Every once in a while something from outside our field gives us in Information Security a peek into the 'real world'.
As I read about the various hacking groups out there trying to force better security I can't help but think back to a book I read way back in high school.
The book is called "Bartleby, the Scrivener", written by Herman Melville back in 1853, and it offers remarkable insight into the perceived fight that we all feel we're fighting to force our enterprises to adopt better security.
"Bartleby, the Scrivener" is a remarkable book, and a disturbing story. It's an interesting illustration of the phrase "You can lead a horse to water, but you can't force it to drink"... in fact, you can extend that phrase to add "you can even drown it in water, but you still can't force it to take a drink".
As with Bartleby, no matter what you do, you simply can't force someone to do something they don't have an ambition, or reason, to do.
What does this have to do with Information Security? The story line that carries through "Bartleby, the Scrivener" echoes through corporate hallways today.
"I prefer not to" is heard in the office of the CIO, the project manager and all over enterprises as frustrated Information Security practitioners try to push better security throughout the business.
The moral of the story is this - sometimes no matter what you do, no matter what you say, your enterprise or organization simply doesn't have better security as a goal.
There are a number of reasons why the enterprise simply doesn't care about better security, but at the end of the day you get frustrated and wonder why no one cares.
Maddening as it may seem, sometimes poor security practice and results are acceptable - and even a way of life - in many of your organizations... and you can't do anything about it.
There are lots of places you can point the finger of blame... at poor management, at yourself, or at your peers who value profit and release dates above your customers' safety - but the fact of the matter is that it really doesn't matter.
I suggest everyone in Information Security take a lesson from Melville. I suggest we all take a deep breath and recognize that sometimes the decision to take on risk goes against everything you know to be right and smart.
If you do your job, explain the risks, and your organization's leadership still insists that they "prefer not to" do anything about that risk - then it's OK. Know this - you don't get to make the decisions.
You, the information security practitioner, CISO or "security guru", don't get to call the shots. It's really not your decision; you get to do nothing more than advise your organization, and then you must make your peace with their decision on risk.
Melville may have been speaking to a different age, to a completely different group of people and to a completely different mindset, but the lesson still rings true today.
Sometimes your organization's decision makers simply "prefer not to" do the right thing for the sake of better security... and that's the business decision. Whether it's right is debatable, but it's the decision.
Bottom line is, you won't be able to force change no matter how much you yell, scream, or try to scare the leadership. Better security is a cultural change; it must be adopted for a purpose or an organizational goal. Otherwise... you're throwing rocks against a brick wall.
I recommend you go read Bartleby, the Scrivener. Take the lesson to heart - and change your point of view. I think it's critical that in order to get past the constant battle with the business over security, we just need to accept our role as advisors and get over ourselves.
Until you're confident that you understand the business and the role you play in it, do your best to advise and push for change, and accept that sometimes you can't force it... and the business will "prefer not to" implement security.
Cross-posted from Following the White Rabbit