Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Why seeking perfection in security actually increases risk

Michael Santarcangelo | June 9, 2016
Lance James shares experience and insights on the often hidden risk of chasing perfection with steps security leaders can take to avoid common mistakes

I often explain that security leaders face demands and pressures no other leader in the organization has - or understands.

The constant stream of negative headlines and fixation with breaches (just a symptom) increases attention on nearly every action security leaders take. That causes a lot of security leaders to try to meet an unrealistic expectation that they know everything. A suggestion that perfect security exists, and they can offer it.

That chase of perfection is unattainable; it carries an increase in risk.

Lance James (LinkedIn@lancejssc) Chief Scientist at Flashpoint has some insights on how we can do better. I met Lance at InfoSec World this year. He presented the opening keynote. He was on the DTSR podcast (listen here), too. We had a series of good chats - fully of energy, optimism, and ideas for how we can advance the security industry.

Prior to joining Flashpoint, Lance was the head of cyber intelligence with Deloitte. He describes himself as "an infosec executive in the board room, a scientist in my mind, and a hacker at heart." With 16 years of experience as a practitioner, Lance invests in the next generation through mentoring.  Where he shares his experience and learns. He currently heads R&D innovation efforts at Flashpoint.

During our recent conversation, we focused on the risk of perfection. More importantly, Lance offers insights on the positive outcomes of setting perfection aside and working to get things done.

Here are five questions with Lance James:

How does the expectation of perfection actually cause harm and create risk for security leaders?

First, you can start with the expectations and pressures in hiring the CISO and other vital security leaders.  We already are starting in wrong. Yes, do we want to hire someone that comes in confident, and can tell us what we need to do? Of course we do. But I've personally seen it go too far too fast - which then turns into the Superman-Complex - both on the expectation side to the CISO, and the expectations from the CISO's mind outwardly.

When was the last time you heard a security leader say "I don't know."

And this is where we forget to begin...

Taught in some of the traditional martial arts such as Aikido and Karate-do, there is a concept called Shoshin meaning literally "beginner's mind".

"In the beginner's mind there are many possibilities, in the expert's mind there are few." ~ Shunryu Suzuki

This concept is practiced by many of the great leaders that are in our history books. The idea that we are open, eager, and carrying no preconceptions when studying a subject even if it's advanced or something we have done a million times before. As I like to think of it, a child's mind in some ways - as children often don't view things as hard or easy at the early stages in their life, but instead they only see opportunity.


1  2  3  4  5  6  Next Page 

Sign up for CIO Asia eNewsletters.