The Cyberspace Solarium Commission, McCrary Institute, and others provide long lists of initiatives they recommend for the next administration. They tend to be bureaucratic: stand up this new organization, draft this document, study this issue, … A lot of the Cyberspace Solarium Commission recommendations drove Biden Administration actions and the National Cyber Strategy and Implementation Plan.

In May of this year, the Biden Administration announced Version 2 of the Implementation Plan and that 33 of 36 (92%) Version 1 initiatives have been completed.

92% is impressive, but did it check a box or achieve the desired results?

We don’t know. The desired results were never decided, documented or measured.

Leaning back on Peter Drucker:

"Whenever executives make an important decision, they put down in writing what results are expected and when."

"Record what you expect the results to be of every key action or key decision you take, and then compare actual results nine months or a year later to your expectations."

(The Effective Executive by Peter Drucker)

My guidance for the new administration around OT cybersecurity is to follow one simple rule:

Document and publish what metric(s) you will use to measure the success of each project or program, and what your expectation is for that metric in 1, 2, and 3 years.



Photo Credit: AgnosticPreachersKid, CC BY-SA 3.0 https://creativecommons.org/licenses/by-sa/3.0, via Wikimedia Commons