Mike Rothman writes:
On the Wikid blog, they tackle the mess of incentive plans in this post (h/t to Emergent Chaos). I can see the underlying thought process, but I have a fundamental issue with the idea of capping information security expenses to about 1/3 of the expected loss. Now I haven’t read Gordon & Loeb’s book, so maybe there is a reason it’s 37% and not 50%. Obviously you need to show a “return” on the security investment, so it isn’t going to be 100% – but whatever.
“Whatever?” “Maybe there’s a reason?” It’s not like this is a $200 book. It’s $40 and 225 pages.
My advice for the pragmatic CSO is to read Gordon and Loeb instead.
PS: Now I know why it’s called the Security Incite, not the Security Insight.