Richard Bejtlich has a blog that I read every so often. His focus is primarily on security, but the topic in question here reaches into the financial sector. Mr. Bejtlich makes a valid point about the complexity and uncertainty of infosec in general: in a nutshell, a CIO (or IT department) is at a disadvantage when trying to quantify the financial performance of his or her department.
I agree with him. Financial professionals can rely on various models to make assumptions and predictions with varying degrees of accuracy. Information security professionals, however, are inherently at a disadvantage: it is our job, and our nature, not to make assumptions as we attempt to protect assets against a largely unquantifiable threat.