Driving down the road the other day I did something I often fuss about regarding information security.
I was cruising along next to a police officer minding my own business. I wasn't concerned about my speed, but it did cross my mind that maybe I was following the car in front of me a little too closely. Given our speed, I don't believe I was, but I still didn't want to draw attention to it, so I backed off a bit.
You have likely done this very thing yourself and witnessed others doing it as well. Think about it - what's the common reaction to a police officer cruising along with traffic or running radar on the side of the road? People tend to slow down, right? Whether they need to or not, the mere sight of a police officer reminds them of the rules and how they need to behave.
Then it occurred to me: why is it we feel like we all of a sudden need to be "better" drivers simply because a police officer is around? Why not follow the rules all the time, every single minute of the day? Do we suddenly fall in line because we don't want to get into trouble? On top of that, suddenly focusing on becoming a safe and obedient driver without being in touch with what's going on around us can end up creating more hazards than it prevents. How ironic is that?
If you think about it, the same goes for information security. Why do people feel like they should all of a sudden beef up their networks, applications and IT operations because of some regulation or because an auditor says they should do this or that rather than doing what's right all along?
I see this reactive mode of operation all the time. It's an interesting study in human behavior and risk aversion.
I strongly believe that deep down we all understand right from wrong. Be it in our personal lives abiding by the law or in business managing information risks, we, by and large, have that compass that keeps us on track or helps us get back on track. But it gets more interesting.
Why is it that not too long after such an event (i.e. a police officer driving next to us or an auditor pointing out our security gaps) we tend to become complacent...yet again? We fall back into our old ways, get caught up going with the flow, and pay less and less attention to the things that should be important.
The essence of the issue here is that we need to be constantly reminded of what needs to be done so we don't forget the rules, be it speed limit signs on the highway, information security regulations from the government, or periodic employee training on what they should and shouldn't do on their computers. I believe our lack of ongoing attention to these things - our complacency - is at the root of the continued security breaches that businesses are experiencing.
There's just something about how we perceive what's important, assume all's well, end up becoming complacent, and ultimately break the rules. Subsequently, customers, business partners and the government get involved trying to tighten up the rules, and the cycle of constraints and risk aversion continues. That may be good for those in the information security field, but it is not so good for business.
The important thing is to realize that nothing you do regarding information security is a one-time deal. Your security architecture will evolve, your policies will need to be tweaked, and your assessments and audits will have to be repeated over and over again. You not only have to change the way you think about information risks but also how you address the issues on a daily basis. Once you get your arms around things and get a good pace going, there's no doubt that something will fall out of line every now and then. Just learn from it and vow to improve - over and over again.