I recently listened to a wonderful science program on National Public Radio discussing a book called Better: A Surgeon's Notes on Performance along with its author, Dr. Atul Gawande. The book discusses the reasons why some practitioners excel while others just meet the standards or perform poorly.
Its hypothesis and conclusions can be universally applied in business and even life. It was easy for me to draw connections to my own experiences and relate the lessons to computer security.
Here are some of the excerpts and the corollaries I drew (I apologize to the author in advance for any inaccuracies or misinterpretations):
The number one indicator for above-average medical care was often simply consistency. In the story related on NPR, the author discussed how one doctor was able to have significantly longer survival rates for his cystic fibrosis patients (47 years) as compared to the national average (33 years). The secret? Consistency. The doctor determined that many patients simply were not taking the recommended medicines consistently and timely. Once he realized this, he focused on making his patients more consistent, especially stressing that they should continue to take the medicine during the majority of the time when they felt well. The outcome was significantly longer living patients.
How many of us work in computer security environments where basic security recommendations are not applied consistently? I think it is nearly impossible to find a company that consistently and universally applies basic security tenets. So, we have inconsistencies, cracks in the system, and bad things are allowed to occur. The very human nature of purposefully allowing inconsistency as a norm leads to below-average outcomes. Taking a personal and institutionalized interest in applying basic security principles consistently will mitigate more risk and lead to a more secure environment.
Another conclusion was that improving the existing system often provides better outcomes than just adopting new technology. In the book's example, it talked about how the U.S. Army was trying to improve the survival rate of wounded soldiers in Iraq. Prior to the recent Middle East conflicts (say WWII and Vietnam), wounded soldiers died 25 percent of the time. The Army spent half a billion dollars developing new medical aids, technologies, and treatments, but found out that improving the basics -- and applying them consistently -- provided better outcomes.
For example, by ensuring that soldiers always wore their body armour, instead of removing it when it was hot, more soldiers lived. Moving the medical tents closer to the battlefield saved more lives. By focusing on better meeting the "golden hour" rule, they saved even more. They even experimented with essentially going against standard medical practices in some instances (for example, allowing field personnel more leeway to make medical decisions and to apply treatment without waiting for absolute test confirmation), and in doing so saved even more lives. The result was that now only about 10 percent of our soldiers die from their battlefield wounds even in a time of conflict where the average injury is much more serious.
This is not to say that new medical inventions and techniques don't help decrease the death rate; I'm sure they do. The key takeaway point is that much of the success is due to the re-application of existing systems.