Tuesday, July 16, 2013

How simple can we make it?

In the Q&A session on the first day of the 3rd NIST Cybersecurity Framework (CSF) workshop, someone asked whether there was a way to simplify the five proposed functional categories in the Core.  His point was that he needed to persuade non-specialists, especially executives, and that five functional categories plus subcategories were too complicated.  (The full question and answer are on the video at 1:18:00.)  When I heard that, I nearly sprayed coffee all over my keyboard.  "You want it even SIMPLER??" I yelled out (at my screen).

I immediately thought of this: cyber security in one dimension, using the Grissom Dimension, named after astronaut Gus Grissom.  Grissom gave a speech in 1959 to the workers at the Convair plant where the Atlas rocket booster was being built.  The entire speech, as one worker remembered it: "Do good work."  Yes, we could reduce all of cyber security to the Grissom Dimension, and then it would be simple, right?

I'm a bit sensitive to this because I know many people will say my Ten Dimensions are too complicated.  I wonder myself whether they are too complicated, and I'm certainly interested in ways to simplify them.  Parsimony is good.  Occam's razor keeps our models clean.

But I also feel like Mozart when he heard this reaction from Emperor Joseph II to his opera The Abduction from the Seraglio in 1782:
"Too many notes, my dear Mozart, and too beautiful for our ears."
In the movie Amadeus, Mozart replied:
"I don't understand. There are just as many notes, Majesty, as are required. Neither more nor less."
Until someone convinces me otherwise, I believe that the Ten Dimensions have just the right number of "notes", neither more nor less.  In other words, all Ten are necessary (you can't leave any one out) and sufficient (you don't need any additions) to define the full range of cyber security performance for nearly all organizations.

In this post, I argue that the five NIST functional categories are too simple, in that they leave out vital performance dimensions, and that they are not the best partitioning because of gaps, redundancy, and so on.  I also explain why I think the Ten Dimensions are better.

Of course, we could make the Ten Dimensions appear simpler by grouping them into two categories according to the two learning loops: 1) Operational Cyber Security, and 2) Agile Cyber Security.  But the minute we want to actually measure performance and make decisions based on those measurements, we would need to disaggregate, and that would take us right back to the Ten Dimensions.

If we can't simplify further, and if simplification makes things worse, then we are led to this conclusion:
Cyber security is complicated.  It's hard.
Don't over-simplify.  That may be one reason why we keep failing.
Maybe in some other post I'll write about the cultural biases toward simplification, especially in the US and especially among business and policy leaders.

