Why starting from scratch with security is delusional

Blog Post created by kevinbeaver on Aug 4, 2014

There’s nothing really new in the world in which we work. Every problem you face in information security has already been solved by someone else. Why not use that to your advantage? There’s no time for baby steps in security. Sure, you need to “walk before you run” by thinking before you act. That comes in the form of knowing your network, understanding your risks, and getting the right people on board. But not taking the time to learn from other people’s mistakes and developments in information security is downright bad for business.


You can’t attend an IT or security conference anywhere today without hearing a speaker quoting Sun Tzu's The Art of War. These people decree “Know your enemy, that’s the key to security.” Not really; it’s part of it, but not all of it. Threats aside, you need to know the shortcomings and risks associated with your own network and fix what needs to be fixed – once and for all. But you can’t start from scratch.


It’ll take time and effort to learn what’s working in the world of security. I have a book written by James Martin titled Security, Accuracy, and Privacy in Computer Systems that has most of the answers. It was written in 1973. You might have to bring in an outsider or two who can provide a fresh perspective and share insight learned from the other organizations they work with. The important thing is to do something – even if it means changing things up. Odds are good that your current approach to information security needs work. It may need complete retooling, as many people in this field have discovered. But, again, no baby steps allowed.


Managing your time is critical to all of this. Yet, given how complex everyone’s network is and how fast things are moving in business, no one is good enough or smart enough to build everything from the ground up in a reasonable time frame. If you start from scratch, you’ll only make yourself look bad. Taking it easy, without making great leaps forward in a timely manner, will ultimately result in a security breach.


You do have to be careful. I’ve seen people who take a "just get it from Google and be done with it" approach. When they need a policy, disaster recovery plan, security mission statement or whatever, they download the text, change a few words and then hand it over to their auditors or post it for everyone to see and claim it as their own. That shortcut is not for you.


Motivational trainer Brendon Burchard said: “People often fool themselves into the comfortable life by reasoning that taking baby steps are sufficient." Rather than feeling like you have to justify your existence by dragging things out to fill up each day, like many people do, get rolling with the proven techniques, documentation, and tools that are known to work. There will be plenty more work to do after that.


In the end, if you’re going to be an effective security professional, you have to maximize the value of your work while minimizing your efforts and learning from others.