Tying Shoelaces and Information Security

Most of us have been tying our shoelaces incorrectly. We were taught the weaker form of the knot, probably because the stronger version is harder for children to master. As Terry Moore demonstrated in his 3-minute video, tying the stronger knot involves bringing the second loop of the shoelace around the other loop in the opposite direction from what we are used to.

There are two reasons I bring up the shoelace story on this security-focused site.

Lesson #1: Best Practices

First, we should remember that just because we've been following certain "best practices" for a long time, we shouldn't assume that our approaches are the most optimal for the tasks at hand. The reliance on "best practices" is one of the addictions of information security professionals.

What if the security advice we've been passing along to each other as tribal knowledge isn't good? Are there assumptions that we don’t question that prevent us from achieving stronger security or making more practical risk management decisions? What if we rely too much on the common security frameworks? Much about "best practices" is unproven and can probably be improved upon.

Lesson #2: Return on Investment

The second point I want to make involves Return on Investment (ROI). If someone were to offer to teach you a better way of tying shoelaces, how much would you pay for the lesson? The stronger knot comes untied less often, saving you valuable time and mitigating the risk of shoelaces coming untied when you’re being chased by robbers or when you’re rushing to cross the street.

It's easy to conceive a formula that will put value on the secret of a stronger knot based on the cost savings or risk avoidance… Yet I doubt many of us would pay to watch the video that began this post. This is why I suggest being cautious of using ROI to justify the purchase of security technologies. Avoiding a potential loss is different from generating income.

But, back to the better way of tying shoelaces. The stronger form of the knot really works. I cannot tell you how many car accidents and robberies I avoided by investing 3 minutes to learn how to tie it. The stronger knot has become my new best practice.

Updated

About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more