From the always-excellent Economist’s View, a link to a fascinating study on medical overtreatment:
Vermont has one of the most homogenous populations in the country… Yet medical practice across the state varied enormously, for all kinds of care. In Middlebury, for instance, only 7 percent of children had their tonsils removed. In Morrisville, 70 percent did. …
The children of Morrisville weren’t suffering from an epidemic of tonsillitis. Instead, they happened to live in a place where a small group of doctors — just five of them — had decided to be aggressive about removing tonsils.
But here was the stunner: Vermonters who lived in towns with more aggressive care weren’t healthier. They were just getting more health care.
This sounds a lot like the information security industry. We’re relatively homogenous (Dan Geer’s Windows Monoculture is alive and well), and for the most part, the results of our efforts are pretty much the same–consistently mediocre, with high opportunity costs and lots of unrecognized externalities.
Spending varies hugely between organizations, no matter how you try to measure it. Most attempts at surveying or measuring it are really just comparisons of product inventories: “Do you run anti-virus? check. Do you have IDS? check.” The quality, coverage and effectiveness of the deployment never really enter into it. To make matters worse, the focus of most IT Security is all too often prioritized toward protecting the technology, rather than the information and processes which are the real assets*.
Finally, we live in a Tyranny of the Vocal, where a small group of experts or analysts will tell us that something is “essential” or a “Best Practice,” and now we’re all expected to run out and do it or (more likely) buy it, or else be accused of negligence by everyone from those same analysts and experts to a chorus of worst-case-scenario FUD-Meisters.
How’s this approach working for the US healthcare business? Going back to the study…
“We spend between one fifth and one third of our health care dollars,” writes [Shannon] Brownlee, [author of Overtreatment] … “on care that does nothing to improve our health.” Worst of all, overtreatment often causes harm, because even the safest procedures bring some risk. …
Once again, more is not necessarily better. In other words, don’t solve problems you don’t have. Not only will it not make things better, but it might make things worse. Sounds just like InfoSec again.
So how do you figure out which problems you have and which need solving? It’s not FUD, frameworks, checklists, best practices. It’s Risk Management.
* Yes, I know that I will probably get at least one comment from someone saying, “That’s not true! I consider asset value.” Great. Now there are two of us. What about the tens of thousands who still don’t?