Most of us have likely either seen the play or watched the movie "The Importance of Being Earnest" (http://en.wikipedia.org/wiki/The_Importance_of_Being_Earnest). Although I am not an expert in theater or cinema, it would seem to me that one of the key lessons of this work is that of truthfulness. You might be asking yourself what this has to do with information security. Well, I would say that there is an important lesson here that we can apply to the security realm.
Being truthful, honest, straightforward, and, well, earnest helps strengthen an organization's security posture, its overall security program, and its security operations function. How so? Let's examine this concept by each of the parties with which we can be truthful, honest, and straightforward:
- Ourselves: First and foremost, we need to be honest with ourselves. Every security program has its strengths and weaknesses. Acknowledging a weakness is not in itself a weakness. Rather, it is the first step towards strengthening and improving that weak spot and should be regarded as a positive. It may not be easy to take a look in the mirror and examine what we are not doing well, but it is extremely important. After all, if we are not honest with ourselves, we cannot really be honest with everyone else.
- Management: Intentions matter. Management does not expect perfection, but they do expect honesty and integrity. If we misrepresent our capabilities, it may keep pressure off our backs in the short term, but in the long term, by hiding a weakness or shortcoming we are aware of, we are introducing unnecessary risk into the security posture of our organization. Have a weakness or shortcoming that you dread raising to the attention of management? Try formulating a plan to correct it before raising it to management. I think you'll be surprised that what management really cares about is that you have a plan to do something about it, and not about the issue itself.
- Peers: We all learn and grow from constructive interactions with our peers. In order for everyone to benefit from these interactions, everyone needs to approach them in a positive light. Not doing so causes individuals to miss out on the potential to improve. Most people want to be helpful. If you are honest and sincere with people about the challenges you face in accomplishing your goals, they will usually try to help you. If you attempt to deceive them, you are really only cheating yourself.
- Clients and Partners: We certainly want to show clients and partners that we have a serious and formalized approach to information security. But, we don't need to be dishonest to do so. Most clients and partners appreciate a fresh dose of honesty. It shows that the organization is self-aware and has a list of priorities to attend to on the never-ending road of continuous improvement. If one of my vendors or suppliers told me that everything was perfect and great, that would make me less comfortable, not more comfortable. Think about it.
- Other Organizations: Organizations can improve by interacting with, sharing information with, and learning from one another. As with peer interactions among individuals, this requires approaching the undertaking honestly. Otherwise, an opportunity for growth is forfeited. Sure, there will always be individuals and organizations that will be fooled by fast-talking doublespeak, but not as many as we might think. People tend to see through that stuff, but they are often too polite to point it out.
It sounds counter-intuitive, but admitting weakness is actually a strength. By being truthful, honest, straightforward, and earnest, we empower ourselves to grow and improve, both as individuals and as organizations. This is an important cultural aspect that helps improve an organization's security posture, and it is one that is often overlooked. If you are a security leader, you owe it to yourself and to your organization to create a culture that rewards honesty and truthfulness. The importance of being earnest is clear.