Building your Cyber Security Program: Stones, Pebbles and Kaizen


A compelling metaphor has been circulating the internet in recent years, explaining how to create a balanced, productive and happy life. It breaks the various aspects of a person’s everyday experience into four component parts – a jar, sand, pebbles and stones.

The jar is you: It has a finite capacity and can only hold so many things at once.
The sand is your daily minutiae: Errands, chores, social media, television, etc.
The pebbles are the more important, but less consequential tasks: Meetings, email, etc.
The stones are the critical and value-laden aspects of your life: Family, exercise, career-defining work.

The question is, how do you fill the jar with all three elements without leaving anything behind or having it spill over?

Stones First

According to the metaphor, most people run on autopilot. They fill their lives with the sand and pebbles first. By the time they get to the stones, they find there is no room left: their jar is already overflowing.

However, when they learn to prioritize the most important things (i.e. put the stones first) they realize all three fit comfortably. It’s an apt visual and a powerful message: Take care of the big things and the little things will fall into place.

Stones and Cyber Security

This analogy translates directly to building an effective cyber security program. There is no shortage of potential controls an organization could deploy and improvements it could make. The great limiting factors – not unlike an individual's – are time and money. So, where does a business start?

Some security controls offer more protection than others. Many security controls also lay the groundwork that others need to function. These are the stones. And once those are in place, selecting the sand and pebbles will follow more naturally.

Identifying the Stones

A helpful method to determine which controls are sand and pebbles and which ones are stones is to refer to the cyber progression Venn diagram in part four of this series. Stones reflect the smallest possible investments which move organizations closest to the intersection of controls, risk and maturity. Another method is to consider the tangibility-abstraction matrix in part five. In this case the stones are controls which provide the widest spread for the smallest possible investment.

For instance, organizations that primarily interact with customers through a web application can achieve significant risk reduction with a web application firewall. Another example is restricting network access based on privilege, job functions and specified access requirements.

Embrace the Spirit of Kaizen

The Japanese concept of Kaizen celebrates the power of incremental daily changes to influence significant improvements over time. It’s a powerful idea in today’s world of life-hacks and instant gratification.

When organizations focus on sustained progression rather than sweeping change, their initiatives become more cohesive, measurable and sustainable. Kaizen is therefore a strategic imperative in building an effective cyber security program.

Some additional thoughts to keep Kaizen at the forefront:

  1. Focus on the destination: If you aim for the sun, you just might hit the moon.
  2. Use security crisis to your advantage: Keep a cool head when everyone else is panicking – use key learnings to advance your cyber security posture.
  3. Marry the cyber security and business strategies: It is as much of a day-to-day concern as capital projects and operational programs.

Tomorrow’s technology is shaping business today. To learn more about how MNP can help you build an effective cyber security strategy, contact Jason Murray at 647.333.6241 or [email protected]