Maturity & Measurement Redux
My friend Mike Rothman had some fun things to say about a post I made last year in his recent Insight. Love ya, Mike, but I have to respond in kind.
“I’ve used the saying, ‘when all you have is a hammer, everything looks like a nail.’ Alex’s idea that maturity is based on the ability to measure (from this early December post) is true, but only if you are focused on quantifying risk.”
1.) Um, no. The reason to measure is two-fold: either to align the program with the organization’s risk tolerance, or to create operational efficiencies. The latter has little to do with quantifying risk. It’s also worth noting that both can be done, and measured, qualitatively if you so wish.
“There are a lot of different ways to qualify security maturity, especially program maturity and not all of them involve measurement.”
2.) Mike, I challenge you to name one. The act of observation lends itself to judgment, and judgment is in turn measurement. The only way to not measure is to not look. Or maybe you’re holding out on us, and the follow-up to the Pragmatic CSO is a whole new approach to business management: the Schrödinger’s Cat School of Risk Management?
“A mature security program has as much to do with perception as it does with metrics. In my opinion anyway. I believe that some programs that are weak on metrics (how many do we know that have strong metrics) can still be mature in perception, where the CISO is respected and part of the discussion.”
Who cares about mature in perception? Wouldn’t you rather be mature in practice? Mature in practice would have to be demonstrable with more than a suntan and a grin.
The logical outcome of this sort of thinking, if I’m reading it right, is that maturity for an IRM program is equated not to “secure” but to “individual charisma.” Honestly, I would think that this is exactly the sort of reason folks would want to measure.
Think about that for a second: what you’re saying is that our faith in the Big Chief makes us secure, not the act of managing the program(1). Public-company CEOs and other significant figures in business are graded not on personality but on the measurements we create for them. That’s just the way business works. But a Chief Security Officer is different for some reason? They can suck and get away with it?
Honestly, if this were true, would we have any reason to buy Mike’s product? Doesn’t EiQ want you to not just “collect data” but “make sense of it”?
============
(1) And if we think that Big Chief Security is doing a good job just because they look good, isn’t that a measurement anyway, one that just relies on a very faulty metric?


Jon Robinson Jan 21
yes.