Sunday, October 18, 2015

The Pareto Principle and the Pursuit of Perfect Internet Security – a Parable

Not so long ago, a bright security professional and a firm believer of the Pareto Principle, was tasked with designing and implementing an impregnable security solution for his company’s internet. He did his research and arrived at what he thought was an accurate total cost of $4M. Just prior to striding into his manager’s office for approval, he had a quick discussion about the project with a recent new hire reporting to him about the project.

“I’d be careful,” she advised. “At my last company, we found that each major phase cost 50% more than the previous phase. We had several discussions about ‘risk profiles’ and ‘perfect protection’ before getting buy-in on deliverables and budget on a less ambitious result.” 

The bright security professional thanked her and said, “I’m quite confident in my projections and will stake my job on this project. In fact, I will bring it in under budget.”

So, the bright security professional met with his somewhat parsimonious manager, and guaranteed the results. “In fact,” he said, “the first phase of the project will get us 80% there for only $800k."  The manager said, “Fine, but go over budget on this and your next position will have you saying, ‘Would you prefer a grande or a venti latte?’” and with that, the project was approved.

At the completion of the project, how much under budget was the confident security professional?

First, the Pareto Principle is named after economist Vilfredo Pareto (1848-1923), From Investopedia, “The principle states that, for many phenomena, 20% of invested input is responsible for 80% of the results obtained. Put another way, 80% of consequences stem from 20% of the causes. Also referred to as the "80/20 rule".”

The answer is – the individual left to “pursue other opportunities” when he found himself having exhausted the budget, told his manager  that he now felt that 100% was unobtainable and that  it would cost an additional $2.5M to get to 97.5% protection.

How did this happen?

Earlier, a factor (chosen by me) added by the wise new hire was that each phase of the project was that each phase of the project was going to cost 50% more than the previous phase.

Phase 1 - $800k spent (total $800K) to reach 80% of perfection

Phase 2 - $1.2M spend (total $2M) to reach 90% of perfection

Phase 3 - $1.8M spent (total $3.8M) to reach 95% of perfection

Phase 4 – Plug pulled on project. The estimate was $2.7M (total $6.5M) to reach 97.5% of perfection and you never reach 100%

Some morals of this parable

·         100% is tough, if not impossible, to achieve

·         Know your risk profile and your company’s risk profile when working on security projects

·         Know how to make coffee drinks

No comments: