The reason we wear our seat belts is not to avoid getting a ticket from the police, but rather to avoid a potential injury in a car accident. This analogy is an easy way to describe the difference between box-checking security and real security, and it's instantly understood regardless of technical knowledge. This message resonates with executives, because they typically prefer to “get to the point” and correctly protecting their data is “the point” of cybersecurity.
As a compliance auditor, much of my job is comparing an organization's controls (including compensating controls) against an industry or legal standard (think HIPAA, NIST, PCI, COBIT, CSF, etc.). Compliance standards may seem intimidating, but their purpose is to ensure that we’re thinking about the whole picture. In practice, though, instead of focusing our efforts on protecting the “crown jewels”, time is spent filling out the appropriate documentation and going for that “seal of approval.”
Collectively, businesses hold all sorts of sensitive and private data. Often, the data a business holds belongs to someone else, and there's an obligation to make sure the appropriate measures have been taken to protect it. The mindset should be anchored in doing what is right to protect that information. That’s the mentality. That’s the mode.
Chasing different compliance lists can be a little like riding the dragon’s tail. As the dragon goes up and down, every movement and fluctuation is amplified, and we feel all of it, with our energy spent holding on. A wiser alternative is to simply have a solid and mature security program based on industry-specific risks that is enforced over time. This way, when new laws or regulations come out, you’ll find that you’re already 95% of the way there. Sure, you might have to firm up some documentation over here or tighten up a process over there, but none of it should be foreign to what you’re already doing. That’s what “real” security looks like.
If you’re just starting down the path of info-sec, or feel like your security program hasn’t gotten the traction you wanted, consider your company’s security culture. There might be pockets within your organization that believe security is simply good for business, but the info-sec habit and focus have lost ground to day-to-day tasks. A fantastic starting point is the mindset that real security is what we’re striving towards, and that the future can be better.
Ready to get started on your real security plan?