Sabermetrics (Moneyball) and Data Security
Initial thinking about Jobs-to-be-Done and cyber team structure
I've been hearing about this concept of applying the Moneyball (Sabermetrics) concept to cybersecurity...
Listen to this podcast for more about it
What appears to be driving this thinking is that too many enterprises invest in one very experienced, very expensive resource when the same money could build a larger, competent, and less expensive team.
Is this the answer to protecting an enterprise's digital assets?
I think it is certainly a part of the answer in the shorter term. I recently published a customer needs catalog on protecting an organization's digital assets. It covers a lot of ground.
I've also been narrowing the focus to designing effective cybersecurity teams. That work includes a number of success statements around over-reliance on a single resource, or on lacking a broad set of competencies. It also highlights the different team structures that could be in place. Here are some examples:
Centralized Structure: In a centralized structure, all security responsibilities are handled by a single, core team. This team is typically led by a Chief Information Security Officer (CISO) or similar role, and it could include specialists in various areas such as network security, application security, incident response, and compliance.
Decentralized Structure: In a decentralized structure, each department or business unit has its own security resources. This can allow for more specialization and better alignment with specific business needs, but it can also lead to inconsistencies in security practices across the organization.
Hybrid Structure: A hybrid structure combines elements of both centralized and decentralized structures. There may be a core security team that sets overall policies and strategies, along with decentralized resources in individual departments or business units to implement those policies in ways that best meet their specific needs.
Matrix Structure: In a matrix structure, employees have dual reporting relationships - usually to both a functional manager and a project manager. This type of structure promotes better collaboration and flexibility but can lead to confusion and conflicts about roles and responsibilities.
Outsourced Structure: In this model, much of the organization's information security needs are outsourced to a third-party provider. This can provide access to high-level expertise and round-the-clock coverage but can also lead to less control over security practices and potential issues with vendor management.
Follow-the-Sun Model: This model is usually employed by organizations that require 24/7 coverage. Teams are located in different parts of the world, ensuring that someone is always working during their regular daytime hours, providing constant coverage.
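One way to make these structures comparable is to put them on the same axes. Here's a minimal sketch in Python; the attributes, names, and scores are all invented for illustration, not a real assessment:

```python
from dataclasses import dataclass

# Hypothetical sketch: modeling the team structures above so they can be
# compared on common dimensions. All field names and scores are illustrative.
@dataclass
class TeamStructure:
    name: str
    reporting_lines: str     # e.g. "single CISO-led core team"
    consistency: int         # 1-5: how uniform security practice is
    business_alignment: int  # 1-5: fit to unit-specific needs
    coverage_hours: int      # hours/day of active coverage

STRUCTURES = [
    TeamStructure("Centralized", "single CISO-led core team", 5, 2, 8),
    TeamStructure("Decentralized", "per business unit", 2, 5, 8),
    TeamStructure("Hybrid", "core policy team + unit resources", 4, 4, 8),
    TeamStructure("Follow-the-Sun", "regional teams handing off", 3, 3, 24),
]

# Rank by a naive blend of consistency and alignment; real weights would
# have to come from outcome data, not from guesses like these.
ranked = sorted(
    STRUCTURES,
    key=lambda s: s.consistency + s.business_alignment,
    reverse=True,
)
print([s.name for s in ranked])
```

The point of a model like this isn't the numbers; it's forcing the comparison onto explicit, arguable dimensions instead of gut feel.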
Team structure and balance are definitely measurable using Jobs-to-be-Done. But the measurements need to be analyzed against real-world results or they won't mean much. JTBD does part of this; the rest requires reconciliation with real-world data on actual attacks, prevention, and/or extent of damage, so we can check how professionals are rated against their actual capabilities.
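That reconciliation step could look something like this sketch: compare JTBD outcome ratings against observed results over the same period and flag where confidence outruns performance. Every number and outcome name here is invented for illustration:

```python
# Hypothetical sketch of reconciling JTBD ratings with real-world results.
jtbd_ratings = {             # self-assessed performance, 0-10, per outcome
    "detect intrusions quickly": 8,
    "contain incidents before damage spreads": 7,
    "recover systems after an attack": 4,
}

observed_success = {         # measured success rate over the same period
    "detect intrusions quickly": 0.9,
    "contain incidents before damage spreads": 0.5,
    "recover systems after an attack": 0.4,
}

# Flag outcomes where self-assessed capability outruns actual performance
# by more than an (arbitrary) threshold.
flagged = [
    outcome
    for outcome, rating in jtbd_ratings.items()
    if rating / 10 - observed_success[outcome] > 0.15
]
print(flagged)
```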
But let's not forget that all Jobs are ultimately automated away, and the solutions don't look anything like their predecessors. Possibly the data itself becomes the solution and obliterates the concept of an attack surface? I dunno, I'm not a cybersecurity expert.
What if, instead of traditional security tools, we had ideal data: data so invulnerable that we didn't need barriers and teams? What characteristics should we look for? A new type of data would essentially couple the object we are trying to protect with the solution, eliminating the need for teams in most situations. This may take some time to manifest, but if we can identify the characteristics today, maybe someone will spot a way to do it as our capabilities evolve. Here are 50 characteristics (not solutions) off the top of my head:
The data is impervious to all forms of breach - This statement describes the state of absolute security, where the data remains unaffected by any potential threats or attacks.
The data remains inaccessible to unauthorized individuals - This reflects the need for access controls, ensuring only those with proper clearance can access the data.
The data maintains its integrity at all times - This means the data is always accurate and reliable, free from corruption or manipulation.
The data is resilient to physical damage or destruction - This implies that the data is safeguarded against physical threats such as natural disasters or hardware malfunctions.
The data is resilient to digital damage or corruption - This emphasizes that the data is safe from digital threats such as viruses or software malfunctions.
The data retains its original quality regardless of its location - This ensures that the data maintains its integrity regardless of where it is stored or transmitted.
The data retains its original quality regardless of time - This guarantees the durability of the data, ensuring that it remains valid and accurate over time.
The data is always available for authorized use - This emphasizes that there should be no barriers to accessing the data for those with the proper permissions.
The data is resistant to unauthorized modification - This highlights the importance of protecting the data from unwanted changes or alterations.
The data is resistant to unauthorized deletion - This underscores the need for safeguards against the loss of data through unauthorized actions.
The data remains confidential when necessary - This reflects the need to keep certain data private, accessible only to specific individuals or groups.
The data retains its usefulness across different platforms and systems - This ensures the data remains valuable and applicable across a variety of technological contexts.
The data preserves its relevance regardless of changes in technology or industry standards - This guarantees that the data will remain meaningful and applicable, even as technologies evolve.
The data maintains its value over time - This emphasizes that the data's importance and utility do not diminish with time.
The data retains its accessibility during emergencies or crises - This highlights the need for robust contingency planning to ensure data accessibility during unexpected events.
The data retains its consistency across different systems and platforms - This ensures that the data stays uniform and consistent, regardless of where it's used or accessed.
The data remains undamaged during transmission - This emphasizes the need for secure and robust data transmission protocols.
The data remains intact in the face of system or hardware failure - This acknowledges the importance of data durability, even when confronted with technical failures.
The data remains accurate and up-to-date - This points to the necessity for data to reflect the most recent and valid information.
The data remains free from redundancy - This implies the need for efficient data management, avoiding duplication and unnecessary storage.
The data is resilient to environmental threats - This calls for keeping the data safe from environmental risks such as power outages or excessive heat.
The data remains free from unnecessary complexity - This suggests the need for the data to be simple and understandable, without added confusion or complexity.
The data maintains a low cost of storage and transmission - This emphasizes that the cost of data handling should be kept to a minimum.
The data maintains its portability across different systems - This asserts the need for the data to be easily transferable between different systems.
The data minimizes the need for maintenance - This highlights the desire for data that requires minimal upkeep.
The data avoids the risk of obsolescence - This suggests the data should remain applicable and useful, even as technologies and needs evolve.
The data minimizes the need for time-consuming management - This implies the data should require minimal effort in terms of its ongoing management.
The data minimizes the risk of legal repercussions - This points to the need for data to be handled in a way that is compliant with all relevant laws and regulations.
The data minimizes the potential for misinterpretation - This emphasizes the importance of data clarity, reducing chances for misunderstanding.
The data minimizes the need for training or specialized knowledge for use - This highlights the desire for data that is accessible and user-friendly, requiring minimal training.
The data maintains a minimal environmental impact - This points to the importance of sustainable data practices that have a low impact on the environment.
The data minimizes the potential for misuse - This underscores the need for safeguards against the misuse of data.
The data remains free from dependence on specific hardware or software - This suggests the need for data that is not bound by specific technologies.
The data avoids creating waste in terms of storage and transmission - This emphasizes the desire for efficient use of resources in storing and transmitting data.
The data minimizes the need for extensive setup or installation - This implies the data should be easily accessible and ready for use.
The data remains free from dependence on specific personnel or roles - This suggests the need for data accessibility that is not reliant on specific individuals.
The data avoids causing harm or distress to individuals - This underscores the importance of ethical considerations in data handling.
The data maintains its accessibility regardless of user location - This highlights the need for data that can be accessed remotely, from any location.
The data avoids unnecessary expenditure on security measures - This points to the importance of efficient security measures that do not excessively inflate costs.
The data avoids creating a burden on system performance - This implies the data should not cause unnecessary strain on system resources.
The data remains free from biases and assumptions - This emphasizes the importance of objectivity and fairness in data.
The data minimizes the risk of conflicts with other data or systems - This highlights the need for data compatibility and interoperability.
The data minimizes the time required for processing or analysis - This suggests the need for data that is readily usable and quick to process.
The data avoids causing disruptions to business operations - This highlights the importance of seamless data handling that does not interfere with normal operations.
The data maintains its confidentiality during transmission - This underscores the importance of secure data transmission that protects sensitive information.
The data avoids causing strain on network bandwidth - This suggests the need for efficient data transmission that does not overburden network resources.
The data remains unaffected by system upgrades or changes - This points to the importance of data durability and resilience in the face of system alterations.
The data minimizes the need for manual intervention or handling - This emphasizes the desire for data that can be managed autonomously, reducing the need for manual oversight.
The data avoids causing unnecessary notifications or alerts - This implies the data should be managed in a way that avoids creating distractions or disruptions.
The data maintains its value and relevance in the face of changing user needs - This underscores the importance of data adaptability and relevance, even as user needs evolve.
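Even before anyone invents data like this, the catalog above could be used as a checklist to score how far a given data asset is from the ideal. A minimal sketch; the subset of characteristics and the true/false answers are invented for illustration:

```python
# Hypothetical sketch: scoring a data asset against a small subset of the
# characteristics above, treated as a pass/fail checklist.
CHARACTERISTICS = [
    "inaccessible to unauthorized individuals",
    "maintains its integrity at all times",
    "remains undamaged during transmission",
    "free from dependence on specific hardware or software",
]

asset_checks = {  # invented answers for one hypothetical data asset
    "inaccessible to unauthorized individuals": True,
    "maintains its integrity at all times": True,
    "remains undamaged during transmission": False,
    "free from dependence on specific hardware or software": False,
}

score = sum(asset_checks[c] for c in CHARACTERISTICS) / len(CHARACTERISTICS)
print(f"coverage of the ideal: {score:.0%}")
```

A crude score like this at least makes the gap between today's data and the ideal visible and trackable over time.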
So, do we keep building walls around data, or do we change the data itself? Do we repaint our walls once every five years, or do we use digital walls that can change color and intensity on demand?