Do as I Say, Not as I Do

Andrew Hay has authored a good article entitled "Do as I Say, Not as I Do" on the Security Catalyst blog. He argues that security folks often ignore their own advice. Here is my reply (also posted on link below):

I like what you have to say and agree with many of your points. However, I believe you’re mixing two different concepts in order to make your points: 1) security pros in the work vs home environment and 2) how others react to security controls/policies.

Regarding 1) security pros are people just like anybody else and have to manage their own time/lives given the risk environment. Indeed, it means that home security practices are not as thorough as they are at work. But I would argue that this is just the way it should be. At work, you are paid for your time (and your security input), presumably to help the business in its profitable endeavors. At home, you are primarily liable only to yourself and your family for food & shelter. If your spouse or your family could pay your security salary to monitor and enforce enterprise-class controls at home, why would you go to work at all? The level of security needed at home cannot be the same as required at work, as both the risks and the users are vastly different.

Regarding 2) security pros are people just like anybody else and have to lead the way by acting within the confines of well-established security parameters (i.e. policies). Of course, as you pointed out, if those parameters are too strict, you will often find that the IT and/or security folks grant themselves shortcuts which potentially weaken the security of the entire organization.

As a faculty member, I have the unique privilege of being able to shape young minds by providing insights into security best practices. I never pass an opportunity to cover the meaning of good governance and the necessity for balanced security controls that work for everyone, including IT.

Src: Do as I Say, Not as I Do | The Security Catalyst