Security 500 conference     

 Don’t miss the networking event of the year for security executives!
Register today for the Security 500 Conference.

Trends Column / Security 500 Report

How Security Ball Can Help Enterprises Succeed in a Risk-Nado!

Learn how to change the game of security with better statistics

November 5, 2013
Trans

Michael Lewis revealed the winning formula for a low payroll Major League Baseball team in “Moneyball:” Numbers, or really, the application of quantitative analysis to the game of baseball, according to this "Moneyball" excerpt:

            There is an epidemic failure within the game to understand what is really happening. And this leads people who run Major League Baseball teams to misjudge their players and mismanage their teams. People who run ball clubs, they think in terms of buying players. Your goal shouldn’t be to buy players; your goal should be to buy wins. And in order to buy wins, you need to buy runs. You’re trying to replace Johnny Damon. The Boston Red Sox see Johnny Damon and they see a star who’s worth seven and half million dollars a year.

              When I see Johnny Damon, what I see is... is... an imperfect understanding of where runs come from. The guy’s got a great glove. He’s a decent leadoff hitter. He can steal bases. But is he worth the seven and half million dollars a year that the Boston Red Sox are paying him? No. No. Baseball thinking is medieval. They are asking all the wrong questions. I think it’s a good thing that you got Damon off your payroll. I think it opens up all kinds of interesting possibilities.

            It’s about getting things down to one number. Using the stats the way we read them, we’ll find value in players that no one else can see. People are overlooked for a variety of biased reasons and perceived flaws. Age, appearance, personality. Bill James and mathematics cut straight through that.

These metrics were often overlooked or misunderstood by other teams. Billy Beane, General Manager of the Oakland Athletics used those numbers to reach the playoffs. By leveraging statistics as Bases on Balls, Slugging Percentage, On-base Percentage, Runs Batted In and BA/RISP (batting average with runners in scoring position) he changed the future of baseball to a game of applied statistical probability. If you are a baseball fan, you have Mr. Beane to thank for the 30 minutes it now takes for a specialty pitcher to enter the game, warm up, pitch to one batter and be relieved by the next specialty pitcher.

The Oakland A’s success made the case that the traditional thinking and management practices for predicting player success and building teams was fatally flawed. Any manager in today’s game who fails to invest 30 minutes and insert that specialist pitcher to face one batter based on stats would risk his job. And fans, immersed in statistics, would boo such a flagrant disregard for measurable statistical facts.

So how does this apply to enterprise security?

The Security 500 members are playing Security Ball: The application of quantitative analytics to risk management. Security may be late to the party, but it is not immune to management principles that demand metrics based decision-making. For example, take a walk through your enterprise. Start with your CFO, who probably lives with the mantra “The spreadsheet never lies” to identify how a business unit or service department is truly performing. Marketing genius is now less about creative ability and more about mathematical calculation. The best brand managers deal in hundredths of a percent market-share shifts, not memorable jingles. And sales success is predicted by activity reports in a Customer Relationship Management system such as Salesforce.com. Forecasting performance is preferred by the most successful sales managers over waiting for last quarter’s sales to reveal what analytic forecasts already show.

As Steve Van Till wrote recently in Security: “At the core is the application of big data mining to risk management. Big data is a perfect fit for cloud computing due to unlimited on-demand resources. The ROI comes from unique insights not previously possible on smaller data sets or local servers. Besides economics benefits, there is real potential for improving life safety and property protection with real-time analytics.” The security occupation has become a profession and with that shift, it has changed from doing to managing. And managing demands metrics. It is time to play Security Ball.

As this year’s Security 500 Report identifies, CSOs and their teams have worked to get in front of risk and ensure resilience when mitigation fails and events occur. Gathering intelligence, creating situational awareness, implementing a risk management program and remaining resilient demands gathering and managing the numbers to document threats and justify investments that eliminate vulnerabilities.

Yes, we are having some fun playing off of the hit cult movie “Sharknado,” to make the point that getting in front of risk means managing in a Risk-Nado. While resilience and response to unforeseen events is a critical component of successful security programs, nothing is clearer in this year’s survey results than the significant and continued move to proactive identification of risk and mitigation of threats. It is the best practice to get investment by supporting organizational goals and managing within a constantly growing Risk-Nado. 

Did you enjoy this article? Click here to subscribe to Security Magazine. 

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

Security Magazine 2014 September cover

2014 October

Security takes a look at safety and preparedness for the harshest of weather phenomena in this October 2014 edition of the magazine. Also, we investigate supply chain security and the many benefits of PSIM. 

Table Of Contents Subscribe

Travel & the Ebola Risk

Are you and your enterprise restricting travel due to Ebola risks?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.