Comments on: My Advice for the Pragmatic CSO

By: Adam

Adam — Wed, 20 Dec 2006 18:02:48 +0000

Out of context? Please tell, what’s the additional context needed? I believe Gordon and Loeb to be an important partnership-they’ve published important papers (I’ve bemoaned them not being available online in the past), and an important book.
In both a paper and their book, they explain, in depth, the reason they say to cap spending at 37% based on a continuous, price curve. It’s easy to argue that prices are not contiguous, and there are (as Nick Owen has pointed out) other critiques. But you were incitefuly dismissive.

By: Nick Owen, the Whiny

Nick Owen, the Whiny — Wed, 20 Dec 2006 16:53:12 +0000

Mike:
Did you read my (http://www.wikidsystems.com/WiKIDBlog/incentive-plan-for-an-information-security-team) original post? I think I was pretty clear that you could pick your own percentage. Consider:
“First, assume that you believe, as discussed in Gordon & Loeb’s book Managing Cybersecurity Resources: A Cost-Benefit Analysis and discussed here that an organization should spend no more than 37%”
and, pertinently:
“If this cap doesn’t work for you, then you can do more research or negotiate a cap.”
or, to sum:
“So there it is, just a simple, starting point proposal.”
I posted a response to responses: http://www.wikidsystems.com/WiKIDBlog/response-to-responses-incentive-plans-for-information-security-professionals, since I took umbrage at some of the responses posted by the grump-meisters at Emergent Chaos.

By: Mike Rothman

Mike Rothman — Wed, 20 Dec 2006 16:04:55 +0000

Grumpy grumpy grumpy. Nice job of taking my snippet out of context Adam. The reality is that little snippets of this book (like don’t spend more than 37% on security) traverse the Internet and pick up steam. I wanted to share my opinion that putting an arbitrary cap on what you should do from a security budgeting standpoint didn’t make sense to me.
And if I recall correctly, you’ve gotten some “incite” from my work in the past. :-)