I have heard this statement many ways. Another way is "In the long run you hit what you aim at". I have also heard it in shooting sports, where they say "Aim small, miss small". It all means the same thing. The best way to explain it is in the field of shooting sports. That's where I learned it a long time ago, when I was learning to shoot. But the concept is so apropos to the goal of data security.
Remember that with data security we are looking for success, not perfection. We want to be safe, we want to be protected. But it is unrealistic to expect to be completely impenetrable. Perfection is not an option, although we can try to get really close. And if you don't know what you are aiming at, if you do not have a target to try to hit, then you are going to miss every time.
What’s Your Target
So let's go back to shooting sports. You are at the range; the weather is nice, clear and sunny. You have all your safety gear on. And there is a 12 inch target down range. At 100 yards it looks about the size of a black pea. You pull your rifle up into position and aim. You feel the hard butt of the rifle wedged into your shoulder and against your cheek. Your sights come into view; you place them over the bullseye. But wait a minute, you can't see the bullseye. It is too small. Hell, you can barely see the target. Your sights, in comparison, look about as big as the moon. How are you going to put an object the size of the moon over an object the size of a pea and hit it in the center?
Now here is where the strategy comes in. You have a choice. Your first inclination is to think, "I am just going to aim for that small little target down range." Then you think, no, that's just phoning it in. I want a good score. I want what they call in shooting a good grouping. This means that not only do your shots hit where you are aiming, but they are consistently close together. So you choose a second option, and that is to not aim for the target. Aim for the center of the bullseye of the target, even though you can barely see it, and a funny thing will happen.
Check Your Aim
The man who aims at the target will get some shots in the target and some off the target. The man who aims at the dead center of the bullseye will consistently get shots in the bullseye, and even his misses will still be on the target. You see what happens there? There will always be misses; nothing is perfect.
But it's better if the misses are just off the bullseye and still in the target. In data security it is the same thing. IT spends a lot of time fighting battles after an attack has already occurred, and little time fighting the battle it should be fighting: deciding, ahead of time, what "on target" looks like. And this is simply because it has never been given direction on where to aim.
What is your security posture? Your security posture is your bullseye. If you are not aiming at it, how will you ever get on target, let alone in the bullseye? What are the results you want to see from your security implementation? Think about this for a minute. You are in business to get results, and these results are the objectives you want to see. This is not about security for security's sake; security exists to protect the business outcomes you care about. Those results are your target. Know your target, and know how you are going to get there.
Eat Your Own Dogfood
How do you want your employees to treat security issues? Your employees need to know what the target is too. If you do not give them a target to shoot for, they will not be able to hit it either. Spell it out: show them the objectives and what your expectations of them are.
Do your employees know your thinking on this issue? If they don't, they will never be able to help you reach your corporate objectives. So it is incumbent upon you as a leader to communicate this to your employees. This communication must be done in words as well as in deeds. Tell your employees what you are doing and why it is important to both you and them. This communication can take the form of policies, public presentations, and emails to employees. Then you need to show them. Show them that you follow the policies as well.
Talk about how you have to follow the same password policies as everyone else, and how your laptop is subject to the same level of scrutiny as every other employee's laptop. Even conspicuously carry your two-factor authentication key fob so people can see it. Believe me, they will notice it. I will never forget seeing Michael Dell walking the halls of the Dell offices with a Dell laptop in his hands. He would clutch it to his chest like a high school girl carrying her books to class. This was communicating to his people. He was saying, "I eat my own dogfood" (a colorful Silicon Valley expression that says we use what we make).
Do you have policies built around this? Your policies should spell this out: not just a dry policy saying what to do, but one that explains the why and how it specifically helps the company overall. This is imperative to get to the center of the target. People will follow what you do, not what you say. So do the right things and you will hit the target. Aim for the center and your people will follow your aim. And from this comes a secure environment.