• Crunch risk numbers or fix the obvious?

    02 Sep 2010

    My colleague Ben Rothke (@benrothke) recently wrote a good piece on basing information security decisions on good data. I like his approach – it’ll make you think. It’s true we do need good data so we can make better decisions. Sadly, we often don’t have the data or, if we do, we’re not qualified to interpret it.

    Maybe it’s just me but I don’t believe my degrees in computer engineering and management of technology qualify me for “enterprise statistician”. That still doesn’t make information security oversights okay. The dilemma reminds me of something that Gilbert Arland once said: “Failure to hit the bullseye is never the fault of the target.” We do need good data. It’s just not that simple in the world of information security.

    The problem is similar to the underlying principle of goal setting and leadership: how are you going to know where to go if you don’t know where you’re going, much less how to get there?

    The reality is, we’re never – at least for the foreseeable future – going to have all the right data to make good information security decisions. We have to do the best with what we’ve got. But that shouldn’t keep us from focusing on what’s obviously important. Case in point: I can say based on experience that the majority of organizations I’ve seen (both small and large) haven’t even addressed the basics of information security. Why burden ourselves with complex risk calculations when the bleeding and the cure are right before our eyes?

    Don’t get me wrong. Quantifiable risk calculations have their place in our industry. But unless and until we get the basic stuff under control, what’s the point of making things even more complicated? I’m just saying.

    Staying tuned for Part 2 of Ben’s article…