Warren Buffett’s 20-Slot Rule for CISO Success

I read an article this weekend about Warren Buffett's 20-slot rule, and I think it applies directly to CISOs' cybersecurity projects and risk mitigation strategies. Warren says, "I could improve your ultimate financial welfare by giving you a ticket with only 20 slots in it so that you had 20 punches—representing all the investments that you got to make in a lifetime.

“And once you’d punched through the card, you couldn’t make any more investments at all…Under those rules, you’d really think carefully about what you did, and you’d be forced to load up on what you’d really thought about. So, you’d do so much better.”

What if that applied to cybersecurity investments, or to the projects driving mitigation decisions? You may say, "I don't have financial resource constraints." Maybe true, but do you have unlimited time? Absolutely not. The CISOs I work with recognize that the time required to implement effective mitigating controls becomes the bottleneck to meeting defined annual objectives. Whether the constraint is financial or time-based, consider applying Warren Buffett's 20-slot rule.


Steve Tabacek is President and Co-Founder of RiskLens


Warren's key point is that you improve your odds of success when you are forced to direct all your energy and attention to fewer tasks. So far, I'm sure you're tracking and agreeing that this sounds logical and can be applied to CISO purchasing and mitigation prioritization.

But most enterprise CISOs have personnel who manage a risk register with hundreds and sometimes thousands of entries, derived from sources like incident management, SOC findings, policy exceptions, and internal/external audit findings. How do you filter and focus hundreds or thousands of items down to 20 significant tasks that will make a difference? Can you make the 20-slot rule work here?

This is where Factor Analysis of Information Risk (FAIR) and the RiskLens platform come in. FAIR is an Open Group International Standard for quantifying IT/cyber risk in financial terms. If you're a CISO and are just now learning about FAIR, respectfully, you're a bit behind the curve. The non-profit FAIR Institute includes over 5,000 members, representing 80% of the Fortune 10, 75% of the Fortune 50, and nearly 30% of the Fortune 1000. Organizations use FAIR, and RiskLens software built on FAIR, to sort efficiently through the myriad risk register entries so they can focus on the 20 most important issues.

For good, well-publicized reasons, CISOs are an integral part of nearly every business operation today. Board directors, risk committees, and C-suite executives depend on CISOs to understand the most significant sources of opportunity (revenue) and of technology/cyber risk to the business. Hundreds or thousands of risk register entries need to be filtered down to the most significant risks to the organization. Can you filter this down to the top 20 and focus your mitigation resources on the scenarios that pose the highest financial risk to the organization? Absolutely!

In keeping with Warren Buffett's 20-slot rule, before selecting your top 20 projects for the year, invest in a little deeper analysis up front so that you choose your mitigation projects very carefully. With FAIR and RiskLens, you can hold risk to an acceptable level while positioning your company to take advantage of business opportunities.


Sharpen Your Focus – Define Your Organization’s Risk Appetite…

A great way to sharpen the focus on your 20 slots is to set a risk appetite for your organization, based on FAIR analysis. In the FAIR approach, risk appetite is set for specific loss-event scenarios and expressed as a probability within a time window, which gives you a concrete threshold to compare each scenario's quantified risk against. For instance: "Less than a 5% (or 'Very Low') probability in the next 12 months of a disclosure of > 1M customer PII records." For a how-to guide on setting risk appetite, see the webinar by Jack Jones, the FAIR model creator and my co-founder at RiskLens: Defining a Cyber-Risk Appetite That Works (requires a free membership registration on the FAIR Institute website).
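To make the two ideas above concrete, that a quantified register can be sorted down to a short list of slots and that a scenario-level appetite is a probability threshold you can test against, here is an added example of a simplified FAIR-style Monte Carlo in Python. It is illustrative code written for this post, not RiskLens software or the FAIR standard's reference implementation. It assumes each register entry carries min/most-likely/max estimates for Loss Event Frequency (events per year) and Loss Magnitude (USD per event), models them with triangular distributions, and draws yearly event counts from a Poisson distribution; the register entries, dollar figures and appetite value are constructed for the example.

```python
"""Simplified FAIR-style Monte Carlo: rank a risk register by simulated
annual loss, keep the top N slots, and flag scenarios whose 12-month
loss-event probability exceeds the stated appetite.

Added illustration, not RiskLens code. Assumptions (not from the post):
triangular distributions for the min/most-likely/max estimates, Poisson
event counts per year, and a constructed four-entry register.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: tuple  # (min, most likely, max) loss events per year (FAIR's LEF)
    lm: tuple   # (min, most likely, max) USD lost per event (FAIR's LM)


@dataclass(frozen=True)
class Result:
    name: str
    ale: float         # mean simulated annual loss (annualized loss expectancy)
    p_event: float     # probability of at least one loss event in a 12-month period
    p95_annual: float  # 95th percentile of simulated annual loss


def _tri(rng, est):
    lo, mode, hi = est
    return rng.triangular(lo, hi, mode)  # stdlib argument order is (low, high, mode)


def _poisson(rng, lam):
    # Knuth's method; adequate for the small per-year rates in a risk register.
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario, years=10000, seed=1):
    """Simulate `years` independent 12-month periods for one scenario."""
    rng = random.Random(seed)
    annual, event_years = [], 0
    for _ in range(years):
        rate = _tri(rng, scenario.lef)      # this year's loss event frequency
        events = _poisson(rng, rate)        # how many loss events actually occur
        if events:
            event_years += 1
        annual.append(sum(_tri(rng, scenario.lm) for _ in range(events)))
    annual.sort()
    return Result(
        name=scenario.name,
        ale=sum(annual) / years,
        p_event=event_years / years,
        p95_annual=annual[int(0.95 * years) - 1],
    )


def rank_register(scenarios, slots=20, **kw):
    """Sort the register by ALE and keep only the top `slots` entries (the punch card)."""
    results = sorted((simulate(s, **kw) for s in scenarios), key=lambda r: r.ale, reverse=True)
    return results[:slots]


def appetite_breaches(results, appetite):
    """`appetite` maps scenario name -> maximum acceptable P(loss event in 12 months)."""
    return [r.name for r in results if r.name in appetite and r.p_event > appetite[r.name]]


# Constructed register (hypothetical scenarios and estimates, not real data).
REGISTER = [
    Scenario("Ransomware outage of order platform", (0.1, 0.3, 0.5), (1e6, 5e6, 2e7)),
    Scenario("Disclosure of >1M customer PII records", (0.01, 0.02, 0.05), (1e7, 5e7, 1e8)),
    Scenario("Laptop theft with encrypted disk", (2, 5, 10), (1e3, 5e3, 2e4)),
    Scenario("Phishing-led business email compromise", (0.5, 1, 2), (1e4, 5e4, 1e5)),
]
# The post's example appetite: under 5% chance in 12 months of the >1M-record disclosure.
APPETITE = {"Disclosure of >1M customer PII records": 0.05}

if __name__ == "__main__":
    for r in rank_register(REGISTER, slots=20):
        print(f"{r.name:45s} ALE=${r.ale:>13,.0f}  P(event/yr)={r.p_event:.3f}  P95=${r.p95_annual:,.0f}")
    print("appetite breaches:", appetite_breaches(rank_register(REGISTER), APPETITE))
```

Two things the run makes visible that the prose alone does not: a scenario can be rare yet still rank near the top on annualized loss (the PII disclosure here), and the appetite check is a separate question from the ranking, since it asks about the probability of the event rather than its expected cost. Both answers are what you need before spending one of your 20 punches.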


If you would like to learn more about how organizations are using FAIR and RiskLens, consider reading some FAIR Institute blog entries, attending the FAIRCON conference this September, and reading some of the RiskLens use cases.