Archistry

Survivability by Design™ since 2006


March 17, 2019

Why your security program’s singin’ “Baby, I’m built for compliance. I ain’t built for speed.”

Today, to recover from yesterday’s efforts of putting together some submissions for this year’s COSAC security conference in Ireland, I was listening to an old album of Howlin’ Wolf Blues tracks.

And, as I was listening to “Built for Comfort,” it occurred to me that this was actually the perfect description of far too many security programs out there. So, I thought it would be a good thing to talk about since we’re getting to the end of Q1 and there’s still time (if not budget) to try and straighten this problem out.

After all, you wouldn’t want to be stuck with this problem for another year.

That’d be kinda like having “Yeah, but I’m GOING to go back to the gym next month” on endless repeat on iTunes.

Because everyone that hears it maybe 10 times or so will be like, “Yeah… sure you will, mate.”

And that’s just another way to lose credibility.

But I digress…

Back to those security programs walking around in the “comfortable shoes” of compliance.

Sure, it might keep you out of hot water during the external audit, but do you really think that compliance-driven security is going to keep you ahead of the bad guys?

No. Of course you didn’t.

That’d just be silly.

And yet, soooooooooooooooooo many people keep thinking that this is the easiest, lowest-hanging fruit to go after when building their security programs.

To understand why this won’t work, let’s spend just a few brief words on what compliance is all about in the first place—in reverse order.

For “compliance” to be a requirement…there first must be a law or regulation.

…and there won’t be a law or regulation UNLESS there’s a really big number of people who’ve screwed up both often and at such a scale that a sufficient percentage of the voting public are either screwed out of their time, money or privacy…or someone dies.

And for those events to actually happen, there has to be a pretty big gap that everyone’s either:

  a) ignoring out of ignorance, or
  b) ignoring out of convenience,

where option b) also often implies “willfully exploiting” due to short-term profit or market gains.

So, it’s really the last one that causes the most problems, giving the benefit of the doubt that option a) doesn’t come about because of lapses in leadership and organizational governance that conveniently skip the “due diligence” and “fiduciary responsibility” parts of the accountability of owning and operating a legal entity.

The key point here is that to get from even where we are right now in our reverse analysis to the point where “compliance” is even necessary takes…well…YEARS.

And, unless you’re talking about global warming or the rate of expansion of the sun, it’s pretty hard to equate any timeframe measured in years with the concept of speed.

But that’s really the requirement we have today of our security programs.

First and foremost, of course, the program needs to be aligned with the business, but a close second to this is that the program needs to actually be able to react, adapt and continue to deliver measurable value to the business quickly.

Sometimes in minutes.

Not hours.

Not days.

Not even weeks.

Minutes.

So today’s question is really about how you’d rate the speediness of your security program’s ability to respond to an ever-changing threat and business environment.

Are you a rabbit, a turtle…or a 3-toed sloth?

If you want to put a bit more zip in your security program than it has today, I can help you put everything in place you need to literally see up to a 10x improvement in the reaction time and delivery of your security services.

We only have a few days (and a few slots) left before we close this round of the exclusive Archistry High-Value, High-Speed Security Leadership Coaching Program, and I’d really hate to see you miss this chance to get the help you need.

Compliance-driven security might be more comfortable—or it might be a flat-out, frantic free-for-all…

…either way, its time has expired.

It’s time for a new approach that actually delivers what your organization demands.

When you’re ready to talk about it, I’d like to help: https://archistry.com/go/SecurityLeader

…but don’t wait too long, because the offer won’t ever be this good again.

Hope to speak to you in time.

 

ast
—
Andrew S. Townley
Archistry Chief Executive

P.S. I mean it: Fast is the new black, which means the best way to start changing things is to click that link today—not at the end of the week…or the end of the month.

Article by Andrew Townley / Archistry Daily / Action, Compliance, High-Speed Security
