Friday, July 5, 2013

Dimension 5: Effective/Efficient Execution & Operations

This is the fifth post defining each of the Ten Dimensions of Cyber Security Performance.

The dimension of Effective/Efficient Execution & Operations is closely related to the previous one, 4. Quality of Protection & Controls.  It has nearly identical relationships with the other dimensions and thus is portrayed in the block diagram using the same form.  It has a complementary and mutually supporting relationship with protections and controls.  Crudely speaking, the protections and controls are the "brains" while execution and operations are the "brawn" -- i.e. the "engine" that gets work done within the cyber security system and also in the interface between cyber security and every other aspect of the organization.

It also opens a separate interaction path with Actors, who can engage with the related processes as artifacts themselves, not just as they are implemented in the organization.

This dimension includes processes related to implementing and monitoring cyber security, including logging, training, reporting, patching, configuring and updating (e.g. servers, firewall rules, access control rules), and so on.  Using similar reasoning, the software industry has recently developed a similar concept and method under the name "Development Operations" or "DevOps".  Here are some good summaries on DevOps applied to information security:
If anyone doubts the significance of execution and operations, consider the recent case of the Windows Azure outage, which was caused by an operational error regarding expired SSL certificates.  (described here and here).  This outage had significant financial consequences for Microsoft beyond the response and recovery costs because they offered a compensating credits to their customers.

Moving beyond the details of each of the processes, I'll focus on how to view execution and operations, taken as a whole, can be measured and managed as a performance dimension.

I argue that performance in this dimension is both a matter of effectiveness and efficiency.  This is a contrast to most of the other dimensions where effectiveness is the central concern and efficiency is secondary.

Execution and operations need to be effective -- "doing the right things" -- because the benefits of focusing on the most important things far exceed the benefits of doing a little bit of everything ('averaging" or "covering").  Plus, there's a constant challenge to identify what is most important given the changing demands and circumstances of cyber security, both inside and outside the organization.

But execution and operation processes also need to be efficient -- "doing things right (i.e. properly, well, etc.)" -- because results and performance often depend on speed, fast cycle time, through-put, and peak-volume capacity.

(It could be argued that quality is also an important performance dimension for execution and operations.  For example, if patch management is important and also needs to be done efficiently, it should also be done well -- free of defects.  However, in my opinion this will have a secondary effect on execution and operations, compared to effectiveness and efficiency, which are first order effects.)

Therefore, the dimension of Efficient/Effective Execution & Operations can be measured using the same methods as used in process improvement and service improvement.

The glue between other dimensions

Very simply, the reason for being for this dimension is to act as glue for the other performance dimensions, especially in the operational core dimensions 1 -- 5.  Therefore, the performance standard is determined by the requirements to "make things happen" within and between these other dimensions.  For example, any element of Design for cyber security also needs to be implemented in people, processes, and technology, and that implementation needs to be updated and revised as things change.  Likewise, change control in Controls is a major challenge, especially when the volume of changes is high and the time to implement them is short.

In it's "glue" role, this dimension includes all the data sensing, data logging, and data reporting to support cyber security operations and strategy.  But this isn't just a passive role where all data is collected and warehoused for any conceivable purpose.  Instead, data collection and storage related to cyber security needs careful attention to be effective in supporting other cyber security functions, to be efficient to avoid waste, but also selective so as to avoid increasing Exposure of sensitive, confidential, or private information.

While it may be clear and obvious how execution and operations support information security, there are  aspects of cyber security where it is just as critical and maybe even more difficult.  Though it's not my area of expertise, I'd like to highlight federated identity management ecosystems as a prime example.  Interested readers can learn more here, here, and here.

In summary, this performance dimension is often under-appreciated by executives and by people who are only thinking about protection and controls.  But I argue that if it is viewed as a set of services that support and glue the other cyber security performance dimensions.  I also argue that it can be effectively measured and managed using well established methods of process and service improvement.

(Next dimension: 6. Effective Response, Recovery, & Resilience)

No comments:

Post a Comment