Security, how far to go? 4 answers

How far to go?

It’s probably one of the questions I can’t answer easily.

I could say: “when you would be really reassured.” That wouldn’t help you much, would it?

However, I can offer some information useful for your own evaluation.

The trivial answer

If you have defined objectives, the answer is easy: when they have been reached.

— Is reaching them at 80% sufficient? you might argue.

— If what remains isn’t essential, it might be, could be my response.

We are still being vague, though, aren’t we?

Your action plan, and how you track its progress, is your best guide.

And, when you arrive at the end of this plan, remember it’s not finished. It’s never finished!

The managerial answer

Management proposes to exercise some form of control over what is done and achieved, and also over maintaining that achievement in the long term. It doesn’t help much to achieve an objective you’ll forget the day after.

Our follow-up of the action plan will hence be continual.

The maturity answer

We all know what maturity is. It’s not the issue here.

The Software Engineering Institute of the famous Carnegie Mellon University described, in the nineties, an evolutionary scale for capability maturity*. It is quite clear and easy to use. It uses 5 levels, each building on the previous one.

Level 1. Ad-hoc/Initial

One does what one can, a bit haphazardly. One finds working solutions here and there and applies them without tailoring them to the real situation. One tries to have a clear conscience.

In organizations, the ‘hero’ is allowed to do as he sees fit.

Level 2. Repeatable/Disciplined

One seeks out best practices and follows them as best one can. Tailoring isn’t yet fully there. The action is more coherent and, frequently, note is taken of what is done – and works – so that it can be redone later on.

In organizations, the results of the ‘hero’ are looked at with interest. This activity shouldn’t yet interfere with his daily work.

Level 3. Defined/Standardized

The tailoring of the best practices to the real situation is completed. One is organized and manages as well as possible. All depends on available resources (time and money). One uses written techniques, rules and plans.

In organizations, the management takes over the definition of objectives and provides the necessary resources. The ‘hero’ gains an official role and remains in control.

Level 4. Managed

The management of actions, of the implemented solutions and of the resources is ensured. One supervises and measures in order to adapt what needs it, case by case.

The objectives and the strategy are regularly evaluated and updated.

Level 5. Optimized

This sort of paradise integrates a permanent and automatic improvement cycle.

(* If you want to go further: http://en.wikipedia.org/wiki/Capability_Maturity_Model)

You can sense that level 5 is only necessary for the actions and solutions that concern what is most important and urgent. It is up to you to decide which level to reach for each.

You can also sense the presence of a ‘zero’ level where indifference, lack of concern, negligence and ignorance (deliberate or not) reign, even if some results are eventually achieved by chance.

The governance answer

The concept of governance has been turned into a cliché by politicians. It nevertheless has an indisputable meaning and usefulness.

Without going too deep into the discussion, the highest level of governance and the most natural one – the one I recommend – considers 3 actions: Evaluate, Direct and Monitor.

Evaluate: analyse the situation, both internal and external, to evaluate the changes to anticipate and their time limits.

Direct: decide what to do and direct the resources towards the achievement of these objectives.

Monitor: regularly monitor the results of actions and solutions to identify the weaknesses to correct and the successes to consolidate and sustain.

Which type of answer fits your needs today? Will it still be valid one year from now?

See you soon, safer with your information.

Jean-Luc
