We have all witnessed time and again how history has a tendency to repeat itself, especially as it relates to managing information security in the enterprise. It’s human nature to believe that nothing bad will happen to us, and therefore, we don’t need to be prepared. After all, bad things only happen to other people. From average employees to business executives, people keep doing what they’ve done and they get the same results.
Stein’s Law and Security
There’s an interesting corollary to history repeating itself called Stein’s Law. Named after Herbert Stein, former chairman of the Council of Economic Advisers under U.S. Presidents Nixon and Ford, the law states that if something cannot go on forever, it will stop.
When I first heard about this, I couldn’t help but think about how information security is often mismanaged in the enterprise through various predictable means. Some of these include:
- Relying on paperwork (security policies) to minimize information risks;
- Assuming that compliance equals security;
- Redirecting information risks to outside parties such as contractors and cloud service providers;
- Supposing that when things seem to be going well on the network (i.e., no alerts or confirmed issues) that they truly are;
- Believing that just because patch management can be difficult, it can be ignored; and
- Thinking that incident response planning is something that’s done after a breach has occurred.
The list is endless, but you get the point. If things cannot go on forever in your information security program then, simply put, they won’t. The consequences will inevitably arise. Incidents will happen.
Unfortunately, things are going to escalate a few notches. It’s all just a matter of time. Not unlike lifestyle choices that impact your health, these information security issues will eventually catch up to you.
Luckily, the odds are good that poor security practices won’t kill you. However, they surely will make you look bad in the eyes of your leaders, peers and subordinates. As an IT or information security professional, a toxic CV is the last thing you need.
Take the time to acknowledge the problems with your information security program. You know what they are; you probably know how to fix them. What’s likely missing is the motivation and discipline to see things through on the part of everyone involved. Make a stand to make things right before Stein’s Law comes to fruition.
Independent Information Security Consultant