The Definition of Insanity
The quote about insanity commonly attributed to Albert Einstein, doing the same thing over and over while expecting a different result, applies to a wide variety of industries and practices. Inside Information Security, however, the sentiment applies to a maddening degree. I have given a number of speeches where people pushed back on the content, some more forcefully than others, saying that "everyone already knows these things; they are basic best practices in Information Security." Yet when I challenge those same people with questions about how they have implemented those practices in their own environments, the gap between what they say is universally understood and what they have actually adopted is appalling.

Knowing what they should be doing and continuing not to do it, all while railing against those who try to provide them with methods to increase their probability of success and the level of adoption in their environment, is negligent in my view. Not knowing what to do is forgivable; knowing the right things to do and still not doing them is not. Some regulations have gone so far as to define such behavior as "willful neglect" and to significantly increase the fines for organizations whose violations are deemed to fit that definition.

Corporate inertia, the resistance to change inherent in organizations, is especially detrimental to Information Security programs. The threats adapt and change every day, yet their targets remain stagnant. As Barack Obama stated eloquently, and as quoted in chapter 8, we must be the change we seek.