How Security Ball Can Help Enterprises Succeed in a Risk-Nado!

Learn how to change the game of security with better statistics

November 5, 2013

Michael Lewis revealed the winning formula for a low payroll Major League Baseball team in “Moneyball:” Numbers, or really, the application of quantitative analysis to the game of baseball, according to this "Moneyball" excerpt:

There is an epidemic failure within the game to understand what is really happening. And this leads people who run Major League Baseball teams to misjudge their players and mismanage their teams. People who run ball clubs, they think in terms of buying players. Your goal shouldn’t be to buy players; your goal should be to buy wins. And in order to buy wins, you need to buy runs. You’re trying to replace Johnny Damon. The Boston Red Sox see Johnny Damon and they see a star who’s worth seven and half million dollars a year.

When I see Johnny Damon, what I see is... is... an imperfect understanding of where runs come from. The guy’s got a great glove. He’s a decent leadoff hitter. He can steal bases. But is he worth the seven and half million dollars a year that the Boston Red Sox are paying him? No. No. Baseball thinking is medieval. They are asking all the wrong questions. I think it’s a good thing that you got Damon off your payroll. I think it opens up all kinds of interesting possibilities.

It’s about getting things down to one number. Using the stats the way we read them, we’ll find value in players that no one else can see. People are overlooked for a variety of biased reasons and perceived flaws. Age, appearance, personality. Bill James and mathematics cut straight through that.

These metrics were often overlooked or misunderstood by other teams. Billy Beane, General Manager of the Oakland Athletics used those numbers to reach the playoffs. By leveraging statistics as Bases on Balls, Slugging Percentage, On-base Percentage, Runs Batted In and BA/RISP (batting average with runners in scoring position) he changed the future of baseball to a game of applied statistical probability. If you are a baseball fan, you have Mr. Beane to thank for the 30 minutes it now takes for a specialty pitcher to enter the game, warm up, pitch to one batter and be relieved by the next specialty pitcher.

The Oakland A’s success made the case that the traditional thinking and management practices for predicting player success and building teams was fatally flawed. Any manager in today’s game who fails to invest 30 minutes and insert that specialist pitcher to face one batter based on stats would risk his job. And fans, immersed in statistics, would boo such a flagrant disregard for measurable statistical facts.

So how does this apply to enterprise security?

The Security 500 members are playing Security Ball: The application of quantitative analytics to risk management. Security may be late to the party, but it is not immune to management principles that demand metrics based decision-making. For example, take a walk through your enterprise. Start with your CFO, who probably lives with the mantra “The spreadsheet never lies” to identify how a business unit or service department is truly performing. Marketing genius is now less about creative ability and more about mathematical calculation. The best brand managers deal in hundredths of a percent market-share shifts, not memorable jingles. And sales success is predicted by activity reports in a Customer Relationship Management system such as Salesforce.com. Forecasting performance is preferred by the most successful sales managers over waiting for last quarter’s sales to reveal what analytic forecasts already show.

As Steve Van Till wrote recently in Security: “At the core is the application of big data mining to risk management. Big data is a perfect fit for cloud computing due to unlimited on-demand resources. The ROI comes from unique insights not previously possible on smaller data sets or local servers. Besides economics benefits, there is real potential for improving life safety and property protection with real-time analytics.” The security occupation has become a profession and with that shift, it has changed from doing to managing. And managing demands metrics. It is time to play Security Ball.

As this year’s Security 500 Report identifies, CSOs and their teams have worked to get in front of risk and ensure resilience when mitigation fails and events occur. Gathering intelligence, creating situational awareness, implementing a risk management program and remaining resilient demands gathering and managing the numbers to document threats and justify investments that eliminate vulnerabilities.

Yes, we are having some fun playing off of the hit cult movie “Sharknado,” to make the point that getting in front of risk means managing in a Risk-Nado. While resilience and response to unforeseen events is a critical component of successful security programs, nothing is clearer in this year’s survey results than the significant and continued move to proactive identification of risk and mitigation of threats. It is the best practice to get investment by supporting organizational goals and managing within a constantly growing Risk-Nado.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.