U.S. Navy Admiral Hyman Rickover once said: "Good ideas are not adopted automatically. They must be driven into practice with courageous patience." Let this be a reminder when you’re leading information security initiatives. I come across a lot of people in the industry who are trying to meet this or that compliance or audit objective, or who have experienced a breach and so have realized they need to shore up their security. And they want to do it now, presumably so they can get it off their list and move on.
It's funny. When it comes to security we keep talking about the same old things—again and again. We need less complexity, more visibility, something else to purchase, implement, or desire. It's human nature to want more, more, more. That certainly impacts us in our day-to-day lives. But the reality is you're not going to “boil the ocean” all at once. You're not going to have a great security program immediately. You're not going to fix everything right now. It's foolish to assume that you'll be able to find and resolve every possible security challenge in the future, much less today. That would be like someone saying that they are going to get healthy and stay healthy and live to be 125. Unfortunately, the universe doesn't work that way.
There was a study from the CDC many years ago about how unsanitary the air-based hand dryers are in public restrooms. That story has since been revived by the MythBusters TV show, and everyone started talking about it again as if it were something new. We see it with “healthy whole grains”, exercise, and more. I think what we’re witnessing here—and it’s the very thing that’s impacting our security programs in negative ways—is that everything happens in cycles. You go through a period of doing well for your security program, not having any breaches, being applauded by customers, business partners, and management alike. Then disaster strikes. You get complacent and caught up in the day-to-day work, and the big one happens.
But why? I don't think it's intentional neglect. I think it's just that many people lose their momentum. They get so overwhelmed that they don’t (or can’t) keep up their pace. Instead of practicing what I like to call relentless incrementalism, it becomes more like, “We’ll get to it one day and hope everything works out.” It’s a fact that you're not going to have a 100-percent effective security program now—or ever. Why not properly set your own expectations (and the expectations of management) and work on incremental improvements instead? That is, doing small things day after day to get better so that the results show up a year or two down the road. Taking this approach can have a tremendous impact on your security program.
In security, and business in general, there's always more. There's always something that you can be doing, or stop doing, to make improvements. The thing is, you don't need to reinvent the wheel. All you need to do is execute on the basics that have been around for decades and get really good at them. That's the only difference between having an advanced security program and one that is waiting to be turned upside down.
Remember what Admiral Rickover said about good ideas not being adopted automatically. I'll add that they need not be revisited or rehashed unnecessarily. Stop searching for something new. Stop looking to the government for more "cybersecurity." Stop looking for different answers. You likely have everything you need at your disposal to build a reasonably good security program without having to spend a single dollar over the next year.
Author and philosopher Henry David Thoreau proclaimed: "You must live in the present, launch yourself on every wave, find your eternity in each moment. Fools stand on their island of opportunities and look toward another land. There is no other land; there is no other life but this." Along the same lines, there is nothing better or different that you need to do to improve security other than what you already know. You know your security challenges and your risks. You also know what needs to be done about them. The hard part is getting started and seeing it through. That’s the magic of discipline that, if ignored, can come back to haunt you.