Friday, June 3, 2011

Incremental changes and long term benefits

For those that don’t know, my wife and I have led several groups through Dave Ramsey’s Financial Peace University (FPU). Very cool stuff; YOU should look into it. That something like 70% of Americans, regardless of income level, live paycheck to paycheck is horrible. The group that we just finished up with had two folks in the medical field. At one point we got to talking about the long-term cumulative effects that incremental changes and small efforts can have (positive or negative) in your life from both a health and a financial perspective.

That got me thinking about InfoSec and whether that line of thought and other FPUisms translate over. I came up with a couple of ideas.

If you want to be 'adjective', do 'adjective' stuff. Ramsey listeners might recognize the line, and you can insert whatever adjective you want: strong, skinny, fast, wealthy. The point is that a change of thought process leads to different decisions, which leads to different habits. Over time you end up at a destination different than if you hadn’t made those relatively minor decisions on a day-to-day basis. This is key because changes like this, even small-effort changes, will usually take you out of your comfort zone. Your comfort zone has gotten you where you are. It reminds me of the one definition of insanity – doing the same thing over and over and expecting different results. If you want to lose 10 pounds you will have to do things differently than what you have been doing. If you want to be more ‘secure’ then you have to start taking a look at where you have sacrificed a level of security for a level of convenience and re-evaluate those decisions. How many places are you using the same password? Do you employ two-factor authentication? Do you use good ACLs that are reviewed periodically? And the list goes on.

The snowball effect. In FPU the snowball effect describes the methodology for getting out from under your consumer debt. You get momentum from paying off your debts, smallest to largest, by rolling the payment amounts from those you have paid off into the next debt on your list. In effect you are getting quick wins. Quick wins are a good way to begin the effort of tackling your security issues. From them you gain confidence and credibility, and, if applicable, start to iron out communication paths and related processes. The problem with starting at the other end and tackling the big stuff first is that you can get bogged down. Besides – low-hanging fruit tastes yummy. I wrote more on this in how to boil the ocean.

The tide has to come all the way in before it can start to go out again. Ok, this is one of mine, but I use it a lot in FPU. I forget where I first heard it, but I like it because of the mental image it conveys relative to the bigger picture. Generally speaking, there is a level of inertia that is already in motion. That isn’t to say making a change won’t have an immediate effect, but many times when it comes to InfoSec changes they have to be socialized and propagated through your environment and ultimately baked into the culture. That takes time.

According to the Ramsey organization it takes on average 18-24 months for folks to get out of debt (other than the house). Depending on the state of your security operations, the size of your shop, and the size of the enterprise, that same time frame probably isn’t too far off the mark from an InfoSec perspective.

Thoughts?
