I’m a huge Seth Godin fan. Technically, a marketing guru, but he’s so much more than that. His wisdom easily applies to all facets of business and life. A few days ago, I read a post of his, “But do you want to get better?”
…Better means change and change means risk and risk means fear. So the organization is filled with people who have been punished when they try to make things better, because the boss is afraid.
I wonder if Godin ever worked in Information Security.
Some days it seems as though the practice of Infosec is more about how it sounds and looks to outsiders and very little about actual reduction of risk. Most of the time, real improvement to an information security program doesn’t arise from exciting changes or innovative new tools. It often comes from making better policies, standards and procedures. It could mean that you really don’t need five extra staff members or a Hadoop cluster. Maybe it means you learn to operationalize controls, automate, and collaborate better with your peers in apps and infrastructure. It means worrying less about kingdom building and more about what actually helps the organization.
But this kind of change is a gargantuan shift in the way many infosec leaders operate. Often, they’re so busy cultivating FUD to get budget, they can’t or won’t stop to ask themselves, “Do I want to make it better?”