Deming’s system of profound knowledge for digital organisations

Glenn Wilson
Jan 24, 2023

If you know anything about W. Edwards Deming’s work, above all else you probably know about his 14 points for management, his seven deadly diseases of management, and his system of profound knowledge. In recent years, I have developed a greater appreciation for Deming’s philosophy mainly because I have made and seen the mistakes he warns us against. I believe that these mistakes are driven by the culture in which we live; a culture that emphasises performance and competition above quality and collaboration. Therefore, there is much we can learn from Deming’s work to improve how we live and work. In this article I focus on the system of profound knowledge (SoPK) in the context of cybersecurity.

Let’s start by reminding ourselves what SoPK is. There are four interrelated components of this system:

  1. Appreciation for a system
  2. Knowledge of variation
  3. Theory of knowledge
  4. Psychology

Of the four components, knowledge of variation has been much harder to articulate in the context of cybersecurity than the others. In a recent podcast with John Willis, I talk about how this discipline is hard to implement within an organisation and its importance is not very well understood within cybersecurity. I hold onto the theory that because cybersecurity is driven by metrics such as vulnerability count, time to remediate, and code coverage, there should be more statisticians analysing the data to identify potential areas for engineers to investigate. But in my experience, I have rarely seen a statistician working within a cybersecurity function extracting and analysing data from the outputs of various security tools. Indeed, aggregation tools have been developed to present data from these outputs, but these are often used for reporting purposes, or by internal governance teams to evidence security practices, above any other practical implementation. It does not help an organisation understand its cybersecurity status as effectively as a statistical analysis of the data in the context of the environment in which the data is collected.

I feel the need to ask the question: is “knowledge of variation” still relevant as a tool that will help release us from the crisis that has gripped the cybersecurity industry? Crisis? What I mean by this is that we are seeing more and more cybersecurity incidents affecting organisations from all industry sectors across the world. Does knowledge of variation and statistical analysis perform as important a function to organisations dealing with cybersecurity as it does for those dealing with manufacturing quality? My attempts to introduce methodologies to understand variation within organisations have been a difficult quest. It seems to me organisations have no appetite to adopt statistical control practices, which leads me to believe that such practices are not relevant in a digital-first organisation. Deming’s red bead experiment is easily understood in the context of manufacturing but less so in the context of software engineering and cybersecurity.

Of the three other principles from Deming’s SoPK, appreciation of a system is probably the most misunderstood. In systems thinking terms, understanding a system can be viewed ontologically as hard systems (an objective view of a system) or epistemologically as soft systems, which view systems from the subjective perspectives of those who are within the system. A system from one perspective is different from the perspective of another. A CEO may view the system as one that produces software to meet the needs of its clients and generates interest from shareholders to invest in the organisation. On the other hand, a software engineer views the same system as a means to earn money by using their skills and knowledge to develop software. How these different perspectives relate to each other defines how the system emerges over time. Appreciation of the system means challenging what we think we know about it and looking for opportunities to learn and evolve, not only as individuals but collectively, and creating an environment for continual improvement through that learning and evolution.

Appreciation of the system encompasses the principles of the theory of knowledge and that of psychology through soft systems modelling to gain an understanding of people’s worldviews, traditions of understanding, and emotional intelligence, as well as their knowledge of their role within the system.

But where does this leave knowledge of variation? I believe that this principle derives from Deming’s own background in statistics. I think this conceals another principle that can apply to different types of businesses including manufacturing and digital. What I think Deming is doing is providing us with a principle that defines how we measure and make sense of the purpose of the organisation. It’s interesting that this principle is not included within his 14 points for the transformation of management. But what is included is the idea of constancy of purpose and of empowering employees to learn continually. It is my belief that the knowledge of variation is a means to learn how to improve the system, being aware of the traps of tampering and common causes that are part of the system. From a digital and cybersecurity perspective, I believe we need to understand what is relevant and what isn’t relevant. Focusing on irrelevant issues or treating critical issues as irrelevant will cause problems. Note, though, that the terms ‘irrelevant’ and ‘critical’ in this statement are based on the potential impact to the organisation, which derives from an appreciation of the system, not on some arbitrary vulnerability score produced by a tool. Likewise, having constancy of purpose is linked to knowledge of variation through focusing on what is important to the organisation and not being caught up in the details of day-to-day changes that have no impact on the direction of the business.

In conclusion, I believe that the four principles of Deming’s SoPK are relevant to manufacturing, but the specific nature of the knowledge of variation is not as key to the digital and cybersecurity industry as defined by Deming. My understanding of this principle leads me to believe that within cybersecurity we should identify and focus more on genuine issues that increase the risk of security incidents and focus less on the inherent risks within the system. If you want to reduce inherent risks, change the system.