Richard Carlson, author of Don't Sweat the Small Stuff, said “It's critical to remember that if you go on doing what you've always done, you will go on getting what you've always gotten.” You've no doubt heard the saying “everything happens for a reason”. It's true and something we've all experienced. It's called the law of cause and effect. It's an irrefutable law, especially as it relates to information security.
The law of cause and effect says that your thoughts, choices, and actions (the causes) create the conditions (the effects). In terms of security, every effect can be traced back to a cause. For example:
- You spend less effort running vulnerability scans and exploiting flaws because you invested in good security tools.
- You found a vulnerability in your test environment before it ever went into production because of your SDLC security standards and processes.
- Your business remains compliant with PCI DSS because management invests significant energy into supporting what's needed.
On the other hand:
- You're struggling to get buy-in from your users because you're having trouble getting your points across and gaining the respect you need to form the right relationships.
- You don't have proper visibility into your network because you're continually struggling to sift through your log files to find questionable behavior.
- You experienced a breach because the free Web vulnerability scanner you're using missed that SQL injection flaw in your Web application.
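To make the last item concrete, here is an added example (not code from the original post) of the kind of SQL injection flaw a scanner can miss but a code review or a regression test in your SDLC would catch. The table, credentials and tautology payload are constructed for the demonstration; the point is that the outcome (breach or no breach) follows from the choice of how the query was built.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
def _make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    # Cause: the query is built by string concatenation, so attacker-supplied
    # input is parsed as SQL. Effect: a tautology payload logs in as anyone.
    query = ("SELECT id FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password):
    # Cause: a parameterized query binds the input as data, never as SQL.
    # Effect: the same payload is just a string that matches no password.
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def injection_regression_test(login_fn):
    # The check you would keep in the SDLC test suite: a login function must
    # reject a classic "' OR '1'='1" payload. Returns True when it does.
    conn = _make_db()
    return not login_fn(conn, "nobody", "' OR '1'='1")


def demo():
    # Runs both versions against valid credentials and the injection payload.
    conn = _make_db()
    payload = "' OR '1'='1"
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_injected": login_vulnerable(conn, "nobody", payload),
        "hard_valid": login_hardened(conn, "alice", "s3cret"),
        "hard_injected": login_hardened(conn, "nobody", payload),
    }


if __name__ == "__main__":
    print(demo())
    print("vulnerable passes test:", injection_regression_test(login_vulnerable))
    print("hardened passes test:", injection_regression_test(login_hardened))
```

With the payload the concatenated query becomes `... WHERE username = 'nobody' AND password = '' OR '1'='1'`, and the trailing `OR` makes the whole condition true. The parameterized version compares the password column against the literal string and finds nothing. Putting `injection_regression_test` in the build pipeline is the cause; finding the flaw in test rather than in production is the effect.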
Winston Churchill once said “Want of foresight, unwillingness to act when action would be simple and effective, lack of clear thinking, confusion of counsel until the emergency comes…these are the features which constitute the endless repetition of history.”
You create your own circumstances in security by the choices you make.
As you proceed in your work in IT and security, remember that both actions and inactions will generate results. Call it the law of cause and effect or simple sowing and reaping. Whatever you do – or fail to do – will determine your results and the ultimate outcome of your security program.
Make sure everything that does happen, happens because you made it happen for good reasons with clear intent and vision. If you focus on this approach, you will be the one in control of what happens.