Skip to main content

Turning a Gemba Board Into Real, Weekly Security Improvement

In the world of security operations, we often talk about metrics — detection times, vulnerability remediation, incident counts, backlog ages. The Driving Real Security Improvement with a Gemba Board post does a great job of outlining how a Gemba board makes these metrics visible to the team and shifts ownership of outcomes to the people doing the work.  


But visibility is only the beginning.


The Power of Weekly Gemba Walks


A Gemba board becomes transformative when the team gathers around it consistently— ideally weekly — not just to glance at numbers, but to connect those numbers to real work and real process challenges happening every day.


This practice — a weekly Gemba walk at the Gemba board — isn’t an administrative review. It’s an opportunity to go to where the work happens, see what’s actually happening there, and engage the team in meaningful conversation about how to improve. In Lean practice, that’s what “Gemba” means: the real place where value is created.  


Weekly walks help teams:

Connect metrics to actions. Rather than seeing a number in isolation, teams can ask: Why is throughput down this week? What changed in the process?

Spot both successes and failures. A Gemba walk provides space for the team to share what went well and what didn’t — validating good work and uncovering process friction.

Surface process issues, not personal blame. The goal is not to point fingers but to understand where processes break down or fall short — and collaboratively improve them.


Conversations Over Blame


One of the biggest cultural shifts you get from weekly Gemba walks is a move away from individual blame toward collective learning.


Real improvement comes when:

Team members feel safe to share challenges, without fear of being singled out for mistakes. Psychological safety like this fuels honest discussion and real insights.  

Failures become learning opportunities. When you treat a failure as a process insight rather than a personal flaw, the team can analyze what happened and co-create solutions.

Successes are recognized and understood. Celebrating what workedbuilds positive momentum and shows the process improvements that contributed to that success.


This is exactly what Lean leadership encourages during Gemba walks: Observe first, ask good questions, engage respectfully, then improve the process.  


How Weekly Gemba Walks Drive Continuous Improvement


Consistency is key. Many organizations that embed Gemba walks into weekly routines find that it accelerates continuous improvement because:

Teams begin to spot patterns over time, not just isolated incidents.

Conversations become actionable: ideas, experiments, follow-up tasks.

You build a cadence of improvement rather than a cadence of crisis response.


A weekly Gemba walk creates a rhythm for improvement — a reliable space for reflection, adjustment, and collective problem-solving.


This is how you make a Gemba board more than a dashboard. It becomes the hub of real operational insight, where the whole team converges to learn, adapt, and improve the security processes that matter most.


Final Thought


A Gemba board tells you what’s happening. Weekly Gemba walks help you understand why it’s happening — and how to make it better.


When teams consistently engage around the board, focusing on processes instead of people, they unlock a culture of continuous improvement. That’s where real security improvement lives: visible metrics, weekly reflection, open dialogue, and shared ownership of solutions.

Labels:

Popular posts from this blog

Generative AI Governance: Using the NIST Framework to Build Trust, Reduce Risk, and Lead Secure AI Adoption

Generative AI has moved faster than nearly any technology security leaders have dealt with. Tools that can generate text, code, images, and data insights are now embedded into productivity platforms, security tooling, development workflows, and business operations—often before security teams are formally involved. For CISOs, this creates a familiar but amplified challenge: innovation is happening faster than governance, and unmanaged generative AI introduces material risk across confidentiality, integrity, availability, compliance, and trust. For aspiring information security professionals, AI governance represents a growing and valuable discipline where strategic thinking matters just as much as technical depth. The good news? We don’t need to invent governance from scratch. NIST’s AI Risk Management Framework (AI RMF) provides a practical, flexible structure that security leaders can use today to govern generative AI responsibly and defensibly. Why Generative AI Governance Matt...
Read more

AI Governance Security Leadership | NIST AI RMF Series

A practitioner's deep dive into building a real generative AI governance program — from policy to controls to board reporting If you read my earlier post, Generative AI Governance: Using the NIST Framework to Build Trust, Reduce Risk, and Lead Secure AI Adoption , you got a solid introduction to why the NIST AI Risk Management Framework (AI RMF) matters and how its four core functions — Govern, Map, Measure, and Manage — provide a structure for responsible AI adoption. That post was intentionally high-level. This one is not. Over the past two-plus decades in security leadership, I have watched organizations repeatedly make the same mistake with emerging technology: they adopt first and govern later. We did it with cloud. We did it with mobile. We are doing it right now with generative AI — and the consequences are more significant than most leadership teams realize. Generative AI is not just another SaaS tool your employees are using without IT approval. It is a...
Read more