"Shun advice at any price. That's what I call good advice." Piet Hein (Scientist and poet)
Many people offer advice, and not all of it is good or appreciated.
As you have gone down the road of Infosec, what "lessons learned" can you share with others? (Of course, neither infringing the Code of Ethics Canons, nor impacting any tenets of confidentiality, integrity and availability.)
Thanks for your thoughts or opinions.
Thanks for asking. I appreciate the opportunity to preach to the choir.
Something sticks in the back of my mind from about 15 years back when I was starting out in InfoSec:
"I know more wrong ways to do things than right ways..."
This was quite powerful, as it articulated a number of challenges that are true of infosec, software development, system design, service delivery etc:
Will it ever be ideal? No, but while there is black and white in many things, as complexity scales up you start to see more inherent conflict and points of friction, and ultimately these areas are where we earn our keep.
Errors can be costly; but sometimes no errors can even be costlier. The issue with "error free" and "worry free" is complacency; and complacency is a one-way ticket to catastrophe.
I wonder how to ease the notion to the see-no-evil types that they should be even more alert if everything is copacetic?
Someone told me once, "If you can't see flaws, you're not looking hard enough!" I thought they were just being unpleasant then, but an older and wiser me now thinks, "Yep. That's true."
I love horses. Beauty, intelligence, grace. A lovely and powerful creature to be sure. I think your analogy is spot on. When the horse is loose, people try to patch the paddock. Sadly, maybe they weren't being too kind or careful to the creature in the first place.
Another one about horses: "You can lead a horse to water, but you can't make him drink." To me, this means you can perform due diligence and take due care and calculate all the risks and provide for all the threats, but there's always someone who will find a way not to comply or willfully to circumvent countermeasures.
Ironically, sometimes they may even be in the choir!
So preaching to the choir is always appreciated.
Not quite along those lines, but I remember when I raised a security issue in a proposed process, the CFO of the organization said to me, as the other stakeholders looked on, "I think you're telling us something we'd rather not hear."
Lol! Classic, and so true.
I wonder what off-the-cuff response one could make? "Better the devil you know than the devil you don't?"
There is a truism in science:
No experiment is ever wasted. It can always be used as a bad example.