But we already knew that. I mean, with shows like the Big Bang Theory and Two & A Half Men, who can deny his genius?

Anyway…

For those of you that own televisions and have already realized his genius, you probably know that at the end of his shows there is a 2-4 second blip where he displays his vanity card. Every episode has a unique one, and as most things, the first ones were pretty tame, and they get more and more out there with each passing week (see this blog and Herding Cats in the ISSA Journal for additional examples).

Vanity card #221 struck me as something we see in the compliance and security industries. The first part, anyway, it goes off on a tangent that is unrelated.

We have once again arrived at a moment in history where the truth can be defined as “that which you can make other people believe.” The methodology for creating that belief is repetition. Say something enough times and it becomes, for millions of people, the truth.

Think about your last compliance or security assessment. Two plus two equals three. Did you expect to find everything totally peachy, but in reality found some nasty holes that nobody really knew about? Two plus two equals three. Did Joe the firewall engineer go on vacation and while he was out, an auditor happened by to review some active firewall configurations? Two plus two equals three. No problem, right? Two plus two equals three. We’ve passed these types of reviews before without an issue. Two plus two equals three. But after further review, you find several suspicious firewall rules that open up certain ports for certain individuals in certain sensitive areas.

Or how about this? Two plus two equals three. You walk into an assessment meeting with an assumption about a process because you have been told by multiple people that X process works Y way. Two plus two equals three. But then a savvy assessor (or maybe just a bored one) starts asking questions in a certain way that ends up revealing a major gap that went undetected for months, or years. Two plus two equals three. How did this happen? Two plus two equals three. Exactly like Chuck Lorre said it would. Two plus two equals three. Truth became what one person could get another to believe. Two plus two equals three. Why? Two plus two equals three. Maybe it’s apathy? Two plus two equals three. Maybe it’s a lack of understanding? Two plus two equals three. Every situation is different.

While Chuck refers to things that are not related to information security, the basic principle of his post rings true. Trust, but verify. The phrase, “But, I didn’t know!” only goes so far, and won’t help you after a breach.

By the way, how much is two plus two?

This post originally appeared on BrandenWilliams.com.

Possibly Related Posts: