My Advice for the Pragmatic CSO
Mike Rothman writes [link to http://securityincite.com/blog/mike-rothman/the-daily-incite-december-14-2006 no longer works]:
On the Wikid blog, they tackle the mess of incentive plans in this post (h/t to Emergent Chaos). I can see the underlying thought process, but I have a fundamental issue with the idea of capping information security expenses to about 1/3 of the expected loss. Now I haven’t read Gordon & Loeb’s book, so maybe there is a reason it’s 37% and not 50%. Obviously you need to show a “return” on the security investment, so it isn’t going to be 100% – but whatever.
“Whatever?” “Maybe there’s a reason?” It’s not like this is a $200 book. It’s $40 and 225 pages.
My advice for the pragmatic CSO is to read Gordon and Loeb instead.
PS: Now I know why it’s called the Security Incite, not the Security Insight.
Grumpy grumpy grumpy. Nice job of taking my snippet out of context, Adam. The reality is that little snippets of this book (like don’t spend more than 37% on security) traverse the Internet and pick up steam. I wanted to share my opinion that putting an arbitrary cap on what you should do from a security budgeting standpoint didn’t make sense to me.
And if I recall correctly, you’ve gotten some “incite” from my work in the past. 🙂
Mike:
Did you read my (http://www.wikidsystems.com/WiKIDBlog/incentive-plan-for-an-information-security-team) original post? I think I was pretty clear that you could pick your own percentage. Consider:
“First, assume that you believe, as discussed in Gordon & Loeb’s book Managing Cybersecurity Resources: A Cost-Benefit Analysis and discussed here that an organization should spend no more than 37%”
and, pertinently:
“If this cap doesn’t work for you, then you can do more research or negotiate a cap.”
or, to sum:
“So there it is, just a simple, starting point proposal.”
I posted a response to responses: http://www.wikidsystems.com/WiKIDBlog/response-to-responses-incentive-plans-for-information-security-professionals, since I took umbrage at some of the responses posted by the grump-meisters at Emergent Chaos.
Out of context? Please tell, what’s the additional context needed? I believe Gordon and Loeb to be an important partnership; they’ve published important papers (I’ve bemoaned them not being available online in the past), and an important book.
In both a paper and their book, they explain, in depth, the reason they say to cap spending at 37% based on a continuous price curve. It’s easy to argue that prices are not contiguous, and there are (as Nick Owen has pointed out) other critiques. But you were incitefully dismissive.
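Since the thread turns on where the 37% comes from, here is an added example (not from the original post or any of the commenters) that works the Gordon-Loeb optimisation numerically: the two breach-probability function families are the ones from their 2002 paper, and every parameter value, loss figure and the "tight" case are constructed assumptions chosen for illustration.

```python
import math

# Gordon & Loeb's model (the source of the 37% figure): a firm faces a
# potential loss L with breach probability v before investing. Investing
# z lowers the breach probability to S(z, v), so the expected net benefit
# is (v - S(z, v)) * L - z. The two families of S below are the ones
# analysed in their 2002 paper; all numeric parameters are constructed.

GORDON_LOEB_BOUND = 1 / math.e  # ~0.368: the "37% of expected loss" cap

def class1(alpha, beta):
    """S(z, v) = v / (alpha*z + 1)**beta, alpha > 0, beta >= 1."""
    return lambda z, v: v / (alpha * z + 1) ** beta

def class2(alpha):
    """S(z, v) = v ** (alpha*z + 1), alpha > 0."""
    return lambda z, v: v ** (alpha * z + 1)

def expected_net_benefit(S, z, v, L):
    return (v - S(z, v)) * L - z

def optimal_investment(S, v, L, step=0.01):
    """Grid search for the z maximising expected net benefit.

    Spending more than the expected loss v*L can never pay off, so the
    search stops there; the result is accurate to within `step`.
    """
    best_z, best_val = 0.0, expected_net_benefit(S, 0.0, v, L)
    z = step
    while z <= v * L:
        val = expected_net_benefit(S, z, v, L)
        if val > best_val:
            best_z, best_val = z, val
        z += step
    return best_z

def share_of_expected_loss(S, v, L):
    """Optimal investment as a fraction of the expected loss v*L."""
    return optimal_investment(S, v, L) / (v * L)

# Constructed class-2 parameters that actually reach the 1/e cap:
# with v = 1/e and alpha*L = e**2 the first-order condition gives z* = 1/alpha.
TIGHT_V, TIGHT_L = 1 / math.e, 100.0
TIGHT_ALPHA = math.e ** 2 / TIGHT_L

if __name__ == "__main__":
    for name, S in [("class 1", class1(1.0, 1.0)), ("class 2", class2(1.0))]:
        print(name, round(share_of_expected_loss(S, 0.5, 100.0), 3))
    print("tight case", round(share_of_expected_loss(class2(TIGHT_ALPHA), TIGHT_V, TIGHT_L), 3))
```

For the two illustrative parameter sets the optimal spend comes out near 10-12% of expected loss, well under the cap; only the specially constructed case touches 1/e, which is the sense in which 37% is a ceiling rather than a target.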