A key moment in the career of a cyber leader is when they realize the difference between simple activity and a planned set of work designed to mature the security program in a purposeful direction.
Activity isn't a reliable metric for improvement within a security program. And, yet, activity seems to be a popular justification for more resources. We have to think like a business leader to understand why it might not be.
Imagine riding a bike that has a chain that falls off every 100 yards. If it takes 10 minutes every 100 yards to put the chain back on, we might ride 600 yards in an hour. This is representative of simple activity.
Maturing our bike riding program would mean planning to take 30 minutes to replace the broken parts. We'd then be able to spend the rest of the hour riding for 10 miles without interruption.
Now, let’s use the same bike metaphor to better understand the impact of improved execution on the outcome and quality of our bike ride.
Let's say that a talented rider with practice can achieve better execution than the original rider when the chain is falling off the bicycle. Good execution might reduce the time to replace the chain by 2 minutes. Excellent execution? Perhaps by 5 minutes. But neither changes the distance ridden before the chain falls off again or the total distance by much for an hour of "riding" (maybe 200 extra yards).
Having to execute well every 5 minutes over a lengthy ride would be exhausting for the rider.
That said, if the team focused their execution improvements on more quickly planning and fixing the broken parts in 15 minutes rather than 30 minutes, the outcome might be an additional and enjoyable 5 miles of riding.
The lesson for cyber leaders is that you have to purposefully build your way out of exhausting cyber security environments. Training team members to execute better within a broken model might not actually improve things. In fact, they may end up more exhausted. And even the best-intentioned, seemingly well-executing cyber teams often complain about being exhausted.
Yet, exhausted teams trying to squeeze out a bit more distance with better execution seem to be the norm.
Take the time to find what needs to be fixed.
Make changes that measure improvement in miles rather than yards.
Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read it.