May 2, 2016 By Kevin Beaver 2 min read

We have all witnessed time and again how history has a tendency to repeat itself, especially as it relates to managing information security in the enterprise. It’s human nature to believe that nothing bad will happen to us, and therefore, we don’t need to be prepared. After all, bad things only happen to other people. From average employees to business executives, people keep doing what they’ve done and they get the same results.

Stein’s Law and Security

There’s an interesting corollary to history repeating itself called Stein’s Law. Named after Herbert Stein, former chairman of the Council of Economic Advisers under U.S. Presidents Nixon and Ford, the law states that if something cannot go on forever, it will stop.

When I first heard about this, I couldn’t help but think about how information security is often mismanaged in the enterprise through various predictable means. Some of these include:

  • Relying on paperwork (security policies) to minimize information risks;
  • Assuming that compliance equals security;
  • Redirecting information risks to outside parties such as contractors and cloud service providers;
  • Supposing that when things seem to be going well on the network (i.e., no alerts or confirmed issues) that they truly are;
  • Believing that just because patch management can be difficult, it can be ignored; and
  • Thinking that incident response planning is something that’s done after a breach has occurred.

The list is endless, but you get the point. If things cannot go on forever in your information security program then, simply put, they won’t. The consequences will inevitably arise. Incidents will happen.

Growing Threats

Unfortunately, things are going to escalate a few notches. It’s all just a matter of time. Not unlike lifestyle choices that impact your health, these information security issues will eventually catch up to you.

Luckily, the odds are good that poor security practices won’t kill you. However, they surely will make you look bad in the eyes of your leaders, peers and subordinates. As an IT or information security professional, a toxic CV is the last thing you need.

Take the time to acknowledge the problems with your information security program. You know what they are; you probably know how to fix them. What’s likely missing is the motivation and discipline to see things through on the part of everyone involved. Make a stand to make things right before Stein’s Law comes to fruition.

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today