are mostly relevant for internal use. Under Hoshin Kanri, business-relevant metrics are worth recording as well, particularly those that show the overall value delivered by security initiatives.

Things like reduced downtime, customer trust metrics, and mean time to remediate are all vital metrics when applied to business operations. As such, for security teams, it becomes a matter of reframing core metrics with business operations in mind. You’ll want to focus on criteria like risk reduction, cost avoidance, and revenue protection. This makes the work done by any IT team take on a tangible, quantifiable impact that your C-suite executives can understand.

Continuous Review and Improvement

Hoshin Kanri, and Lean by extension, make use of PDCA, the Plan-Do-Check-Act methodology. For teams working under Agile and DevSecOps principles, it is a natural fit, since it directly aligns with their iterative way of working. In the context of an IT security operation, PDCA might look like this:

  • Plan: Identify risks and map to security actions.
  • Do: Implement security projects.
  • Check: Measure KPIs, conduct audits, and assess alignment with business objectives.
  • Act: Adjust policies and priorities based on results, alongside evaluating the current threat landscape.

Implementing an iterative approach, which security teams will already be used to, means that cybersecurity operations take on a proactive, adaptive role. This runs counter to how most businesses run security operations, treating them as purely technical, compliance-driven functions.

Enhancing Cross-Functional Collaboration

Cross-functional collaboration is a must when integrating Hoshin Kanri, since the methodology depends on cross-departmental alignment. IT security teams and business teams often have a disconnect, but that doesn’t have to be the case. Joint planning sessions can be held to understand the business impact of security investments.

Further, you’ll want to encourage shared accountability and ownership for metrics and risk mitigation outcomes, as these aren’t solely a focus of IT teams. Finally, you’ll want to foster communication channels where those big technical decisions are rendered into business terms. Investing $425k in endpoint detection systems might be nebulous, but revealing that you can save millions a year in prevented downtime has a far more tangible impact.

Strategic Risk Management

One of the most powerful aspects of implementing Hoshin Kanri is its ability to link risk management to business strategy. You aren’t treating IT security needs as a regulatory checkbox to stay within compliance. Instead, you’re doing things like prioritizing high-value assets for advanced protection, segmenting critical systems, and developing data-driven decision-making based on threat intelligence and incident trends.

If anything, you want to foster a connection between security efforts and financial outcomes. It might seem hard to grasp at first glance, but your security posture plays a direct role in brand reputation, revenue, and customer trust. Security should be at the boardroom table, not relegated to server rooms and IT departments.

Cultural Alignment

Continuous improvement is the name of the game with anything in Hoshin Kanri, reflecting its ties to Lean principles. Those same principles apply directly to security. Threat management isn’t a one-and-done practice, nor should it be. Employees in every department should receive regular training to recognize common security threats.

Additionally, security should be a central pillar of all business operations, rather than just an afterthought. Teams will also want to integrate the lessons learned from incidents and their aftermath into future strategy and process design. Over time, as you’re in pursuit of your long-term strategic goals, this builds a resilient organization. Further, it builds an organization where security practices reinforce and complement business objectives, rather than acting as a bottleneck.

Other Useful Tools and Concepts

Ready to keep going? You might want to take a closer look at how Six Sigma creates a powerful combination when utilized with DevSecOps. By leveraging the tools, methodology, and principles behind Six Sigma in your CI/CD pipeline, you’re building better, cleaner software that only serves to foster customer trust.

Additionally, you might want to consider making use of Kaizen for your inventory management needs. Being proactive, continually improving, and integrating good practices will only serve to bolster your daily operations and create an inventory system that can weather any hardships.

Conclusion

Hoshin Kanri and IT security aren’t at odds with each other in the slightest. Instead, by integrating security with your long-term objectives, you’re building a far stronger organization. Security objectives shouldn’t hinder the strategic vision; they should act as a critical enabler of business continuity and continued excellence, and bolster your brand’s reputation.