What Can’t Go On With Security: How Stein’s Law Impacts Your Information Security Program

We have all witnessed time and again how history has a tendency to repeat itself, especially as it relates to managing information security in the enterprise. It’s human nature to believe that nothing bad will happen to us, and therefore, we don’t need to be prepared. After all, bad things only happen to other people. From average employees to business executives, people keep doing what they’ve done and they get the same results.

Stein’s Law and Security

There’s an interesting corollary to history repeating itself called Stein’s Law. Named after Herbert Stein, former chairman of the Council of Economic Advisers under U.S. Presidents Nixon and Ford, the law states that if something cannot go on forever, it will stop.

When I first heard about this, I couldn’t help but think about how information security is often mismanaged in the enterprise through various predictable means. Some of these include:

  • Relying on paperwork (security policies) to minimize information risks;
  • Assuming that compliance equals security;
  • Redirecting information risks to outside parties such as contractors and cloud service providers;
  • Supposing that when things seem to be going well on the network (i.e., no alerts or confirmed issues) that they truly are;
  • Believing that just because patch management can be difficult, it can be ignored; and
  • Thinking that incident response planning is something that’s done after a breach has occurred.

The list is endless, but you get the point. If things cannot go on forever in your information security program then, simply put, they won’t. The consequences will inevitably arise. Incidents will happen.

Growing Threats

Unfortunately, things are going to escalate a few notches. It’s all just a matter of time. Not unlike lifestyle choices that impact your health, these information security issues will eventually catch up to you.

Luckily, the odds are good that poor security practices won’t kill you. However, they surely will make you look bad in the eyes of your leaders, peers and subordinates. As an IT or information security professional, a toxic CV is the last thing you need.

Take the time to acknowledge the problems with your information security program. You know what they are; you probably know how to fix them. What’s likely missing is the motivation and discipline to see things through on the part of everyone involved. Make a stand to make things right before Stein’s Law comes to fruition.

Share this Article:
Kevin Beaver

Independent Information Security Consultant

Kevin Beaver is an information security consultant, writer and professional speaker with Atlanta-based Principle Logic, LLC. With over 28 years of experience in IT and 22 years specializing in security, Kevin performs independent security assessments and helps businesses uncheck the boxes that keep creating a false sense of security. He has authored/co-authored 12 books on information security, including the best-selling "Hacking For Dummies" and "The Practical Guide to HIPAA Privacy and Security Compliance." In addition, Kevin is the creator of the Security On Wheels information security audiobooks and blog providing security learning for IT professionals on the go. You can learn more and link to Kevin's articles, blog posts, videos and more at his website, www.principlelogic.com.