Do you have SOCD? (Security Obsessive Compulsive Disorder)

Are you SOCD?

You have it if:

  • You feel the constant need to force drastic security measures.
  • You say: “This company really needs to revise all the (SOX) controls.  There’s absolutely no reason to have management involved in the process.”
  • You threaten “We need to just block everything and then open up stuff when something breaks.”
  • You believe that technology can solve all security problems.
  • You use biometrics or RSA tokens to access your blog.

Look at this statement:

“Security is about eliminating risk.  Business is about taking risk to make money.  See how they are a perfect match?” – @sh*tmycsosays

Which sentence do you examine and have the greatest curiosity about?  Which sentence makes you roll your eyes?

Security Obsessive Compulsive Disorder is an obsession with imposing security in the face of competing requirements for accessibility to the asset you are trying to protect.  In simple English, you won’t let anyone near anything despite other people needing it.

Now, what are your real desires.

Deep down do you really want to be appreciated? (Probably yes.)
Do you wish someone in the company would listen to you?
Do you wish people stopped avoiding looking you in the eye when you pass them in the hallway?
Do you wish you were invited to the big meeting when the new project design was being discussed?

Then I would recommend some treatments.  Don’t worry, I promise to not make you lie down on a couch and tell me about your sordid relationship with your RSA key fob, or late night googling of awk and sed scripts.  Promise.

A. Deep Breathing Exercise

1) Giving attention fully to your stomach, slowly draw in two deep breaths.  As you inhale, allow the air to gently push your belly out.  As you exhale, consciously relax your belly so that it feels soft.  If it already feels soft, that’s okay too.  Too much time staring at EnVision consoles will do that.

2) On the third breath, bring to your minds eye an image of a user with good intentions and a desire to just do a good job for their boss.  Imagine the happiness when they receive their bonus for having completed their project on time, or for becoming more efficient in their job.

3) Take a forth breath, and imagine the CEO of the company talking to the board of directors about how the money they invested in the company is producing profits because everyone could do their job, efficiency was up, and the new products could be released on time.

Now close your eyes and imagine what you can do to make these two people happier, more successful.  Think of what things will protect their goals of getting that bonus, or satisfying the investors who have made this company possible.  Remember that security can be part of this equation, but you have to consider their happiness too.

B. Unenforceable Rules

If you are still struggling, I’d like you to think of something Frederic Luskin calls Unenforceable Rules.  Unenforceable rules are rules that we might currently expect others to adhere to, but which aren’t really in our control, and we do not have the power to “make them right”.  Are the rules about security you think are necessary really unenforceable?  Let me counter the question with another question: how many of your rules have been implemented?  How many have not met significant resistance?  You might ask if that means their aren’t any rules that others will share?  There will be, trust me, but let me share a little secret.  No security expert ever shares the same rules about security with everyone in their company.  Even the best and most respected CSO will find disagreement on tactics or rules they may think are perfect.  The difference is their ability to recognize that they are unenforceable.

Think then about what your hope is – your goal, your real focus for what you are trying to achieve.  Then look at the rules you want to enforce.  Do you think someone might object to them? (Notice I don’t say they are wrong, just that someone else might not share them.)  Now think about why they might not agree.  What might their objectives be?  What might their goals or focus be?  How do the unenforceable rules violate their goals?

Now you will likely find yourself much more able to understand their goals.  Now you will find yourself able to design new rules – rules and associated actions that users and that CEO will find appealing because they support their goals too.  These new rules and actions can achieve security goals without requiring SOCD.  Recognize you still may not be able to exercise the level of control or security you wished for.  You may not have solved the level of security you wish for, but you likely will have made an impact that you otherwise would not have if you had held to your unenforceable rules.

Credit to Frederic Luskin, with absolutely no malicious intention to parody his incredible work.

About Daniel Blander

Information Security consultant who has spent twenty plus years listening, discussing, designing, and creating solutions that fit the requirements presented. President, Techtonica, Inc.
This entry was posted in CISO, CSO, Information Security, Information Security Governance, InfoSec, InfoSec Governance, IT Risk Management, Security Governance, Uncategorized. Bookmark the permalink.