Don’t Be A Security Slacker

Today I woke up to a beautiful, gorgeous spring morning…sunny, low 60’s (abnormally high for March), gentle breeze, the grass seemed to have gotten green over night, the birds are singing, the geese and ducks have come back after being gone for the winter and are swimming on our pond, a cute little chipmunk is eating from the birdseed and nuts I scattered on the patio outside my office door, what a great day! And then, after a nice walk outside, I come back inside, first to do some chores along with my family; my sons doing their assigned cleaning.


Well, they are young, so I can understand why they have missed some of the trash getting taken out to the trash bin, and why some of the floors and carpets still have some spots visibly missed, and…you get the picture. They are doing their chores, but they have a tendency to do the minimum amount they can get away with when it comes to work; a typical 7- and 9-year-old perspective.
I then looked at some emails, reviewing some project work some colleagues asked me to check over for them, and started grading student work. The project work has a good start, but it is clearly lacking; in details, in editing, in clarity, in comprehensiveness. However, this was intended to be the final product. It probably meets the minimum requirements for their clients or companies, but is missing components that would make it significantly more valuable and useful. And then on to grading student discussions and essays. Some are outstanding, but others just barely meet the minimum requirements (if any of my students are reading this, you know who you are); not showing any thoughtful analysis, lacking spelling checks, no integration of reading assignments, examples or outside references, or anything that seems to go beyond a quick top-of-the-head writing flurry.
Is it just me, or does it seem like the trend is growing for some folks to do the minimum necessary with regard to work, school, and general responsibilities? Is it old-fashioned and out-of-style to want to do your very best effort and go above and beyond the minimum necessary just to squeak by?
I never have enough time to give my house a good, thorough cleaning. A couple of years ago I hired someone to come in once a month and really put some elbow grease into making the rooms in my house sparkle with cleanliness. She said she paid high attention to detail and took pride in doing “immaculate” work. She also had a habit of talking to herself. I worked downstairs in my office while she was upstairs working. I would occasionally go upstairs to go to the kitchen or do some laundry. I would hear her mumbling. I thought it was kinda cute. The third time I went upstairs I was in the room next to where she was cleaning in the shower. I heard her say to herself, “Well, it’s still got a long ways to go…but it’s better than it was. I’d say it’s good enough!” And while I was still in the next room she walked by and went outside to take a cigarette break, and never returned to the shower. Good enough! I looked at the shower and she had barely made a dent. Since when is doing substandard “good enough” work the same as being immaculate? I was not paying for “good enough”! No, she did not come back again.
Many of my information assurance colleagues and friends who are CISOs and CPOs work extremely hard, and long hours. They go beyond their minimum hourly requirements. They often arrive at the office at 6am or 7am and stay until 6pm or 7pm, in addition to working on the weekends. I hear a common theme from many of them, their disappointment that many of the folks they work with show up right at 8am and leave at, or just shy of, 4pm, and in fact often early, regardless of the work that was due that day. More than one of them have told me how frustrated they are with folks who have been given projects to do, months in advance, say they are going to have them done on time when asked for progress along the way, and then on the due date walk out the door at 4pm with considerable amount of work left to do on the project. No looking back. No apologies. No regrets. Their failure to meet the deadline justified in their minds by their right to leave at a specific time.
So many of the vendor products I’ve seen seem like they add what they want to call security or privacy features without really thinking the product features through thoroughly. There always seems to be a “planned upgrade” to address the shortcomings. However, what they offer is “good enough” to help information assurance pros meet their “compliance challenges.”
I know that securing information is tougher than it has ever been before. That is to be expected considering the advances in technology, globalization of locations where business occurs, multiple laws and regulatory requirements, and an increasingly mobile and remote workforce. However, just because there are more challenges than ever before doesn’t mean that you can start settling for something over nothing and just resign yourself to being a “good enough” security slacker. Just think of the many times organizations settle for the least amount of security they can “get away with” and then have to deal with the resulting incident consequences. Things such as:
* Deciding it is “good enough” to just use a login password instead of encrypting personally identifiable information (PII) on mobile computers used by the workforce. And then notebook computers and storage devices are lost or stolen and PII is subsequently compromised.
* Sending out a poorly written memo and calling it “information security training” because it is “good enough” to meet training requirements, and then having personnel not know that they weren’t supposed to send clear text PII files as email attachments, and PII ends up being sent to people who should not get it.
* Allowing all the network admins to share one ID, and making them promise to keep track of when each person uses it, because it is “good enough” to keep track of who is doing what. But then, when the admin ID is used inappropriately and leads to an incident, you cannot determine who was using the admin ID at the time of the incident and cannot establish accountability. But then recall, sharing one ID and logging the use by hand was “good enough” instead of establishing separate admin IDs, that are not shared, for each of the folks doing administrative work.
* Making weekly backups is “good enough” for mission critical databases because making more would take significantly more backup media, time and human resources, and then having an incident occur the day before the scheduled backup and losing a week’s worth of data.
* Deciding to print store flyers on recycled paper that has PII on the other side because it would save money on the paper, and does not specifically break any data protection laws (that the organization knows about), so it is “good enough” to address any legal concerns.
* And so many, many more examples…
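The shared-admin-ID item above is the one on this list where the loss of accountability can be shown concretely. The following is an added example, not code from the original post: it runs the same three audit events through an attribution routine twice, once logged under a shared “admin” account backed by a hand-kept sign-out sheet, and once under individual admin IDs. The roster, the sign-out sheet and the log lines are all constructed for the illustration; the log format is a hypothetical one, not any particular product’s.

```python
"""Why a shared admin ID defeats accountability: the same incident line
yields one person when individual IDs are used and the whole team when
a shared ID is used, even with a hand-kept sign-out sheet."""
import re
from datetime import datetime

# Hypothetical log format: "<timestamp> user=<account> src=<ip> action=<what>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>.+)$"
)

# Hypothetical roster: which people are authorized to use which account.
ROSTER = {
    "admin": {"alice", "bob", "carol"},  # one ID shared by the whole team
    "alice.adm": {"alice"},
    "bob.adm": {"bob"},
    "carol.adm": {"carol"},
}

# Constructed hand-kept sign-out sheet for the shared ID: (start, end, person).
# Nobody wrote down who had the ID between 10:00 and 13:00.
SIGNOUT_SHEET = [
    ("2011-03-13T08:00", "2011-03-13T10:00", "alice"),
    ("2011-03-13T13:00", "2011-03-13T15:00", "bob"),
]

# Constructed audit log lines: identical actions, logged two ways.
SHARED_ID_LOG = """\
2011-03-13T09:15 user=admin src=10.0.0.5 action=restart db-prod
2011-03-13T11:30 user=admin src=10.0.0.7 action=export customer_pii.csv
2011-03-13T14:05 user=admin src=10.0.0.5 action=apply patch-221
"""
INDIVIDUAL_ID_LOG = """\
2011-03-13T09:15 user=alice.adm src=10.0.0.5 action=restart db-prod
2011-03-13T11:30 user=bob.adm src=10.0.0.7 action=export customer_pii.csv
2011-03-13T14:05 user=bob.adm src=10.0.0.5 action=apply patch-221
"""


def parse_log(text):
    """Parse log lines into dicts; lines that don't match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def signed_out_to(ts, sheet):
    """People whose sign-out window covers ts (empty set if the sheet has a gap)."""
    t = datetime.fromisoformat(ts)
    return {
        who
        for start, end, who in sheet
        if datetime.fromisoformat(start) <= t <= datetime.fromisoformat(end)
    }


def candidates(event, roster, sheet):
    """Set of people who could have performed this event.

    An individual ID maps to exactly one person. For a shared ID we fall back
    to the sign-out sheet; if the sheet does not cover that time, every person
    authorized for the ID remains a suspect, i.e. no accountability.
    """
    allowed = roster.get(event["user"], set())
    if len(allowed) == 1:
        return set(allowed)
    from_sheet = signed_out_to(event["ts"], sheet) & allowed
    return from_sheet if from_sheet else set(allowed)


def attribute_incident(log_text, action_keyword, roster=ROSTER, sheet=SIGNOUT_SHEET):
    """Return (action, candidate set) for every event whose action matches the keyword."""
    return [
        (e["action"], candidates(e, roster, sheet))
        for e in parse_log(log_text)
        if action_keyword in e["action"]
    ]


if __name__ == "__main__":
    for label, log in (("shared ID", SHARED_ID_LOG), ("individual IDs", INDIVIDUAL_ID_LOG)):
        for action, who in attribute_incident(log, "export"):
            print(f"{label:15} {action!r:30} candidates={sorted(who)}")
```

With the shared ID the PII export at 11:30 falls in the gap on the sign-out sheet, so all three admins remain candidates; with individual IDs the same line names exactly one person. The 09:15 restart is attributable under the shared ID only because someone happened to fill in the sheet for that hour, which is precisely the kind of manual control that breaks when people are doing the minimum.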
All of these are actual incidents that have happened, and there are an infinite number of others.
We know from many different reports that a majority of incidents originate inside organizations. How many of these security incidents happen just because of security slacking or slackers?
Am I being too harsh? Are my expectations of information assurance professionals and vendors too high? Can’t we expect that our personnel, vendors, consultants and others with whom we work will try to do more than just the minimum that is “good enough” to get by?
Well, this was a good thing to think about on a Sunday; I guess I needed to get this security sermon out of my head.
Now I’m going to talk with my sons about the importance of not being a slacker…with their house chores and in life. And then I’m going to go for a nice long run and clear my mind of this…well, for at least a while.
