I know, I know. I’ve already upset you by using a certain word in the title. I imagine some of you will be reaching for the whacking stick, if not for the title, then for my cheeky swipe at the industry.
I want to talk about the practice of Information Security, and something I find particularly troubling. We have industrialised the flight of our practitioners from a place of competence and cultivated a dependency on easy fixes. By this I mean the buffet of security frameworks. Take your pick and gorge yourself. It tastes good in the short term but as you consume it, it also consumes you.
The resolution of complex and abstract problems should be the mainstay of Security Practitioners. But this isn’t what we see. Security Practitioners have a specific set of problems defined by external influences: regulatory pressure, client requirements, or senior leadership that mandates accreditation to certain frameworks.
Now, in and of themselves these frameworks aren’t terrible; they have a place. There are some reasonable attempts to give a practical application of some level of competence. But we all know how easy it is to play sleight of hand with this stuff... but I’m not here to discuss why frameworks are good or bad. What I am saying is that they become a refuge for those who don’t know any better. Too often, the incompetent flee from competence and take refuge in these frameworks.
Are we using these frameworks thoughtfully and appropriately? I doubt it. I suspect many just download a free template off the internet and that forms the basis of their practice. But alas, the industry is awash with those providing free resources on the socials for the engagement. This is the sign of a vapid and hollow discourse within our industry. If that offends you, be offended!
Frameworks have become the crutch that is used to mask incompetence. The perception then becomes that frameworks can be used as a measure of security posture. But that isn’t true: it’s a measure of compliance with an arbitrary standard that is defined by incompetence and required by the incompetent. The tragic inevitability is that they will become part of the organisational standards and structure which then determine how security must be approached. It will become integrated incompetence.
What is the impact for the business here? Their aspirations become the thing that feeds the process of box checking. Measurement of adherence becomes their measure for competence. The very thing that was meant to ease the burden becomes an albatross around our necks.
Those in leadership positions must be mindful about the atmosphere and expectations they set within their teams. It can be too easy to anchor performance expectations to process execution and overly defined boundaries that are a natural outcome of the implementation of these frameworks. We need to be careful that we aren’t creating environments where the jobsworth thrives, and creativity is stifled, for it subverts the purpose of what we are here to achieve.
Frameworks have their place, but they need to serve our needs; we shouldn’t be serving the framework. But as a security practitioner, I presume my views on this will need to be added to the list of my major non-conformances.