Organizational Excellence in the Cyber-Risky Age
Robert Fangmeyer, Director, Baldrige Performance Excellence Program
In August of 1987 Congress created a public-private partnership that spawned a global movement, the Baldrige Performance Excellence Program. This small program was given a great big purpose: to improve the quality and performance of U.S. businesses so as to improve our national competitiveness As a nation, we struggled at that time to produce high-quality, low-cost products and services, and we were losing market share and jobs to global competition. The Baldrige Program was established to help turn that around, and for the past 29 years, we have been extremely successful, establishing a globally recognized standard of excellence used to facilitate and enable a systems approach to organizational excellence and improved outcomes in businesses, nonprofits, educational institutions, and health care providers of all kinds.
Today, there is another threat to the long-term success and sustainability of nearly every organization in the United States: ensuring appropriate cybersecurity. In our increasingly connected data-driven world, protecting data, information, and systems has become a basic necessity for organizations of all kinds and a critical national priority.
In response to President Obama’s Executive Order (EO) 13636 and in partnership with industry, NIST developed the Framework for Improving Critical Infrastructure Cybersecurity (PDF). NIST’s Cybersecurity Framework helps organizations understand what should be included in a robust cybersecurity risk management program, and it has now been deployed across critical infrastructure sectors and more broadly throughout the United States. Since then, numerous implementations have been developed, tailoring the Cybersecurity Framework to specific industries, associations, and even specific organizations.
So what does this have to do with the Baldrige Program and the Baldrige Excellence Framework?
Those familiar with the Baldrige framework know that ensuring the security of data, information, and systems is not new to the Baldrige Criteria, and in fact it first showed up in the Information and Analysis section (Category 4) of the 2001 version.
However, over the past 15 years, the prevalence, importance, and, unfortunately, the misuse of electronic data and information have increased exponentially. In keeping with our mission and in response to an expressed need across multiple industries, we are now partnering with NIST’s Applied Cybersecurity Division to develop a Baldrige-based assessment tool aligned to the Cybersecurity Framework. This tool will enable an evaluation of not only the robustness, but also the effectiveness and “maturity” of the cybersecurity risk management programs of organizations of all kinds.
U.S. Chief Information Officer Tony Scott, who is helping to lead the President’s Cybersecurity National Action Plan, is a strong advocate of the potential benefit to be derived from a Baldrige-based cybersecurity assessment process:
“We are making strides in raising the level of cybersecurity across the nation. Baldrige-based approaches have helped organizations to improve their performance over several decades,” said Scott. “Voluntary cybersecurity assessments using a Baldrige approach will stimulate improvement, begin to pool talent, and share solutions to the security challenges and problems organizations face today.”
Over the past six months, the Baldrige Program has been part of a working group, including the Applied Cybersecurity Division, Mr. Scott’s office, and a diverse cross section of more than 20 industry participants representing hundreds of organizations, to explore the need for, the potential of, and the pitfalls to avoid in regard to a Baldrige-based cybersecurity initiative. Industry organizations taking part in these discussions have included Baldrige Award recipients PricewaterhouseCoopers Public Sector Practice, Advocate Good Samaritan Hospital, and Boeing. Working with industry to determine the path forward is one of NIST’s core competencies and is certainly key to this effort.
“NIST’s efforts to couple the proven processes and value of the Baldrige Program with the increasingly popular Cybersecurity Framework will be voluntary and private sector-driven. We will measure this initiative’s success by its usefulness to companies and other organizations in strengthening their cybersecurity risk management,” said Willie E. May, Under Secretary of Commerce for Standards and Technology and Director of NIST. “The goal is to help organizations get even greater value from the Cybersecurity Framework by providing a way to assess and guide their cybersecurity risk management.”
The first step in this effort will be the development of a self-assessment tool — the Baldrige Cybersecurity Excellence Builder. The tool will enable organizations to better understand the effectiveness of their cybersecurity risk management efforts and identify opportunities for improvement based on their cybersecurity needs and objectives as well as their larger organizational needs, objectives, and outcomes.
We are very excited about the opportunity to partner with industry to help address this critical national need. For nearly 30 years, we have been fostering organization-wide excellence, and in 2015 we embarked on two strategic initiatives that will bring the Baldrige concepts to a much wider audience: cybersecurity and Communities of Excellence 2026. The cybersecurity initiative drills down into a critical component of organizational performance and sustainability, while COE2026 adapts Baldrige’s systems approach to achieving excellence to entire communities.
We estimate that a draft of the Baldrige Cybersecurity Excellence Builder will be available for broad public input in early-fall 2016. If you would like the opportunity to review, just send an email to firstname.lastname@example.org.
The Baldrige Foundation is also supporting our cybersecurity and Communities of Excellence efforts through advocacy and fundraising. You may visit their website for more information.
To make sure you never miss our blog posts or other news from NIST, sign up for our email alerts.
About the Author
Bob Fangmeyer was named director of the Baldrige Program in November 2013. He is only the third director to lead the BPEP since its establishment by Congress in 1987. As deputy director, acting director, and director, Bob has led the design, development, and successful implementation of a new business model for the program; managed overall program operations; tracked performance against the business plan; ensured efficient and effective operations; and planned for strategic capability and capacity needs.