The Risk of Doing Your Job Too Well
- Crime figures are down to their lowest level since 1981.
- The police budget is likely to be reduced, leading to up to 60,000 job cuts by 2015.
Of course, the second item was a worst case scenario, but the juxtaposition of news items points to an interesting quandary for the security professional: the better you are at eliminating security incidents, the more likely your budget will be cut; the worse you are at eliminating security incidents, the more budget you will be given.
This phenomenon isn’t, of course, restricted to security and crime. Inefficient project managers often get given more resources, and good project managers sometimes get resources taken away to help projects in trouble.
Life isn’t fair when it comes to the allocation of resources.
With project management its easy to see the effects of inadequate budgets or poor decisions. Even with policing, the law of large numbers comes into effect.
But consider the plight of business continuity and disaster recovery planners. BCP / DRP is concerned with low-probability high-impact events. The failure to allocate adequate resources to plan for a major fire or flood won’t be seen until it is too late. Conversely, spending too much on planning and preparation for unlikely events isn’t obvious. Even when a disaster occurs, we don’t really know whether too much or too little was spent on preparation.
Worse still, responsible practitioners who are realistic about risks may have their budgets cut so that their preparations are rendered ineffective: scaremongers may get excessive budgets by inflating the risks each year.
These factors make it difficult for a company to spend the “right” amount on business continuity and disaster recovery each year. There’s no substitute for a combined threat analysis / business impact analysis to show the real picture.*
[*Small Disclaimer: Threat analysis and business impact analysis is what I do for a living. ]
Michael Z. Bell