Monday, November 25, 2019

Mentoring Execution Improvements In Cyber Security


A key moment in the career of a cyber leader is when they realize the difference between simple activity and a planned set of work designed to mature the security program in a purposeful direction. 


Activity isn't a reliable metric for improvement within a security program. And, yet, activity seems to be a popular justification for more resources. We have to think like a business leader to understand why it might not be.


Imagine riding a bike that has a chain that falls off every 100 yards.  If it takes 10 minutes every 100 yards to put the chain back on, we might ride 600 yards in an hour. This is representative of simple activity. 

Maturing our bike riding program would mean planning to take 30 minutes to replace the broken parts. We’d then be able to spend the the rest of the hour riding for 10 miles without interruption. 


Now, let’s use the same bike metaphor to better understand the impact of improved execution on the outcome and quality of our bike ride.


Let's say that a talented rider with practice can achieve better execution than the original rider when the chain is falling off the bicycle. Good execution might reduce the time to replace the chain by 2 minutes. Excellent execution? Perhaps by 5 minutes. But, neither changes the distance ridden before the chain falls off again or the total distance by much for an hour of "riding" (maybe 200 extra yards).

Having to execute well every 5 minutes over a lengthy ride would be exhausting for the rider.


That said, if the team focused their execution improvements to more quickly plan and fix the broken parts in 15 minutes rather than thirty minutes, the outcome might be additional and enjoyable 5 miles of riding.


The lesson for cyber leaders in that you have to purposefully build your way out of exhausting cyber security environments. Training team members to execute better within a broken model might not actually improve things. In fact, they may end up more exhausted. And, even the best intentioned, seemingly well executing cyber teams often complain about being exhausted.

Yet, exhausted teams trying to squeeze out a bit more distance with better execution seem to be the norm. 

Take the time to find what needs to be fixed.

Make changes that measure improvement in miles rather than yards.


Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on twitter or Linkedin and I'll read it.


SEE ALSO



Framing Data Security Conversations To Executives

Mentoring Cyber Leaders Around Prioritization 

Mentoring Scope of Authority Within Cyber Security Teams
Posted by at
Labels: , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)