The Sponge
I was examining a bath sponge one evening and thought about the journey taken by this particular genus of sponge. From its exciting life as a sea-dwelling, multi-celled animal to an item hanging from a hook in a bath and body shop, this little sponge had been around. Like most of you I empathize with any creature that ends up on the bottom of my shopping basket, but understanding my place on the food chain, I quickly move on with my life. For some reason, this sponge was different... I felt compelled to give serious consideration to the unfortunate events leading to such a humble end. To really understand where this sponge came from I had to "become the sponge".
At some point this sponge was living a happy if somewhat solitary life under a sunlight-streaked warm tropical sea. Swaying to and fro under the gentle pressure of the underwater currents with delightfully colored fish swimming by to nibble and groom their neighbor... the sponge, then dashing off leaving it alone again to sway to and fro... to and fro....
Fast forward five years and some chubby guy in Dallas, Texas is in the shower using the same sponge to exfoliate his butt. Sad... so very sad.
If there is any moral at all to this story, it's this: don't become complacent and take things for granted. Now I'll try to tie this into an information security analogy, but don't expect much... I really just wanted to share that story.
Information Security Programs can range from a simple set of controls and practices for the neighborhood coffee shop to a complex and comprehensive multi-national solution based on a formal Information Security Management System aligned with international standards and industry best practices. The former of those solutions can be designed and implemented for a few hundred dollars by a pretty smart high school student. The latter will require months of planning, extensive resources and funding, and often generates a virtual cross-border range war between the security implementation team and the legacy network and system administrators. A bit of advice here: work for consensus prior to implementation, or become intimately familiar with Sun Tzu's Art of War.
Once an information security management system is in place, change adoption and communication programs have more or less been successfully conducted, and the budget has been blown for the next five years, a worn-out and battle-scarred security team may allow themselves to settle in and become complacent. It's interesting that complacency is defined as:
"pleased, esp. with oneself or one's merits, advantages, situation, etc., often without awareness of some potential danger or defect"
I am a firm believer in basking in the sunshine of success when deserved; however, the problem with becoming complacent is found toward the end of the definition: "often without awareness of some potential danger or defect". Security professionals, if we possess any character flaw at all, may at times exhibit signs of hubris. We don't like to admit that we may be wrong, or worse yet, lacking in technical proficiency. So here you are, new security program in place, enjoying the adoration of the security neophytes within your organization and taking a working holiday that will last until you become conscious of your condition or fate steps in and creates an emotionally significant event tailor-made just for you. It's not likely that if you've been lacking in self-awareness or a work ethic prior to this you will suddenly achieve some level of enlightenment. I'm thinking many will go the other route, and we all know the type of emotional event I'm referring to here. Hackers! Those mean-spirited pirates of the net. Eventually we all have that one security experience that we will bring up in conversations for years to come. Whenever security, the Internet, or any mention of pirates comes up in casual conversation, you begin to retell the story of the great security breach of 2010 (the story tells much better if it doesn't start out with "I really screwed up once"). Worst case: you don't have to tell people about it because they read it in the newspaper.
So back to the moral of this missive. Build your program, enjoy the rewards that come with a successful launch of an information security management system, but never stop evaluating and improving your program. Threats change with technology, business objectives will introduce new risk, and the attack vectors continue to shift. Challenge yourself daily and you might avoid ending up like the sponge.