Storytelling is a pastime that spans all of human existence. Famous stories like cultural parables or classics like Romeo & Juliet attempt to tackle complex or conflicting ideas and relate them to someone. We use it to pass information from place to place, to captivate audiences when delivering unexpected information (see TED talks), and to explain to a lay person why they should take some action. Pick a security standard or compliance initiative, and you will find hundreds of analogies that attempt to reduce its complexity to a tagline or short list of tasks. One in particular that is quite popular in the PCI DSS and information security space is comparing compliance with locking your front door. Of course you lock your front door when you leave your home or business, so of course you should comply with some standard? Right?
I really have come to hate this analogy because it doesn’t work. Physical security is easy to understand. Leave a door open and the chances of your expensive TV “walking” out the door are pretty good. Leave cash lying out on a counter and there is a probability that it won’t be there for long. The problem is that these are assets with fairly easy-to-determine values. If you ask a small business owner the value of his on-hand inventory, he will probably have a number for you. Now ask him the value of the information he keeps. Aside from getting funny looks, you probably won’t walk away with a solid answer to that question. Small businesses don’t see information the same way they see a cash register or a neon sign. So why should we try to marry physical security concepts as basic as locking a door with information security?
We shouldn’t. Malicious hackers are invisible to these guys. Evil wizards, perhaps. They will prefer to stick their head in the sand and hope it happens to the next guy. So what kind of analogy should we use for this complex message?
I’d like to liken it to health inspections at restaurants, not locking doors. Restaurant owners must do certain things to ensure food is safe for consumption, and they are regulated by their municipality. Things have to be cooked a certain way, they can’t have vermin or bacteria outbreaks, and ingredients must be kept at certain temperatures. Owners want their customers to feel safe about eating at the restaurant; otherwise customers will not return. If you are a customer, you don’t want to get sick from eating something. Chances are, you won’t know about it at the time (unless there is a food allergy); you will only suspect it after spending some time begging for relief.
Business owners have customer information entrusted to them. Even though most of us have limited- or zero-liability agreements with our banks, forcing your customers to deal with new cards after a compromise can be a hassle. It can get much worse if the disclosure includes more sensitive data.
QSAs (Qualified Security Assessors) are not the same as health inspectors (although I think some have nearly vomited when looking at an insecure environment), but the results of inspection from both groups have similar effects. Bad scores or a temporary halting of operations cause financial pain to the business owner. Inspection is regular, so controls should be built into the standard operating procedures. Small business owners should care enough about their customers to securely store or erase the customer information entrusted to them.
So let’s put this “you wouldn’t leave your front door unlocked, would you?” nonsense to bed and focus on something that illustrates the point a bit more clearly. What analogies do you have? Drop them down in the comments below!