The Cyber Security Team’s Continuous Improvement Problem

Opinionated Security
Jan 14, 2020 (4 min read)

Cyber practitioners like to refer to continuous improvement as if it were an independent project instead of a fundamental part of all projects. We say things like, “oh, next year, we’ll tackle continuous improvement”. We then mark some dates on a calendar, and take on the burdens of planning and coordinating.

The two disconnects, of course, are that continuous improvement is extremely difficult to “peanut butter” into a cyber program at the program level and that continuous improvement as a standalone project is difficult to plan, execute, or measure.

Continuous improvement is metaphorically more like DNA. The human body doesn’t contain DNA. Individual cells do.

Continuous improvement is likewise an integral part of the project level within your program. And, just as DNA defines and shapes the overall body, continuous improvement winds through the entire program while defining and shaping it. Just as every cell needs DNA, everything in cyber defense should be structured so that it can continuously improve and mature — each program-level cyber discipline, each ongoing activity, each capability-producing project, as well as the supporting team members, responses, processes, automation, and tools.

So, instead of being just another planning burden, how can teams unlock continuous improvement and turn it into some kind of a value-add?

Heraclitus, a Greek philosopher born in 544 B.C., famously said, “No one ever steps in the same river twice, for it’s not the same river and not the same person.” Like a river, your network, APIs, risks, and endpoints change continuously, and, at any given point, your team has either improved or fallen behind relative to those changes.

We kid ourselves into thinking that, by standing in the same spot in the river, we’re still in the same river. The same thing happens with our cyber program.

The inputs to our cyber program naturally change with time, and we have to recognize and accept that certain aspects responsible for many of these inputs, especially the cyber threat landscape, change constantly. One day it’s phishing. The next, ransomware, and the next, third-party vendor security. And so on.

So we are always in a cycle of moving expectations. We carry expectations from last year’s past investments into this year’s new investment, or perhaps we are even looking forward to next year’s planned investment. The constant change of program inputs may make us feel like current investment is never sufficient to cover all of the change.

But things don’t have to be that way.

What if we weren’t just relying on current investment to deal with today’s rapid changes in the cyber program? What if we had planned and executed last year’s investment (with some small incremental add from this year’s investment) to continuously improve? Some examples:

  • Reassess, refine, or if necessary, completely redefine cyber outcomes at the project level and what success for those outcomes looks like. Work towards those new desired outcomes. This might include previous years’ projects as well as current projects. Don’t be afraid to raise the bar to meet current challenges even if things have to go “red” for some amount of time. Challenge the cyber and stakeholder teams to correspondingly raise their game.
  • Measure more of the right things right out of the box, so you know when more of the wrong things might be occurring.
  • Close more corner cases for previous years’ projects and increase coverage for any given current project.
  • Staff someone to oversee and measurably improve critical cyber functions and disciplines (even when outsourced) as program initiatives instead of managing them as part-time “activities”. Vulnerability management, alerts and logging, disaster recovery, incident response, and third-party vendor security management come immediately to mind. Start with one area and show success to your executives.

The outcome of continuous improvement is like an ongoing dividend that keeps paying out in increasing amounts over time.

And, the recipient is your cyber program.

If you were to purposely harness the capability for continuous improvement in enough areas of your cyber program, suddenly you might have a cyber program that grows, adapts to change, and keeps scaling positive results across the entire cyber landscape. Continuous improvement can help an area of your cyber program survive an unexpected lean year of investment, or times in which the threat landscape shifts rapidly, requiring a transfer of investment away from pre-planned initiatives.

Defining, leading, and driving cyber change into the DNA of your organization is completely in your control. Continuous improvement is one way to help you accomplish and maintain that change over time.


Tony Grey * CISO for an insurance company * grew team from 3 to 22 * led large software teams at Microsoft * blogs about cyber leadership & program development