Truth About Computer Security Hysteria
Goals? For computer security? Get real!
Rob Rosenberger, Vmyths co-founderMonday, 3 January 2005
| BOB! I'M GLAD you could see me. Come in. Shut the door. Let's talk security. | |
| I hope you've been able to settle in as our new CIO, sir. What can I do for you today? | |
| As a matter of fact, Bob, I've settled in pretty nicely. I see you've been our computer security manager for a couple of years now, and I made a new year's resolution that affects you. Frankly, Bob, I'd like to set some measurable goals for you. | |
| Measurable goals, sir? | |
| Yes. Now, I know my predecessor never did that with you, but I see he set goals for everyone else around here. I think it's time we raised the bar for you, Bob. | |
| What kind of goals did you have in mind, sir? | |
| I'm glad you asked, Bob. First, I'd like to set a goal of zero virus infections for our company this year. | |
| Zero?!? Sir, that's not a realistic— | |
| Now now, Bob. I know you've been a failure at stopping viruses— | |
| Sir, my team's not failing. It's just that we can't stop viruses from infe— | |
| There, Bob, you see? "We can't stop viruses." That's failure talk, Bob. Let me ask you something. Do antivirus firms get infected? | |
| Well, no. But that's becau— | |
| Global corporations like Symantec and McAfee can keep their own computers clean, but our company can't do the same for some reason? | |
| Sir, we're not an antivirus firm. | |
| "We're not an antivirus firm." Okay, Bob, I see your point. Zero's just not a realistic goal for you. So. What is a realistic goal? | |
| Sir? | |
| What's the minimum number of computers you'll fail to protect from viruses this year? | |
| Sir? | |
| Bob, it's simple. You tell me some of our computers must get infected. I tell you I want to keep it to as few as possible. What do you think is the minimum number of computers you'll fail to protect from viruses this year? | |
| Well, sir, I don't know the answer. Some years, virus writers don't do much. Other years, they do a lot. | |
| Okay then, Bob, let's start with last year's figures and work our way down from there. How many computers did you fail to protect from viruses last year? | |
| Sir? | |
| How many of our PCs did you disinfect last year? | |
| I don't really know the answer, sir. | |
| Why not, Bob? | |
| Because we don't keep track of it, sir. | |
| Waitaminit, Bob. You're the computer security manager, right? | |
| That's what I was hired for, sir. | |
| Our webmaster showed me all sorts of data & metrics to justify his job. {thud} There's his annual report. You mean to tell me you're not keeping vital data & metrics to justify your job? | |
| My team is constantly fighting viruses, sir. I hope you can believe me. | |
| I do believe you, Bob. But it sounds like I have to take you entirely on faith. You have no data about the viruses that got loose on our computers? | |
| No, sir. | |
| And you're telling me you can't keep our computer infections down to zero. | |
| It's just not possible, sir. | |
| It's not possible for you, Bob. Antivirus firms keep their own infections down to zero, right? | |
| We're not an antivirus firm, sir. | |
| "We're not an antivirus firm." But we do have an antivirus "solution," right? | |
| Yes. | |
| Then why doesn't it solve our virus problem, Bob? | |
| I— well, I don't have a good answer for that, sir. | |
| But you can at least help me to set some measurable goals for you, right? | |
| Sir, I just don't know how many computers will get infected with viruses this year. | |
|
OKAY, BOB. I'M running a little short on time here. Let me summarize our meeting. We pay big money for an antivirus solution that doesn't really solve our virus problem... | |
| Correct. | |
| ...and we can't stop viruses from infecting our computers... | |
| Correct. | |
| ...even though antivirus firms stop viruses from infecting their own computers... | |
| Yes. | |
| ...and this is why you're the only one on my team who operates without measurable goals. Right, Bob? | |
| Sir, I just don't know how to set a goal for you. | |
| Well, Bob, you can't really set goals without data or metrics, can you? | |
| No, sir. | |
| I hate to say it, Bob, but I'm disappointed by our meeting today. | |
| So am I, sir. | |
| Why don't you ask my secretary to schedule another meeting for us next week. I really do want to baseline some goals for you. | |
| That's fine, sir. | |
| I tell you what, Bob. Why don't you spend this week doing a little research for me. I want to know in general terms why our antivirus solution fails to solve our virus problem. | |
| I'll get right on it, sir. | |
| Now, Bob! As I understand it, you spearheaded this big antivirus solution years ago. Right? | |
| That's right, sir. | |
| And I think we both agree your "solution" doesn't solve our virus problem, right? | |
| Correct, sir. | |
| Okay, Bob. At least we agree there's a problem with your "solution." | |
| Yes, sir. I totally agree with you. | |
| Bob, is it possible your lack of data, metrics, and goals kept you from seeing the failure of your antivirus "solution"? | |
| It's entirely possible, sir. Data is very important. | |
| Actually, Bob, good data is very important. There's a lot of bad data out there. | |
| Very true, sir. | |
| Two more things, Bob, and then we'll wrap this up. | |
| Yes? | |
| First. When we meet next week, I want you to have a number in mind. I want to know how many computers you must fail to protect from viruses this year. My goal will be to keep you to that number. | |
| Understood, sir. And? | |
| Second. I want to know exactly how many computers your team disinfects this week. I want to know the names of the viruses and which computers here at the firm got them. | |
| I understand, sir. I'll ask your secretary to arrange our next meeting when I pass by her desk. | |
| Bob. | |
| Sir? | |
| I see your entire team received full bonuses each year since you were hired. | |
| Yes, sir. | |
| And your entire team received average-or-better raises each year since you were hired. | |
| Yes, sir. | |
| One of our people failed to meet his goals last year, Bob. My predecessor didn't give him a full bonus and he capped the team's raises. You had no goals, and your team got full bonuses and you all got a decent raise. | |
| I— | |
| Bob, can you think of any reason why I shouldn't tie your bonuses and raises to measurable goals like everyone else? | |
| —I can't think of any reason, sir. | |
| Can you think of any reason why you shouldn't keep data on your most important tasks, Bob? | |
| I can't think of any reason, sir. | |
| Heads up, Bob. Your team's bonuses and raises will be tied to data, metrics, and goals from now on. | |
| I understand, sir. | |
| I'm glad to hear it, Bob. I know we're both disappointed in the way this meeting turned out, but I do hope you have a good day. | |
| Thank you, sir. I hope you have a good day, too. I'll speak to your secretary on my way out... |