Measure Twice, Cut Once

Oct. 27, 2008
Security practitioners need to ensure their analysis of the risks to organizational data and information technology resources is clearly spelled out and measured before investing the time and money to implement solutions.

Mark is a really talented builder. Lately, he’s reminded me of that at least three times a day during the week and a couple of times each weekend. Mark is in the process of demolishing a condominium I recently purchased. I hope the talented builder part comes in later, because right now, all I can attest to is his skill with heavy hammers, crowbars, and other implements of destruction. The condo is a mess.

I bought the place last week, sight unseen, while on a business trip to Canada. I had already lost out on three other units that were on the market fewer than two days each. One even went for 15 percent above the asking price. Welcome to D.C. real estate.

So when my realtor called me on my mobile phone with the news that another one-bedroom unit had just been listed, I told him to immediately contact the seller with a full-price offer and no contingencies. He asked me if I wanted to see it. I told him it wouldn’t really matter, since my wife had designs on improvements in any case. The seller accepted our offer with the express expectation of a quick settlement. The unit was on the market for less than half a day, and we closed on it two weeks later.

After we came back to Washington, my wife and I dropped by to see our new purchase. When the realtor opened the door, my wife almost passed out. She was staring in disbelief at what looked to her like an abandoned crack den. The carpeting was decaying and grimy, the walls scarred and dirty, and the bathroom—I don’t even want to say what the bathroom looked like.

My wife and I had stayed in old housing when I was in the service, but it had always been clean by military decree. This was both old and poorly maintained. After my wife regained her composure, she held her nose, walked inside, and took copious notes while making diagrams. As she walked out, she said this would be the last time she would cross the threshold until the place was gutted.

That’s when Mark came into our lives. We hired him on the recommendation of my realtor. When we first met with him to discuss the project and the price and sign the contract, Mark told us how talented he was. My wife left him with detailed descriptions and stock numbers for everything he would need at the home improvement store, including bathroom fixtures, flooring, and appliances.

Since Mark started the project, he has brought my wife and me into his world to a degree we both find tedious, if not scary. He thinks out loud to us over the phone. He shares his indecisions, his fears, and his financial situation. He also wants us to know he’s a talented builder.

Mark has had difficulty remembering what we asked him to do. He lost the list my wife had given him. Fortunately she had made a copy. He called me once last week to say he couldn’t find the tubes of caulk he had purchased when I went with him to pick out the bathroom fixtures. He called me three hours later to tell me he found them under some trash in his van. He also told me he was a very talented builder.

Today is Sunday, and my wife and I were relaxing this afternoon with family members poolside in North Carolina. The phone rang. It was Mark. He wanted us to know he couldn’t get us the special under-mount sink for the kitchen we had requested. He also needed to explain that a rather expensive piece of granite he had cut for the countertop had to be discarded because it was not cut properly. I asked what had happened, knowing I would regret it once Mark started his long-winded answer.

He began by reminding me that his wife and daughter had the flu. He then said that an old customer of his was astonished at how talented a builder he was. When he finally got around to explaining what happened to the granite countertop, he went through several sentences of explanation before I stopped him.

“So in other words,” I said, “you failed to measure the counter surface correctly.” I could hear the wheels in his head turning as he softly exhaled into the phone. I braced myself for another onslaught of rapid-fire verbiage. Instead, he seemed to deflate a bit, and his voice dropped an octave as he replied, “Yes, I suppose that’s basically what happened.” “Well, I’m sorry to hear that,” I said, “but even the most talented builders can make a mistake.” I wanted him to feel better about himself, but I also wanted him to know I was not responsible for reimbursing him for this error. After several more minutes of quibbling, he finally rang off.

I am reminded of a bit of builder’s philosophy my father—a truly talented furniture maker—imparted to me as I was growing up. He always reminded me to measure twice and cut once. A wise (if not talented) builder spends a little extra time ensuring the measurements are accurate before making that irreversible cut.

Security practitioners have a similar responsibility. They need to ensure their analysis of the risks to organizational data and information technology resources is clearly spelled out and measured before investing the time and money to implement solutions. That may mean some extra effort up front, but the payoff should be obvious.

I have yet to find an organization that has nearly unlimited resources to spend on security. That’s coming from someone who once worked for one of those three-letter government agencies. Even they had to prioritize and carefully manage their IT security investments. The best way to make sure you are husbanding these resources wisely is to put in the time necessary to measure before you cut.

This week I will go back to Washington to see how Mark is coming along. I hope we’ve turned the corner from demolition to renewal. I want to smell fresh paint and see the new fixtures on the gleaming Italian tile. I want to see the light oak flooring where the nasty carpeting once was. I want to see that granite countertop, and I know that this time, he will have taken the time to measure more carefully, like a talented builder should.

John McCumber is an IT security professional and the author of Assessing and Managing Security Risk in IT Systems: A Structured Methodology, from Auerbach Publications. He can be reached at [email protected].
