Skip to main content

Driving Real Security Improvement with a Gemba Board


In information security, we talk a lot about metrics. Mean time to detect, vulnerabilities closed, incidents resolved, backlog aging, control coverage—the list goes on. But too often, those metrics live in dashboards that few people check, or in reports reviewed once a month and quickly forgotten.

A Gemba board changes that.

What Is a Gemba Board?

“Gemba” is a Lean concept that means the place where the work happens. A Gemba board is a visual representation of the team’s work, processes, and performance—displayed where the team can see it every day.
Unlike executive dashboards built for status reporting, a Gemba board is designed for the people doing the work. Its purpose is simple: make the process visible so the team can improve it.

Why Infosec Teams Need Visual Process Metrics

Security work often feels abstract. When you’re buried in alerts, tickets, audits, and remediation tasks, it’s hard to tell whether things are actually getting better.


A well-designed Gemba board answers key questions at a glance:

  • Are we improving detection and response times?
  • Is our vulnerability backlog shrinking or growing?
  • Where are we consistently blocked?
  • What improvements are actually working?

When process metrics are visible every day, improvement stops being theoretical. It becomes tangible.

Turning Metrics into Motivation

One of the biggest benefits of a Gemba board is motivation.

When a team sees that:

  • Mean time to remediate dropped by 20%
  • High-risk vulnerabilities are closing faster
  • Incident volume is stabilizing despite increased coverage

…it creates momentum.

People are naturally motivated when they can connect their daily work to visible progress. Instead of leadership saying “We need to do better”, the board shows how the team is doing better—because of their actions.

This is especially powerful in security, where success often means nothing bad happened. A Gemba board makes invisible wins visible.

Driving Change from the Front Line

Gemba boards work best when they’re used during regular team conversations:

  • Daily standups
  • Weekly operational reviews
  • Continuous improvement discussions

Rather than leadership dictating change, the team can point to the metrics and say:

  • “This step is slowing us down.”
  • “This automation reduced noise.”
  • “This control change actually worked.”

The data sparks discussion. The discussion drives experimentation. And the results show up—again—on the board.

What Belongs on an Infosec Gemba Board?

Every team is different, but strong Gemba boards usually include:

  • Outcome metrics (e.g., incident response time, vulnerability risk reduction)
  • Flow metrics (backlog size, aging, throughput)
  • Quality signals (reopened tickets, false positives)
  • Improvement experiments (what the team is trying to improve this week)

The key is clarity. If the team can’t quickly understand what they’re seeing, the board won’t drive behavior.

From Reporting to Ownership

The real shift a Gemba board creates is cultural.

Metrics stop being something leadership asks for and start being something the team owns. The board isn’t about judgment—it’s about learning. It answers the question: “How is our system performing, and how can we make it better?”

In information security, where complexity is high and burnout is common, that sense of ownership matters.

Final Thoughts

A Gemba board isn’t about more metrics—it’s about making the right metrics visible to the right people at the right time.

When your infosec team can see their process, track improvements, and celebrate progress together, change stops being forced. It becomes a natural outcome of engaged, motivated professionals improving their own system of work.

That’s how security gets better—one visible improvement at a time.

Labels:

Popular posts from this blog

Generative AI Governance: Using the NIST Framework to Build Trust, Reduce Risk, and Lead Secure AI Adoption

Generative AI has moved faster than nearly any technology security leaders have dealt with. Tools that can generate text, code, images, and data insights are now embedded into productivity platforms, security tooling, development workflows, and business operations—often before security teams are formally involved. For CISOs, this creates a familiar but amplified challenge: innovation is happening faster than governance, and unmanaged generative AI introduces material risk across confidentiality, integrity, availability, compliance, and trust. For aspiring information security professionals, AI governance represents a growing and valuable discipline where strategic thinking matters just as much as technical depth. The good news? We don’t need to invent governance from scratch. NIST’s AI Risk Management Framework (AI RMF) provides a practical, flexible structure that security leaders can use today to govern generative AI responsibly and defensibly. Why Generative AI Governance Matt...
Read more

AI Governance Security Leadership | NIST AI RMF Series

A practitioner's deep dive into building a real generative AI governance program — from policy to controls to board reporting If you read my earlier post, Generative AI Governance: Using the NIST Framework to Build Trust, Reduce Risk, and Lead Secure AI Adoption , you got a solid introduction to why the NIST AI Risk Management Framework (AI RMF) matters and how its four core functions — Govern, Map, Measure, and Manage — provide a structure for responsible AI adoption. That post was intentionally high-level. This one is not. Over the past two-plus decades in security leadership, I have watched organizations repeatedly make the same mistake with emerging technology: they adopt first and govern later. We did it with cloud. We did it with mobile. We are doing it right now with generative AI — and the consequences are more significant than most leadership teams realize. Generative AI is not just another SaaS tool your employees are using without IT approval. It is a...
Read more