Bram's Blog


Start with Why

Is security a mandatory compliance thing or are you committed to a security culture in your company? Security is an infinite game. Be an athlete. Play the infinite game and get better one step at a time, step by step, each day.

Note: this article is geared more towards stakeholders and decision makers, but suitable for everyone working with assets of value, digital or otherwise.

Why do security

The question you should ask yourself is this: why would I actually want to do security anyway? What is my drive to pick up this gauntlet? Am I forced to, because of compliance regulations? Or do I want to protect my assets and create high quality services or products for my customers?

Compliance

Some (or most) companies will have to deal with compliance regulations one way or another, whether it’s PCI-DSS (payment industry), HIPAA (health sector), GDPR (EU privacy), MiCA (EU cryptocurrency) or any of the countless ISO, NIST and other security standards. These regulations are designed to help you assess the security of your company on one particular topic.

However, regulations don’t cover everything. Sometimes you can game the regulatory rules, or they are simply ineffective at assessing the actual security of your organisation. For instance, a simple rule may require you to perform a penetration test on your product, website or application. If there are no requirements based on the outcome of the penetration test, you can pass that rule with little effort. But if the outcome of the penetration test indicates a large number of issues, big and small, what does passing the regulation say then?

To quote @Viss (Dan Tentler): “Paperwork says: You have to get a pentest […] you don’t have to do anything else […] Compliance isn’t security” (source: Hak5 on YouTube).

Commitment

The other way to approach security is by making it a core value or core commitment of your company. Are you committed to the best quality, the best service, the best value for your customers? Then security is part of that as well. Security simply is an integral part of quality. Don’t agree? Or do you want to know what other aspects are part of the quality of software products? Have a look at the ISO-25010 standard.

Now I could make a few comparisons to food quality and hygiene in a restaurant, to non-functional aspects of your dream house or how the Eisenhower Matrix divides aspects into short term and long term goals. However, I’ll come back to each of those another time.

Finite vs. Infinite

On theme with the Olympics that started this weekend, I’ll compare security (and quality in general) to a game. And not just any game. This blog isn’t called Start with Why for nothing. Simon Sinek popularised the theory of Finite and Infinite games, a theory defined by James Carse in the mid-80’s. Sinek explains it best in these 2.5 minutes.

The Finite game

A football match or tournament has a clear goal and a clear set of rules, a time limit, etc. Within that set of rules there will be losers and winners: typically one (eventual) winner, and by definition all the other competitors will be the losers.

A security compliance regulation is similar to that finite game. If you pass the regulation, you’re done, right? Wrong: as soon as you stop playing the game, you lose.

The Infinite game

Let’s compare this to athletes at the Olympics. An athlete does not consider their event to be a finite game. They consider their sport an infinite game. While they train, they strive to become better, jump higher, run faster, during their training each single day, because the rules do not define an end-goal. High-jump doesn’t have a rule that says: “Whoever jumps height X is the winner”. High-jump is an infinite game, where you win if you are the best. This means that as long as each athlete stays in the game, the game gets tougher. We increase the height and try again, until only one player remains. Athletes know that, so the best athletes don’t set an end-goal.

Let’s map this to security, where we compete with malicious attackers. As long as we stay in the game and try to get better each day, we can’t lose. Yes, we might be attacked, and sometimes an attacker might get in. But that’s not a defeat. You can let it be a defeat by accepting your loss. But as long as we keep getting better, and use those hiccups as learning opportunities, we stay in the game and we don’t lose. That’s why companies with high security standards and reputations grow a strong security culture. They know how important it is to get everyone on board and to strive to be better each day.

Be an athlete. Play the infinite game and get better at the game one step at a time, step by step, each day.