Risk →
Via Robert Graham's well-crafted Errata Security blog comes this insightful piece on a fundamental lack of expertise in the Information Security racket.
To wit: the inability of information security professionals to quantify risk successfully and communicate the results to the appropriate stakeholders, an activity crucial to providing the fodder necessary for decisions about risk avoidance, transfer, mitigation, or acceptance. It is something insurance companies have been accomplishing regularly (with an acceptable level of success) for centuries.