In Peter Thiel’s book Zero to One: Notes on Startups, or How to Build the Future, he talks about the best interview question. The question is this: “What important truth do very few people agree with you on?”
Something I’ve had a gut feeling about for a while without any justification is this: The information security industry is causing more harm than good.
This is a bit of a thought experiment but bear with me.
Okay, what if your information security organization decided to disband? Yep, no more security org, except for maybe compliance and some other folks that you’re contractually required to employ.
Now imagine if before you did this, you told everyone that security is up to them. Here are the standards that we as a company promise to our customers and stakeholders. Don’t mess it up. And also, we now have some extra budget you can put towards whatever you’d like.
What would happen?
I recently read “Parenting with Love & Logic” by Foster Cline and Jim Fay. The entire idea behind the book is to be the consultant parent and, at the same time, not a “Helicopter Parent” or a “Drill Sergeant Parent”. Foster Cline and Jim Fay call this the Love and Logic Technique.
Let’s define those types of parents:
Helicopter parents make excuses for the child and then complain about mishandled responsibilities. They take responsibility for the child and make all the child’s decisions. The helicopter parent also uses words and actions that indicate that the child is not capable or responsible.
Drill Sergeant parents make many demands and have many expectations about responsibility. They tell the child how he or she should handle responsibility and provide absolutes: “This is the decision you should make!” The drill sergeant parent demands that jobs or responsibilities get done now. Typically, the drill sergeant parent uses many harsh words, but very few actions.
Now, if we replace parent with security org and child with the business, we start to see some parallels.
If you’re still with me here, let’s go on to explain the “consultant parent”.
The consultant parent very rarely mentions responsibility. They provide alternatives and then allow the child to make his or her own decisions. They make sure the child owns the problem and help the child explore solutions to his or her own problems. The consultant parent uses many actions but few words and allows the child to experience life’s natural consequences.
Let’s replace parent with security org and child with the business. Now we are getting somewhere.
In the book “Parenting with Love & Logic”, one subject is dealing with a child’s report card. This has an excellent parallel with information security.
Foster remembers how his father handled his report cards. Every time Foster brought home a report card with bad grades, his father would ask him: “Are you proud of this?” Foster remembers answering “No”. This ritual continued throughout his school years. Had his father detected that Foster was okay with the poor grades, he likely would have been enrolled with all sorts of tutors and in private schooling.
Let’s be concerned when teams feel good about their poor security assessments. But otherwise, life is good.
So, instead of disbanding your security org, turn them all into consultants and stop mandating. Provide guidance but let teams own their security. Let them fail if that’s what it takes.
Also, singing the “uh-oh” song when someone gets breached probably won’t go over well, so not all of the lessons may apply.