My undergrad is in Marketing.  I sometimes call myself a marketing guy, but only right before I rip on one that hypothetically might do something causing a technical guy to lose his weekend.  One of my favorite marketing guys is Seth Godin, and every once in a while he posts something that works not only in the Marketing world, but in our world.

Equilibrium: force, by felipe_gabaldon

On Friday, his post “It’s easier to teach compliance than initiative” reminds me of how our business works.  Isn’t it WAY easier to talk about some kind of security-related compliance versus actually talking about security?  Think about your past interactions with information security.  Did you have a chance to create a 3-5 year plan detailing how you would markedly improve security in your organization?  Or did you react to someone pushing a compliance initiative in your face?

The majority of the discussions I’ve had around security in the last five years have been primarily in support of a larger compliance related initiative.  Not just because I’ve been living and breathing PCI DSS for most of them either.  Even with PCI DSS, assessors look to basic security measures as a way to measure compliance.

How do we change this behavior?

Marketing guys (here I go) sometimes like to resort to something widely known as the FUD ((Fear, Uncertainty, and Doubt)) factor.  Because of that, information security was largely referred to as an insurance policy to prevent the world from coming to an end.  That is, until widespread virus and worm outbreaks took away someone’s precious email or webpage.  Then it was immediately a priority ((Until systems were humming nicely again.  What have you done for ME lately?)).

Senior management’s general response to this priority was something like, “I hate spending money, so you are only going to get a tiny amount to do your job.  Now get it done, we’re all counting on you.”  FUD will create a perceived need, but without the education it quickly dissipates.

Don’t take this the wrong way—I’m not an advocate of overspending for security.  That behavior has a life span, and it does not tend to live very long.  On the other hand, many of us did not do a good enough job describing exactly what we needed in order to live up to the edict handed down.  Think back to every single published major breach or malware annoyance to date.  Was it preventable?

I think the overwhelming answer in most cases is “YES!”

As security practitioners, we must put down the stick, and embrace the carrot.  Compliance as a security stick will get you short term gains, but will not afford you the long term support you want and need to be successful.  Sure, it’s harder to answer the question “Why?” when the answer isn’t “Because I told you so!”

But isn’t that the fun part of the job?

This post originally appeared on

Possibly Related Posts: