Security improvements are often viewed skeptically, as they always seem to be associated with higher time requirements and rising costs. This is not always the case, because common types of business process optimization (Gadatsch 2017, p. 35 and Bleicher 1991, p. 196) can be triggered or facilitated by security improvements:
• Removing process activities is useful if an activity does not have a positive effect on the result. If activities involve a security risk without being required by business, removing these activities can not only increase security, but also optimize the process. For example, a media break that involves a data conversion should be removed because of potential integrity problems. If one single medium can be selected for the whole process, the process will be optimized and the security improved.
• Outsourcing can be achieved by transferring activities from one process to another. Activities or entire processes can be outsourced to external organizations. Outsourcing is recommended for activities that can be carried out more efficiently when outsourced. Certain security activities can be performed faster and more reliably by specialists. Examples include vulnerability scans, penetration testing and source code analysis. These activities require a certain expertise that other professionals, such as software developers or network administrators, often struggle to acquire.
• Summarization means that two or more activities are combined into a new one. The advantage of summarization is the reduction of interfaces at which data must be transferred. From a security perspective, interfaces often involve the risk of data compromise, manipulation, or corruption. However, the separation of functions, which is an important security principle, must not be impaired. Otherwise, manipulations and other security violations are less likely to be detected by colleagues.
• Parallelization is suitable if sequential activities can be carried out in parallel or if an activity can be divided into several parallel activities. Often, security activities can be carried out in parallel to business activities. Improving security can be advantageous to product quality. Besides, existing processes will not be delayed if additional security activities are integrated.
• Relocating activities leads to an earlier execution of activities. This can shorten the time needed for executing a process. Especially in information security, relocation has an important status for optimizations. If security activities are performed sooner in a process, fewer design issues arise and less time-consuming reworking is required. Security by design is a principle that aims at embedding security as early as possible, thereby optimizing processes.
• Accelerating activities leads to shorter process times, such as by providing additional work equipment. This means less waiting time, which is not only an advantage for the business, but also for security. Certain security processes are very time-critical, such as the distribution of security patches, the response to security incidents and the activation of recovery mechanisms. Besides, business processes can become more secure when accelerated; for example, faster patenting of new ideas reduces the risk of stealing ideas.
• Avoiding loops can be achieved by certain checks, like input checks and integrity checks of data submissions. Mostly, the integrity of data can benefit from additional checks, whereby errors and subsequent corrections and rework can be avoided. Ensuring that errors are identified as early as possible not only improves security, but also eliminates time-consuming loops.
• Adding activities can ultimately increase the quality of the final product. Information security can be a quality feature. Some customers take security for granted, especially in IT products. Adding security-improving activities might require more effort initially. However, by considering security as an important component in overall quality, both the business process and the resulting product will be improved.