Change happens. When it does, someone, somewhere has to figure out what the implications of that change are. Little, seemingly innocuous changes can have long-lasting and far-reaching ripple effects.
Take my friend Ivan, a Security Systems Engineer for a manufacturing and service company. He works in an environment where change to the current products and services he's charged with protecting is only half of his problem. The other half is the fact that about every 9-13 months he has a new boss he has to re-educate, thanks to the constant mini-reorgs that ripple through large companies. It's hit or miss for Ivan, and his latest string of bosses doesn't have a clue as to what he does or the value of the role he fills. His latest manager has hamstrung and marginalized his contribution and seems to think that what Ivan does should be some other group's responsibility. That's the bad news. The good news is that he's probably due for a new manager in a couple of months.
Here's a short quiz to get the conversation started:
1. When you board an airplane, are you more secure in the knowledge that:
A. there are now locks on the cockpit doors, or
B. you bought trip insurance?
2. When you visit your doctor or clinic, are you comforted by the idea that:
A. your personal data is encrypted on their computers and thumb-drives, or
B. the clinic has you sign a HIPAA disclosure form?
3. When you log in to your bank, brokerage, or retirement account, do you pay more attention to the fact that:
A. you have to select a personal image and a phrase, possibly validate the computer you're on, and answer a few questions the first time if you haven't used this computer before, or
B. the website shows that your deposits are FDIC insured?
If you answered "A" above, you can thank a Security Systems Engineer like Ivan!
Security, as embodied in the "holy trinity" of C-I-A (Confidentiality, Integrity, and Availability), has to be "baked in, not bolted on." It's about understanding the first principles of Systems Engineering and recognizing that change has consequences.
From the six-sigma/lean world:
"You can't inspect quality into a product"
The same is true of security in terms of Information Risk Management. You have to consider the people, places, and things that touch and interact with the system under consideration. It's about understanding situated context.
Today's Big Idea: Systems are complex and any change requires thoughtful analysis to understand the butterfly effects.
It's not about compliance. You can't buy an insurance policy big enough to cover your loss of goodwill.