Tuesday, October 1, 2013

Things That Make Me Crazy: "We've Always Done it This Way"

   There aren't many things about our InfoSec and IT industry that really bug me.  There are certainly things we can do better.  We're really just starting to get the idea of connecting with the business and that business leads technology (not the other way around).  Or that security controls and technology have to work for people.  These ideas are part of our evolutionary process.

   But there are some things that do get to me.  Call them pet peeves (what a strange phrase!), annoyances, complaints... whatever.

   Right at the top of the list is when someone says "We've always done it this way".

   Now, it's not just the phrase, but the situation that is the problem.  This typically happens when I'm trying to find out why a certain process is followed, or a technology is used.  "We've always done it this way" turns out to be code for: "we don't know why we do this".  And that's the problem!

   The process or technology used might well be a great choice.  It might be the best choice (I'll talk about that one another time!).  But that should never be taken at face value.

   We know that things are constantly changing in the security and technology field.  We talk about the changing threat landscape, periodic risk assessment, changing attack and defense methods.  Yet all of our organizations have processes or technologies that are in place, but haven't been looked at in ages.

   When I hear this phrase, I usually go into question-mode:
  • why?
  • why was it done this way originally?
  • what situation existed?
  • how was this a solution?
  • what else was considered?
  • who did it help?
  • how do you know it is still effective?
  • how is it measured?
  • does it fit with the current strategic direction?  (if one exists!)
  • when was it last reconsidered?
   It's not unusual to find that the people originally involved are gone and that the process or tool has been sustained by inertia.

   This is not to say that people are being lazy!  We're asking some tough questions here.  And, like with all projects, there are many considerations including costs, time, resources and expertise.  But we need to ask these questions... we need to think!

   One note... I'm not trying to mess with tradition or culture here.  There may be organization traditions or overall culture that provide good reasons for what is done.  But it's still fair to ask the questions and get the answers.

   Does this resonate with you?  Have you run into this at your organization?  How have you countered "we've always done it this way"?  Or are you the one saying it???

   Try asking questions and let me know how it goes!
