We have all witnessed time and again how history has a tendency to repeat itself, especially as it relates to managing information security in the enterprise. It’s human nature to believe that nothing bad will happen to us, and therefore, we don’t need to be prepared. After all, bad things only happen to other people. From average employees to business executives, people keep doing what they’ve done and they get the same results.

Stein’s Law and Security

There’s an interesting corollary to history repeating itself called Stein’s Law. Named after Herbert Stein, former chairman of the Council of Economic Advisers under U.S. Presidents Nixon and Ford, the law states that if something cannot go on forever, it will stop.

When I first heard about this, I couldn’t help but think about how information security is often mismanaged in the enterprise through various predictable means. Some of these include:

  • Relying on paperwork (security policies) to minimize information risks;
  • Assuming that compliance equals security;
  • Redirecting information risks to outside parties such as contractors and cloud service providers;
  • Supposing that when things seem to be going well on the network (i.e., no alerts or confirmed issues) that they truly are;
  • Believing that just because patch management can be difficult, it can be ignored; and
  • Thinking that incident response planning is something that’s done after a breach has occurred.

The list is endless, but you get the point. If things cannot go on forever in your information security program then, simply put, they won’t. The consequences will inevitably arise. Incidents will happen.

Growing Threats

Unfortunately, things are going to escalate a few notches. It’s all just a matter of time. Not unlike lifestyle choices that impact your health, these information security issues will eventually catch up to you.

Luckily, the odds are good that poor security practices won’t kill you. However, they surely will make you look bad in the eyes of your leaders, peers and subordinates. As an IT or information security professional, a toxic CV is the last thing you need.

Take the time to acknowledge the problems with your information security program. You know what they are; you probably know how to fix them. What’s likely missing is the motivation and discipline to see things through on the part of everyone involved. Make a stand to make things right before Stein’s Law comes to fruition.

More from CISO

Poor Communication During a Data Breach Can Cost You — Here’s How to Avoid It

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…

5 min read

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read

Do You Really Need a CISO?

2 min read - Cybersecurity has never been more challenging or vital. Every organization needs strong leadership on cybersecurity policy, procurement and execution — such as a CISO, or chief information security officer. A CISO is a senior executive in charge of an organization’s information, cyber and technology security. CISOs need a complete understanding of cybersecurity as well as the business, the board, the C-suite and how to speak in the language of senior leadership. It’s a changing role in a changing world. But…

2 min read

What “Beginner” Skills do Security Leaders Need to Refresh?

4 min read - The chief information security officer (CISO) was once a highly technical role primarily focused on security. But now, the role is evolving. Modern security leaders must work across divisions to secure technology and help meet business objectives. To stay relevant, the CISO must have a broad range of skills to maintain adequate security and collaborate with teams of varying technical expertise. Learning is essential to simply keep pace in security. In a CISO Series podcast, Skillsoft CISO Okey Obudulu recently said,…

4 min read