Shostack + Friends Blog Archive


My Advice for the Pragmatic CSO

gordon-and-loeb.jpgMike Rothman writes:

On the Wikid blog, they tackle the mess of incentive plans in this post (h/t to Emergent Chaos). I can see the underlying thought process, but I have a fundamental issue with the idea of capping information security expenses to about 1/3 of the expected loss. Now I haven’t read Gordon & Loeb’s book, so maybe there is a reason it’s 37% and not 50%. Obviously you need to show a “return” on the security investment, so it isn’t going to be 100% – but whatever.

“Whatever?” “Maybe there’s a reason?” It’s not like this is a $200 book. It’s $40 and 225 pages.

My advice for the pragmatic CSO is to read Gordon and Loeb instead.

PS: Now I know why it’s called the Security Incite, not the Security Insight.

3 comments on "My Advice for the Pragmatic CSO"

  • Mike Rothman says:

    Grumpy grumpy grumpy. Nice job of taking my snippet out of context Adam. The reality is that little snippets of this book (like don’t spend more than 37% on security) traverse the Internet and pick up steam. I wanted to share my opinion that putting an arbitrary cap on what you should do from a security budgeting standpoint didn’t make sense to me.
    And if I recall correctly, you’ve gotten some “incite” from my work in the past. 🙂

  • Mike:
    Did you read my ( original post? I think I was pretty clear that you could pick your own percentage. Consider:
    “First, assume that you believe, as discussed in Gordon & Loeb’s book Managing Cybersecurity Resources: A Cost-Benefit Analysis and discussed here that an organization should spend no more than 37%”
    and, pertinently:
    “If this cap doesn’t work for you, then you can do more research or negotiate a cap.”
    or, to sum:
    “So there it is, just a simple, starting point proposal.”
    I posted a response to responses:, since I took umbrage at some of the responses posted by the grump-meisters at Emergent Chaos.

  • Adam says:

    Out of context? Please tell, what’s the additional context needed? I believe Gordon and Loeb to be an important partnership-they’ve published important papers (I’ve bemoaned them not being available online in the past), and an important book.
    In both a paper and their book, they explain, in depth, the reason they say to cap spending at 37% based on a continuous, price curve. It’s easy to argue that prices are not contiguous, and there are (as Nick Owen has pointed out) other critiques. But you were incitefuly dismissive.

Comments are closed.