Objetivos y estrategias (planeamiento estratégico)

There are several advantages to developing a formal approach to CSFs in National CIRTs, and organizations generally. These advantages include:

– Reducing ambiguity. CSFs can help managers build agreement across their staff on the purpose and activities of the organization. The process of identifying and implementing CSFs can help to foster communication throughout teams by involving them in the discussion, improving the

– Identifying Candidates for Measurement and Goal Setting. As noted, a key aspect of managing any organization is measuring performance. However, measuring organizational performance involves costs and complicated questions. Gathering and analyzing data can consume man hours and require investment in technology. What is to be measured? How often? Many organizations find measuring the right things difficult—or or they measure only those activities that are simple to measure [Hubbard 2009]. Sometimes this uncertainty results in no, or sub- optimal, measurement of the organization’s activity. Evaluating CSFs can provide clarity and direction on this question, ensuring that measurement and metrics help to produce optimal results.

– Identifying Information Requirements. When closely aligned with goal setting, CSFs can help managers identify what types of information they really need to understand the operations and health of their National CIRTs. Sometimes an objective, thorough evaluation of CSFs can identify information requirements that are not obvious. For example, the success of a National CIRT often hinges on how willing major constituents are to communicate incident and other information to the organization. An objective, formal examination of CSFs may indicate that whether or not the National CIRT is perceived as trustworthy or as a technology leader in its community is a CSF. This can lead the National CIRT manager to request and watch types of indicators and information he or she may not have considered.

– Identifying Risk Management Concerns. CSFs can help identify the vital assets and services supporting the organization’s mission. This function can help a National CIRT identify which systems and assets should be subject to a risk management process. This use of CSFs has become common in many industries.

CSFs can be especially helpful for new and evolving organizations like National CIRTs. People in organizations with many similarly-situated peers - the automobile industry for example, which serves a mature market with a long, well studied history - have at least some gut-level understanding of what it takes (i.e., the CSFs) to succeed in their industry. This understanding may be based on organizational learning, talking to peers in other firms, or on historical experiences in the industry. Managers of National CIRTs do not typically have the same advantages, and can benefit from a formal process to identify their essential practices.

5.4

Sources of CSFs

Much of the existing literature about CSFs centers on private industrial firms. These firms look to various entities and sources to derive CSFs [Rockhart 1979, Caralli 2004]. These include their industry, their peers, the general business climate, government regulation, specific problems or barriers facing the organization, and the different hierarchies in their own organization. For a National CIRT, the sources of CSFs are not very different. They include the following:

– The constituency. This is probably the most important source of CSFs for a National CIRT. The needs and demands of the constituency form a primary input to the services to be provided. Services will vary depending on the constituency. A National CIRT that supports government agencies directly may monitor government agency networks if granted the authority to do so. Alternatively, a National CIRT serving private infrastructure owners and operators may collect incident information through voluntary reporting. Much of its role may relate to disseminating best practices and fulfilling a warning function. Beyond the question of selecting services, the constituency can provide input to operational questions for the National CIRT; for instance, how quickly incidents must be processed or analyzed to be of service.

– Governing or oversight organizations. The organization that sponsors and overseas the National CIRT is an important source of CSFs. This is often expressed in the parent organization’s mission or objectives.

– Peers. The experiences of other National CIRTs can form a valuable bank of knowledge to inform operations. For instance, where peer organizations serve similar constituencies or face similar challenges, they may have already learned lessons that can be helpful.

– The legal or political environment. There may be constitutional or regulatory demands or limitations placed on National CIRTs that also affect CSFs. Constitutional limitations may prevent the National CIRT from obtaining certain information, or may place duties on the National CIRT to safeguard particular information to a certain standard. These may include regulations having to do with the privacy of personal information, for instance.

Organizational issues fall into this category, as well. For example, if the National CIRT is part of an organization that also overseas or regulates the constituency, this organizational relationship itself may create challenges that must be considered. In this particular case, the willingness of constituents to provide information about incidents or their vulnerabilities, despite an obvious concern that it could be used for regulatory purposes, could be identified as a CSF.

– Resource constraints. The resource constraints National CIRTs may face are a potential source of CSFs. A basic constraint in many environments is the limited availability of skilled staff. Other constraints might include uncertainty surrounding funding. Resource constraints may imply CSFs that limit or constrain operations, or the resulting CSF may express the need to alleviate the constraint and develop human capital or funding sources.