I had a employee in a security department that I was running come to me and say “We have a problem, and we need to take care of it right away!” Now we were in the midst of several major compliance initiatives, re-evaluating the business continuity plans, and basically trying to take on everything at once. Oh, and we only had three people to do all of this.
My answer to him was quite simple: “We can do five tasks right now. Here are the five that are our current priorities…..tell me which of these is less important than the problem you found.” He thought for a second, and said, “Well, none of them.”
We all struggle with what we think is urgent. Like this employee, we all (myself included) tend to be distracted by the issues that present themselves to us at any given moment. The real problem comes when we let these “distractions” take over our real goals.
Now lets enlarge this discussion to Information Security company wide. Too often I hear consultants, security engineers, and employees (usually in the Security Department) complain that “our company just doesn’t get security” followed by a long lecture on the things they don’t do and the long list of things that the company should do. At the risk of sounding trite, I would suggest that they stop (or have someone stop them…call me, I’ll do it) and ask themselves the same question, but on a larger scale.
“Of all the things that the company needs to do to be secure, and given all the limited resources at my disposal, what can I do?”
This plays out in my One-hundred-Zero-Fifty Rule:
Part I – The One-Hundred Theorem: There isn’t a company, organization, government agency or person who has, or who can have every security risk covered. No one is at 100% security. Not only could no one afford 100% security, but emerging threats wipe out 100% security before you’ve even finished getting your purchase order signed, and companies couldn’t survive with 100% security since it would make operations virtually impossible. There is not an executive anywhere who would accept 100% security since it would make the transmission of information impossible, the ability to offer goods and services rigid and unable to change, and the operations so cumbersome that labor costs alone would go through the roof. Business cannot accept 100% security since, I dare to say, it smothers business.
Part II – The Zero Theorem: Security professionals who try too hard (use revolution) end up at 0% security. Any security professional can tell you a story of a company, organization, government agency or person they know who is not very good at security. The right tools are not in place, people are not doing their jobs, and no one is aware or trained. So clearly these companies need to be educated. Yet I have unfortunately walked into too many of these companies after a security professional has taken on this task to find that these security professionals have high expectations of getting to their goal-line in a year (“Or maybe in two because there’s a lot of work to do!”) In some cases I have gone into smaller companies to find a security professional from a big company (bank for example) who thinks the same processes, tools, and methods apply. I’ve talked in my writings here and in my lectures about security awareness that moving people from zero knowledge to a secure organization is a cultural and behavioral change. Culture and behavior change does not happen overnight (Revolution vs. Evolution). Too many people try revolution. Too many people try to impose one model where it does not fit. Square peg, round hold. The efforts usually fail because they alienate those they need to appease – executives, the business, and everyone who needs to implement security in their jobs (that would be everyone – don’t worry, I’m still a security professional). The result – no budget, no support, no security. Any tools or processes they have put in place are in shambles because they have no support. The very thing they wanted to achieve is not achieved because of their tactics. So rather than racing toward their goals of good security, they stay at 0%. Hence why I have my second theorem.
Part 3 – the 50 Theorem: Settle for 50% because its better than the alternatives. Since we cannot get to 100% security, and because revolution and ill-fitting methods kill any support for security, what alternatives are available? Well, how about somewhere in-between. How about setting some simple expectations. How about focusing on basics (call it blocking and tackling). How about just getting simple security started; the things that any common sense person would do to protect the company; things that sometimes seem too obvious; things that answer the needs of the business and what keeps them up at night. Take the next step and build on the basics you just achieved, then when that is done, evolve some more…
I found my favorite term for this situation from the movie “What About Bob?”. Richard Dreyfus’s character Leo recommends that his patients take “Baby Steps” to solve big problems. I use that phrase all the time…just take baby steps. Stop trying to solve the whole problem at once. You may know how, but the organization, business, government agency or person is not ready for that. Show them how you can make them sleep better at night with basics (making simple things like anti-virus work better and having less impact on performance, or how configuration standards help improve reliability of systems). Watch them start to trust you because you make progress that impacts what they care about. Take them on the journey with you with Baby Steps and show them they can move forward. (And oh, how proud Bob would be of you!)
So the one-line version of my One-hundred-Zero-Fifty Rule: I would rather be at 50% security because 100% is unobtainable, and 0% is unacceptable.
Remember, you really have two alternatives – 50% or 0%. Pick the one that is better for you. It shouldn’t be too hard. You can always get to a bigger number later.