Frank Bernhard: The Art of Uncertainty

To hear Frank Bernhard tell it, economics is anything but the dismal science—and risk management is the key to a CSO's success.


But it also comes down to what we label the economic value proposition. You have to weigh the economic value being created by security before you invest in it. And I come back to this point of diminishing returns. Does doing all of this (going to the airport and having to show your ID five different times to get on board the airplane) effectively mitigate the risk of an unknown passenger gaining access to get on that plane? What if the identity is forged? It seems you may have done nothing more than cause longer lines. You've certainly slowed productivity, and you've prevented people from doing the job they set out to do. Most security measures in some way or another harm the economic productivity of an organization or a customer base.

But how do you spend just enough to protect yourself against the negative outcome of something that you're trying to protect against?

Therein lies the ultimate economic equation. You only need to win the race by a nose. Basically you're trying to optimize the formula to say that if you put X dollars into security, you have Y risk that you feel comfortable with. And the investment sign should always be less than or equal to the amount of risk that's being borne.

What do you tell the CEO who asks, "So why should I buy security?"

Because you gotta have it. It's like, how do you sell the value of a dishwasher to a restaurant? You've got to have it because you've got to have clean dishes. Think of it not as an ROI problem but as an economic value discussion. What economic value does that dishwasher drive? Maybe it's a substitute for manual labor. We have to start with the conclusion that we want to have clean dishes. If you don't, that's a health-code violation.

I don't think people have a hard time understanding that security is something we have to offer because, if we don't, we're open to liability. That's a secondary outcome. And if we're open to liability, we may get sued. So we want to do those things that are obvious within man's control. That's the litmus test: that it's within a reasonable person's control to mitigate risk and ensure that they're not liable. They don't want to act with negligence, the way a restaurant doesn't want to have dirty dishes. It's a quality-of-life issue. If you don't have security, what happens when that worm annihilates your database? Then you've got a real problem.

How do you sell that idea to a CEO?

The CEO sits atop the jungle and looks at the landscape and says, "Here's where we're going as an organization, and here are the risks that we're willing to absorb and thwart with appropriate security." The budget is almost formulaic to the extent that companies look at their annual revenue, productivity, assets that drive productivity within them, and they have to compute a value. Maybe it's a small percentage of their total revenue that they apply to security. It's almost like their marketing equation. How much do you spend on marketing? It's a percentage of sales. Some companies don't want to spend anything on marketing. Others spend in the double digits. What results are you trying to achieve and, in this case, what risks are you willing to mitigate, to bring it back to a cost basis? But no matter what, the CEO has to buy into the strategy. Think of the former U.S.S.R. and the Russian spending race in the 1980s to build a superior military presence, but a strategy that ultimately caused the demise of a bankrupt nation's inability to take care of its people on the homeland. Your competitors might invest in Star Wars as a defense strategy, but don't always mimic their behavior to secure your future.

How do you measure the economic value being created by risk?

Every time you have a restriction there's a consequence. And it's an economic consequence. We talked about standing in line at the airports. What does that mean? It's about business productivity. And when it's hampered, it really doesn't do you a lot of good, especially when you're in a recession.

There is no substitution for common sense. There is a rational human mind that wishes to counteract the devious human mind, and that's what you're dealing with when you think about risk. Not everything that happens as far as risk is human driven. You can have the risk of losing your data because the store server collapsed. If the mail server suffers a blow to its caching drive, basically that's a risk, right? How do we protect against that? Well, there's tape backup or there's a failover situation so that the system keeps working. So we want to look at risk in terms of probability assignment; you couple that to rational human thinking and common sense, and look what you get. You get something that's much greater than anything you can put together in a mathematical sense.

So, if a structural balance between spending and just enough security is the goal in mind, then how effective is the whole mix?

Let me answer this way: Travelers are reassured that flying aboard commercial aircraft is safe, but that's not exactly true. In reality, safety in flying is about managing risk. Likewise, security is about managing risk. While total protection from loss can never be achieved, we act with discretion toward spending appropriately to protect those assets at stake.

Copyright © 2002 IDG Communications, Inc.
