Curious George Learns the Purpose of a Map (for Security)

My twins, at almost 21 months old, are absolutely in love with Curious George. If they’re ever having a bad day, in the middle of a meltdown, or it’s just too rainy outside to go play, we put on Curious George for an episode or two, and they love it. I recently watched one of the movies, “Back to the Jungle,” and as they giggled and pointed along with the movie, something caught my attention, too. The Man with the Yellow Hat has this brilliant quote that sticks with me – “I guess a map is only good if you know where you are.” My mind immediately made a quick parallel to security. No one should be shocked.

So, you’re probably asking yourself, what does the quote from the Man with the Yellow Hat have to do with security? It’s foundational, in fact. Follow my line of thinking for a second. In the jungle, the map is being used as a way out of a situation, or as a plan for success, if you allow me to make that stretch. If we agree with this logic, then the parallel to security is in that magical thing we call a strategy.

Every good leader, security or otherwise, builds out a strategy to set a direction and goals, with guidelines for execution and maybe even a way to measure success. One of the key problems I’ve seen with organizations that develop a strategy is that they haven’t heard the Man with the Yellow Hat’s quote. These leaders of security organizations set goals and paths to achieve those goals without first taking the time to understand where they are located. That’s akin to agreeing that every workstation should be on the latest version of some anti-APT endpoint tool, except that half of the company is running Windows NT4 Workstation.

How do we avoid failing at strategy? We first have to assess, accurately, where we currently stand. The trick to building a solid strategy is that it must be based on a realistic view of ourselves. The challenges are numerous, however.

First, accurate assessments are difficult to execute. Accurate assessments require the assessor to understand the current environmental variables, which change rapidly (or sometimes are dinosaur-aged) for each scenario, and to have at least some level of proficiency in a very diverse set of technologies and programs. If you asked me to perform an assessment on a stage three racing clutch, I’m more than confident I’d get it right. If you want the same assessment done on a tank, I will definitely struggle, yet this is the equivalent of what we ask in the digital world. Accurate assessments are difficult but so crucial.

Second, like Dr. Gregory House used to say, “people lie.” I’m not sure what compels someone to provide a slightly untrue answer to an assessment question that is meant to understand their organization, but I suppose it has something to do with human nature. No one wants to admit they’re not doing well, but that’s exactly what we have to do. It’s difficult to make the admission that we’re not optimal, but without this admission it’s impossible to improve the condition. I suppose the appropriate thing to do is start off each assessment by reminding those being assessed that the reason for truth is to benefit them, and nothing else. The trick is to do this without sounding condescending, so it’s not a simple task.

So, there it is. I learned a good lesson I feel confident passing on to security leaders from a cartoon monkey named Curious George and his friend described only as “the Man with the Yellow Hat.” Even the best and most accurate map is relatively useless to plot a course forward if you don’t know where you stand on that map. This rings so true in the security industry, if only we listen.
