
The House Always Wins

Recently, at an event in Las Vegas, one of the speakers polled the audience.  When he asked the question, “How many people lost money gambling?”, about 90% of the hands in the room went up.  When he asked the question, “How many people won money gambling?”, about 10% of the hands in the room went up.  To anyone who understands basic probability and the business model of Las Vegas, this is not a surprising result.  A casino would not stay in business long if it didn’t win most of the time.

Given this, why is it that we often find ourselves interacting with people boasting of their gambling wins, while we almost never find ourselves interacting with people telling stories of their gambling losses?  It would seem to be a contradiction to what we know to be the truth, wouldn’t it?  The answer to this question, of course, is that our sample is biased.  If I were to win $10,000 gambling, I would be quite proud and would want to share my success with others.  But if I lost $10,000 gambling, I would likely be quite embarrassed and keep it private.

That's all well and good, you might say, but what does this have to do with information security? That's a great question. As an answer, I would offer that the same sample bias inhibits organizations from truly progressing towards their ultimate goals and an improved security posture. Allow me to explain.

In information security, the sample bias results in statements like "all of our people are above average", "our false positive rates are quite low", "the maturity of our security program is amongst the highest in our vertical", and others. For some organizations, these statements may be partially or wholly true. But, as basic arithmetic tells us, they cannot be true for the majority of organizations: not everyone can be above average. Instead, the sample bias can trick an organization into thinking its security is better than it really is. Or, alternatively, the pressure to exude good security and confidence in one's security program can cause an organization to be dishonest with itself, its leadership, its board, its peers, its partners, and its customers. In the end, this can have dire consequences, as anyone who reads the news can see.

Given this, what can organizations do to counter the sample bias and its effects to ensure they continue to progress and improve their security posture?  While there are a number of topics one could discuss, I’ve picked out a few of them that I suspect will be relevant to many organizations.


First and foremost, an organization that successfully counters the sample bias and its effects is one that shies away from groupthink and encourages honesty. This allows the organization to constructively identify weaknesses in its security program and confront them head on. Most organizations want to encourage this type of culture, but it is easier said than done. It's important to consider that this type of culture must exist at every level within the security organization. Even one bad pocket can radically change the dynamic.

It likely comes as no surprise that every security program has its strengths and weaknesses.  It’s important to remember that acknowledging a weakness is not in itself a weakness.  Rather, it is the first step towards strengthening and improving that weak spot and should be regarded as a positive.  It may not be easy to take a look in the mirror and examine what we are not doing well, but it is extremely important.  After all, if we are not honest with ourselves, we cannot really be honest with everyone else.


Self-awareness is an organizational trait that builds on the organizational culture mentioned above.  Realizing and acknowledging that capabilities need to improve is often half the battle.  Self-awareness comes with a dose of humility that allows us to learn from others that have come before us.  There are a lot of lessons that others have learned in the past.  We can and should leverage these lessons, but in order to do so, the listener needs to be receptive to the input.  There is no shame in acknowledging the need to improve.  Quite the contrary — it is to be applauded.

Self-awareness can often be a challenge inside a security organization.  Sometimes we become so busy with the day to day that we forget to come up for air and evaluate where we are strategically.  Other times, we become so familiar with our processes and procedures that it becomes difficult to identify areas for improvement.  Yet other times, we become insulated from external influences, preventing us from accurately assessing the maturity of our own security programs.  Whatever the reason, maintaining organizational self-awareness is extremely important when looking to counter the sample bias and its effects.


Of course, identifying issues and weaknesses inside the security organization is no guarantee that they can be remedied. As the saying goes, the devil is in the details.

In my career, I've noticed that a little humility goes a long way towards successfully improving areas marked for improvement. Why is humility so important? There are likely many reasons, but among them is the acknowledgement that the organization is not performing a given function as well as it could be. There is nothing wrong with this acknowledgement. In fact, it's a positive and the first step on the road to improvement.

Letting one's guard down and retracting one's puffed-out chest is important when looking to improve. That allows for the internalization of constructive criticism and the implementation of ideas that can improve the organization's security posture.

It may sound counter-intuitive, but admitting weakness is actually a strength. By being truthful, honest, straightforward, and earnest, we empower ourselves to grow and improve, both as individuals and as organizations. This is an important cultural aspect that helps improve an organization's security posture, and it is one that is often overlooked. If you are a security leader, you owe it to yourself and to your organization to create a culture that rewards honesty and truthfulness. Otherwise, the house always wins. That's good if you're a Las Vegas casino, but not so good if you're looking to build a winning security organization.


Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
