This week I read an article on ESPN about college basketball coaches and recruiters doing pretty much everything they can to find loopholes in the regulations and otherwise leveraging the ethically questionable grey areas of the rules. A couple of passages struck me as applicable well beyond college basketball:
“People are always going to work the gray areas,” Georgetown coach John Thompson III said. “Most people if they’ve had any success in life have learned how to work the gray areas.”
Here’s the one thing everyone can agree on: No one wants more NCAA rules. The reason the NCAA rulebook has swelled to its current 439-page girth is because of chronic rewrites and amendments necessitated by clever rule interpretation.
There was a time when the rules only mandated how many and how often a coach could call a recruit. And then along came text messaging. Lo and behold, a new rule was born.
The same is true of digital security in the enterprise: people ride the grey area between regulation/policy and negligence, and often plead ignorance when caught. Why deal with the roadblocks that security erects when you can just get things done at a higher risk?
I’m finding that there are really only four ways to combat the tendency towards insecure practices: 1) be informed and expert at explaining security and insecurity, so that you can defend your position with an extremely high degree of credibility; 2) suffer an incident that exposes the weaknesses; 3) regulations and laws; and 4) have management that is capable of recognizing the risk and being conservative about it (i.e. not diving into risky practices).
The shade of grey is particularly thick in the area of compliance and auditing, especially if you can Deceive, Inveigle, Obfuscate the auditors or your environment (shh, don’t tell them about that network cabinet over there). Or you simply (hah!) have systems that are too complicated for anyone to truly examine or tackle (Microsoft SQL Reporting Services permissions, anyone?).