Following a post about Gromit the Dog last week, I'm wondering, does Wallace feed Gromit a home-made recipe made by a Food-O-Matic machine?
Thinking about responsibility in cybersecurity, "eating your own dog food" is an expression about our level of comfort and trust in ourselves. It's about our ability to meet the standards we set, particularly those we would have others follow.
If, for example, we set a password policy, do we stick with it ourselves? Even when we have admin rights and can choose to bypass the rules? Even when it's really inconvenient, do we stick to what we preach?
For key accounts I make myself remember hard passwords and keep only an inconvenient coded record for prompting myself. It's a thing of mine. First week back after Christmas, of course, I'd forgotten some passwords, especially for newer accounts. So I get angry at my own password security policy. When something like this happens it's easy to start blaming other people that the dog food tastes shit, even though I cooked it, at least by my own choices.
When we make rules we get tested by them, and our integrity is how much we stick to what we commit to. Blaming ISO27001 or NIST isn't going to help. Blaming the application interface isn't going to help. Caving in to the convenience, but added insecurity, of a shortcut, whether it be a centralised password policy or a single sign-on authentication tool, would be easy, but I'd specifically set out a policy for those accounts - an act of will for myself to follow. This boundary setting should feel not too far away from the logic of boundary making when you're doing it for others: just put yourself in their shoes, because soon enough you will be in them.