Thoreau vs NIST

Hi folks,

We just passed our summer solstice, and with more daylight comes more time to spend outside.

One guy who didn’t need extra sunlight to spend time outdoors was Henry David Thoreau – the great American essayist and transcendentalist. In 1845, the trappings of modern life had become too much, and he abandoned them for a small cabin he built on Walden Pond near Concord, Massachusetts. He stayed there for two years, and used his time there as the inspiration for his masterpiece, Walden.

Walden is full of awesome insights and quotes, but I think this is one of the best:

It’s from a section of Walden where he’s literally describing the arrival of Spring – the return of birds, lengthening of the days, new vegetation along the banks of the pond. But the quote is powerful beyond his intent. It’s often used to support persuasive communications – to promote the notion that it’s far more powerful to convince others to take action through persuasion rather than compelling them through force or threat of consequences.

It’s an idea that we in security need to embrace. All too often, we defend a new policy or restriction by saying “because (we || NIST || OMB || whomever) said so” or by cloaking our logic in inscrutable technobabble that we’re sure our audience can’t understand, let alone refute. So our colleagues reluctantly accept these impositions that we deliver via the barrel of a policy gun, never really understanding the “why” behind the change.

These are missed opportunities for us. By failing to explain the “why” behind our actions, we pass on a chance to convert our impacted colleagues into allies and evangelists for the change. Instead of declaring a new change by decree or fiat, we should take the time to convince others of the necessity of our actions, thereby reducing resistance and greatly increasing the likelihood of successful adoption. And that’s all good news for accomplishing our mission.

For any change we make – in our policies, our programs, our procedures – we should present the justification not as “well, NIST/OMB/etc tells us to do this”, but as a means of becoming more effective or efficient in accomplishing our mission. So instead of saying

“we lock an account after 5 unsuccessful login attempts because NIST 800-53 AC-7 says we should”

we should say

“we lock an account after 5 unsuccessful login attempts because allowing unlimited attempts would increase the chances that an attacker could guess a password and gain access to the system. We chose 5 because it was a reasonable limit for the end user and it limits our risk appropriately.”

That’s a lot easier to get behind.

Will there be times that we need to say “we’re doing this because someone up the food chain asked us to”? Yes, but they should be rare, and if we’ve built a reputation for thoughtful, candid justifications of our actions over time, our colleagues should be understanding of those uncommon occurrences.

^ Yeah, let’s not be that guy.

Rex