The slow, painful death of real information security

I’ve blogged before about the perils of best practices and standards, and the crippling effect of compliance on security programmes. The consequences, however, are getting more serious as these ideas progressively embed themselves across a world that is sleepwalking down a one-way street into an inescapable pit of bureaucratic treacle.

Experienced security practitioners (me included) have to accept the blame for this dreadful state of affairs. We have encouraged the growth of best practices, standards and compliance, without fully appreciating their consequences.

Let’s face the reality. Best practices are no more than a snapshot of current practice; they cannot defend our interests against future threats. Standards create a backward-looking monoculture that discourages innovation and enables attackers to anticipate our defensive measures. And compliance cements these standards into permanent demands that cannot be ignored, regardless of their cost, relevance or importance.

The most dangerous trend of all is the rapid growth in quality management concepts that place excessive emphasis on paperwork (generally cloned), and pay no attention to real thinking and initiatives. The reality is that any required paperwork can be instantly downloaded from the Internet. This is not real security. And this is not where our priorities should lie.

Over the last year I have seen dozens of enterprises implement thousands of pages of documentation that nobody will ever read. This practice is especially time-wasting in countries with cultures that do not generally follow written instructions. It is a bad British export.  

Unfortunately, today’s security functions cannot make a business case to do anything other than follow these outdated rituals. The result is that security functions are bogged down in trivia. Their time is wasted in closing down forgotten audit actions, rather than addressing more serious, emerging threats. And their success is measured by auditors with little experience of real-world security.

We have reduced security to a tick-box quality management function. It is wrong, and it’s killing innovation and enterprise. Where is the escape hatch?   

Comments
Ah, now that's a good question which merits a rich response. I shall make it the subject of my next posting. There is much that needs to be changed in our perception of what counts for good security governance. David Lacey
I'm more concerned at the number of organizations that are still way below good security practice, and nowhere near best. Using free generic policies off the web without any effort to customize/adapt them is a classic example of mediocre practice, possibly no better than having no policies and in some cases worse.
I am really concerned about the number of unprotected and unsecured organizations too. None of them try to adapt their policies and to find a solution for how to protect the information they need and use.