Attending a recent meeting I heard one of the speakers say “You can’t change what you tolerate.” Apparently it’s a quote from Cesar Millan (the dog whisperer) but it really struck a chord in me regarding web application security and overall information risk management. How can we possibly expect to make things better when we aren’t even aware that changes need to be made?

So many people in management choose to ignore the realities of what’s taking place in their environments. Disregarding the law, industry regulations, fiduciary responsibilities and even “best practices”, many continue to tolerate poor security across the board, resulting in abuse of their business systems. Then these same people wonder why they’re being targeted and why bad things continue to happen day after day.

I agree with what Cesar Millan said: indeed, you cannot change what you tolerate. Nor can you fix what you don’t acknowledge. We see this in so many aspects of life, in things like our jobs, our relationships and (especially) our health. Apparently it’s human nature. If we let this “sweep it under the rug and pretend it’s not there” behavior affect us personally, I can’t imagine how we’ll ever reach a point where we address this problem, without question, in and around application and information security. How long will we have to keep repeating the same mistakes? How many more years will those of us in IT and security have to cry out and beg for management to stop the bleeding? I remain hopeful, but I suspect there’s a long road ahead of us. Good for our careers in IT and security, but not so good for business in the long term.

Everything you do in your work, be it threat modeling, SDLC management, training, security testing or whatever, either moves you toward better security or away from it. I’ve learned these lessons the hard way many times. If you’re in management, or can somehow influence others in management, do what you can to move application security in the right direction. You may not see or reap the benefits immediately, but that’s okay. This stuff takes time.

Bottom line: don’t ever lose sight of the fact that security is not just a process, it’s also a choice.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.