A major Wall Street securities ratings firm ignores the recommendations of a consultant report it paid for on rating collateralized debt obligations (CDOs), contributing to the collapse of the mortgage industry, the near-collapse of the banking industry and a multi-year global recession that required trillions of taxpayer dollars to avoid a full-blown depression.
A major video game maker has millions of user IDs and credit card numbers pilfered, and spends many times more than was actually lost in revenue on bolstering its online security.
Thousands of credit cards belonging to Israeli citizens are exposed resulting in an actual military build-up in response.
A major retailer gets slammed by a Twitter and Facebook barrage then decides to implement a social media program.
A shipping line suffers numerous attacks by pirates off the Somali coast, then spends millions paying ransoms, beefing up security and reconfiguring routes.
The US Post Office continues to borrow from government coffers to run at a financial loss without making changes to its business model. Raising postage rates only exacerbates the problem.
And an online shoe retailer announced yesterday the potential exposure of account information for as many as 24 million customers. What level of investment will it have to make to prevent this kind of event, let alone to identify and tie up other loose ends?
True, major snafus are a part of business life, but knee-jerk budgeting in their immediate aftermath to prevent similar future incidents shouldn’t be. In a recent online discussion of the topic I referred to this kind of behavior as “blunderfunding.” So let’s make it official:
1. basing the level of investment in a business initiative upon the amount of loss incurred from a recent mistake or mishap
2. making a hasty outlay for a project to deflect or cover up for those responsible for a mistake
3. allocating monies or budget to fix a problem symptom rather than its actual cause
Tweet by Gartner analyst Doug Laney on 13 Jan 2012
“blunder”: n. a mistake, v. to make a mistake
“funding”: [fund] n. a collection of money for a specific purpose, v. to allocate money for a specific purpose
While examples of enterprise-scale blunderfunding make regular headlines, it is also pervasive throughout the lower levels of most organizations: buying “caution cones” to set out when freshly washed floors may be slippery, but only after a hurried person or two did a back-side plant; or overhauling the server farm's air conditioning after overheating degraded online customer response times.
Some of these blunderfunded investments may be perfectly justified. That is, the outlay is less than the risk-adjusted cost of a re-occurrence, and it addresses the actual cause. In other cases the risk-adjusted loss (financial loss × the probability of re-occurrence) is much lower than the budget allocated to prevent any such problem in the future. Worse, and perhaps more frequently, money is allocated to fix, repair or even hide the symptom rather than resolve the root cause of the problem.
Organizations tend to compound the damage by neglecting to:
- calculate the actual economic loss
- estimate the likelihood of re-occurrence
- identify similar possible incidents
- compute the risk-based loss potential of future incidents
- discover the factors that led to this incident
- deal directly with the root cause(s), rather than funding a fix for the symptoms
What we’ve got here is also a recipe to avoid blunderfunding.
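The comparison the list above calls for (loss × likelihood per scenario, summed across similar incidents, set against the cost of a proposed outlay) is easy to put into a small script. The following is an added illustration, not code from the original post; every scenario, dollar figure, rate and control in it is constructed for the example and does not describe any real incident. It also covers the symptom-versus-root-cause point: a control that addresses a shared root cause reduces several scenarios at once, while a headline-driven fix touches only one.

```python
"""Risk-adjusted budgeting check.

Added example, not part of the original post. Every scenario, dollar figure,
rate and control below is constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Scenario:
    """One way the incident (or a similar one) could recur."""
    name: str
    loss: float         # expected financial loss per occurrence, in dollars
    annual_rate: float  # expected occurrences per year (0.1 = about once a decade)

    def annual_loss(self) -> float:
        # risk-adjusted loss: financial loss x probability of re-occurrence
        return self.loss * self.annual_rate


@dataclass(frozen=True)
class Control:
    """A proposed outlay and how much it cuts each scenario's rate (0..1)."""
    name: str
    annual_cost: float
    rate_reduction: Dict[str, float] = field(default_factory=dict)


def baseline_annual_loss(scenarios: Iterable[Scenario]) -> float:
    return sum(s.annual_loss() for s in scenarios)


def residual_annual_loss(scenarios: Iterable[Scenario], control: Control) -> float:
    # scenarios the control does not touch keep their full rate
    return sum(
        s.loss * s.annual_rate * (1.0 - control.rate_reduction.get(s.name, 0.0))
        for s in scenarios
    )


def evaluate(scenarios: List[Scenario], control: Control) -> dict:
    """Compare the loss the control avoids per year against what it costs."""
    avoided = baseline_annual_loss(scenarios) - residual_annual_loss(scenarios, control)
    return {
        "control": control.name,
        "avoided": avoided,
        "cost": control.annual_cost,
        "net": avoided - control.annual_cost,
        "justified": avoided > control.annual_cost,  # False means blunderfunding
    }


def best_control(scenarios: List[Scenario], controls: Iterable[Control]) -> Control:
    """Pick the outlay with the largest net risk reduction."""
    return max(controls, key=lambda c: evaluate(scenarios, c)["net"])


# Constructed figures: the incident that made headlines plus two similar ones
SCENARIOS = [
    Scenario("customer_db_breach", loss=2_000_000, annual_rate=0.10),
    Scenario("credential_stuffing", loss=300_000, annual_rate=0.50),
    Scenario("insider_export", loss=800_000, annual_rate=0.05),
]

# Reacts to the headline only: a large spend that touches one symptom
SYMPTOM_FIX = Control(
    "perimeter_appliance_for_db_path",
    annual_cost=400_000,
    rate_reduction={"customer_db_breach": 0.5},
)

# Addresses the shared root cause (plaintext data, broad access), so it lowers all three
ROOT_CAUSE_FIX = Control(
    "tokenize_data_and_least_privilege",
    annual_cost=150_000,
    rate_reduction={
        "customer_db_breach": 0.8,
        "credential_stuffing": 0.6,
        "insider_export": 0.7,
    },
)

if __name__ == "__main__":
    print(f"baseline annual loss: ${baseline_annual_loss(SCENARIOS):,.0f}")
    for c in (SYMPTOM_FIX, ROOT_CAUSE_FIX):
        r = evaluate(SCENARIOS, c)
        print(f"{r['control']:<36} avoided ${r['avoided']:>9,.0f}  "
              f"cost ${r['cost']:>9,.0f}  net ${r['net']:>10,.0f}  "
              f"justified={r['justified']}")
```

With the constructed numbers the baseline exposure is $390,000 a year; the symptom fix avoids only $100,000 of it while costing $400,000, which is exactly the case the paragraph above describes, whereas the root-cause control avoids $278,000 for $150,000. The rates and reductions are the hard part in practice; the point of writing them down is that they can be argued about before the money is spent rather than after.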
So why is it that most of the blunderfunding we see is related to information mishandling, misappropriation and misuse? I believe this is because information assets are more easily accessed, more often in motion and more easily transported. In addition, since information “theft” or “usage” almost never actually depletes the asset in any way (i.e. it is merely copied, not deleted), instances of information breach are that much harder to recognize. Finally, because information assets are not regularly covered by property rights laws, perpetrators who are caught can get off more easily than if they had stolen actual “balance sheet” assets.
Just imagine, if you’re a criminal, what kind of loot would be better to heist than one in which:
- You steal it by sitting at your desk rather than scaling walls, dealing with armed guards or blowing up safes
- After you steal it, it still remains in place (as if nothing happened)
- You don’t need a fast truck to carry it off
- It is the kind of asset that increasingly makes up a large part of a company’s overall valuation
- Companies don’t measure its economic value, so they typically fail to manage or secure it with the same discipline as their traditional assets
- You can sell it multiple times to multiple black-market buyers (even on Amazon-like marketplaces)
- The courts only sometimes consider it to be covered under property laws
I’m not advocating cyber crime, merely stating why organizations need to be proactive rather than reactive in securing their information assets, and to do so based on those assets’ actual computed value. The alternative is blunderfunding…and potentially more unwelcome headlines.
You can follow Doug on Twitter @doug_laney