If Your GPS Worked Like An Information Security Team
… it would fend off dangerous drivers before they could hit you.
… it would give you regular statistics on the number of accidents on your daily route, so you could make decisions to avoid newly bad parts of town.
… it would help you plan your route to avoid the sorts of areas that have bad accidents, so that you would not be a part of one.
… it would give you hints on how to be a better driver, and train you every so often to keep your driving skills sharp.
… it would observe other accidents and gauge trends, to advise you what previously safe driving habits to avoid.
… it would co-operate with you in planning a trip, to help you choose the quickest, safest route to your destination.
… it would teach you how to read maps, so you could make safe routing decisions for yourself.
… it would work with your mechanic, so that every time your car went in for a service, it would come back safer.
… it would work with the police to let them know where the bad parts of town are, so that they could be cleaned up.
… it would let you know any time you were about to run a stop-light or exceed the speed limit, so that you could make an informed decision, rather than accidentally break the law and get pulled over.
Yes, it’s another argument by analogy, which is something I dislike in general – but I see too many times when the Information Security Team is perceived as a “STOP” sign. The Security Team is employed by the same organisation as you, and therefore has the same business goals – just a different focus. Its focus is to ensure that the company can carry on doing business without interruption by hackers, crackers, viruses, spyware, regulatory and contractual damages, or public relations disasters caused by inappropriate data disclosure.
I think a GPS is a better analogy, then – if you follow the Security Team’s advice, or at least listen to it, you’ll be aware of the risks of the different ways to your – our – destination.