You have a new security initiative? Great, here’s some advice…

I am getting frustrated with the never-ending stream of ‘new’ security initiatives being announced. Doesn’t matter if they are community driven, compliance-based, or ‘industry standards’. For twenty years, we’ve heard it over and over, yet things just aren’t changing.

Most of these initiatives flop. Some may make it months or even years, limping along with virtually no support. Even projects with hundreds of people involved or supporting them represent such a tiny fraction of the InfoSec industry, let alone the general IT industry, to say nothing of the rest of the world. In a few cases, the ‘new’ idea might even make a slight improvement for 0.000001% of the world. At best…

Largely though, they are worthless. People sometimes even spend more time banging on the initiative war-drum than working toward the end result. Worse, for every one announced that does any real and lasting good, another hundred end up wasting time and going nowhere.

So you want to announce a new initiative to save the world? Great! How about instead, skip the initiative name, the policy, the graphics, and the rest of the things that take time from actually doing something. Don’t talk about the project day in and day out. Just do good.

If you really feel that a structured movement with lofty ambitions and a brand are required, then do good first. Show the world you are serious and capable. Announce your new initiative on the back of a big ‘win’ or change. That will demonstrate you have the drive and dedication. Come out of the gate on the back of something concrete, not fluffy bullet points that are indistinguishable from any for-profit security company or charlatan.

Yes, everyone knows you want to ‘help’ and ‘protect’ and ‘improve’ and ‘secure’. The exact same thing everyone else in the industry says, both good and bad. And like many of them, your new initiative may not deliver either.

