
How Can We Improve Our Capabilities?

Financial Cybersecurity Risk Management

Abstract

Discussion about cybersecurity often focuses on observed risk dimensions or on the control strategies devised in response to observed risks. However, optimizing enterprise cybersecurity risk reduction is a more general capability, and one essential to minimizing cybersecurity risk. McKinsey and Company have described organizational capability as “anything an organization does well that drives meaningful business results.” Ideally, recognized strategic priorities, such as cybersecurity risk reduction, should be supported by organizational capabilities, with appropriate actions taken to create and continuously develop capabilities aligned with those priorities. A valuable contribution of independent observers such as McKinsey has been to notice that this alignment is sometimes lacking [1]. As described in Chapter 7, such alignment can be achieved with an architectural view that describes a comprehensive, largely top-down approach intended to drive the organization toward enterprise cybersecurity decisions consistent with organizational goals. An architecture view strengthens communication on strategy and informs the selection of the “right” things to do with respect to identifying and executing projects that build desired capabilities. Although successful project execution verifies that the planned security measures have been put in place, there is a recognized need for more substantive validation that the security architecture actually achieves its security goals. The National Institute of Standards and Technology (NIST) characterizes this distinction as correctness versus effectiveness [2]. From an architecture perspective, verification is the determination that a system is “built right,” while validation determines that the “right system was built” [3]. The validation question is meant to help determine that the resulting architecture does what we intended it to do. In other words, it is how we know that our capabilities actually accomplished our goals for reducing risk. It is how we can be sure they drive meaningful results in the organization. It is how we continuously monitor and develop our capabilities for continuous improvement and respond to emerging threats. In short, we need to “get real,” so to speak, in our planning as well as in our execution. Cybersecurity is not a domain that tolerates theoretical attribution based on a project plan; enterprise capabilities are only relevant when applied to real-world conditions.


© 2019 Paul Rohmeyer, Jennifer L. Bayuk

About this chapter


Cite this chapter

Rohmeyer, P., Bayuk, J.L. (2019). How Can We Improve Our Capabilities?. In: Financial Cybersecurity Risk Management. Apress, Berkeley, CA. https://doi.org/10.1007/978-1-4842-4194-3_8
