Home > Compliance, Governance, Risk Management & Compliance (GRC), Information Security > Incomplete Thought: Compliance – The Autotune Of The Security Industry

Incomplete Thought: Compliance – The Autotune Of The Security Industry

November 20th, 2010 Leave a comment Go to comments
LOS ANGELES, CA - JANUARY 31:  Rapper T-Pain p...
Image by Getty Images via @daylife

I don’t know if you’ve noticed, but lately the ability to carry a tune while singing is optional.

Thanks to Cher and T-Pain, the rampant use of the Autotune in the music industry has enabled pretty much anyone to record a song and make it sound like they can sing (from the Autotune of encyclopedias, Wikipedia):

Auto-Tune uses a phase vocoder to correct pitch in vocal and instrumental performances. It is used to disguise off-key inaccuracies and mistakes, and has allowed singers to perform perfectly tuned vocal tracks without the need of singing in tune. While its main purpose is to slightly bend sung pitches to the nearest true semitone (to the exact pitch of the nearest tone in traditional equal temperament), Auto-Tune can be used as an effect to distort the human voice when pitch is raised/lowered significantly.[3]

A similar “innovation” has happened to the security industry.  Instead of having to actually craft and execute a well-tuned security program which focuses on managing risk in harmony with the business, we’ve simply learned to hum a little, add a couple of splashy effects and let the compliance Autotune do it’s thing.

It doesn’t matter that we’re off-key.  It doesn’t matter that we’re not in tune.  It doesn’t matter that we hide mistakes.

All that matters is that auditors can sing along, repeating the chorus and ensure that we hit the Top 40.

/Hoff

Enhanced by Zemanta
  1. Mike
    November 20th, 2010 at 08:09 | #1

    Hmm… I like the comparison to autotune, but what without it? I think most people will sing organically out of tune.

    Another way of viewing it is that compliance makes people feel, look, and sound secure when really they may not be. Let's take this to the next level and say that autotune is much like "compliance validation."

    You go into the studio and for a short while you look and sound secure, but then you leave to lead the rest of your life and you are very much out of tune.

    People who focus on compliance are many times only compliant a few months before and a few weeks after the "compliance validation." Whereas those who focus on a capability and maturity model (with compliance as a natural side effect), taking the time to incrementally improve their security posture and sound, end up with a more naturally existing security program.

    I really like this analogy since it shows that like autotune, focusing on validation instead of continuous compliance or a more stable security program is no way to maintain that pristine voice of reasonable security.

  2. November 22nd, 2010 at 08:03 | #2

    I really like this analogy, but like all analogies it breaks down eventually. Here's where this one does.

    In the case of people "singing" with autotune, we'd all be better off (including them) if they just didn't. Leave it to people who can actually sing.

    In the case of infosec if people feel the need to autotune their security compliance program, that's still better than if they had done nothing.

    I'd rather they sing along in tune, but if they can't and only autotune (compliance) will get them to participate so be it. It's much better than nothing.

  3. November 26th, 2010 at 07:49 | #3

    Look out for those live performances…or any situation where they can't rely on the autotuning (singing and security alike!).

    But I do think this comparison is a good one, because auditing really does hide lots of issues.

  1. November 20th, 2010 at 11:13 | #1
  2. November 20th, 2010 at 11:23 | #2