OK, so Warren Buffett didn't really give information security advice. He gave investment advice. The objective of risk management, which I believe is the foundation of information security, is to make good investment decisions. We need to decide how best to invest our time, resources and money to reduce risk to an acceptable level. All of these are in limited supply and should yield the maximum return on investment.
I recently read an article on Warren Buffett's investment advice, and, surprisingly, I found that much of it applies to information security. Maybe the advice is so fundamental or broad that it applies to other domains. Or maybe some of the parallels I am drawing are just a stretch of my imagination. Nonetheless, I believe there are some lessons to be learned.
Osama Salah is the founder of the Abu Dhabi chapter of the FAIR Institute. This article originally appeared on LinkedIn.
Here's the article: Warren Buffett: If you invest this way, 'you can't miss'
"But if you can play out your hand, and you've got the right facts, and you reason by yourself, and you let the market serve you and not instruct you, you can't miss."
When we make information security decisions, do we make an objective analysis using available data, or do we reach a subjective decision using intuition and bias? Do we reason with ourselves, or do we only give the impression that we do (Risk Management Theatre)? Are we rational or rationalizing? Are we aware of our own biases and do we take deliberate steps to overcome them, or do we ignore them and succumb to them? Do we deliberately activate "System 2" thinking or allow "System 1" to lead us astray? Are we influenced by the latest security marketing hype, or do we clearly understand our problem and go back with an open mind to look for solutions that might not adhere to the latest marketing messages?
For anyone following my postings, you know where I stand. It's clear to me that quantitative risk analysis models like FAIR do address this, while qualitative risk management does not.
Your opinions and emotions aren't likely to help you. "Being contrarian has no special virtue over being a trend follower," Buffett says. Instead, the Oracle of Omaha suggests taking a pragmatic approach to investing decisions. First, gather all of your facts. Next, learn how to dissect them to find the pertinent information you need to make your decision. For Buffett, that means looking for the pieces that are "important and knowable."
"opinions and emotions": In FAIR, we work with as much data as is available and reasonable for the analysis. Calibration training, the FAIR model and the analysis process itself actively help counteract our biases.
"pragmatic approach to investing decisions": The FAIR model and process are pragmatic, and the purpose of the analysis is to reach an "investing decision". FAIR practitioners are pragmatic: they value the scoping process and use a quick triage to prioritize where to focus the analysis. We don't take the "boil the ocean" approach and blindly apply it to everything. Despite all the misconceptions, quantitative risk management isn't complicated and doesn't require much more time than qualitative risk management. But the comparison in terms of complexity and time would really be relevant only if qualitative risk management were actually known to work; however, there is no empirical evidence that it does.
"learn how to dissect": That's exactly what the FAIR model enables. It helps us think critically about the risk scenario, break it apart, i.e. "dissect" it into its parts, and learn how they affect each other. We then set out to "find the pertinent information" we need.
"If something's important but unknowable, forget it," he says. "I mean, it may be important whether somebody's going to drop a nuclear weapon tomorrow, but it's unknowable."
Through a quick triage, FAIR lite, etc., we make quick decisions on prioritizing the analysis. We don't waste time on scenarios that don't add value.
Focus on the variables that you do have at your disposal. Once you've narrowed down your information, "then you decide whether you have information of sufficient value that — compared to price and all that — will cause you to act," Buffett explains.
FAIR practitioners are trained to decide how deep to go into the model. We learn not to overanalyze and to find the right balance. We learn that measurements are a type of information and that the value of information diminishes after a certain point. We learn when to acknowledge that collecting more data is not necessarily going to improve the analysis, and to realize that a little accurate data is better than a lot of "inaccurate" data.
Whether or not you choose to invest in something should be based on your research, not on your reaction to what other people are doing and saying. As Buffett puts it, "what others are doing means nothing."
That's why Buffett recommends doing your homework beforehand and investing in solid companies that will last, rather than trying to time the market or react to your anxieties. Concentrate on the facts, not how you're feeling.
FAIR is all about "research" or "analysis". FAIR analysts don't decide to go one way or the other because that’s what the market is doing. We certainly look at market trends, but as a source of information that needs to be analyzed. If "the perimeter is dead" and everyone is investing in "next generation endpoint solutions", we do take a breath and ask ourselves if we have overestimated the effectiveness of perimeter solutions. If new technologies emerge, we re-analyze the relevant risk scenario and evaluate their contribution.
"You're right because your facts and reasoning are right," Buffett told shareholders. "So all you do is you try to make sure that the facts you have are correct. And that's usually pretty easy to do in this country. I mean, information is available on all kinds of things. Internet makes it even easier."
I don't know any other cyber or operational risk analysis framework but FAIR that produces logical and defensible decisions.
Yes, the information is available, and as Douglas Hubbard's useful measurement assumptions remind us:
- "You have more data than you think."
- "You need less data than you think."
So yes, Warren Buffett wasn't talking about information security, but a lot of his investing advice is applicable to the information security domain.