Security: Compliance or Contribution?

Compliance is quite different from contribution.
Organized bureaucracies thrive on compliance. It makes it easier to tell people what to do.
But contribution is the only way that tribes thrive, the best way to make change happen and the essence of being part of a community. It’s a shame that we spend so much time teaching our children (and our employees) to comply. 
Far better to seek out contribution instead.
Posted by Seth Godin on July 02, 2016

Here Comes Seth

Seth Godin is always a fantastic source of inspiration for marketing and management. He recently wrote the piece above. So what would compliance or contribution be like in the security sphere?

Everyone Can Make a Difference in tough moments

“Compliance”: Not staying late after hours, even when the office is closed, when that is what it takes to finalize a report or a proposal due early the next morning. Telling the business “you cannot do this” because it breaks security rules, without trying to challenge the requirements, re-engineer the solution, find a workaround or even initiate a long-term solution.

“Compliance”: Not doing something, for security motives or because of a “not my business” reflection, when it would have had a very positive impact on the business or on society as a whole. I will always remember the story of this guy in Paris in November 2015. He noticed guys seated in a car, not properly parked, looking strange. He thought they could be burglars but did not notify the police. Probably he thought “attacking a bank, who cares?”. He complied with his own behavior standards and worldview. A few hours later, this group was among the suicide gunmen at the Bataclan.

Security: a catalog or a tool for risk management?

“Compliance”: Implementing IT security policies in great detail when it is widely known that physical security is a major risk (and not properly handled).

“Contribution”: Prioritizing security projects, actions and even rules based on business risk and opportunities.

Who is the person in charge of urgent security issues?

“Compliance”: Not alerting the right level of management when other channels have not been responsive. Not speaking with the president or CEO and alerting him or her to a potentially serious matter when you come across him or her, because you are not expected to do it. It could be because his or her door is not kept open.

“Contribution”: Preparing a one-page memo on one issue you consider serious and recommending a course of action and alternatives. Of course, starting with the regular channels.

Should Security Stay in a Box?

“Compliance”: Staying in your silo because “security is not your responsibility” or “you don’t have formal training in this matter” when your contribution could have a positive impact, even if only to identify and handle an issue.

“Compliance”: Waiting to be called by a low-cost airline after your last flight has been cancelled. “Contribution”: Gathering all the other passengers in the same situation, all queuing at the first open desk and asking for a solution. Obtaining an additional flight scheduled to take care of these 80 passengers.

Security Challenging Client Requirements and Enabling new Business

“Contribution”: Challenging the client’s requirements for its packaging in order to reduce the number of losses (thefts) during parcel delivery.

“Contribution”: Within one business project, recommending that even stronger authentication and detailed access privilege management be considered, because it could become a market requirement in the near future and an advantage in the meantime.

A Suggested Take Away?

Just like satisfying the customer or being compliant, security is everyone’s responsibility. No one can hide behind his or her job description. To be successful, it requires dedication and the right balance between applying rules and taking initiative. It relies on the dedication and morale of employees, who would ideally behave as if it were their own business.

Your comments are welcome!