Truth About Computer Security Hysteria

Goals? For computer security? Get real!

Rob Rosenberger, Vmyths co-founder
Monday, 3 January 2005

BOB! I'M GLAD you could see me. Come in. Shut the door. Let's talk security.  
  I hope you've been able to settle in as our new CIO, sir. What can I do for you today?
As a matter of fact, Bob, I've settled in pretty nicely. I see you've been our computer security manager for a couple of years now, and I made a new year's resolution that affects you. Frankly, Bob, I'd like to set some measurable goals for you.  
  Measurable goals, sir?
Yes. Now, I know my predecessor never did that with you, but I see he set goals for everyone else around here. I think it's time we raised the bar for you, Bob.  
  What kind of goals did you have in mind, sir?
I'm glad you asked, Bob. First, I'd like to set a goal of zero virus infections for our company this year.  
  Zero?!? Sir, that's not a realistic--
Now now, Bob. I know you've been a failure at stopping viruses--  
  Sir, my team's not failing. It's just that we can't stop viruses from infe--
There, Bob, you see? "We can't stop viruses." That's failure talk, Bob. Let me ask you something. Do antivirus firms get infected?  
  Well, no. But that's becau--
Global corporations like Symantec and McAfee can keep their own computers clean, but our company can't do the same for some reason?  
  Sir, we're not an antivirus firm.
"We're not an antivirus firm." Okay, Bob, I see your point. Zero's just not a realistic goal for you. So. What is a realistic goal?  
Bob, it's simple. You tell me some of our computers must get infected. I tell you I want to keep it to as few as possible. What do you think is the minimum number of computers you'll fail to protect from viruses this year?  
  Well, sir, I don't know the answer. Some years, virus writers don't do much. Other years, they do a lot.
Okay then, Bob, let's start with last year's figures and work our way down from there. How many computers did you fail to protect from viruses last year?  
How many of our PCs did you disinfect last year?
  I don't really know the answer, sir.
Why not, Bob?  
  Because we don't keep track of it, sir.
Waitaminit, Bob. You're the computer security manager, right?  
  That's what I was hired for, sir.
Our webmaster showed me all sorts of data & metrics to justify his job. {thud} There's his annual report. You mean to tell me you're not keeping vital data & metrics to justify your job?  
  My team is constantly fighting viruses, sir. I hope you can believe me.
I do believe you, Bob. But it sounds like I have to take you entirely on faith. You have no data about the viruses that got loose on our computers?  
  No, sir.
And you're telling me you can't keep our computer infections down to zero.  
  It's just not possible, sir.
It's not possible for you, Bob. Antivirus firms keep their own infections down to zero, right?  
  We're not an antivirus firm, sir.
"We're not an antivirus firm." But we do have an antivirus "solution," right?  
Then why doesn't it solve our virus problem, Bob?  
  I-- well, I don't have a good answer for that, sir.
But you can at least help me to set some measurable goals for you, right?  
  Sir, I just don't know how many computers will get infected with viruses this year.

OKAY, BOB. I'M running a little short on time here. Let me summarize our meeting. We pay big money for an antivirus solution that doesn't really solve our virus problem...
...and we can't stop viruses from infecting our computers...  
...even though antivirus firms stop viruses from infecting their own computers...  
...and this is why you're the only one on my team who operates without measurable goals. Right, Bob?  
  Sir, I just don't know how to set a goal for you.
Well, Bob, you can't really set goals without data or metrics, can you?  
  No, sir.
I hate to say it, Bob, but I'm disappointed by our meeting today.  
  So am I, sir.
Why don't you ask my secretary to schedule another meeting for us next week. I really do want to baseline some goals for you.  
  That's fine, sir.
I tell you what, Bob. Why don't you spend this week doing a little research for me. I want to know in general terms why our antivirus solution fails to solve our virus problem.  
  I'll get right on it, sir.
Now, Bob! As I understand it, you spearheaded this big antivirus solution years ago. Right?  
  That's right, sir.
And I think we both agree your "solution" doesn't solve our virus problem, right?  
  Correct, sir.
Okay, Bob. At least we agree there's a problem with your "solution."  
  Yes, sir. I totally agree with you.
Bob, is it possible your lack of data, metrics, and goals kept you from seeing the failure of your antivirus "solution"?  
  It's entirely possible, sir. Data is very important.
Actually, Bob, good data is very important. There's a lot of bad data out there.  
  Very true, sir.
Two more things, Bob, and then we'll wrap this up.  
First. When we meet next week, I want you to have a number in mind. I want to know how many computers you must fail to protect from viruses this year. My goal will be to keep you to that number.  
  Understood, sir. And?
Second. I want to know exactly how many computers your team disinfects this week. I want to know the names of the viruses and which computers here at the firm got them.  
  I understand, sir. I'll ask your secretary to arrange our next meeting when I pass by her desk.
I see your entire team received full bonuses each year since you were hired.  
  Yes, sir.
And your entire team received average-or-better raises each year since you were hired.  
  Yes, sir.
One of our people failed to meet his goals last year, Bob. My predecessor didn't give him a full bonus and he capped the team's raises. You had no goals, and your team got full bonuses and you all got a decent raise.  
Bob, can you think of any reason why I shouldn't tie your bonuses and raises to measurable goals like everyone else?  
  --I can't think of any reason, sir.
Can you think of any reason why you shouldn't keep data on your most important tasks, Bob?  
  I can't think of any reason, sir.
Heads up, Bob. Your team's bonuses and raises will be tied to data, metrics, and goals from now on.  
  I understand, sir.
I'm glad to hear it, Bob. I know we're both disappointed in the way this meeting turned out, but I do hope you have a good day.
  Thank you, sir. I hope you have a good day, too. I'll speak to your secretary on my way out...
