My thanks to Mike Rothman who last week gave me credit for “fighting the good fight”. I’d like to think he’s right — it has been a bit of a struggle over the years, I’d like to think I’m winning (or at least managing a draw) as I continue the struggle, and I’d like to think it’s worthwhile. Mike does seem to continue to question the pragmatism of my approach though, which is what this post is about.
Don’t get me wrong. I greatly admire the work Mike does and wish he and his book had been around when I started out as a CISO. It would have saved me significant pain and suffering. On the other hand, if I’d had Mike’s P-CSO I might have become complacent and ended up believing that’s all there was to being a CISO. Not that I think Mike is advocating complacency — he’s not. I also don’t think he discounts risk analysis concepts. He’s simply focused on helping those in our profession who are just getting started or who face other practical constraints in dealing with our very complex problem space. His is a necessary and highly valuable contribution, and he provides it in an entertaining way that’s too rare.
Let me set this discussion in a medical analogy context. If I were in the middle of nowhere or didn’t have the resources for a physician, then a medic who’s skilled in lifesaving basics would do just fine. However, if the situation called for a deeper understanding of the complex, sometimes subtle health considerations, then I’d prefer a physician: someone who didn’t say, “Boy, this anatomy and physiology stuff is complicated. I’m just going to stick with ‘The hip bone is connected to the back bone…’” My physician may, of course, choose to follow a pragmatic, commonly used course of treatment, but they’d be able to do so with a deeper understanding of the problem space, greater (but not perfect) certainty that the course of treatment would work, and a better ability to explain to me, the patient, why I had to swallow this bitter pill, undergo the knife, or have this long tube snaked into one of my orifices.
Yes, I realize that physicians sometimes get it wrong, sometimes get wrapped up in fancy and even unnecessary procedures, and can drive up costs. That’s just as true as what can happen at the other end of the spectrum — the shaman who operates entirely by superstition, faith, FUD, and intuition. The point is, there’s absolutely a need for both medics and physicians (and levels in between). We, as professionals, can choose where we want to be within that continuum. With this in mind, a few things to consider are:
- In the heat of battle, when resources are limited, or when it just makes sense, physicians always have the option of behaving as medics and sticking with the bare essentials (the reverse isn’t true). In fact, the best physicians I’ve encountered are pragmatic in their approach but have the deeper knowledge to leverage when the need arises
- Medics might effectively deal with 80+% of our problems, but that remaining ~20% can be critical
- A person can start out as a medic and then become a physician later, as need and resources dictate
- Physicians tend to be paid more
Bottom line — knowledge and understanding are never a bad thing, but acquiring them requires extra effort. And, as Mike points out, the simple approach is often good enough and may be all we can hope for given our individual circumstances. For myself though, I prefer a deeper understanding of our complex problem space. I want to be able to answer the hard questions about why and how. But that’s just me.
BTW - I was amused at Mike’s characterization of risk analysis as Black Magic, as this phrase would also have been used in the past to describe medical and scientific concepts/practices we take for granted today.