Learn how to change the game of security with better statistics

November 5, 2013

Michael Lewis revealed the winning formula for a low payroll Major League Baseball team in “Moneyball:” Numbers, or really, the application of quantitative analysis to the game of baseball, according to this "Moneyball" excerpt:

There is an epidemic failure within the game to understand what is really happening. And this leads people who run Major League Baseball teams to misjudge their players and mismanage their teams. People who run ball clubs, they think in terms of buying players. Your goal shouldn’t be to buy players; your goal should be to buy wins. And in order to buy wins, you need to buy runs. You’re trying to replace Johnny Damon. The Boston Red Sox see Johnny Damon and they see a star who’s worth seven and half million dollars a year.

When I see Johnny Damon, what I see is... is... an imperfect understanding of where runs come from. The guy’s got a great glove. He’s a decent leadoff hitter. He can steal bases. But is he worth the seven and half million dollars a year that the Boston Red Sox are paying him? No. No. Baseball thinking is medieval. They are asking all the wrong questions. I think it’s a good thing that you got Damon off your payroll. I think it opens up all kinds of interesting possibilities.

It’s about getting things down to one number. Using the stats the way we read them, we’ll find value in players that no one else can see. People are overlooked for a variety of biased reasons and perceived flaws. Age, appearance, personality. Bill James and mathematics cut straight through that.

These metrics were often overlooked or misunderstood by other teams. Billy Beane, General Manager of the Oakland Athletics used those numbers to reach the playoffs. By leveraging statistics as Bases on Balls, Slugging Percentage, On-base Percentage, Runs Batted In and BA/RISP (batting average with runners in scoring position) he changed the future of baseball to a game of applied statistical probability. If you are a baseball fan, you have Mr. Beane to thank for the 30 minutes it now takes for a specialty pitcher to enter the game, warm up, pitch to one batter and be relieved by the next specialty pitcher.

The Oakland A’s success made the case that the traditional thinking and management practices for predicting player success and building teams was fatally flawed. Any manager in today’s game who fails to invest 30 minutes and insert that specialist pitcher to face one batter based on stats would risk his job. And fans, immersed in statistics, would boo such a flagrant disregard for measurable statistical facts.

So how does this apply to enterprise security?

The Security 500 members are playing Security Ball: The application of quantitative analytics to risk management. Security may be late to the party, but it is not immune to management principles that demand metrics based decision-making. For example, take a walk through your enterprise. Start with your CFO, who probably lives with the mantra “The spreadsheet never lies” to identify how a business unit or service department is truly performing. Marketing genius is now less about creative ability and more about mathematical calculation. The best brand managers deal in hundredths of a percent market-share shifts, not memorable jingles. And sales success is predicted by activity reports in a Customer Relationship Management system such as Salesforce.com. Forecasting performance is preferred by the most successful sales managers over waiting for last quarter’s sales to reveal what analytic forecasts already show.

As Steve Van Till wrote recently in Security: “At the core is the application of big data mining to risk management. Big data is a perfect fit for cloud computing due to unlimited on-demand resources. The ROI comes from unique insights not previously possible on smaller data sets or local servers. Besides economics benefits, there is real potential for improving life safety and property protection with real-time analytics.” The security occupation has become a profession and with that shift, it has changed from doing to managing. And managing demands metrics. It is time to play Security Ball.

As this year’s Security 500 Report identifies, CSOs and their teams have worked to get in front of risk and ensure resilience when mitigation fails and events occur. Gathering intelligence, creating situational awareness, implementing a risk management program and remaining resilient demands gathering and managing the numbers to document threats and justify investments that eliminate vulnerabilities.

Yes, we are having some fun playing off of the hit cult movie “Sharknado,” to make the point that getting in front of risk means managing in a Risk-Nado. While resilience and response to unforeseen events is a critical component of successful security programs, nothing is clearer in this year’s survey results than the significant and continued move to proactive identification of risk and mitigation of threats. It is the best practice to get investment by supporting organizational goals and managing within a constantly growing Risk-Nado.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 October

This month in Security magazine, we explore how Corning's global security group ensured business continuity and employee safety during the global COVID-19 pandemic. Also, we highlight the global security team at Uber and their recent security programs and initiatives. Industry experts discuss travel safety programs, career hackers, working for terrible bosses, group attribution error and more.

View More Create Account

How Security Ball Can Help Enterprises Succeed in a Risk-Nado!

Learn how to change the game of security with better statistics

Related Articles

Related Events

Report Abusive Comment