Protecting Information is Not a Seasonal Event
I’ve often said that we don’t achieve security through compliance. The only way to be compliant (with whatever standard) is to follow good security practices. It makes a nice mantra: compliance through security. But recently I’ve realized that, while effective, that framing isn’t good enough.
I still believe it, by the way, but now I’d say it differently. The more I think about it, the more I realize that scale matters (sort of like size matters, but different). When I tell someone I practice security, it leads to a host of responses and questions: alarms? security guards? background checks? firewalls?
So I started to explain that I help companies protect information - sometimes your private information. That seems to bring clarity. Think about it: say out loud “1 billion years” (it gets funny if you do this with your pinky next to the side of your mouth). Now try to imagine how long that is. It’s so big we can’t actually picture it. Now go tell someone you’re in security. Same effect. We have no practical scale by which to measure what it means to be in security. But when we talk about information and how we help protect important information, people immediately understand. It also better explains the processes we go through, the education we must focus on, and the role that technology plays.
Inherent in that way of explanation is the role that the individual plays. It brings what we do into proportion and gives it meaning.
Great! Now what?
Well, the next step is to help organizations realize that the protection of information is not a seasonal event. We’re all familiar with spring cleaning (whether we do it or not), skiing in the winter, swimming in the summer, and the other activities that come with the seasons. I see a lot of companies that “rush” to “get security done” in time for an audit. We could argue about the effectiveness of that approach in the short term, but in the long term it simply doesn’t work. By seeing security as an end state, we lose sight of the fact that security is a process. Better still: protecting information is a lifestyle. Think about it.
I’m not the only one who thinks and writes about this. For a similar perspective, I highly recommend reading Alex Bakman’s Compliance should be integrated…not an event.
Posted in Information Protection
This Just In! Office Crashes, Your Firewall is Swiss Cheese, and You Can’t Manage By Compliance | RiskAnalys.is said,
February 27, 2007 @ 8:56 am
[...] I’m not sure if it was Michael J. Santarcangelo or another contributor, but I thought this post, called Protecting Information is Not a Seasonal Event, from Security Catalyst was worth pointing you to. Again, as much as you’d like to, you can’t manage by compliance. Compliance buys you nothing but a paper trail, and business owners understand that. [...]
Compliance through compensating controls at PCI Compliance Demystified said,
February 28, 2007 @ 5:19 am
[...] I agree with Michael that security is not seasonal but feel a little education is needed for the other Mike when it comes to his views on compensating controls. I used to be in the criticize-and-critique camp, but that was before I spent so much time with PCI that I taught it to others. (Am I sounding like a religious convert?) [...]