[Infra to use, to protect]

On then, with the dream of rational (i.e., ‘cost-effective’) information security control selection. Apart from the definitions, distinctions and boundaries between operations management, information management, data management, information security, IT security, business continuity management, etc. – I don’t really care, they all end up with the same sort of ‘risk analysis’ quod non (see earlier posts, the most prominent being this one) and a sort of afterburner about weighing costs versus benefits of controls to be put in place. Nothing on all the stuff I discussed in that prominent post: the time-sensitive chances, impacts and effectivenesses of threats, vulnerabilities and controls, individually and in interactions; feedforward and feedback loops; the enormity of the lack of reliable data and the overwhelming noise and error this introduces into any calculation.
And nothing on how one should go about estimating the costs of controls vis-à-vis their effectiveness. Because that’s even harder to do, when one has continuous but very often hardly-quantifiable costs of controls individually let alone in conjunction with others (all with costs varying in time, again, too ..!).

Can we do discretionary spend ..? Yes, IF (that’s a big if) we compare it with the discretionary gain in protection (risk reduction) if embedded in the set of controls already in place. In place, not on paper, but in reality – if you think you’re fully compliant: So was the NSA until Edward S. came along; you are infinitely further off.

Can we do overall cost, and overall effectiveness ..? Yes, IF (that’s a big if) you stay away from anything that resembles numbers and keep it completely qualitative.

Will that show that we’re just doing something, and end up with something, and nobody’s sure about anything ..? Yes, big certainty (pun wasn’t intended but I’ll leave it in).

Can we do better ..? Maybe, as far as we plaster our memos in boldface caveats and leave accountability where it should be: at the Board level. If they don’t get it and you can prove that, they should be fired for incompetence and malpractice. They’re paid to live with the risks, and the accountabilities. (No, they’re not paid for performance or so. Their positive contribution to the bottom line cannot be provably linked to them; negative performance often can be. See my post on Mintzberg’s Managing, quotes of pp. 225– for indications.)
So, how would they be capable of discussing security improvement project budgets ..? As the aforementioned book, by quote, has throughout: Just let the folks at the shop-floor level do their work; give them the room to do what they think, know, in detail, is best.

Leave it to beaver. My hourly rate isn’t all that bad.

I’ll return to this subject. Also in the light of porosity and OSSTMM.