Information security improvement – it’s all in the mindset


Paul Harris

Whether you’re looking to get fit, learn a new language or improve your information security, starting any improvement process can be difficult. You’re going to have to learn skills, understand new concepts, think about things differently and, most importantly, put the effort in. It’s not going to be easy, but with consistent effort in the right areas, improvements will follow.

However, for many, improvement efforts aren’t consistent. Many do the hard work of getting started, achieve some of the desired benefits and then think it is time to ease off, to take a foot off the accelerator and continue the same process. Improvements will surely continue, right? Wrong – that’s where the improvement process slows down or even comes to a grinding halt.

Improvement never stops

The truth is that the improvement process never truly stops. One week you’re riding high, feeling like you’ve mastered it, the next week you realise you’ve barely scratched the surface. Perfection is unattainable. That ‘perfect’ body is always just out of reach, fluency in a second language doesn’t mean that you know everything and being 100% secure just isn’t possible.

The improvement process should never be about achieving perfection. It’s about having a growth mindset, one that embraces challenges and effort, striving for progress, rather than perfection. You only have to look at some of the world’s top-performing teams and organisations to see this mindset in action. Yes, they demand results, but it isn’t about seeking perfect results; it’s about challenging themselves to do better, time and time again. If they’re not moving forward, then they’re falling behind.

When it comes to information security, this progressive mindset has been developing, albeit slowly. For many years, information security was seen as a ‘nice to have’ and, if you didn’t have dedicated security personnel or a large security budget, then the chances are security was seen as an afterthought. But times have quickly changed: end users are now increasingly aware of their data and how it is protected; clients and suppliers are now demanding robust security assurances before entering into contracts; there is increased awareness of the impact successful breaches can have; and regulations such as GDPR have quickly pushed information security up the agenda.

‘Tick-in-the-box’ exercise

But there is still a lot of work to be done; many organisations still see information security as a tick-in-the-box exercise and many have plateaued when it comes to their improvement efforts. Any security improvement work is better than none, but basic checks and comfortable well-worn processes won’t deliver major improvements or supply the continuous assurances that many now need.

Progressive companies are now demanding more in terms of their security: from themselves, from suppliers and from security partners. And it’s these companies that will see the greatest improvements. So, you have to ask yourself, have you got the right mindset when it comes to your information security improvement efforts and, if not, are you up for the challenge?

Article first published in Computing Security Magazine

