Shostack + Friends Blog Archive

 

Decision Making Not Analysis Paralysis

There’s been a lot of pushback against using Risk Management in Information Security because we don’t have enough information to make a good decision. Yet every security professional makes decisions despite a lack of information. If we didn’t, we’d never get anything done. Hell, we’d never get out of bed in the morning. There’s a great post by Ben Horowitz talking about how CEOs make decisions:

Courage is particularly important, because every decision that a CEO makes is based on incomplete information. In fact, at the time of the decision, the CEO will generally have less than 10% of the information typically present in the ensuing Harvard Business School case study.

Sound familiar? Sounds like my job every single day. Personally, I like to have some data-based rationale for how those decisions get made. Don’t you?

[Hat Tip to @aneel]

2 comments on "Decision Making Not Analysis Paralysis"

  • Dan Arista says:

    Adam,
    I’ve made a similar analogy to marketing and advertising decisions…there is plenty of guesswork there too, but executives make decisions (and are held accountable to them) every day.
    -Dan

  • Pingback: It’s Your Methods, Not Your Madness — Security Bloggers Network [link to http://www.securitybloggersnetwork.com/2010/06/its-your-methods-not-your-madness/ no longer works]
