Why Perfect is the Enemy of Progress in Information Security

July 12, 2016

Last Updated on January 14, 2024

I got an email from a good client yesterday that had been quiet for a while. “Just wanted to update you on where we are and why we have been so quiet for the last 6 months,” it began. “When you presented us with the proposed Information Security Risk Management Methodology, we thought that it looked a bit simple, so we began researching other methodologies, which lead us to look at Risk Assessment Tools, which lead us to look at potential GRC [governance, risk management, and compliance] solutions. Long story short: we realized that six months have passed and we are no closer to achieving the two goals that started this all—becoming more secure and getting ISO 27001 certified.  When can we pick up the work again using the Information Security Risk Management Methodology that you had proposed (which looks much better to us now that we are so much smarter than we were when you originally presented it  :>) …”
I would say that it is remarkable how often we see this happen, except that we are all so often guilty of the same mistake. It is so tempting if you are going to put in the time and effort to do something, to want to do it to the highest level you can: ideally, perfectly.
However, Google wouldn’t auto-complete “perfection is” with “the enemy of progress” if there wasn’t some truth to the maxim. Which I think is even more true when dealing with information security disciplines like risk assessment and building an Information Security Management System (a Cyber Security Program), as they are as much art as they are science. Which essentially means there is no absolute best approach.
It gets further complicated by the fact that:

Your understanding of “perfect” changes as your understanding of the art (and science) advances.
External contexts (e.g., threats, laws/regulations, technologies, vendors, clients) constantly change, necessitating a tuning of your ever-closer-to-perfect approach, before it can ever get there.

I always preach a crawl, walk, jog, run, sprint approach for these reasons. Needless to say, judging from the email above not all of the customers I work with are complete converts to that way of thinking.

What's Next?

To hear this practical, best-practice oriented show with Temi Adebambo

Click Here

Pivot Point is now part of CBIZ. Click Here for more information.

Blog

Why Perfect is the Enemy of Progress in Information Security

What's Next?

What do you think? Is Digital Business Risk Management the Future of Attack Surface Management?

Search our Blogs

How Much Does ISO 27001 Certification Cost in 2024?

What is Distributed Ledger Technology (DLT) and How Can It Simplify Privacy Compliance?

Virtual CISOs and Community Banks—Perfect Together

What is Hedera Hashgraph and How Does It Solve Blockchain Privacy Issues?

Data Privacy Compliance in Higher Ed: Now is the Time

What is a TISAX Simplified Group Assessment and Who Can Use It?

CMMC Proposed Rule Changes: What’s Changing and How to Prepare

What is Kubescape and Why Should We (as Cloud-Native Developers) Care?

Container and Kubernetes Security: A Nontechnical Introduction

What is a Container and Why are They So Popular with Developers?

What is the New Jersey Data Privacy Law, and How Can We Streamline Compliance?

The EU AI Act: 9 Top Questions Answered

SOC 2 Reports – Which Trust Services Criteria Do You Need?

6 Key Takeaways from the 2023 SOC Benchmark Study

CMMC Proposed Rule: New Guidance on CMMC Level 3

The New CMMC Proposed Rule—Answers to Your Top 9 Questions

ISO 27001 Accreditation: Why It Matters for Cloud Service Providers

How to Measure the Value of Information Security

2 Principles to Revolutionize Security Awareness Training

What is Cyversity and How Can It Improve Diversity on My Cybersecurity Team?

How can we help you?

Services

Compliance

Insights

Pivot Point Security