It doesn’t make sense to oppose maturity & risk-based approaches to cyber security

This interesting piece from McKinsey made me think and deserves some comments: “The risk-based approach to cybersecurity” (Jim Boehm, Nick Curcio, Peter Merrath, Lucy Shenton, and Tobias Stähle — October 2019).


The risk-based approach it promotes has solid foundations, and is in fact nothing new. It echoes in many ways the model we — at Corix Partners — have been developing and delivering with clients and associates for the past 10 years.

But I don’t think it makes sense — or indeed helps the industry move forward — to oppose maturity-based approaches and risk-based approaches. And the characterization of maturity-based models as “a dog that had its day” is frankly excessive.


The assumption that risk-based approaches are somehow more advanced than maturity-based ones, and represent an “evolution” of cyber security practices, is highly disputable. The claim that maturity-based approaches lead to over-engineering and over-spending by a factor of 3 compared to risk-based approaches is simply misleading: a footnote actually describes the costs mentioned as “illustrative and extrapolated from real-world examples and estimates”.

As a matter of fact, those two approaches are just different ways of managing, driving and measuring action around cyber security in different situations and different firms. One does not have to be superior to the other.


The keys are elsewhere: The approach one firm decides to follow has to be right in relation to the firm’s management and governance culture, and its objectives around cyber security. Those will vary naturally from one organization to another, and from one management team to the next.


One trend we are observing more and more is actually the weakening of traditional risk and compliance drivers around cyber security with senior executives. The “when-not-if” paradigm around cyber-attacks is strongly taking root in many boardrooms, and many firms are committing very large amounts to large-scale transformative security programmes; but in return, the board expects execution and protection, and is holding CIOs and CISOs accountable for both.

In those situations, risk often goes to the background, delivery takes centre-stage, and maturity-based approaches generally work well, as long as they revolve around a clear set of capabilities to be developed through the delivery of clear tangible actions to achieve a clear target maturity level.


This is not an approach that works well only in situations where initial maturity levels are low: it can continue to work throughout the maturity spectrum, up to advanced levels. And as long as the capabilities, and the actions required to develop them, are anchored in the firm’s objectives around cyber security and the real threats it is facing, there is no reason to assume that it would lead to a greater degree of over-engineering — and over-spending — compared to other approaches.

As a matter of fact, whether a firm takes a maturity-driven route or a risk-driven route to ensure it is well protected from cyber threats, none of that changes the nature, the reality or the virulence of those threats, and as a result, the nature of the measures the firm needs to have in place to be well protected. Those necessary protective measures may end up ordered or prioritised differently, in order to improve maturity or reduce risk, but barring political manipulation by stakeholders, they will be the same and will cost the same.

The chosen approach simply needs to be right to give the executives in charge the levers they need to understand and manage the firm’s cyber security posture.


It is our experience that simplicity, clarity and consistency are often the real factors behind successful approaches, and at that game, maturity-based models often win because they can be action-driven from the start, faster to put in place, and less vulnerable to window-dressing by stakeholders.


Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.


Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.

Translated from: https://medium/security-transformation-leadership/in-defence-of-maturity-based-approaches-for-cyber-security-38dbdf8cdc
