We are all very good at being Ostriches and ignoring problems that need fixing. Sometimes this is inevitable and is typically put down to a lack of resources and having too many demands to satisfy. Other times it’s through arrogance or laziness. One of the more common reasons is the bystander effect, or in other words "it’s not my problem, someone else will fix it".
Jack Freund describes this problem in his article on ISACA’s web site.
Despite the best efforts of our snowflake society, most humans are still essentially competitive beasts, and this trait tends to increase the higher you go up the management chain. So I have always been an advocate of encouraging competitive behaviour to fix security problems.
Whilst naming and shaming individuals often backfires, league tables that plot one team or department against another can work wonders. After all, no team leader wants to see his or her team at the bottom of the league.
It’s good practice to develop simple evidence-based metrics for the mitigation of security risks and publish them in a league table. Do the same for other statistics, such as the number of red risks, the number of incidents, etc.
It kind of sounds obvious, and many of you may already be doing this. But I bet most of you passively publish them and sit back waiting for something to happen. Another part of human nature is ignoring the obvious even when it’s under your nose. I will talk about this in a future blog.
Thank you to Yathin S Krishnappa for use of the Ostrich photograph.