What follows is an analogy that I have been meaning to write for years, but, like all great procrastinators, I let life get in the way.
Be warned however, I have taken significant ‘poetic licence’, and generalised outrageously, so don’t be too upset with the glaring ‘plot’ holes. I have also written this from the perspective of my own experience running, not from a true runner’s perspective. Anyway, I’m still faffing…
A month ago I wrote the blog ‘Beware of the ‘Pet Rock’ Cybersecurity Vendors‘, in which I offered to give a day of my time away for free. I stated:
“Any organisation within a 1 hour train ride from London can have 1 day of my time for ‘free’ as long as the following requirements are fulfilled:“
And while those ‘requirements’ were as basic as there were necessary…:
I was asked the equivalent of the subject question the other day, and realised that perhaps the demonstration of compliance is not quite as obvious as I have made it out to be in previous blogs.
And by ‘obvious’ I don’t mean ‘simple’, because this has always been simple.
The word ‘appropriate‘ appears 115 times in the GDPR final text, and the word ‘reasonable‘ a further 23, but if you don’t know how to define those things in relation to compliance for your organisation, how do you know when you’ve done enough? Or too much? The balance is as important to your business as compliance itself.
I have lost count of the number of times I have stated the equivalent of; “Without good policies you’ll never have real security. “. Then again, security is what I do for a living, so it’s obvious to me, but clearly it’s not obvious to the thousands of organisations who think policies are just pieces of paper you use to tick a compliance box.
Then it occured to me that maybe organisations just don’t know how to take a policy and turn it into something that can be used to both demonstrate and validate adherence to a regulatory compliance regime such as GDPR or PCI. Or perhaps just as importantly, pass a due diligence audit for a potentially huge client.
…as long as WE are the ones who define success for ourselves. Otherwise 99.9% of the world’s population would fall well short.
Seems obvious, right? For example, if you take money as a measure of success, for every billionaire (~2,600 as of 2019) there are nearly 3,000,000 people who are just ‘getting by’. So for the vast majority of us, the chances of being a big success [in monetary terms] are very slim.
The same applies for any other success factor where you are comparing yourself to the world’s best, there is very little room at the top.