Is Your Security Department Adding Value?

I was speaking with a Global Security Director recently who was expressing his frustration about a lack of staff and resources. It’s a common concern. Whenever resources are constrained, I am reminded of the importance of the concept of “value-added” versus “non-value-added” work. I first learned about this many years ago during Lean Six Sigma quality management training at General Electric.

In a manufacturing context, an activity adds value only when it transforms the product, typically from raw materials, into finished goods in a way that the customer is willing to pay for. Conversely, non-value-added activities are everything else that doesn’t change the product’s worth (value) in the eyes of a paying customer. Although these concepts originated in manufacturing, they are also easily adapted to services; in fact, we were applying them to lending processes at GE Capital.

As a Security Director, you need to define both your “customer” and your “product”. For the purposes of this article, I will define the product (technically it is a service) as security risks that you and your team are managing. Obviously, to manage these risks you must identify, assess, and prioritize them and then apply and maintain controls to reduce their likelihood of occurrence or their impact. That is the service you are providing. The customers, those paying for the service, are the owner or the shareholders whose financial interests are typically represented by the Board of Directors, the President, and CFO.

So what constitutes value-added work within the security department? Which activities actually transform (modify or make changes to) the service in ways that your customer is willing to pay for? Does conducting a security risk assessment add value? What about implementing a new control measure? Or changing an existing control measure? How about conducting an audit or a supplier review or investigating an incident? Publishing an SOP? Submitting a travel expense claim? Reviewing timesheets? Conference calls? Emails? Zoom meetings?

As the Security Director, your department relies on you to clearly define its service as well as who your customers are. Only then can you observe, assess, and monitor your team’s activities and determine which ones add value to the finished product. While you may never know specifically, on any given day, week, or month, whether the ratio of value-added to non-value-added work is 90/10, 30/70, or 50/50, you can get a rough idea. With that baseline, you can embark on continuous improvement by teaching your team how to prioritize their efforts and increase the value they are adding.