‘Promise the earth and seek to deliver the sky’ was one piece of advice I recall being passed on to me by a much respected CEO some years ago. And, while such a modest pledge might not cut much ice with customers these days, is it such a bad philosophy?
The tendency with many businesses now is to overload customer expectations, proclaiming their ‘service excellence’, without anyone actually driving that culture through the organisation or even assessing whether it is remotely possible to live up to this. Sadly, often it is not the sky that gets delivered in the end, but the earth; and those making the inflated promises end up with mud on their faces.
So, what should be the position when it comes to security? There are exceptional solutions available that guarantee the 100% effectiveness of an organisation’s defence systems. They really do ‘walk the talk’. But is this what the customer actually needs, especially in these cash-strapped times? Yes, there is regulatory compliance to consider and the obligations this carries with it. But are we being forced into implementing rules and regulations prescribed by the powers that be (eg, Brussels), and therefore ‘good enough’ security, as opposed to adopting ‘good enough’ regulations according to the needs of the business and, as a result, the security solutions that then drive the business forward?
It would appear that the missing element in all of this is the perception and experience of the customers themselves. Surely, it is they who should be determining what level of security is ‘good enough’, rather than having to adhere to regulations that may well be inappropriate for their particular requirements? Is this simply shoehorning the CIO into making investment in areas that wouldn't necessarily be his priority?
When budgets are as tough as they are now, wouldn't a business want extra flexibility to cater for their perceived absolute priorities, rather than someone else's view of what those priorities should be? What if the current raft of regulations didn't exist? Would the demands they lay down still be seen as a priority?
Depending on your perspective, ‘good enough’ means very little per se; you have to have the context. Whatever the regulatory obligations, we all recognise that security is not an absolute end result of following good practices, because there’s always more that can be done to improve your security. Ultimately, perhaps you just have to stop worrying about how secure you are and get on with using what you’ve secured, in the belief that the level of security you’ve achieved is indeed ‘good enough’ for your purposes.
Behind all of this lies an assumption, of course: namely that you’ve assessed all of the risks involved, so that you can make an informed decision, and are aware that the security measures in place must serve your needs and not effectively replace them. In other words, at every point your security is underpinned by solid risk management policy.
As Gartner points out in its report, ‘Information Security — Establish a Strong Defense in Cyberspace’, a security-aware culture is alert to threats and knows what to do when they occur. Management establishes the foundation for such a culture by implementing sensible policy, training employees, and taking action quickly and visibly when threats arise.
As for ‘promising the earth and delivering the sky’, there’s still no reason not to reach for the latter every time.