Do You “Do It” or Do You “Get It”?

In the circles I frequent, we have a saying that “Either you do it or you get it”.

The people who do it are fairly smart.  They have a stack of regulations that they are well-versed in.  They talk about matching 800-53 controls to implementation details.  They worry about SSP content.  They’re fairly competent.  They can accomplish most of the information assurance tasks out there.

But these people are only 75% of the solution.  We need more of the second type of people if we are going to succeed as a government with this security game.

There is a small subset of security people who get it.  You know who these people are within 3 minutes of talking to them.  They understand what the “rules” are, but they also understand where you have to break the rules because the rules contradict each other (for example: have cost-effective security, but implement this entire catalog of controls).

The difference between these 2 groups of people is that the people who get it understand one additional thing.  They know risk management.  They practice risk management on a minute-by-minute basis.  They are able to make cost/benefit/risk comparisons, which is something that you can’t really learn out of a book.

Doctors have the Hippocratic Oath: “First, do no harm.”  Why don’t security practitioners have the Smith Oath: “Above all, do risk management”?

2 Responses

  1.  h@lon73 Says:

    Amen Brother!

  2.  elamb Says:

    In the military IA world those who “do it” are all that matters. Those who “get it” are ok for tricky situations (they are usually technical). Then there is the “black & spooky” world in which those who “get it” are all that matter and those who only do just get in the way.

