What follows is an analogy that I have been meaning to write for years, but, like all great procrastinators, I let life get in the way.
Be warned however, I have taken significant ‘poetic licence’, and generalised outrageously, so don’t be too upset with the glaring ‘plot’ holes. I have also written this from the perspective of my own experience running, not from a true runner’s perspective. Anyway, I’m still faffing…
A month ago I wrote the blog ‘Beware of the ‘Pet Rock’ Cybersecurity Vendors‘, in which I offered to give a day of my time away for free. I stated:
“Any organisation within a 1 hour train ride from London can have 1 day of my time for ‘free’ as long as the following requirements are fulfilled:“
And while those ‘requirements’ were as basic as there were necessary…:
I have lost count of the number of times I have stated the equivalent of; “Without good policies you’ll never have real security. “. Then again, security is what I do for a living, so it’s obvious to me, but clearly it’s not obvious to the thousands of organisations who think policies are just pieces of paper you use to tick a compliance box.
Then it occured to me that maybe organisations just don’t know how to take a policy and turn it into something that can be used to both demonstrate and validate adherence to a regulatory compliance regime such as GDPR or PCI. Or perhaps just as importantly, pass a due diligence audit for a potentially huge client.
In April 1975, Gary Dahl had an idea. A genius idea as it turned out, particularly when you consider that he made roughly $28 million dollars (adjusted for inflation) from something that was, to all intents and purposes, completely useless.
The Pet Rock was just that, a rock. No paint, no googly eyes, nothing, just a rock taken from Rosarito Beach, packaged up and sold for $20 each.
He sold 1.5 million of them.
According to the Tinterwebs, to ‘recommend’ means to; put forward (someone or something) with approval as being suitable for a particular purpose or role.
So you might argue that this is exactly why you hire a consultant in the first place. In some professions I would absolutely agree. A doctor [for example] would not just recommend that you quit smoking, they would – and should – bloody-well insist. However, everyone on the planet already knows that smoking is stupid, so they are doing so with full knowledge of the possible consequences.