Writing in Gold
James Bore
I make compliance a painless outcome of good bespoke processes instead of a storming headache of artificial cookie-cutter targets.
There's a quote which is deservedly well-known in health and safety circles. I've heard it multiple times over the years, and it carries an impact which sticks. It's been attributed to various people over the years, and finding the true source is not the point of this article.
"Those regulations are written in blood."
Another thing I hear more and more is that information security now is where health and safety was decades ago.
I'm sorry to say, that's untrue. In terms of maturity, maybe.
In terms of the future path of security? Not so much.
There's a fundamental problem. Health and safety progressed because enough people were directly harmed, and in some cases died, that there was a demand for improvement.
No matter what we may feel about the importance of information and cyber security, it is not life and death in enough circumstances to drive that level of demand.
Our regulations are not written in blood. The harms caused are too abstract to drive the same sort of movement, and that leaves us with a problem.
The simple fact is our regulations are written in gold. When information security breaks down, money is lost, and money simply doesn't have the same grip on humans as blood.
Regulatory frameworks are improving, but there's a limit to what fines can do, and there's little appetite to move beyond financial threats to try and enforce good behaviour.
Companies often see security risks as something to simply insure against, little more than a tax on operating as a business. Meaningfully reducing them, by building secure systems and ways of working from scratch, takes effort and understanding that isn't seen as worthwhile; instead, buying 'solutions' to patch over the cracks and insurance to cover the inevitable damage is the standard approach.
This is a problem, and it's one that will continue to worsen either until we change the narrative and generate sufficient demand for security, or until the damage gets bad enough that it becomes life-threatening.
I hope for the former, and there are organisations that work towards changing their systems, but most signs point to the latter.
If writing in gold isn't enough, then sadly writing in blood is inevitable.