The 7 Deadly Sins of Security
Early Christians were an organized bunch.
While other religions were floundering in banal castings of “good” and “evil”, Catholics were taking things to a whole ‘nother level. Although they didn’t become popular until the early 14th century, the 7 Deadly Sins proved to be a useful tool for theologians of the time. With such a variety of vices from which to choose, clergymen could condemn miscreants for anything from excesses to laziness. Who would have guessed that these same labels would have information security applications thousands of years later?
Now, I feel that I should clarify one point. While I did go to Sunday School as a child, I am not a religious individual. In fact, the last time I stepped foot into a church I was there to admire the architecture. My next visit should be along the lines of a bake sale.
All that being said, I too tend to be an organized person and categorizing things helps reduce the chatter in my mind. I also find that the 7 Deadly Sins have a rightful place in information security, as we find so regularly that businesses, practitioners and risk owners commit these “things that His soul detesteth”.
Without further ado:
- Lust – It continues to be proven time and time again that technology does not solve security challenges, yet there are individuals who find that shiny new piece of technology irresistible. It is the people and processes around your hardware and software that will determine how effective they are, regardless of what miracles they claim. It was not the sandals that allowed Jesus to walk on water.
- Gluttony – Some security practitioners and business owners do get it. In fact they get too much of it, and their employees pay the price. Your security controls should match your risks. And although we appreciate the intent of these enthusiastic individuals, please stop. You’re giving us a bad name. Security can be inconvenient for employees even when it’s done well, when it’s overdone it can be downright painful.
- Greed – Businesses will often claim that they can’t afford to spend money on security services. To this I reference the countless statistics demonstrating breached businesses that were unable to recover. The losses caused by cybercrime are increasing at a staggering rate. If you’ve got confirmation from a reliable source that it’s going to rain for forty days and nights, don’t build your Ark out of straw.
- Sloth – Inaction on the surface of a business may in reality be a symptom of other things, including lack of resources, lack of direction or lack of motivation. A healthy dose of awareness and education is typically needed at these organization, followed closely by good leadership. Executives should be setting the security “tone at the top”, and an effective Risk Management process should be defining security priorities. Information security is like religion, it’s a journey not a destination.
- Wrath – To be honest, I couldn’t come up with a good analogy for this one, but I can get a little feisty when Dunkin’ Donuts is out of hot chocolate. I confess.
- Envy – Information security is no place for blind faith. The business across the street may look like yours, but that doesn’t mean you have the same risks. And it doesn’t mean you should be implementing the same security controls. Understanding your own risks is the only proven method for protecting your business. Amen.
- Pride – “We’re well along with our security program, gentlemen.” “We’re audited all the time and we’re compliant.” “We’ve got that security thing under control.” The words of false prophets, these can be the most devious of all. Not only do these individuals deprive their people and organizations of objective assessment, advice and relief, their messages convey a false sense of security. These are the proverbial wolves in sheep’s clothing.
I was baptised at a relatively early age. Rocking a bowl cut and leisure suit, I even made Communion. And then through a little bit of hard work I learned that some assets are sensitive and need special security controls. It didn’t take an act of God.
If you are a business owner, a CFO or a security practitioner, or just know one of these individuals, I encourage you to re-read this list of mortal sins. If necessary, etch them into a stone tablet and carry them to the top of the nearest mountain.
It may just help you avoid the Apocalypse.