logo
Published on Security Incite: Analysis on Information Security (http://securityincite.com)

Rise up against Mediocrity

By Mike Rothman
Created 2008-09-08 08:42

A few folks (Emergent Chaos [1], Risk Analys.is [2]) pointed to probably the best Dilbert I've seen in a long time. A lot are funny, but this one really struck home.

[3]
When people asked me what I did for a living for a long time my standard response was: "Fight against mediocrity." And that's kind of how I fancied myself. A crusader against all lameness. Someone who wouldn't just accept "that how we do it," when doing it that way was just stupid.

Part of it is naive idealism. Another part is actually wanting to make a difference.

But over time, you get beaten down. Many incentive systems reward for mediocrity. For doing just enough. And if you consistently don't get rewarded for going the extra mile, after a while you'll stop. No one is so self-motivated that they outperform their peers and blast expectations for an extended period of time without some kind of reward and recognition.

That's why I think change is so important. Changing what you do, maybe who you do it for, what your goals and aspirations are, who you hang out with - anytime you start to feel stale. Stale = mediocre.

We in the security business are particularly guilty of accepting mediocrity. Our brand of mediocrity flies buy under the term compliance, which are basically the best practices that we should adopt - or have our executive officers suffer the mythical perp walks.

One of the things I mention in the P-CSO is the importance of thinking differently and not doing what everyone else is doing from a defense standpoint. Dilbert makes the risk of the lowest common denominator approach abundantly clear. If you do what everyone else does, then your adversaries know what that is, thus THEY KNOW HOW TO BEAT YOU. [4]

I love those old movies like "Home Alone," where the bad guys stumble and bumble into every trap. The little kid set a bunch of non-traditional traps and the bad guys didn't know what to do about it. That's exactly how we need to start thinking about computer security as well. As fun as it would be to spray a hacker with honey and then dump them into a pile of feathers, we need to find the digital equivalent of that.

That's why I continue to beat the drum for Security FIRST! as a mantra. If you do security correctly, then I'm pretty confident you won't have much trouble with compliance.

It's too easy just to push the compliance button and figure everything will be OK. To figure that compliance is the end goal, the finish line. Folks we work in security, THERE IS NO FINISH LINE. Compliance is the lowest common denominator. It's something that everyone is doing (or should be doing) and it represents mediocrity.

And who wants to go through life settling for mediocrity?

Photo: "mediocrity" courtesy of Despair, Inc. [5]

Source URL:
http://securityincite.com/blog/mike-rothman/rise-up-against-mediocrity

Links:
[1] http://www.emergentchaos.com/archives/2008/09/quoting_dilbert_is_a_best.html
[2] http://riskmanagementinsight.com/riskanalysis/?p=409
[3] http://dilbert.com/strips/comic/2008-09-03/
[4] http://www.despair.com/med24x30prin.html
[5] http://www.despair.com/med24x30prin.html