Organizational Excellence in the Cyber-Risky Age

In August of 1987 Congress created a public-private partnership that spawned a global movement, the Baldrige Performance Excellence Program. This small program was given a great big purpose: to improve the quality and performance of U.S. businesses so as to improve our national competitiveness. As a nation, we struggled at that time to produce high-quality, low-cost products and services, and we were losing market share and jobs to global competition. The Baldrige Program was established to help turn that around, and for the past 29 years, we have been extremely successful, establishing a globally recognized standard of excellence used to facilitate and enable a systems approach to organizational excellence and improved outcomes in businesses, nonprofits, educational institutions, and health care providers of all kinds.

Today, there is another threat to the long-term success and sustainability of nearly every organization in the United States: ensuring appropriate cybersecurity. In our increasingly connected data-driven world, protecting data, information, and systems has become a basic necessity for organizations of all kinds and a critical national priority.

In response to President Obama’s Executive Order (EO) 13636 and in partnership with industry, the National Institute of Standards and Technology (NIST) developed the Framework for Improving Critical Infrastructure Cybersecurity (PDF). NIST's Cybersecurity Framework helps organizations understand what should be included in a robust cybersecurity risk management program, and it has now been deployed across critical infrastructure sectors and more broadly throughout the United States. Since then, numerous implementations have been developed, tailoring the Cybersecurity Framework to specific industries, associations, and even specific organizations.

So what does this have to do with the Baldrige Program and the Baldrige Excellence Framework? Those familiar with the Baldrige framework know that ensuring the security of data, information, and systems is not new to the Baldrige Criteria, and in fact it first showed up in the Information and Analysis section (Category 4) of the 2001 version.

However, over the past 15 years, the prevalence, importance, and, unfortunately, the misuse of electronic data and information have increased exponentially. In keeping with our mission and in response to an expressed need across multiple industries, we are now partnering with NIST’s Applied Cybersecurity Division to develop a Baldrige-based assessment tool aligned to the Cybersecurity Framework. This tool will enable an evaluation of not only the robustness, but also the effectiveness and “maturity” of the cybersecurity risk management programs of organizations of all kinds.

U.S. Chief Information Officer Tony Scott, who is helping to lead the President’s Cybersecurity National Action Plan, is a strong advocate of the potential benefit to be derived from a Baldrige-based cybersecurity assessment process:

“We are making strides in raising the level of cybersecurity across the nation.  Baldrige-based approaches have helped organizations to improve their performance over several decades,” said Scott. “Voluntary cybersecurity assessments using a Baldrige approach will stimulate improvement, begin to pool talent, and share solutions to the security challenges and problems organizations face today.”

Over the past six months, the Baldrige Program has been part of a working group, including the Applied Cybersecurity Division, Mr. Scott’s office, and a diverse cross section of more than 20 industry participants representing hundreds of organizations, to explore the need for, the potential of, and the pitfalls to avoid in regard to a Baldrige-based cybersecurity initiative. Industry organizations taking part in these discussions have included Baldrige Award recipients PricewaterhouseCoopers Public Sector Practice, Advocate Good Samaritan Hospital, and Boeing. Working with industry to determine the path forward is one of NIST’s core competencies and is certainly key to this effort.

“NIST’s efforts to couple the proven processes and value of the Baldrige Program with the increasingly popular Cybersecurity Framework will be voluntary and private sector-driven. We will measure this initiative’s success by its usefulness to companies and other organizations in strengthening their cybersecurity risk management,” said Willie E. May, Under Secretary of Commerce for Standards and Technology and Director of NIST. “The goal is to help organizations get even greater value from the Cybersecurity Framework by providing a way to assess and guide their cybersecurity risk management.”

The first step in this effort will be the development of a self-assessment tool—the Baldrige Cybersecurity Excellence Builder. The tool will enable organizations to better understand the effectiveness of their cybersecurity risk management efforts and identify opportunities for improvement based on their cybersecurity needs and objectives as well as their larger organizational needs, objectives, and outcomes.

We are very excited about the opportunity to partner with industry to help address this critical national need. For nearly 30 years, we have been fostering organization-wide excellence, and in 2015 we embarked on two strategic initiatives that will bring the Baldrige concepts to a much wider audience: cybersecurity and Communities of Excellence 2026. The cybersecurity initiative drills down into a critical component of organizational performance and sustainability, while COE2026 adapts Baldrige’s systems approach to achieving excellence to entire communities.

We estimate that a draft of the Baldrige Cybersecurity Excellence Builder will be available for broad public input in early-fall 2016. If you would like the opportunity to review, just send an email to baldrige [at] nist.gov (baldrige[at]nist[dot]gov).

The Baldrige Foundation is also supporting our cybersecurity and Communities of Excellence efforts through advocacy and fundraising. You may visit their website for more information. ~ ~ ~ ~ ~ For over 25 years, the Baldrige Program has used a public-private partnership approach to provide U.S. organizations with a management and leadership framework to facilitate organization-wide excellence. This approach has enhanced the performance and economic competitiveness of U.S. organizations. Through the Baldrige Excellence Framework, volunteer Baldrige Examiners, and the broader Baldrige community, the program promotes excellence in business, education, health care, nonprofit, and government sectors. It also educates leaders, assesses organizational performance, honors those who are proven national role models, and supports Baldrige Award recipients in the sharing of their best practices with other organizations.