RM/ISO27kx/… meets Von Moltke

Ah, now I see: All the nice (and so utmostly necessary) work on Risk Management the Real Kind – Quantitative, driven top-down from business objectives down to tech control / parameter settings, all the way mixed with qualitative sense-making and sensibility checks –, COSO/CObIT/ISO2700x/CSF/…/…/… my keyboard is running out of ‘…’, will fail for a particular reason. A reason that goes (went) by the name of Von Moltke the Elder.

Particularly, this quote: No plan of operations extends with certainty beyond the first encounter with the enemy’s main strength.
Which demonstrates (well, not the quote or its meaning, but practice demonstrates it everywhere ideas are put into practice ..!) that the plan is nothing. But planning is everything. But if one focuses on the planning – can you hear me, eager “PDCA” (not! the correct version is Shewhart) beavers? –, one doesn’t see:

  • The bigger picture; one is drafting, and executing most often just somewhat, somehow, – an error in itself, that ‘somewhat’ logical-or somehow – a strategic plan. In an external environment that changes faster than a battlefield, relative to one’s own response;
  • One finds oneself not in hierarchical command. No organisation can be run as absolutely reliably as an army in battle – errors and omissions happen everywhere, and one’s own people aren’t that reliably on one’s side, to a degree that one doesn’t know which are that 50%, or which are correct and true. And all sorts of change unrelated to what one wants to achieve also take place. The internal environment is a mess, too;
  • Too many are discussing things about which they know – in a Wisdom sense of know – too little. They’re touching the elephant, and even if some (collectively) have the whole picture, they cannot see inside. Meanwhile, some are just Trojan horseing around…
  • This may be the leading cause of the need for Requisite Variety, as outlined in e.g., my post below (in Dutch so let’s see what G Translate can do). Which demands some internal variety or you’re toast. Overly regimented things don’t last, and your security controls are a bad case / good example of that. But at what point are top-down plans half-baked, and where is the Too Far limit ..?
  • Boyd.
    Read the real work, then study what’s being made of it these (latter) days. That’s how you do “PDCA” … As in: ‘Agile’ – quod non, almost always exactly the opposite! – organisational operations. As in: If you think you’re Agile enough, you’re not going fast enough; quote from the ancient Chinese philosopher Emerson, Fittipaldi, the elder (yes, since this).

These five are not alike, I know, but yet, they do tie into a Gordian knot and still, they ‘collaborate’ against you.

There, you see why and how all plans re risk management and information security are so ideal, and reality isn’t. [Don’t start me on Idealism which again gains ground, even in the hardest-proving science of theoretical physics if it isn’t the bedrock foundation of that already.]
In the meantime, the operational battle, where every bullet counts, rages on. Don’t forget to patch everything, not just the highest risk-scoring vulns. And chase operational-style best-of-breed standards, e.g., this, and others, when properly applied and with much risk-based scrapping from chapter(s) 1 onwards, not splatter-under-the-weight-of-bureaucracy ones with Der Totalen All Details Are Musts.

Hence, heed the quote!

In the meantime, here’s …:
Another kind and a better kind of particle accelerator; Ployez-Jacquemart, Ludes

Maverisk / Étoiles du Nord