I’ve often said that we don’t achieve security through compliance. The only way to be compliant (with whatever) is to follow “good” security practices. It works into a nice mantra: Compliance through security. But recently, I’ve realized that while effective, it’s not good enough.
I still believe that, btw, but now I’d even say it differently. See, the more I think about things, the more I realize that “scale matters” (sorta like size matters, but different). See, when I tell someone I practice security, it leads to a host of responses and questions: alarms? security guard? background checks? firewalls?
So I started to explain that I help companies protect information – sometimes your private information. And that seems to bring clarity. Think about it – say out loud “1 Billion years” (it gets funny if you do this with your pinky next to the side of your mouth). Now – try to imagine how long that is. It’s so big we can’t actually picture it. Now, go tell someone you’re in security. Same effect. We have no practical scale by which to measure what it means to be in security. But when we talk about information and how we help protect important information – people immediately understand. It also explains better the processes we go through, the education we must focus on and the role that technology plays.
Inherent in that way of explanation is the role that the individual plays. It brings what we do into proportion and gives it meaning.
Great! Now what?
Well, the next step is to help organizations start to realize that the protection of information is not a seasonal event. We’re all familiar with spring cleaning (whether we do it or not), the concept of skiing in the winter, swimming in the summer and enjoying the activities that come with each season. I see a lot of companies that “rush” to “get security done” in time for an audit. We could argue the effectiveness of that approach in the short term, but in the long term it simply doesn’t work. By seeing security as an end state, we lose sight of the fact that security is a process. So, better – protecting information is a lifestyle. Think about it.
I’m not the only one who thinks and writes about this. For a similar perspective, I highly recommend reading Alex Bakman’s Compliance should be integrated…not an event