Information Security and the Nirvana Fallacy
added: 10.31.2013, by Mike Spinney
Earlier this week, while engaged in an online forum on the topic of mobile data security, I commented that educating users and raising their awareness of the risks inherent in data mobility must be the starting point of any information security program.
A fellow participant disagreed with me, arguing that, even after twenty years of education, users are still mishandling confidential information and causing data breaches. The answer, of course, was the development of better tools and technologies.
I was taken aback. By the same logic we might just as well throw up our hands, give up the fight and ignore information security altogether. After all, despite the many advancements and innovations in data protection technology, companies are still beset by data breaches related to technology glitches or hackers who have figured out how to defeat even the best security measures.
It reminded me of a statement I heard a few years ago while moderating a panel discussion on the topic of data protection, which I’ll paraphrase here:
“The lack of a perfect solution doesn’t mean we shouldn’t strive to find a better solution.”
Sadly, I’ve talked with too many information security professionals over the years who have balked at investing in better systems because they believed – and rightly so – that the better could not solve all their problems. They’ve fallen victim to the Nirvana Fallacy.
Understand, I’m not advocating for settling for less than you should, but information security evolves at a rapid rate and the status quo is unacceptable. The status quo makes you a target and increases your risk. In fact, I don’t believe there is such a thing as the status quo in the fight to protect data. You’re either advancing or you are falling behind.
But one of the most important things a company can do to enhance its data privacy and information security programs is to maintain a high level of awareness among employees in order that the people who create, use, and manage an organization’s data assets remain cognizant of their role in the process of data protection and vigilant in their day-to-day activities.
Corporations have made great progress in areas such as enhanced employee safety, reduced sexual harassment, and driving discrimination out of the workplace because people have come to recognize that these are important endeavors. Not to mention that the failure to do so can have a detrimental effect on the bottom line.
Unfortunately, I don’t think we are at that point yet with attitudes toward data privacy, information security, and the protection of intellectual property, even though these are critical issues in the digital age. That’s all the more reason why we need to continue this dialog and, more importantly, set individual examples.
We may not solve the problem, but we can certainly make progress.