I don’t know who coined the term “relentless incrementalism” but it’s very fitting when it comes to information security. In the context of what we do, relentless incrementalism means doing small things over time that add up to big outcomes in the long term.
All of us – management included – have to understand that security is not a one-time deal. Nor is it a product or a “compliant” status. It’s not something your network administrator is taking care of. It’s not something the compliance officer or CSO handles. Information security is a process that you, management and arguably everyone in your organization have to work on every single day.
This could be security assessments, system monitoring, quizzing employees, keeping your skills sharp by attending security conferences – you name it. Every situation is different. Whatever risks your business is facing, whatever regulations you’re up against, and whatever is important in your environment – those are the things you must address on a periodic and consistent basis.
It’s like keeping your body healthy. We all know that diets don’t work. We all know that nature will have its way if we remain inactive. Regardless of the hype and magic “fixes” related to dieting and exercise, any reasonably-minded person knows that the calories we burn must be equal to or greater than the calories we consume. It’s basic math. Yet we (myself included) get caught up in everything else and take this simple formula for granted.
We have to change our mindsets and our lifestyles if we’re going to make things happen. Information security is no different. Every action counts. Every choice you and you leadership make either serves to support information security or serves to get in the way of information security. Find what works and keep working at it…relentlessly.