(More mature thoughts on RDOSing…)
If you have one error, you fix it and move on.
If you have the same error again, you fix it “better” and move on.
But if you keep having a variety of errors at a steady or increasing rate, you stop looking at the causes of individual errors and look at your basic business practices.
Cyber Security problems are errors. Cyber Security problems are systems or data doing things their owners and society do not wish them to do.
Cyber Security errors keep occurring despite being fixed individually.
New types of cyber security errors are occurring over time as new systems are built, as data changes, and as new use cases develop.
By the time we fix our past errors, we’ve created new ones.
Let’s stop focusing national and organizational programs on fixing individual cyber security errors – or even fixing common classes of cyber security errors.
Instead, let’s focus on reducing cyber security error rates in general.
To reduce the rate of cyber security errors, non-cyber specific business practices must be evaluated to determine where cyber security errors are being introduced.
Hmm. This sounds a lot like business management and quality control, not cyber.
Yes, it does.
Tackling individual cyber security errors in our critical infrastructure without reducing error rates will assure failure.
Tackling error rates will create long-term, sustainable success: reducing the number of errors which have to be dealt with in the first place frees up the vast, unnecessary number of resources we’ve allocated to individual problems for better use.
Stop wasting so many resources. :)