Analogies are like.....
Often, it can be a challenge to explain to the ‘Powers That Be’ exactly why the organization needs a particular security initiative. Next time you are confronted with this, try using analogies.
Merriam-Webster defines analogy as:
a: a comparison of two otherwise unlike things based on resemblance of a particular aspect
b: resemblance in some particulars between things otherwise unlike : SIMILARITY
The analogy can be industry-specific, but it tends to work best when it is something more familiar to your audience. If possible, draw on more general ‘real-world’ common knowledge. If it feels like you and your audience are speaking different languages, you need to find a shared reference point. Below are a few of my ‘go-to’ analogies for some of the sticking points I run into most frequently.
Q: We don’t need (PCI/GDPR/HIPAA/etc.) compliance because we outsource everything.
A: Sensitive data is like your money; you can hire someone else to manage it for you, but they are still managing YOUR money. Trust but verify.
Q: This (PCI/GDPR/HIPAA/etc.) compliance requires too many controls!
A: This is just basic best practice; there’s nothing in there that you wouldn’t insist on from someone else if they had your personal or financial data.
Q: Do we need to do vulnerability scanning AND pen testing?
A: Regular scanning is like exercising and eating right, all the things we do to stay healthy; annual or semi-annual pen testing is like a comprehensive physical with a stress test.
Q: If we do all of this, we will be safe then, right?
A: Your data is like your car: if someone really wants to steal it, they will find a way. The key is to make your car less attractive to the thieves than the one parked down the street.
Do you have a favorite ‘go-to’?
Are you in need of an analogy?
Post here, share the knowledge.