Improvement is a great concept but can be a strange thing in reality. Improvement can be ill-defined and poorly executed, making it difficult for executives to understand, resource, or acknowledge. But improvement initiatives that are well planned, with agreed-upon goals and solid execution toward those goals, can be a beautiful tool in any cyber security practitioner's bag of tricks.
What is a solid process that cyber professionals can use to improve their improvement skills? Let's walk through one.
First, you have to be able to measure or describe the current state of whatever needs improvement. Think of this as your starting measurement. It's hard to say that things have improved without being able to describe where you started.
Is it a time-based improvement? Alert quality? Top-line score against a standardized assessment? Something else?
Once you find the right measurement(s) to describe your starting point, you'll need to gain buy-in on the measurement from decision makers to ensure that they agree on it. If you aren't measuring something in a way that matters to decision makers or executives, you may recognize improvement but they may not.
Improvements that aren't well understood by others aren't generally recognized as improvements.
Next, you'll have to define what's good (or acceptable) and what's great based on those measurements.
You are almost there.
The hardest part is deciding what needs to change to move your measurement to a more acceptable state. I call these "levers to pull."
Are there improvements to existing processes? Do you need a new process? Do you need to improve engagement with an external team? Do you need to add instrumentation? Remove some obstacles?
Now that you know the current state, what's good, what's great, and the levers to pull that will move the needle, you'll need to establish a goal for improvement. The goal is how you know that you've improved enough.
The goal has the following two components:
- The desired measurement that you want to achieve
- The timeframe in which you plan to achieve that desired measurement
You need to plan and decide whether additional resources or cooperation from other teams are required to meet your goal. I also like to have a less ambitious goal in my back pocket that can be met without additional resources. It's not just a fallback; it's also an indicator of the impact if resources aren't approved.
Lastly, you'll need to execute and measure your progress as you go.
Once you've met your goal, circle back around with the execs and decision makers to remind them how the improvements now benefit your cyber security program. Better, faster, higher quality, whatever.
Success breeds success. This may make them more inclined to support you on your next improvement project.
As you can see, improvement doesn't just happen. You need a plan, measurements, and perhaps extra resources. You also can't convince execs that something has improved if you don't know where you started.
Now, go out there and start improving your programs!
Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read it.