Sunday, September 28, 2008

Data on the Markets

I've been interested in the markets for some time, but only recently have I begun reading in earnest about methods for selecting investing ideas. One of the books I got was JJ Cramer's Real Money. Overall, I found it a great book: extremely enjoyable and pragmatic. Of particular interest was a graph on page 115 showing annual GDP growth. The purpose of the graph is to demonstrate the cyclical nature of established economies.

In a nutshell, GDP growth as a percentage is an indicator of which phase our economy is in: waxing, waning, etc. In Cramer's graph, a sine wave is shown oscillating between 4-5% and -1%. At different phases of the economy, different sectors come in and out of favor. As an example, as we move from -1% to 5% (coming out of a recession), paper and chemicals come into favor as medicine and supermarkets go out of favor. On the reverse side, we sell the chemicals and paper and pick up those staple stocks again.
Pretty simple. We should all have a picture of this on the wall and use it as a base mid-risk strategy for a portion of our portfolio. So let's get started... where are we on the graph?

The first thing is to find some data. After poking around the Internet for a while I came across http://www.bea.gov/national/index.htm. From there I was able to get some data into Excel and graph annual GDP in chained 2000 dollars. Being a bit naive, I eagerly anticipated my nice sine wave with a little marker for "You are Here".

Instead, I got the following:


Eh, crap. So the next step is to take the baskets of stocks that should represent the correct cycles and map them against this curve. Hopefully it'll smooth things out, but that's an exercise for another day.

On the plus side, I think this was worth doing, and something I'll continue to do. Without looking for myself, I might have been tempted to believe things were a lot simpler, and because of that, be a lot more willing to take someone's statement that "we're on the up side of the curve" at face value.

Now a reasonable and informed response will be, "Really? Why do you think that?"



Tuesday, September 23, 2008

Information in Modern Enterprises

It was late. A long day of talking and thinking and meeting had brought us to a nearly empty airport terminal with nothing much to do for a couple of hours before our flight. A coworker of mine and I started talking about the day, which led to the company, which led to our position in the world as GRC pundits and thought leaders.

We debated GRC a bit. What is it exactly? We debated our current offerings a bit. Are they still relevant, and why do companies keep failing at the same things over and over? Eventually we came to the core question: What is the purpose of security in the modern enterprise? Why should anyone care about security at all?

The discussion ended up sparking the following:

Q: What is the core currency of security as we refer to it? What is the key asset that we are concerned with?

Information. We are concerned with all elements or systems that create, process, transmit, store, or consume information. We also understand that not all information is equally valuable.

Q: What are the key criteria for determining the value of information?

Actionable. Can the information directly lead to decisions or actions? The closer the information is to readily triggering an action, the more valuable it is. There may also be a concept of potential here. Particular bits of information may be unprocessed, and just as ore becomes metal and metal becomes tools, you may consider some unprocessed information more valuable based on its potential to drive decisions or actions.

Accurate. How well does the information you have represent the system you are making decisions about? We can also refer to this as internal or external integrity, depending on whether or not the information concerns a system outside of your own.

Timely. How close is the information being consumed relative to the time it would take to make a decision and execute? Answering this question will likely create one or more windows or ranges that represent varying value. If the information is about a decision in the distant future, it may be nearly useless. If it comes so close to an event that you can take no action, it is equally useless. Interestingly, nearly all information about events in the past contains some value if it can be trended and correlated with events and outcomes.

Proprietary. How widely known is the information? The value that comes from information being proprietary is derived from the advantage any possible decisions or actions can have over other actors. Even if the information is completely exclusive, if it provides no advantage it is of limited value.

Q: How do these attributes relate to work that needs to be done?

The actions related to information (creation, processing, transmitting, storing, and consuming) all impact one or more attributes. The systems used to perform these actions become the concern of information security specialists. Specifically, their task is identifying the key criteria for the confidentiality, integrity, and availability of these systems.

Q: Is there a single framework or mapping that can overlay these concepts onto an organization?

Currently, no. In fact, there likely isn't going to be one in the future either. This is largely due to the specific requirements of individual organizations. Each business treats its information in a somewhat specialized manner. They perform unique operations on unique bits of data. Because of these differences, each organization will have different weights and tolerances for the attributes of its information and for the systems that handle it.

Q: Can we at least begin to group enterprises together along commonalities?

Perhaps. The first attempt at this is listed below. The application to operations and practices is where work still needs to be done.
  • Corporations: Primarily concerned with the internal and external integrity of their information. Corporations will rely largely on internally generated information or public information. In order to manage and adhere to regulations they need to be sure information about themselves is accurate. In order to determine appropriate actions they need to be able to have an accurate view of the world in which they operate.
  • Intelligence Services: Sourcing seems to be a huge concern. While integrity is an issue, it seems to be most critical during the aggregation and correlation phases. Given the amount of information someone has to sift through to create a picture, which items they concentrate on and which they ignore is critical. Once an actionable work product is created, ensuring the proprietary nature of that work is key.
  • Government Agencies: Each one seems to have unique needs. However, all of them need to ensure compliance with regulations. Unfortunately, regulations are derived from policy or law, and as such suffer from the issues of applying a lowest common denominator to all groups, or a one-size-fits-all approach that does not create the maximum benefit for anyone.





Thursday, September 11, 2008

Of Pundits and Bandits; Justifying Consulting

I got a request from a friend recently who is working on her Master in Information Services. As part of one of their projects, she needs to analyze the pros and cons of outsourcing, insourcing, and of course, consulting. In trying to get to exactly what she was looking for, the core question seemed to be: are the fees that consultants charge worth it?

I hesitated. Not because I doubt for a second that the good ones are, but because of the complexity of the question. However, speaking specifically for the type of work I do, the argument goes something like this.

While security work is commonly considered highly specialized, there are a number of activities that can be done by someone internally: vulnerability scanning, running MBSA (Microsoft Baseline Security Analyzer) against a host, etc.

However, you still need someone who can interpret the results, prioritize them, level set them against business risks and goals, fit solutions into operations, and overall, be a trusted advisor in the process of keeping up your security posture.

Add to this the relationships in the modern enterprise between compliance requirements, security best practices, PII, governance, and IT efficiency, and well, things get complex.

We're still in scope for an in-house resource, but we're probably talking about someone who has a full-time job related to these tasks. If they're going to be in house, you may have a training program in place. If you do, a starting salary around 65-70K a year in metro areas is reasonable. If you don't, you're looking at 100K - 150K for an experienced person, or a bit less if you have significant work/life benefits. Figure the average employee costs the company 150% to 200% of salary including health, stock, insurance, etc.

Unfortunately, you might not have 40 hours of work queued up if you're a smaller organization. So, you're paying a lot for some part-time work. Even at $150 to $250 an hour, it may be more cost effective to hire a contractor for point engagements.

But what if you are a larger company? You do have in-house training. You have way more than 40 hours a week of work. Occasionally you may want to double check. Especially in security, occasional validation that you're as good as you think you are isn't just prudent, it's necessary. In these cases bringing a group in for point engagements is still a good idea.

In the end it's the trade-off between paying to keep an expert on staff versus renting an expert's time when you need it. Also keep in mind that security experts have a large body of knowledge that needs to be refreshed continuously. If you have someone work on the same problems continuously, their skills may need refreshing.