I like contrarians. Andre Durand posted a note on Warren Buffett that jogged my memory of something I have been meaning to post: I have basically learned more about security from studying Buffett than anywhere else, including infosec books. For one thing, Buffett does not confuse risk with volatility; rather, he defines risk as permanent capital loss. This is a critically important distinction that is missed by most infosec groups.
Buffett studied with Ben Graham (the story is that he is the only student to ever earn an A+ from Graham) and learned to buy cheap stocks, i.e. stocks that were trading for less than they were worth. Later on Charlie Munger joined up with Buffett and they moved away from the pure Graham approach, focusing more on the quality of the business. Munger famously said "a good business at a fair price beats a fair business at a good price." This proved true when Buffett paid up for Coca Cola, Amex and others and still made billions.
A couple of weeks ago I was in Omaha. It is a really nice town; I had a great time, and the training session was fun and collaborative. I ate steak at Gorat's. The book I would recommend to learn about Buffett's approach from an investing standpoint is The Warren Buffett Way by Robert Hagstrom, who is a fund manager at Legg Mason. Interestingly, Hagstrom claims he is 100% invested in his own fund, which is refreshing in this age of financial shenanigans.
For some deeper thought, I highly recommend that you read Poor Charlie's Almanack by Buffett's partner Charlie Munger. It would take a year's worth of blog posts to scratch the surface of what I have learned from this book. Munger recommends that you build a latticework of mental models that incorporate ideas across disciplines:
"You've got to have models in your head, and you've got to array your experience, both vicarious and direct, on this latticework of models."
This, of course, is a one-sentence illumination of everything that is wrong with security. Security is a one-off, and yet it relates to everything in the enterprise.
Munger also has important advice that relates to metrics:
Overweighing what can be counted
A special version of this "man with a hammer syndrome" is terrible, not only in economics but practically everywhere else, including business. It's really terrible in business. You've got a complex system and it spews out a lot of wonderful numbers that enable you to measure some factors. But there are other factors that are terribly important, [yet] there's no precise numbering you can put to these factors. You know they're important, but you don't have the numbers. Well, practically everybody (1) overweighs the stuff that can be numbered, because it yields to the statistical techniques they're taught in academia, and (2) doesn't mix in the hard-to-measure stuff that may be more important. That is a mistake I've tried all my life to avoid, and I have no regrets for having done that.
Anybody gonna be in Omaha in May?