Don't ask how we got here, but...
There is a great post over on Gunnar Peterson's blog (OK, there are a boatload of great posts over there, but for now I would like to focus on a single, unexpected one, mkay?) It turns out that Gunnar was Hunter S. Thompson's webmaster (and you think you have special clients) and the post I mention is about HST's passing.
Thompson's piece on security quoted at the end of the post is pretty interesting; it is easy to write it off as irrelevant to our day jobs, though- he is talking about personal security, adventure, and risk after all, not information security risk in a business environment. Dismissing that attitude from the way you approach security would be a big mistake, however. First, because we need to look at new ways to do things because our environment is constantly evolving- but that is "adventure" and "risk" we can manage (or, at least we tell ourselves we can).
There is a much more important reason to consider Thompson's words on security, especially in opposition to "accomplishment", because of one special group of people- entrepreneurs. You know, the folks who start and grow businesses which then hire us. There is a real risk/reward mindset with many entrepreneurs, and if they didn't gamble a bit, they wouldn't get where they are. Think about that when dealing with them, and trying to sell security to them. It is another case where the way we market security needs to be aligned with the audience.
"You can't do that because it is dangerous"
is not going to get the reception you want. Even
"You can't do that unless you do this to protect yourself"
probably won't do it, either. On the other hand,
"We can provide protection for you so that you can do what you want, but with less risk"
should get their attention. Just don't say it if it isn't true, sometimes you do have to be the voice of reason, or at least caution- and accept that some decisions are not yours to make.
Jack
