Waiting Until the Last Minute to Implement Long-Term Security Measures

We live in a gotta-have-it-now society. The desire for instant gratification is not only at the root of personal desires, but it also drives bigger, more impactful things in business and government. Quick fixes to problems that arise, often with little to no thought put behind them, are implemented and often politicized for the gain of an individual or group. The original need may have been satisfied on paper, but there’s often a slew of unintended consequences with this approach.

There’s Danger in Postponing Security Measures

We see this very behavior every day as it relates to information security measures. When an auditor reports that policies and procedures are missing, they’re downloaded from the Internet and tweaked to please. When a customer or business partner sends a security questionnaire to be completed before a business deal can be closed, someone in the organization — often a person who doesn’t have all the answers — runs through it, checking boxes and filling in blanks with words they know the other party wants to hear. When management discovers that a security assessment has never been performed, they assign the task to IT or security staff who, in turn, run a quick, external vulnerability scan.

There’s almost always an immediate need that is quickly fulfilled. But at what cost? How much additional risk is created by slapping things together at the last minute and considering it whole? It’s human nature to provide quick fixes with the intention of coming back later and making it better. But you know where the road paved with good intentions leads to.

Striking the Right Balance With Security

We live in a world of cause and effect. Everything we do in information security is cyclical and predictable. There are so many examples where the box is checked without thinking through the action; people assume they’ve succeeded because they threw together some quick-and-dirty security solutions.

They start to think that they’ve made it and can relax or move on to the next thing. They stop working on their craft, let their guard down and quick security fixes come back to bite them. You cannot afford to go down this path.

I’m not saying everything security-related must be long-term, dragging on through committee consensus and so on. There’s almost always a real need to implement something quickly. In fact, when things take too long, it can have the same negative consequences as doing things too fast.

You have to be careful with the quality of the end product. As the saying goes, “good enough” rarely is. If you need to fix something with security at the last minute, do what you need to do — but vow to make it better in the near future. Sooner than later, get it to the level of implementation or quality where you know it needs to be. Assign responsibility and deadlines to hold the right people accountable.

Start early doing the things you know you need to do. Work on them a little bit each week, reaching goals one security step at a time. This approach will not only keep things in check and keep your organization out of hot water, but it will help you stand out as a professional who sees the bigger picture and understands what it really takes to make security work.

Share this Article:
Kevin Beaver

Independent Information Security Consultant

Kevin Beaver is an information security consultant, writer and professional speaker with Atlanta-based Principle Logic, LLC. With over 28 years of experience in IT and 22 years specializing in security, Kevin performs independent security assessments and helps businesses uncheck the boxes that keep creating a false sense of security. He has authored/co-authored 12 books on information security, including the best-selling "Hacking For Dummies" and "The Practical Guide to HIPAA Privacy and Security Compliance." In addition, Kevin is the creator of the Security On Wheels information security audiobooks and blog providing security learning for IT professionals on the go. You can learn more and link to Kevin's articles, blog posts, videos and more at his website, www.principlelogic.com.