Like many fans of Dan Brown’s character Robert Langdon, I was one of the first to tear through The Lost Symbol last month.  Symbology in ancient and modern cultures is fascinating, and somehow while I was reading the book, I drew a parallel between this final lost symbol (no spoilers here, you need to go read the book!) and the quest for security and compliance nirvana.

In the book, Mal’akh is searching for what he believes is the final piece of a puzzle that will make him an all-powerful, deity-like creature.  His quest began while he was imprisoned in a Turkish prison (yes, he HAS seen the inside of a Turkish prison, Clarence) with the son of a prominent 33rd degree Freemason.  From there, he traveled the world, ending up in Washington DC, to find and follow the clues that lead to the “Lost Symbol.”

Compass on deck of derelict fishing ship, by mikebaird


Sometimes I think security and compliance professionals follow a similar path.  Sure, we don’t start our lives imprisoned in a Turkish correctional facility (well, most of us anyway), but we do begin our quest without knowing much about security.  Our curiosity grows with each new nugget of knowledge we pick up, and with every mistake we make along the way that ends in a security breach or a dirty scan report.

Deep down, the people passionate about security are all on a quest like Mal’akh. We are compelled to find that single symbol or phrase we can use to get the enlightened view of our security situation, complete with a path to nirvana, laid out in front of us.  Maybe it’s something we need for ourselves to fully grasp our situation, or maybe it’s something we need to use on others, so THEY understand why security and compliance are important.

I truly believe the good apples among us want our companies to fully grasp and understand why security is important, and how they can leverage the seemingly endless assessment and audit activities to their advantage.  A red mark on a report should not be viewed as the event that could cost you your job, but as the leverage you need to do your job better.  Sure, you’ve been hounding your management for months to deploy Wireless IDS/IPS in your satellite locations to help you defend against rogue wireless access points (sometimes installed by Ted in Marketing so he can sit in the conference room and totally work hard on his laptop).  That red mark in a report may just end up as the leverage you need to get it!

The danger lies in abusing this power.  Instinctively, most businesses do not trust their information security group.  They group us into the same hated army as auditors, and live in constant fear that we will be the ones to crush their latest project destined to earn them their bonus or promotion.  We want the business to reach out to us BEFORE they go to production, and help our associates earn that bonus or promotion without potentially bankrupting the company in a breach.

We can’t over-assess everything and scream to management about every minute finding those assessments produce.  That’s irresponsible and arguably close to crying wolf.  Instead, we should choose carefully which issues we take to the Chief.  Not every finding is CODE RED DEFCON 1.

The Lost Assessment is the magical mix that security and compliance professionals endlessly search for: one that would cover all of their compliance needs and also apply the right control to stop the right attack at the right time.  We all know that you can overspend on security trying to prevent a single catastrophic event, but are we spending enough to prevent even basic attacks?  PCI DSS is a great start when looking for The Lost Assessment, but it is narrowly scoped to the cardholder data environment and says nothing about the many other systems that may hold mission-critical or otherwise sensitive data.

Of course, if you are not set up to handle the results of an assessment that wide and far-reaching, what’s the point?

This post originally appeared on BrandenWilliams.com.