I’m certain that at some point in your life you made a decision that caused someone to ask you this question. “Well if Johnny jumped off a bridge would you follow him?” It’s in our nature to compare ourselves to those around us. We want validation, acceptance, respect.
Often people want to know how their organization’s information security posture stacks up against others in their industry, size bracket or geographic region. I’m usually polite and give them some mild comparison while emphasizing that it’s not a competition. What I really want to say is “Who cares!” Who really cares what anyone else is doing? You’re supposed to be making decisions based on the risk factors unique to your business. If everyone else took excessive and dangerous risk would or should you? If everyone else spent exorbitant amounts of money to secure something and it was bankrupting them would you follow suit?
Now I know there is some value in understanding the marketplace and where you fit within it. But that's typically not what people want to know. They want to know if they can avoid security and still be a major player. After asking how they compare to their peers, never once have I heard an executive tell me "That's ok…we're going to do it anyway because it's the best decision for us." They are always looking for an excuse not to do something.
If you're responsible for information security and IT risk management, let me give you a bit of advice. Make decisions based on your organization, its needs and its culture. Maybe Johnny's a bit crazy for jumping off the bridge. Maybe he's just too chicken and needs to live a little. Are you going to live your life according to what Johnny's doing? Put your organization in a position to succeed regardless of what others think is the best way. That's called innovation. Try it…you might like it!