Interesting stuff in a Kaspersky threatpost.com editorial
Across the variety of orientations which exist within security, outcomes are what counts. Some examples:
- Compliance officers want to keep the CEO out of jail. All the process in the world is useful because when they’re not, they can talk about their plans for correcting that.
- Applied Researchers ask “did you pwn it?” They’re concerned with testing a hypothesis, which is “this system resists this type of attack.”
- Law enforcement wants to catch the bad guy (or gal). Much of the friction between civil libertarians and law enforcement comes from a conflict about prioritization of goals.
We’ve focused on process because we have so little data on outcomes. People will talk about their training processes. But when you ask them, “did that process work?”, no one wants to say.
Source: Security is about outcomes, not about process, Adam Shostack, 13 April 2009
My CIO has a great metaphor which sums up following process without an eye on outcomes: “We did everything right, but the patient died.” In other words, the team followed all the processes to the letter, but the project was a failure or the business value just didn’t materialize.
Processes are important. They provide consistency to our outcomes. But they shouldn’t be the final word when working through a project or providing customer support. At some point we have to stop and ask whether what we’re doing is actually taking us to the desired destination. If it isn’t, then a course correction in the form of a permanent or temporary process change is in order.