This paper describes a method (almost a philosophy) for using the Critical Security Controls (CSCs) to drive long-term improvement by carefully choosing specific metrics linked with operational processes. In contrast to formal process models, this method begins by identifying existing areas where (often small) changes can be used as starting points. Several examples are given using specific controls, concepts for driving change are presented, and the use of metrics as an underlying mechanism is discussed. The resulting “organic” approach promotes continuous improvement by taking advantage of natural behavioral tendencies of people and organizations.