Tying Shoelaces and Information Security

Most of us have been tying our shoelaces incorrectly. We were taught the weaker form of the knot, probably because the stronger version is harder for children to master. As Terry Moore demonstrated in his 3-minute video, tying the stronger knot involves bringing the second loop of the shoelace around the other loop in the opposite direction from what we are used to.

There are two reasons I bring up the shoelace story on this security-focused site.

Lesson #1: Best Practices

First, just because we’ve been following certain “best practices” for a long time, we shouldn’t assume that our approaches are optimal for the tasks at hand. The reliance on “best practices” is one of the addictions of information security professionals.

What if the security advice we’ve been passing along to each other as tribal knowledge isn’t good? Are there assumptions that we don’t question that prevent us from achieving stronger security or making more practical risk management decisions? What if we rely too much on the common security frameworks? Much about “best practices” is unproven and can probably be improved upon.

Lesson #2: Return on Investment

The second point I want to make involves Return on Investment (ROI). If someone were to offer to teach you a better way of tying shoelaces, how much would you pay for the lesson? The stronger knot comes untied less often, saving you valuable time and mitigating the risk of shoelaces coming untied when you’re being chased by robbers or when you’re rushing to cross the street.

It’s easy to conceive of a formula that puts a value on the secret of a stronger knot based on the cost savings or risk avoidance… Yet I doubt many of us would pay to watch the video that began this post. This is why I suggest being cautious of using ROI to justify the purchase of security technologies. Avoiding a potential loss is different from generating income.

But, back to the better way of tying shoelaces. The stronger form of the knot really works. I cannot tell you how many car accidents and robberies I avoided by investing 3 minutes to learn how to tie it. The stronger knot has become my new best practice.

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
