Stuff I Say - Iterative Improvement

   This is yet another in my "Stuff I Say" series of posts.  I like to think about concepts of security management, though these ideas can certainly be applied to IT management (and management in general).  The themes of these posts are both things I think about and things I actually say.

   We've all got an incredible amount of work to do.  Most organizations have too many projects and ongoing development work, as well as too many existing and legacy tech assets to secure.  There are not enough resources to go around and the shortage of talent has been discussed in the tech media.  Prioritization is always a challenge.

   Security professionals have a difficult job.  Protecting individual and corporate data, and systems and networks is complex and often not well defined.  We don't really know when we've got it "right" (if there is a right), but we often find out the hard way when we've got it wrong!

   So, when faced with a new project, some security groups want to try to do everything at once.  We can't boil the ocean... but we have to start somewhere.  Some call it baby steps. Some call it putting one foot in front of the other.  I call it Iterative Improvement.

   Two security frameworks I like are NIST and CObIT (well, CObIT is more of a total IT framework).  Both include cyclical frameworks.

   The NIST Risk Management framework is illustrated here:

   This shows that the process of managing controls is never ending!  So you get the opportunity to improve at each phase of the cycle, and with each new cycle.

   CObIT takes this further by providing a maturity model.  This model, originally based on the SEI Capability Maturity Model (CMM), provides actual specifications corresponding to the various maturity levels in a wide variety of areas.

   I'm a big fan of both of these frameworks.

   The point is, though, that you don't have to use one of these frameworks to introduce iterative tactics into your program.  You simply need to start with something basic, then look to improve.

   For example, let's say you are trying to introduce a security awareness program to your organization.  There are all kinds of products and services you can purchase.  There are consultants you can hire.  But it might not be cost- or resource effective to start your program with: an expensive online training program, with an online assessment tied to your ELM (Learning Management) systems, bringing in outside talent to give advice and presentations, and having 4 major company-wide events per year.  Perhaps you can start by doing a few senior management briefings plus brown bag staff sessions.  That's your first iteration.  Then you re-evaluate, plan and improve.

   It doesn't have to be perfect the first time.  But you do have to start.  As the Great One, Wayne Gretzky said, "you miss 100% of the shots you don't take".  You've got to try and you've got to start somewhere.