January 26, 2009

By Ron Simmons

During the last few weeks I had the opportunity to meet and speak with a very diverse group of people. In the process, I learned some important lessons. When it comes to the causes of poor security, opinions vary widely. Some people say “people are stupid,” others say “there is no accountability or ownership,” still others put it down to a lack of education or knowledge, and then there is the “oh well, I will accept that risk” crowd. The challenge is knowing which one you are dealing with at that moment in time, and how best to resolve the issue and move forward in a secure, low-risk environment.

People are stupid – (not a chance)

I am a firm believer that people always mean well. However, some of them have warped definitions of “meaning well.” This is where education, responsibility and accountability come into play. If their definitions are “off,” then it is up to a mentor, friend, co-worker, Webster’s, or whoever else to help them change their paradigm.

Lack of Education/Knowledge

This one is easy to work with, as long as the person you are working with understands it. Hopefully you have chosen a person for the job who knows their limits and will stand up and say “I don’t know.” If not, one of the best ways to work around it is the power of suggestion. Simple.

Lack of Accountability/Ownership

There is too much accountability running around today. For every problem, it seems the government(s) must put down some law that requires accountability. Has it worked so far? I think NOT. Let’s try moving this paradigm from accountability to enforcement of the laws that are already on the books. It is not always understood that it is the spirit of the law that matters, not what is typed on the paper. I have even seen government auditors fail in this. I will leave it to the legal folks to fight over this one.

Risk Acceptors – Nothing but $$$$$$

These are the decision makers who should be smacked upside the head. It doesn’t matter how much the $$ is; it’s just not the right thing to do. However, I will admit that some risks, the ones that do not affect other people’s lives, can be acceptable.

The point is simple

We, as a diverse group of professionals, need to look at each situation and attempt to change our focus from blame to responsibility. There is no silver bullet for these situations. Your path can only be determined by you, taking into consideration the situation and the people responsible and accountable for the data. What it all boils down to is people and change, plain and simple.

I know I have missed a few of the “reasons” that get used when moving a system into production with known “risks,” but hopefully this short list can stir up some more conversation about the topic. What do you think?

About the Author Michael Santarcangelo

The founder of Security Catalyst, Michael develops exceptional leaders and powerful communicators with the security mindset for success.

