by Joseph Socolof
Contributing Editor

Improving an organization’s cyber posture – i.e. continuously generating increased security at the lowest possible cost – requires that effective continuous improvement disciplines be ‘wired’ into the operating cadence of the business. 

Building a cybersecurity program that continuously improves and keeps up with the changing threat landscape shares many of the core features of continuous improvement applied to other aspects of the business. 

  • See what is possible – this is more relevant in today’s digital world where new vulnerabilities are being created and new threats are emerging every day. To determine what is possible – i.e. what is the right performance target – there needs to be a disciplined process for understanding what has changed: technologies deployed in the business, new threats, or improved security software on the market. Simply put, there needs to be an understanding of relevant changes and then a mechanism to include those into an organization’s continuous improvement targets. 
  • Generate ideas – once the ‘what is possible’ has been identified, the question becomes, “What are the things we could possibly do to get there?” There are many ways organizations can generate ideas – the initiatives that close the opportunity gaps – but more often than not, these efforts are ad hoc and left in the hands of a small group of IT professionals. This is wrong and often costly. Idea generation, like every other step, needs to be a disciplined process that uses the right information inputs and the right people inputs to ensure all possible solutions are identified.
  • Prioritize – this is straightforward – you can’t do everything. There needs to be a mechanism to identify which initiatives will be the easiest to implement and provide the most value. It is surprising how many organizations don’t have an effective process for prioritizing initiatives based on a very simple value-versus-ease model. Having a simple prioritization mechanism will save an organization from wasted effort.
  • Manage the pipeline – of course, even prioritized ideas don’t deliver value until they are implemented. Organizations need to establish a process for ensuring initiatives deliver the value they are supposed to deliver in the timeframe they are supposed to deliver it. 

Most organizations make changes and improvements to improve their cyber posture, but few have a formal continuous improvement process that they apply to their cyber programs. The result is often a weak link between the dollars at risk and the investments made in cyber.

It only takes a few small changes to establish an effective continuous improvement process. A well-wired continuous improvement program around cyber will provide additional security, often at a lower cost. 
