How to Allocate Resources
The other day, I wrote:
I also don’t buy the bad management argument. Allocating resources to security is an art, not a science. I’ll offer up a simple experiment to illustrate that shortly.
So here’s the experiment. It works better in person than in blog comments. Ask two experts to write down how they’d allocate $100 to secure information. Pick a business that both know. Compare. Then watch them argue.
Now imagine that you’re a CEO, and ask yourself what you’d do to resolve this debate.
Easy. Fire one of them, pocket the salary savings, and use the other’s numbers :^)
In fact, I think a variant of this is what often happens. A consulting firm gets brought in, they make recommendations, they leave (or implement and then leave), and the staff carry on from there.
Wow, I’m willing to argue that you can do this in something that resembles a scientific approach. We have this exact exercise as part of risk management training. I believe that you can reach consistency, and have it be very defensible if you understand risk well enough.
Easy, give them both $100 and have them both implement their plan.
(This is the science of CAPM, etc).
Variation:
1. Ask two experts to write down how they’d allocate $100 to secure information. Pick a business that both know.
2. Bring each expert into a mock courtroom, one at a time. Assume that there has been a data breach. Have two opposing attorneys question the expert. One attorney’s goal is to prove, through the expert’s testimony, that the other expert’s choices were were reasonable under the circumstances. The other attorney’s goal is to disprove that proposition.
Put the two experts’ testimonies together and see what you get.
I suggest that you’d probably get very similar answers from both “experts” in terms of _what_ to do, because they’d likely both lean towards implementing “best practices”. In other words, a herd response that comprises the typical laundry list of initiatives. In the absence of objective data to support any particular solution, the default approach is to do what everyone else is doing.
That said, the two “experts” would almost certainly be unable to agree on how to distribute the $100 across the tasks that comprise “best practice”. This is a laughable state of affairs, and speaks to the profound lack of data regarding what actually works and what doesn’t.
“I believe that you can reach consistency, and have it be very defensible if you understand risk well enough.”
Alex – In order to “understand risk”, wouldn’t you need actuarial-like data regarding risks? Do you have such data?
Mr. X nails it in that last comment.
This is exactly why I advocated firing one expert and doing what the other says. Each is equally likely to be right, so you can save money and not be any worse off.
It may be awkward to implement my approach, so a smart CEO will avoid having two competing experts. Just bring in a consulting firm, have them provide “objective guidance” as a one-shot, and send them on their way.
“Alex – In order to “understand risk”, wouldn’t you need actuarial-like data regarding risks? Do you have such data?”
Not necessarily. Not to get terribly technical, but why should we be any different than any other science with “poor data”?
Why shouldn’t we do what they do?
Bayes Theorem has all sorts of uses.
Alex,
You ask “why should we be any different than any other science with ‘poor data’?” Because we don’t need to have poor data?
“Because we don’t need to have poor data?”
I completely agree. lotsa data would be greata.
And it’s my sincere hope that someday I can help good people such as yourself collect the right data in enough quantity for it to be meaningful. However, in lieu of that… Until that fine day comes….
We still have to make decisions. Theories to test – accepting or rejecting based on usefulness in the real world. My assertion is that we should do that in a way that makes sense, not just put the wet finger in the air and exclaim “Seems like a high risk day to me!”
Of course, most don’t even get that far. We put all our effort into some checklist with the short-sighted goal of keeping an auditor at bay for the next 8-12 months.
Alex,
Of course we need to make decisions. We also need to look to how our methods compare to idealized ones, and ask how can we get better.
“We also need to look to how our methods compare to idealized ones, and ask how can we get better.”
Amen. Got a list of methods you consider “ideal”? I’d like to look at what you think would be ideal, and do a little personal gap analysis between current state and desired state.
Sometimes I hate being a consultant. I say things like “current state” and “gap analysis” sometimes.