I got an email from a good client yesterday that had been quiet for a while. “Just wanted to update you on where we are and why we have been so quiet for the last 6 months,” it began. “When you presented us with the proposed Information Security Risk Management Methodology, we thought that it looked a bit simple, so we began researching other methodologies, which lead us to look at Risk Assessment Tools, which lead us to look at potential GRC [governance, risk management, and compliance] solutions. Long story short: we realized that six months have passed and we are no closer to achieving the two goals that started this all—becoming more secure and getting ISO 27001 certified. When can we pick up the work again using the Information Security Risk Management Methodology that you had proposed (which looks much better to us now that we are so much smarter than we were when you originally presented it :>) …”
I would say that it is remarkable how often we see this happen, except that we are all so often guilty of the same mistake. It is so tempting if you are going to put in the time and effort to do something, to want to do it to the highest level you can: ideally, perfectly.
However, Google wouldn’t auto-complete “perfection is” with “the enemy of progress” if there wasn’t some truth to the maxim. Which I think is even more true when dealing with information security disciplines like risk assessment and building an Information Security Management System (a Cyber Security Program), as they are as much art as they are science. Which essentially means there is no absolute best approach.
It gets further complicated by the fact that:
- Your understanding of “perfect” changes as your understanding of the art (and science) advances.
- External contexts (e.g., threats, laws/regulations, technologies, vendors, clients) constantly change, necessitating a tuning of your ever-closer-to-perfect approach, before it can ever get there.
I always preach a crawl, walk, jog, run, sprint approach for these reasons. Needless to say, judging from the email above not all of the customers I work with are complete converts to that way of thinking.