Waiting Until the Last Minute to Implement Long-Term Security Measures
We live in a gotta-have-it-now society. The desire for instant gratification is not only at the root of personal desires, but it also drives bigger, more impactful things in business and government. Quick fixes to problems that arise, often with little to no thought put behind them, are implemented and often politicized for the gain of an individual or group. The original need may have been satisfied on paper, but there’s often a slew of unintended consequences with this approach.
There’s Danger in Postponing Security Measures
We see this very behavior every day as it relates to information security measures. When an auditor reports that policies and procedures are missing, they’re downloaded from the Internet and tweaked to please. When a customer or business partner sends a security questionnaire to be completed before a business deal can be closed, someone in the organization — often a person who doesn’t have all the answers — runs through it, checking boxes and filling in blanks with words they know the other party wants to hear. When management discovers that a security assessment has never been performed, they assign the task to IT or security staff who, in turn, run a quick, external vulnerability scan.
There’s almost always an immediate need that is quickly fulfilled. But at what cost? How much additional risk is created by slapping things together at the last minute and considering it whole? It’s human nature to provide quick fixes with the intention of coming back later and making it better. But you know where the road paved with good intentions leads to.
Striking the Right Balance With Security
We live in a world of cause and effect. Everything we do in information security is cyclical and predictable. There are so many examples where the box is checked without thinking through the action; people assume they’ve succeeded because they threw together some quick-and-dirty security solutions.
They start to think that they’ve made it and can relax or move on to the next thing. They stop working on their craft, let their guard down and quick security fixes come back to bite them. You cannot afford to go down this path.
I’m not saying everything security-related must be long-term, dragging on through committee consensus and so on. There’s almost always a real need to implement something quickly. In fact, when things take too long, it can have the same negative consequences as doing things too fast.
You have to be careful with the quality of the end product. As the saying goes, “good enough” rarely is. If you need to fix something with security at the last minute, do what you need to do — but vow to make it better in the near future. Sooner than later, get it to the level of implementation or quality where you know it needs to be. Assign responsibility and deadlines to hold the right people accountable.
Start early doing the things you know you need to do. Work on them a little bit each week, reaching goals one security step at a time. This approach will not only keep things in check and keep your organization out of hot water, but it will help you stand out as a professional who sees the bigger picture and understands what it really takes to make security work.