Comments on Exploring Possibility Space: Ten Dimensions of Cyber Security Performance
Blog author: Russell Thomas (http://www.blogger.com/profile/06123406032076292954)
Feed updated: 2024-03-28T03:19:51.528-07:00

Russell Thomas (https://www.blogger.com/profile/06123406032076292954), 2013-09-08T18:10:10.540-07:00:

Thanks, Andy.

> What about backing up even further and making business decisions

You are singing my hymn, brother! That is exactly the sort of change that the Ten Dimensions is aimed at promoting. Yet I know that for the vast majority of organizations, this would require a huge shift in culture, practices, and even hiring/promotion within InfoSec and related groups. To get there would take some serious vision and commitment. But that's where I think we need to be going.

Andy Bochman (https://www.blogger.com/profile/16597503314698812234), 2013-09-08T18:01:45.381-07:00:

Superb stuff Russell ... all of it. But let's extend:

"What about the sources and root causes of those vulnerabilities? What about vulnerabilities that have not yet been discovered?"

What about backing up even further and making business decisions (e.g., M&A, strategic partnering, new system acquisition and deployment, hiring, etc.) with "new vulnerability minimization" having a seat at the table? ab

PJCoyle (https://www.blogger.com/profile/03390039682578324978), 2013-07-14T06:37:09.323-07:00:

Just completed a quick scan of this post and the 10 supporting posts. Very interesting concepts, especially since they are worked together so completely. It will take some digestion to really see where I agree and disagree.
Big question for me is how this can/will apply to the industrial control system field as opposed to IT. At first glance it should apply without too much modification.

Russell Thomas (https://www.blogger.com/profile/06123406032076292954), 2013-07-12T13:00:28.102-07:00:

Thanks for your comments, Dave. Other readers should read Dave's blog post as a reference: http://orthosec.blogspot.it/2013/07/risk-management-value-oriented-process.html.

Regarding "value to the organization", I think we agree. I didn't call this out explicitly in the 10 Dimensions, partly to keep the presentation shorter and focused. But let me say it clearly now (and maybe also in a separate post): cyber security exists to support the value-creating processes of an organization, and also the value-creating processes of stakeholders. This relationship is captured in the financial services industry in their use of the measure "Risk-adjusted Return on Capital" (RAROC).

Yes, the 10 dimensions draw on ideas from 6 Sigma and DMAIC in several places. But it's not a full transplant since there are some very important differences from quality improvement in manufacturing or service.

Dave (https://www.blogger.com/profile/17630049499328395073), 2013-07-12T11:10:48.674-07:00:

Fascinating work. There's a lot to take in here, but I can tell right away that we are in sync on designing for correct protection levels and the business agility that can be attained. I'm not sure threat exposure can ever be fully optimized, but the end goal is a continued pilgrimage toward optimization. The key in my mind is for people to understand that the journey has to begin.
Instead I see professionals look for the easy button through addiction to frameworks, expensive technology, and buzzword bingo.

What I'm finding infinitely fascinating is that we appear to be approaching similar conclusions from entirely different starting points (there must be a scientific term for that). One area that might be different is in value to the organization. In my corporate role decisions are based around using security to help build value to business processes. But I also see that as implicit in the 10 dimensions, so it's probably just a difference in the environmental influence we both live in. Oddly for me a strong base of this came from adapting concepts from Saddle Back Church's Purpose Driven principles (removing the theology, it's an interesting work of lean manufacturing principles).

For me the concept of value has to be dealt with to ensure that risk is treated correctly. We will take a lot more steps to treat risk to our family than to the tomato plant in the back yard, I guess. Protecting the most sensitive and valuable aspects of organizations; those things that will prevent them from doing what they do. Your measurement of cost is great in that respect. I'm curious if your 10 dimensions draw from Six Sigma DMAIC in some way?

That's all just off the top of my head. There's a lot here and it will take me time to digest. My mind is more of a rock tumbler than quick strike surgical tool :)