The 12 Steps of Recovery: Web Security Style

Blog Post created by B-C-METOYX Employee on Feb 5, 2015

During my time as CSOonline's Salted Hash blogger, I wrote something I'd forgotten about until rediscovering it the other day. Three years after writing it, I think this post is still relevant.

In the post, I praised a security practitioner for admitting he can't stop every attack. After listening to so many vendors claiming that their products provided 100 percent bullet-proof protection, I found the man's honesty refreshing. Then, the first of The 12 Steps of Recovery popped into my head: "We admitted we were powerless over (insert addiction) -- that our lives had become unmanageable."

Having followed those steps myself, I couldn't help but compare the addicted personality to a lot of people in security who are hooked on the notion that they can stop every attack as long as they successfully cross off all the boxes on their compliance checklists. So I decided to have a little fun, creating a web security version of the 12 Steps.


Note: This is not meant as an insult to the 12-Step program many have used to achieve recovery from alcoholism, drug abuse and other addictions. I know many people who have been helped by the program. What follows is meant to be tongue-in-cheek, with the larger goal of making us review and reassess our typically stubborn thinking around security and compliance.

Thanks for indulging me again...

12 STEPS TO A MORE REALISTIC SECURITY PROGRAM:


  • Step 1 - We admitted we were powerless over our data insecurity - that our lives had become unmanageable
  • Step 2 - Came to believe that Compliance could restore us to sanity
  • Step 3 - Made a decision to turn our will and our lives over to the care of our QSAs as we understood them
  • Step 4 - Made a searching and fearless moral inventory of our security policies and found that they were based more on hope than reality
  • Step 5 - Admitted to God, to ourselves and to another human being the exact nature of our wrongs, including the misguided idea that compliance alone could restore us to sanity
  • Step 6 - Were entirely ready to have a handful of security vendors, contractors and a newly-hired CSO remove some -- if not all -- of these defects of character
  • Step 7 - Humbly asked our QSAs to remove our shortcomings on paper
  • Step 8 - Made a list of all persons we had harmed, and became willing to get them all a year of free credit monitoring
  • Step 9 - Made direct amends to such people wherever possible by posting a mea culpa on our website, except when to do so would injure them or others
  • Step 10 - Continued to take personal inventory and when we were wrong promptly admitted it, in accordance with various data breach notification laws
  • Step 11 - Sought through prayer and meditation to improve our conscious contact with our QSAs as we understood them, praying only for the knowledge to achieve true security and the budget to carry that out
  • Step 12 - Having awoken from the nightmare that resulted from these steps, we tried to carry the message that 100-percent security is a pipe dream to others, and vowed to practice with more realistic security initiatives in all our affairs
