The New Year is always a good time to wipe the slate clean and start afresh. On a personal level many of us vow to make big changes in our lives. Spend more time with the family, lose weight, climb that mountain we’ve always wanted to climb and so on.
This year however, I’ve decided that I should make some specific professional resolutions with regards to information security.
Once I sat down to think about it, I realised it wasn’t an easy task. In order to make a resolution, you have to first admit there is a deficiency that needs correcting to begin with. So when someone asks you “what’s your resolution” what you’re really telling them is what you think is wrong with you.
Information security is not unlike most professional industries. Whenever anything goes wrong, it’s never really our fault. With a large number of people to point the finger at, it’s almost too easy to shift the blame. If there’s a security breach, you can blame the “lazy” developer for coding it wrong, the “incompetent” IT department for not patching it on time, the “ignorant” manager for not doing anything with the risk report you issued them with, or if all else fails, simply blame the “dumb” user.
So, this year, I’d like to set off on a more positive and accountable route. Not just personally, but hopefully something that my friends and colleagues in information security will also adopt:
If you’ve heard me talk about security but still don’t think it’s important.
That’s my fault not yours.
If you’ve seen my solution but don’t endorse it.
Then I haven’t understood your problem correctly
If you’re bored of my presentation
That’s due to my lack of passion and engagement.
If I fail to persuade you to implement a policy
That’s my fault too.
If a system is so secure it reduces your efficiency.
Then I need to design solutions that meet your business needs.
Wishing you a happy and prosperous 2011.
Javvad Malik 