February 26

Protecting Information is Not a Seasonal Event

I’ve often said that we don’t achieve security through compliance. The only way to be compliant (with whatever) is to follow “good” security practices. It works into a nice mantra: Compliance through security. But recently, I’ve realized that while effective, it’s not good enough.

I still believe that, btw, but now I’d even say it differently. See, the more I think about things, the more I realize that “scale matters” (sorta like size matters, but different). See, when I tell someone I practice security, it leads to a host of responses and questions: alarms? security guard? background checks? firewalls?

So I started to explain that I help companies protect information – sometimes your private information. And that seems to bring clarity. Think about it – say out loud “1 Billion years” (it gets funny if you do this with your pinky next to the side of your mouth). Now – try to imagine how long that is. It’s so big we can’t actually picture it. Now, go tell someone you’re in security. Same effect. We have no practical scale by which to measure what it means to be in security. But when we talk about information and how we help protect important information – people immediately understand. It also explains better the processes we go through, the education we must focus on and the role that technology plays.

Inherent in that way of explanation is the role that the individual plays. It brings what we do into proportion and gives it meaning.

Great! Now what?
Well, the next step is to help organizations start to realize that the protection of information is not a seasonal event. We’re all familiar with spring cleaning (whether we do it or not), the concept of skiing in the winter, swimming in the summer and enjoying activities that come with the seasons. I see a lot of companies that “rush” to “get security done” in time for an audit. We could argue the effectiveness of that approach in the short term, but in the long term it simply doesn’t work. By seeing security as an end state, we lose sight of the fact that security is a process. Better still – protecting information is a lifestyle. Think about it.

I’m not the only one who thinks and writes about this. For a similar perspective, I highly recommend reading Alex Bakman’s Compliance should be integrated…not an event.
