Information Security as the Doctor of the Enterprise

Monday, September 05, 2011

Robb Reck

“You don’t have to floss all your teeth, just the ones you want to keep.”

I remember, as a child, going to the dentist and seeing that slogan on a poster on the wall. Between that and the serious questions about my brushing and flossing habits during the appointment, it would have been impossible to walk out of the dentist’s office without a full understanding of the importance of consistent oral hygiene.

I would leave the dentist’s office (greatly relieved to be free) but without any commitment to adding flossing to my plans. I just didn’t want to do it, no matter how many posters suggested I needed to.

As an adult, I try to make it to the doctor every year or so. The doctor will ask about my exercise habits (not enough), and my diet (not the best choices) and then go on to explain to me the importance of improving those habits. Then we do some blood work and call it a year. I’ve been fortunate enough that my tests have always been normal, and no cause for alarm. So I would figure, “The test results are okay, the diet and exercise must not be all that important for me. I’m good for another year.”

As much as I trust my dentists and my doctors, I take what they have to say with a grain of salt. It’s their JOB to tell me to focus more on their stuff. Of course they are going to give me a little lecture, it’s pretty much expected. And if my teeth were ever to fall out, or I was to ever develop a medical condition because I hadn’t followed their directions, I certainly wouldn’t blame them. It would be nobody’s fault but my own.

Does this sound familiar to anyone? Aren’t we, in information security, playing exactly the same role in our organizations that our doctors play in our healthcare? We in information security evaluate, diagnose, and treat our patients, just like our doctors do for us.

Our evaluations are often called risk assessments instead of checkups. And just like patients at the doctor’s office, our customers will skirt the truth, try to reduce the scope, and may outright lie to us to make themselves seem healthy. The perception persists that security exists to punish or inhibit rather than to help the enterprise better achieve its goals.

Our treatments involve implementing controls to bring down the risk. Instead of prescribing a better diet, more exercise or the newest drug, we prescribe documented processes, improved configurations, additional training or technical systems. And just like the doctor’s recommendations, our patients are only going to follow our advice when it’s easy for them. Many doctors default to prescribing a drug because they know it’s the only thing most of their patients will comply with. In the same way, in information security we can get a business unit to implement a new IPS or DLP, but trying to get them to make a ‘lifestyle change’ (more secure processes, implementing security earlier in the SDLC, ongoing security training) is too much change to be easily accepted.

In the end, security only provides value when feedback is heard, accepted and integrated. We cannot force the business to eat their carrots and do their pushups, but it’s our job to keep reminding them.

See previous posts for more thoughts about getting the organization to buy in to the mission of security.

Tip of the cap to HackerOutfit for starting this conversation.

Cross-posted from Enterprise InfoSec Blog from Robb Reck

Leila M: I agree with your statement highlighted in blue. It is said that the doctor knows best what is best for the patient. But there are some instances like this... When given properly by an expert, fat transfer, Botox and similar therapies may help blur the visible lines of time. Janet Hardt of Homewood, Ill., is a sad illustration of how such things can go horribly wrong. As reported by the Chicago Sun-Times, Hardt perished after inserting hot beef fat into her face. Source of article: Woman dies after injecting hot beef fat into her face