The Cynefin framework to overlay formative security management approaches



Chaos, Complex, Complicated, Simple - self-reflect to avoid manifested disorder

Cynefin - sounds biological. According to Wikipedia {1} it’s a Welsh name for “habitat”. A habitat of mind, and situational awareness.

In Information Security management you are involved with all kinds of projects:

  • Chaos projects often surface from the Agile domain to introduce rapid change. Stakeholder influence is often rather low. Because of this, typical project-management approaches such as Six Sigma or even CMMI do not work well here. These days you find those methods within compliance teams.

  • Complex projects often collect innovation around their progressive nature, which isn’t necessarily as agile as chaos projects can become. Here, probing comes before action. The improvements (think Plan Do Check Act) are not permanent.

  • Complicated projects lack standardisation, so teams have to analyse the situation before they are able to respond.

  • Simple projects have standards, by which anyone can classify what to do in a procedural way.

Between the lines you can see that information security (for example within compliance management) has a tendency to avoid disorder, chaos, complexity and complication by standardising its response methods with policies and procedures.

External audits involve reviews that can include complex corporate IT landscapes. Such audits usually fail if the projects aren’t “simple” or formative {2} enough with regard to the implemented procedures.

Nowadays many SMBs (small and medium-sized businesses) adopt complex projects from large companies, such as micro-service cluster orchestration frameworks (for containerisation with Docker, rkt etc.). The transition from complex (better practices) to complicated (good practices) towards simple (best practices) doesn’t necessarily happen smoothly. Why is that?

Because of the inherent complexity within DevOps. This complexity needs to be matured towards “simple” as well. But simple isn’t “easy”. On the contrary.


Simplicity builds on the individual. One of the key issues with Agile and DevOps in the project-management space is that too many managers are faithful believers in the dogma that they have to de-individualise processes with standards. But that is wrong, because it can create a high inherent complexity instead of stability and continuity.

The competence of empowered individuals is the driving energy of the field of DevOps. Inherently, competence is a force that simplifies, if it is used correctly. Otherwise project management can help to manifest a compliant disorder that sooner or later boots the security posture as a whole back to chaos. Security management is hard. Without inter-departmental competence it’s impossible.

Security projects are inter-departmental, span business domains and involve hybrid project-management approaches

The inter-departmental nature of security projects allows us to map where projects sit within the Cynefin framework. Focusing on security, after a project cycle there should be a measurable tendency towards “simple”, moving clockwise through the domains.

This movement needs to be translated to fit the reporting needs of different business domains in a measurable way, which is the idea of OKRs (Objectives and Key Results, also known as KPIs).

The movement towards “simple” representations of the security posture often works across the project-management approaches specific to different teams or departments.

But on the Cynefin map it’s not magic. It is useful for very visual reflections, status reports and abstracted measurements, compressing knowledge so that it can be carried into the different business sections.


{1} Wiki article

{2} How did you cultivate your InfoSec?