Saturday, May 18, 2013

Book Review: Lean Security 101

Lean Security 101: The Comic Book


by Josh More
Publisher: RJS Smart Security
Number of Pages: 24


Josh More over at RJS Smart Security obviously had some fun putting this together. Lean Security 101 is a neat little infographic that looks an awful lot like a comic book.

Percy the Protection Pangolin

I'll admit it; I had to look up what a pangolin actually was (+1 for originality). Percy the pangolin is Josh's sidekick throughout the story.

The 80x5 Rule

The biggest insight I got out of this comic was the 80x5 Rule. You've probably heard of the "Pareto Principle", commonly referred to as the 80/20 rule. The 80x5 rule builds on this idea using concepts from Lean.


The 80/20 rule is often quoted by business managers and executives as a rallying cry to take some action or kick off a new project, justifying it with the promise of quick returns for minimal effort. But hidden within this management standard is an implicit acknowledgment that getting a project to 100% perfection (meeting all of the requirements on time and within budget) becomes increasingly difficult. The law of diminishing returns takes over, and additional effort is needed just to make incremental progress toward the goal.

When applied to Information Security, this concept is just as true.  There is no silver bullet for protecting your digital assets, so no single project or technology or defense mechanism is ever going to be 100% effective at keeping your data safe.

The 80x5 rule is designed to help you get the most value from the least amount of effort while also maximizing your defensive posture.

The 80x5 rule says that instead of spending all of your effort trying to implement a single defensive measure (one that will never reach 100% effectiveness), it is much more productive to add complementary layers of security. After you have spent the first 20% of your effort on that defensive measure (and reached 80% of the results), any further effort on that task could be considered waste (in Lean terms). In terms of opportunity cost, if you took the remaining unspent effort (you still have 80% left at this point) and divided it into four more blocks, you could potentially get 80% results from each of another four projects. This is obviously a much better ROI than spending that remaining 80% and obtaining at most 20% more benefit from your current task.

Assuming each layer is 80% effective (based on the Pareto Principle) and the layers fail independently, eight layers could give you up to 99.999% effective security: an attack has to slip past every layer, so the residual risk shrinks by a factor of five with each layer added. Yes, there can and will be various exceptions to this line of reasoning, most obviously layers that share a single point of failure. But why spend all your effort on fixing things that should be considered "good enough" when there are other more productive security measures you could be working on (like building up your incident response team and testing your IR plan)? I see this as an important tool for helping to prioritize competing projects and assessing those final inches toward the goal line.
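To make the layering arithmetic concrete, here is a small model I put together while reading; it is an added example, not code from the comic or from RJS Smart Security. It treats each layer as an independent control that stops a given attack with some probability, so an attack only succeeds by getting past every layer, and it adds one assumption of my own: a `common_mode` term for a shared weakness (say, one credential that every layer trusts) that bypasses all of the layers at once. The comic does not define that term; it is here to show how quickly the "up to 99.999%" figure erodes when the independence assumption does not hold.

```python
"""Added example: the 80x5 rule's layering arithmetic.

Each layer is modelled as an independent control that stops an attack
with probability `e`. The residual risk of a stack is the product of
the per-layer misses. `common_mode` is a simplifying assumption made
here (not part of the comic): the probability that one shared failure
defeats every layer at the same time.
"""


def layered_effectiveness(per_layer, common_mode=0.0):
    """Fraction of attacks stopped by a stack of layers.

    per_layer   -- effectiveness of each layer, e.g. [0.8, 0.8, 0.8]
    common_mode -- probability that a single shared weakness bypasses
                   all layers at once; 0.0 is the fully independent
                   case the 80x5 rule assumes (assumption, not from the comic)
    """
    residual = 1.0
    for e in per_layer:
        if not 0.0 <= e <= 1.0:
            raise ValueError(f"effectiveness out of range: {e}")
        residual *= 1.0 - e  # attack must be missed by this layer too
    # Either the shared weakness fires, or every layer misses independently.
    return 1.0 - (common_mode + (1.0 - common_mode) * residual)


def layers_needed(target, per_layer=0.8):
    """Smallest number of independent layers at `per_layer` that reaches `target`."""
    n = 0
    while layered_effectiveness([per_layer] * n) < target:
        n += 1
    return n


if __name__ == "__main__":
    for n in (1, 2, 5, 8):
        print(f"{n} layer(s) at 80%: {layered_effectiveness([0.8] * n):.6%}")
    print("independent 80% layers needed for 99.999%:", layers_needed(0.99999))
    # Constructed scenario: five layers that all trust the same credential,
    # with a 5% chance that credential is the thing an attacker gets.
    print(f"five layers, 5% common-mode failure: "
          f"{layered_effectiveness([0.8] * 5, 0.05):.4%}")
```

Running it shows eight independent 80% layers clearing 99.999%, which matches the comic's figure. The more useful line is the last one: five 80% layers with a 5% shared failure mode stop only about 95% of attacks, roughly what a single good control does, which is why the "exceptions" the book mentions are worth checking before counting on the multiplication.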

The book goes into more detail, but hopefully you get the idea.  Go download a free copy for yourself, http://www.rjssmartsecurity.com/Lean-Security-101-Comic/, and give them a call about a free Lean Security Assessment.
