#Means vs #Outcomes in #infosec and #privacy. https://lnkd.in/eUR9UhA
A few thoughts on #means* vs #outcomes* in #Cybersecurity: #Leadership

1. "Why are we even doing what we are doing at the moment?" is perhaps the most important question we should be asking ourselves, and we should ask it often.
2. The question should help clarify and fine-tune our means, and help validate that the means present the most efficient and effective route to achieving #meaningfuloutcomes in risk management, supporting business initiatives, facilitating or demonstrating compliance with internal/external mandates, or whatever else our objectives for the outcomes might be.
3. If we can't show incremental contributions towards stated outcomes at least on a weekly basis, our means likely need some change or fine-tuning, or in some cases we need to get back to the drawing board.
4. At the end of the day, means are means; they are not outcomes. Even the most sophisticated-looking means don't matter if we can't demonstrate incremental progress in outcomes, (and again) at least on a weekly basis.
5. Confusing means for outcomes, or getting bogged down in the means, happens far too often in infosec, in my view.
6. Our KPIs/KRIs should reflect outcomes (not means). The needle must move every week and do so in the right direction. If it doesn't, it may be time to change our means.

.........................
*See comments for examples of means and outcomes in various security verticals.