Monday, December 5, 2016

CISO - In project planning define what "it" is

I reviewed project plans from four teams of really smart technical people today, and after doing so I am a bit troubled. One of the big problems in cybersecurity is that management is not convinced cyber-techies have any idea of what they are doing. Management may be right.

Two of the plans were, to be kind, minimalistic: maybe a half page of cryptic notes. The third looked like a government RFP, with 12 pages of writing for a 100-hour effort, and the fourth struck a balance between using as much paper as possible and actually laying out the work breakdown structure.

All four plans had the same serious flaw. They did not put any effort into defining what "it" is. This is one of the classic communication failures. The boss knows (or at least thinks she knows) what she wants, so she directs her team, "build me a framus." They go to work to build a framus, but they never stop to define what "it" is. The most common definition, of course, is a vintage stringed instrument. However, people familiar with the space program who still have moonshot flight jackets with the mission patches know it can also be a synonym for a gizmo or gadget, or, more recently, an app or chatbot. Each team member can build a different framus and every one of them can believe they followed instructions.

This is not a new problem; everyone has heard of garbage in, garbage out. However, hearing about a thing and dealing with it well are separate issues.

The good news is that this was not an effort to deflect an asteroid from striking the earth. All four were graduate-level projects intended to increase the documented level of defensive cybersecurity information.

The bad news is that the first week of the assignment is dedicated to the planning part, and that is where the definition should have happened. If we are dedicated to creating the next generation of cybersecurity leaders, we are going to have to solve the problem of teaching them to define what "it" is, or we will end up with every imaginable framus.
