Information Security as the Doctor of the Enterprise
“You don’t have to floss all your teeth, just the ones you want to keep.”
I remember, as a child, going to the dentist and seeing that slogan on a poster on the wall. Between that and the serious questions about my brushing and flossing habits during the appointment, it would have been impossible to walk out of the dentist’s office without a full understanding of the importance of consistent oral hygiene. I would leave the dentist’s office (greatly relieved to be free) but without any commitment to adding flossing to my plans. I just didn’t want to do it, no matter how many posters suggested I needed to.
As an adult, I try to make it to the doctor every year or so. The doctor will ask about my exercise habits (not enough), and my diet (not the best choices) and then go on to explain to me the importance of improving those habits. Then we do some blood work and call it a year. I’ve been fortunate enough that my tests have always been normal, and no cause for alarm. So I would figure, “The test results are okay, the diet and exercise must not be all that important for me. I’m good for another year.”
As much as I trust my dentists and my doctors, I take what they have to say with a grain of salt. It’s their JOB to tell me to focus more on their stuff. Of course they are going to give me a little lecture, it’s pretty much expected. And if my teeth were ever to fall out, or I was to ever develop a medical condition because I hadn’t followed their directions, I certainly wouldn’t blame them. It would be nobody’s fault but my own.
Does this sound familiar to anyone? Aren’t we, in information security, playing exactly the same role in our organizations that our doctors play in our healthcare? We in information security evaluate, diagnose, and treat our patients, just as our doctors do for us.
Our evaluations are often called risk assessments instead of checkups. And just like patients at the doctor’s office, our customers will skirt the truth, try to reduce the scope, and may outright lie to us to make themselves seem healthy. The perception persists that security exists to punish or inhibit rather than to help the enterprise better achieve its goals.
Our treatments involve implementing controls to bring down the risk. Instead of prescribing a better diet, more exercise or the newest drug, we prescribe documented processes, improved configurations, additional training or technical systems. And just like the doctor’s recommendations, our patients are only going to follow our advice when it’s easy for them. Many doctors default to prescribing a drug because they know it’s the only thing most of their patients will comply with. In the same way, in information security we can get a business unit to implement a new IPS or DLP, but trying to get them to make a ‘lifestyle change’ (more secure processes, implementing security earlier in the SDLC, ongoing security training) is too much change to be easily accepted.
In the end, security only provides value when feedback is heard, accepted and integrated. We cannot force the business to eat their carrots and do their pushups, but it’s our job to keep reminding them.
See previous posts for more thoughts about getting the organization to buy in to the mission of security.