The 12 Steps of Recovery: Data security style

Apr 24, 2012 | 4 min read
Compliance | Data and Information Security | Privacy

I’m amused by a story CSO correspondent Taylor Armerding wrote yesterday about a life coach suggesting he’s doomed because there’s no way he can possibly meet the PHI security demands hanging over his shop. Thing is, I think he’ll be fine because he did the first thing a man must do before finding solutions: He admitted having a problem.

Taylor writes:

Nothing like a little morbid humor from a life coach. But given the difficulty of securing Personal Health Information (PHI) in the digital age, Anthony Centore, founder of the Virginia-based counseling and life-coaching firm Thriveworks, sounds like he could use a little counseling himself. On the Thriveworks website, he has posted a lament titled, “Counselors are Doomed: Client Privacy and PHI in the Electronic Age,” with a depressingly familiar list of reasons why those charged with protecting the personal information of their clients are in an almost impossible situation.

To be fair, Centore doesn’t believe he’s truly doomed. His points are meant to be somewhat tongue-in-cheek. But he says out front that it may not be possible to achieve 100-percent data security, and that’s some refreshing honesty.

Reading this, I couldn’t help but think of the 12 Steps of Alcoholics Anonymous. The first step is: “We admitted we were powerless over our addiction – that our lives had become unmanageable.”

That got me thinking further: instead of six reasons we’re doomed, why not have a 12-step list for people addicted to the idea that 100-percent data security is attainable and that compliance is THE answer? Please indulge me as I take a tongue-in-cheek crack at it.

Note: What follows is not meant as an insult to the 12-Step program many have used to achieve recovery from alcoholism, drug abuse and other addictions. I’ve been through that program myself and swear by it.


  • Step 1 – We admitted we were powerless over our data insecurity – that our lives had become unmanageable
  • Step 2 – Came to believe that Compliance could restore us to sanity
  • Step 3 – Made a decision to turn our will and our lives over to the care of our QSAs as we understood them
  • Step 4 – Made a searching and fearless moral inventory of our security policies and found that they were based more on hope than reality
  • Step 5 – Admitted to God, to ourselves and to another human being the exact nature of our wrongs, including the misguided idea that compliance alone could restore us to sanity
  • Step 6 – Were entirely ready to have a handful of security vendors, contractors and a newly-hired CSO remove some — if not all — these defects of character
  • Step 7 – Humbly asked our QSAs to remove our shortcomings on paper
  • Step 8 – Made a list of all persons we had harmed, and became willing to get them all a year of free credit monitoring
  • Step 9 – Made direct amends to such people wherever possible by posting a mea culpa on our website, except when to do so would injure them or others
  • Step 10 – Continued to take personal inventory and when we were wrong promptly admitted it, in accordance with various data breach notification laws
  • Step 11 – Sought through prayer and meditation to improve our conscious contact with our QSAs as we understood them, praying only for the knowledge to achieve true security and the budget to carry that out
  • Step 12 – Having awoken from the nightmare that resulted from these steps, we tried to carry the message that 100-percent security is a pipe dream to others, and vowed to practice with more realistic security initiatives in all our affairs

Going back to Taylor’s article, I find it appropriate that Centore is a life coach. His profession — which is based in part on teaching people to go forth with a more realistic set of life goals — probably opened him to the notion that security is like everything else in life: You can manage your imperfections and make yourself a stronger and more effective human being. But you will never achieve perfection and should stop laboring under the delusion that it’s even possible.