TL;DR – Just like a relationship, a security program needs honesty, maintenance, and timely conflict resolution…or it will collapse under neglect.
Success expert Brendon Burchard said that avoidance is the best short-term strategy to escape conflict, and the best long-term strategy to ensure suffering. I’ve seen it countless times over the years…companies that keep kicking security problems down the road. That is, until one day, those problems explode into things such as a failed audit, an incident, or an all-out data breach. It’s no different than a crumbling relationship. Ignore the warning signs long enough and you’ll end up facing issues that are no longer solvable. Communication breaks down. Trust erodes. Small things fester. Reality hits you like a two-ton heavy thing.
I’ve worked with a few businesses and heard about countless others where people in IT, security, and management know the issues – those security basics I keep going back to – they’re just not doing them. Why? I don’t know for sure…yet. I had started writing a book about it all before my health crisis, and I hope to circle back to that one day soon. In essence, the problem is people. Accountability is hard. Personalities (and personality disorders) get in the way. It’s easy to get distracted by quick fixes offered by vendors. Sometimes, people just can’t handle the truth. They’d rather walk away from their problems than handle them head-on like mature adults.
The result is never good. In both security and relationships, you get a program (or partnership or marriage) full of blind spots and technical (or emotional) debt that people pretend isn’t there…until it hits them where it hurts. The longer the neglect, the harder (and costlier) the recovery. Be it infosec or toxic relationships, there are people or people-related forces undermining boundaries. They treat others as resources alone and ignore the need for mutual respect. Don’t fall into this trap!
1. Why compare security programs to relationships?
Because both need ongoing effort, honesty, boundaries, and dealing with problems head-on. Neglect breeds failure.
2. What happens when you avoid addressing the issues?
They compound. A minor weakness becomes a major problem. Unresolved conflicts turn into resentment or disengagement, and even the total destruction of families.
3. Why do some people avoid facing the truth?
Maybe it’s because some people believe they know everything? The Dunning-Kruger effect does a great job explaining this “illusory superiority”. People also don’t want to acknowledge uncomfortable realities because doing so often reflects poor decisions, leadership gaps, and personality disorders. With this latter one, if you know, you know. Of course, politics gets in the way as well.
4. How are people with personality disorders like security threats?
They ignore boundaries, manipulate access, and exploit weak points. To them, boundaries are just resources for ill-gotten gains, and you’re the delivery system. Criminal hackers…manipulators – they’re all the same.
5. What’s the mature way to fix a broken security program?
Be honest about what’s broken. Re-establish clear roles and boundaries. Invest in regular maintenance. And above all, act. Pretending it’s fine won’t protect anyone. As success expert Brian Tracy says, the act of taking the first step is what separates the winners from the losers.
You can’t outsource maturity. Not in relationships and not when running an information security program. Security takes work. So do relationships. So does telling the truth. You’ll never build something that lasts by pretending problems don’t exist.