"But I've always done it this way"

Updated: May 5

Last year I had the happiness of completing 10 years working in the information security field, and since the beginning, I have always worked with GRC (Governance, Risk and Compliance).

As in any other field in security, working in GRC requires a lot of things, and one of them is knowing how to evaluate a process and, based on that assessment, identify gaps or risks that can prevent the process from delivering its results but, mainly, compromise the information security principles (confidentiality, integrity, availability) in some way.

Without exaggeration, in all the professional experiences I have had over these years in the field, whenever the moment came to observe how a specific process is executed or to interview the people involved in the activities, and I asked about something that caught my attention, I always came across someone saying something similar to "but I've always done it this way".

The "but I've always done it this way" attitude is the one where I keep doing it because it has never been a problem, there has never been an incident, I do only my part but don't think about my partners, and I don't care whether the way I am executing it can harm my team, other departments, or the company.

Most of the people I have encountered who expressed that line have always been open to understanding what the correct way is, why the way they were executing it was wrong, and the information security risk they were generating for the company. In other words, they were open to improving, to doing it the right way.

However, what about the smaller portion who are more resistant? Those who don't want to admit fault? Those who want to continue executing it in the same way?

Obviously, I am a strong defender of insisting, as I already discussed here regarding awareness, using various means and repetition. But it is a fact that even after receiving guidance and input, employees and/or service providers continue to be repeat offenders, for example making changes to production servers without following the change management process, storing corporate information in unauthorized locations, granting access without following the established process, and so on. I am absolutely sure disciplinary measures will be applied.

The way I wrote it above sounds like I want to create a controversy or discuss whether applying disciplinary measures to every repeat offender is right or wrong, doesn't it? But please, don't understand it that way. The real message I want to give you, who are reading this and who interact with someone who says "But I've always done it this way", is that regardless of where we are, we should have responsibility, ethics, proactivity, a desire for improvement, and openness to correcting our mistakes. Here, it goes far beyond being responsible for the information of the company or clients you work for; it involves how you want to be recognized in your personal and/or professional life.

