But what does it really mean and what good does it really do when the majority of your IT processes and controls are in place just for show? If anything, such an approach to information security can create more liabilities than it mitigates. Furthermore, what if you found out that you are doing too much? Spending more time and money than necessary and creating more hassle just because it seemed like the right thing to do are sure signs of a failed approach to information security. Such reliance on "best practices" is a great way to set your business up for long-term failure.
Do not fall into the myrmidon mindset. Think for yourself. Look at your own requirements and your own needs in the context in which you are doing business. It is OK to take the advice of others - just don't forget the fact that no one knows your organization's culture, politics and means of operation better than you and your peers.
Show reasonable effort to minimize security risks relevant to your organization and document why you are not falling in line with the masses for everything else. You can save money, time and a whole lot of effort and still please the regulators and auditors who ask the tough questions down the road. In fact, stepping back and looking at the big picture could be the very formula you need to finally get on the right track and obtain the buy-in and visibility you need to make security work.
Kevin Beaver is an independent information security consultant, author, keynote speaker and expert witness with Atlanta-based Principle Logic LLC, where he specializes in performing independent information security assessments in support of risk management and compliance. He has authored/co-authored seven books on information security including the brand new "Hacking for Dummies, 3rd edition" and "The Practical Guide to HIPAA Privacy and Security Compliance." He is also the creator of the Security On Wheels information security audio books and blog. For contact info and links to his blog and Twitter account, visit www.principlelogic.com.