In both health and information security it’s easy to become conceptually constrained by external advice, recommendations, and standards. The number of entities available to tell you what you should, or must, do is legion, and such wisdom is often coupled with dire warnings if you don’t listen.
In infosec we’re told by credit card companies that we must use x, y, and z types of controls to protect a, b, and c types of data. The government tells us we must do a whole set of things to protect health information, and that we must ensure nobody in our company is committing fraud. Examples of repercussions include anything from fines to criminal prosecution.
With health advice it’s much the same. We’re consistently hosed down with what to avoid and what to embrace. So and so leads to diabetes, which leads to heart disease, which leads to death, etc. Overeating leads to x, which leads to y, which is associated with z. Watch the carbs. Don’t eat too much fat. Control your portions. Get your vegetables, but don’t skimp on the protein. And whatever your path, don’t forget to get enough vitamin E, and fish oil, and garlic, and vitamin D, ad infinitum.
While health and information security are obviously different worlds, they’re similar in one key way:
If you adhere to solid fundamentals you don’t have to worry much about checklists for “healthy” or “secure” behavior. Fundamentals largely remove the need to obsess about external validation.
If you’re worried about heart disease and diabetes and vitamin deficiency and high blood pressure and… (you get the idea), try eating small amounts of healthy food: mostly raw vegetables, with some fish and other meats thrown in sometimes. Take a simple, high-quality multivitamin. Get 30 minutes of exercise every day.
If you do those things you soon won’t have to worry much about your next physical.
And it’s the same for information security. Open a book on security fundamentals and you’ll find the analogs to living a healthy lifestyle: unique identification, proper authentication, authorization, and accounting. Conduct security monitoring. Ask yourself if you’re secure, and keep asking yourself.
Do these basics and notice that all of your PCI, SOX, HIPAA, and other requirements simply become non-issues. It’s not that they go away per se; it’s just that by behaving properly in the first place you will have satisfied them automatically.
Mastering fundamentals is the effortless method for achieving high standards. Focus on excelling at the basics and leave the need for checklists and endless advice to those who refuse to do so.
[ Feb 13, 2012 ]