September 22, 2015
The Moneyball Approach to Cyber
Security officers use the equivalent of batting averages for cyber risk but can now move toward a Moneyball level of sophistication.
It took a while for me to understand baseball: I didn’t get it until someone pointed out that I was watching the game when I should have been watching the season.
Much of the game’s strategy snapped into focus — and the differentiation between game-day action and long-term success illustrates key lessons that information security executives need to learn.
Love it or hate it, Moneyball is part of the game now. Moneyball and sabermetrics (applying sophisticated statistical analysis to baseball records) help teams avoid overspending on showy all-arounders and focus instead on key metrics, however unusual, to build a successful team.
Information security should follow the same strategy. (And most chief information security officers (CISOs) probably feel more kinship with the cash-strapped Oakland Athletics, pioneers of Moneyball, than with the flush New York Yankees.) CISOs will see that, as in baseball, relying on a few stars to carry the team is a short-sighted and potentially costly plan.
In his 2014 Black Hat keynote, computer security analyst Dan Geer declared the end of the era of information security generalists. It can be hard to measure the contributions of specialists. We understand the easy metrics intuitively: the “batting averages” of information security. But it is the hard and subtle metrics that really teach us something new. Getting these metrics will require automation and thoughtful changes to existing sources of unstructured data: processes performed manually can’t keep pace with business needs.
Alongside the outmoded concept of star all-arounders, we also should toss the concept of clutch players. Statistically, they don’t exist, and seeking them out in a technical organization is asking to be deceived; individual heroics are dramatic but not sustainable. An organization’s long-term success won’t be seen in the individual who burns the midnight oil to deploy the patch of the week, but in the one who quietly solves the problems around reliable, rolling deployments.
CISOs should also listen to the refrain of baseball commentators: “fundamentals.” A team that cannot execute basic, everyday maneuvers flawlessly is not prepared to get fancy. There’s no point in deploying a shiny intrusion-detection system or hiring an expensive, full-contact “red team” unless operations can convince you that every last default password has been changed.
Finally, we can take one more lesson from the game: Every so often, be sure to stand up and stretch.