the tone of checklist security

Articles like this one on the IRS in NetworkWorld (channeling a GAO report) often leave me shaking my head in disgust. And no, it’s not because the IRS has security issues (we all do!).

“The GAO said the IRS had mitigated 49 of the 115 information security weaknesses that the GAO reported in early 2008.”

Fine, I agree we need to keep nipping at the heels of the people who should be securing digital assets.

But I disagree with the general tone of this article that implies three unhealthy things to me:

1. “Let’s hire contractors to knock away these final 49 items, and that will be when we release them.” – I don’t like this because it implies what much of business thinks: put in the time, and then it’s done, game over, let the contractors all go. Yes, some things in security require time and then you’re done for that technology cycle, but too much has to be ongoing. It is dangerous to put too much emphasis on a milestone like this. People, oversight and maintenance are probably more important than the initial implementation. There is really little reason to breathe easy after you check those last 49 things.

2. “Man, just do those final 49 things. All it takes is to just flip that switch and turn those things on.” – Security often takes time, especially in a large, critical entity that likely cannot absorb long downtimes or huge sweeping changes. Even in small companies, relatively “simple” things like permissions can result in dramatic business changes. They may be necessary, but they are not often quick.

3. “There are only 49 weaknesses left, and then we don’t have to worry anymore.” – This gets back to point 1, but with a slightly subtle difference: rather than treating the checkmarks as a milestone, it assumes the checkmarks are all you ever need to do.

The article may mean well, but I find it implies a dangerous, unhealthy tone and attitude. It really is not just this article: all checklist-driven security eventually reaches that tone when overemphasized.