Bad Teacher
A good security expert likes to get right down to the root cause of an issue, and though I am not as technical as I once was, I still feel a burning need to satisfy my curiosity and delve in as deep as I can to answer the age-old question: why?
Today's mission was to understand the underlying reason why so many CIOs seem compelled to comply with regulatory requirements rather than to be secure. PCI compliance is the quintessential example (strictly, PCI DSS is a contractual industry standard rather than a regulation, but it is budgeted and audited like one): compliance budgets get signed off and security budgets get turned down.
Apart from the obvious reasons, such as being too lazy to go the extra mile or not being paid enough to care, I knew there had to be more pressing reasons why compliance, instead of security, seems to be enough for the average CIO.
And then with very little research I found the answer. School has failed us.
In case you were not expecting that answer, I will emphasize it again: school is the reason why a minimalist approach such as compliance reigns over the responsible act of practising good security.
From day one, we are taught to listen carefully for instructions and not to question authority. Compliance is just that: a list of instructions that we cannot question.
We are taught to learn step by step, module by module, from first grade to second grade, all the way to twelfth grade. Twelve grades of school, and twelve requirements in PCI DSS: how surprising!
We are taught to learn the bare minimum to pass a test or exam. If we fail, we go back and try again until we pass. Have you ever failed a compliance audit? You cannot move on until you get it right.
I remember being scolded for over-delivering at school and distinctly remember being told to do only what was in the assignment. Compliance does not reward you for overachieving either; if anything, it just costs more time and money and results in the CFO going on a rampage to question your motives.
And then, at the end, we get a high school certificate, pat ourselves on the back, perhaps celebrate with a few too many drinks and look ahead to the next chapter in our lives. Much the same happens with the certificate of compliance: it gets framed at best, otherwise tossed into a drawer to gather dust, and then the next big non-security-related project sees the light of day.
Therein lies the root cause. It is the way we are taught to deal with problems at school that blinds us to the pursuit of going just a few steps further, those all-important steps that take us from being compliant to being secure.
Category: Commentary, Compliance, Managed Security Services, Security Comment