Audit, Governance & Risk Management: NRC should focus on outcomes and not processes. The Nuclear Regulatory Commission outsources to a third-party contractor for security operation centers. The inspector general says a major problem with the NRC takes is that the agency, in its contracts, defines processes the contractor should follow and not the IT security outcomes it seeks. Former U.S.-CERT Director Mischel Kwon contrasts outcome vs. process approach to governing SOCs. Kwon: “Our adversaries don’t follow a playbook and say, ‘We’re going to attack a network today'”]
Source: https://www.cuinfosecurity.com/socs-focus-on-outcome-process-a-8814