Incomplete Thought: Compliance – The Autotune Of The Security Industry
I don’t know if you’ve noticed, but lately the ability to carry a tune while singing is optional.
Thanks to Cher and T-Pain, the rampant use of the Autotune in the music industry has enabled pretty much anyone to record a song and make it sound like they can sing (from the Autotune of encyclopedias, Wikipedia):
Auto-Tune uses a phase vocoder to correct pitch in vocal and instrumental performances. It is used to disguise off-key inaccuracies and mistakes, and has allowed singers to perform perfectly tuned vocal tracks without the need of singing in tune. While its main purpose is to slightly bend sung pitches to the nearest true semitone (to the exact pitch of the nearest tone in traditional equal temperament), Auto-Tune can be used as an effect to distort the human voice when pitch is raised/lowered significantly.
A similar “innovation” has happened to the security industry. Instead of having to actually craft and execute a well-tuned security program which focuses on managing risk in harmony with the business, we’ve simply learned to hum a little, add a couple of splashy effects and let the compliance Autotune do its thing.
It doesn’t matter that we’re off-key. It doesn’t matter that we’re not in tune. It doesn’t matter that we hide mistakes.
All that matters is that auditors can sing along, repeating the chorus and ensuring that we hit the Top 40.
/Hoff
Hmm… I like the comparison to autotune, but what without it? I think most people will sing organically out of tune.
Another way of viewing it is that compliance makes people feel, look, and sound secure when really they may not be. Let's take this to the next level and say that autotune is much like "compliance validation."
You go into the studio and for a short while you look and sound secure, but then you leave to lead the rest of your life and you are very much out of tune.
People who focus on compliance are many times only compliant a few months before and a few weeks after the "compliance validation." Whereas those who focus on a capability and maturity model (with compliance as a natural side effect), taking the time to incrementally improve their security posture and sound, end up with a more naturally existing security program.
I really like this analogy since it shows that like autotune, focusing on validation instead of continuous compliance or a more stable security program is no way to maintain that pristine voice of reasonable security.
I really like this analogy, but like all analogies it breaks down eventually. Here's where this one does.
In the case of people "singing" with autotune, we'd all be better off (including them) if they just didn't. Leave it to people who can actually sing.
In the case of infosec if people feel the need to autotune their security compliance program, that's still better than if they had done nothing.
I'd rather they sing along in tune, but if they can't and only autotune (compliance) will get them to participate so be it. It's much better than nothing.
Look out for those live performances…or any situation where they can't rely on the autotuning (singing and security alike!).
But I do think this comparison is a good one, because auditing really does hide lots of issues.