Jump to content
Greg Witte

Current or Target super smash debate

Recommended Posts

Coming off the excitement of this week's ISACA CSX conference, I wanted to share a heated debate that we had there that is rivaled only by the infamous bathroom tissue OVER vs UNDER debate. (Not that there is a debate - I've been known to enter friends' houses and quietly CORRECT their rolls to the OVER position.)


My personal default is to identify priorities, risk architecture, critical supporting assets, and then start with a Target Profile that defines what must be done to protect those resources. Upon completing an impartial list of where do I want to be, I can then record my Current State and review gaps.


Many of my colleagues and customers, and indeed COBIT 5 itself, start with where we are and then decide where we want to be.


From my perspective, in determining where I need to go, my current position has little value. If I need to get to Cleveland for a meeting, then I need to get there regardless of where I'm starting from. Once I've decided that, though, I can determine that I'm in Baltimore and I can calculate routes to get there.


The counter-argument, though, is that in a real world, I should consider reasonable steps from my current position, not hypothetical targets that may or may not be reachable from here.


What do you think - which comes first?




Share this post

Link to post
Share on other sites

In my humble opinion. The issue boils down to: it depends on what Tier you are on. If you start with a Current Profile and move to a Target Profile, you are Tier 1. If you start with a Target Profile and move to a Current Profile you are a Tier 2. In the end, having both is essential for iterative progress. 


This topic will be the basis for the next white paper.

Share this post

Link to post
Share on other sites

For what it's worth, the Framework leaves out a profile. The profiles should read "Current, As Is", "Current, As Believed", and "Target Profile".  The key starting point is bridging "As Is" and "As Believe" before ever considering "Target", as the gap between the former set is exploited far more often than the gap between the latter set and minimizing that gap creates (and speaks to) the kind of organizational maturity that will make the gap between ultimate priorities and "reasonable steps" much smaller.  

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now