Do You “Do It” or Do You “Get It”?
Posted February 21st, 2007 by rybolov
In the circles I frequent, we have a saying that “Either you do it or you get it”.
The people who do it are fairly smart. They have a stack of regulations that they are well-versed in. They talk about matching 800-53 controls to implementation details. They worry about SSP content. They’re fairly competent. They can accomplish most of the information assurance tasks out there.
But these people are only 75% of the solution. We need more of the second type of people if we are going to succeed as a government with this security game.
There is a small subset of security people who get it. You know who these people are within 3 minutes of talking to them. They understand what the “rules” are, but they also understand where you have to break the rules because the rules contradict each other (have cost-effective security but implement this entire catalog of controls).
The difference between these 2 groups of people is that the people who get it understand one additional thing. They know risk management. They practice risk management on a minute-by-minute basis. They are able to make cost/benefit/risk comparisons, which is something that you can’t really learn out of a book.
Doctors have the Hippocratic Oath: “First, do no harm.” Why don’t security practitioners have the Smith Oath: “Above all, do risk management”?
Posted in FISMA, NIST, Rants, What Doesn't Work, What Works | 2 Comments »
June 19th, 2007 at 1:24 am
Amen Brother!
June 19th, 2007 at 9:19 am
In the military IA world those who “do it” are all that matters. Those who “get it” are ok for tricky situations (they are usually technical). Then there is the “black & spooky” world in which those who “get it” are all that matter and those who only do just get in the way.