December 16, 2015 By Kevin Beaver 2 min read

We live in a gotta-have-it-now society. The desire for instant gratification is not only at the root of personal desires, but it also drives bigger, more impactful things in business and government. Quick fixes to problems that arise, often with little to no thought put behind them, are implemented and often politicized for the gain of an individual or group. The original need may have been satisfied on paper, but there’s often a slew of unintended consequences with this approach.

There’s Danger in Postponing Security Measures

We see this very behavior every day as it relates to information security measures. When an auditor reports that policies and procedures are missing, they’re downloaded from the Internet and tweaked to please. When a customer or business partner sends a security questionnaire to be completed before a business deal can be closed, someone in the organization — often a person who doesn’t have all the answers — runs through it, checking boxes and filling in blanks with words they know the other party wants to hear. When management discovers that a security assessment has never been performed, they assign the task to IT or security staff who, in turn, run a quick, external vulnerability scan.

There’s almost always an immediate need that is quickly fulfilled. But at what cost? How much additional risk is created by slapping things together at the last minute and considering it whole? It’s human nature to provide quick fixes with the intention of coming back later and making it better. But you know where the road paved with good intentions leads to.

Striking the Right Balance With Security

We live in a world of cause and effect. Everything we do in information security is cyclical and predictable. There are so many examples where the box is checked without thinking through the action; people assume they’ve succeeded because they threw together some quick-and-dirty security solutions.

They start to think that they’ve made it and can relax or move on to the next thing. They stop working on their craft, let their guard down and quick security fixes come back to bite them. You cannot afford to go down this path.

I’m not saying everything security-related must be long-term, dragging on through committee consensus and so on. There’s almost always a real need to implement something quickly. In fact, when things take too long, it can have the same negative consequences as doing things too fast.

You have to be careful with the quality of the end product. As the saying goes, “good enough” rarely is. If you need to fix something with security at the last minute, do what you need to do — but vow to make it better in the near future. Sooner than later, get it to the level of implementation or quality where you know it needs to be. Assign responsibility and deadlines to hold the right people accountable.

Start early doing the things you know you need to do. Work on them a little bit each week, reaching goals one security step at a time. This approach will not only keep things in check and keep your organization out of hot water, but it will help you stand out as a professional who sees the bigger picture and understands what it really takes to make security work.

More from Risk Management

Digital solidarity vs. digital sovereignty: Which side are you on?

4 min read - The landscape of international cyber policy continues to evolve rapidly, reflecting the dynamic nature of technology and global geopolitics. Central to this evolution are two competing concepts: digital solidarity and digital sovereignty.The U.S. Department of State, through its newly released International Cyberspace and Digital Policy Strategy, has articulated a clear preference for digital solidarity, positioning it as a counterpoint to the protectionist approach of digital sovereignty.What are the main differences between these two concepts, and why does it matter? Let’s…

A decade of global cyberattacks, and where they left us

5 min read - The cyberattack landscape has seen monumental shifts and enormous growth in the past decade or so.I spoke to Michelle Alvarez, X-Force Strategic Threat Analysis Manager at IBM, who told me that the most visible change in cybersecurity can be summed up in one word: scale. A decade ago, “'mega-breaches' were relatively rare, but now feel like an everyday occurrence.”A summary of the past decade in global cyberattacksThe cybersecurity landscape has been impacted by major world events, especially in recent years.…

It all adds up: Pretexting in executive compromise

4 min read - Executives hold the keys to the corporate kingdom. If attackers can gain the trust of executives using layered social engineering techniques, they may be able to access sensitive corporate information such as intellectual property, financial data or administrative control logins and passwords.While phishing remains the primary pathway to executive compromise, increasing C-suite awareness of this risk requires a more in-depth approach from attackers: Pretexting.What is pretexting?Pretexting is the use of a fabricated story or narrative — a “pretext” — to…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today