Recently my 8 year old son had a soccer game where the ref didn't show up. Fortunately both coaches from his team were certified refs for the age group and one volunteered to help. The game was a tough match up but things went smoothly, until the opposing team's goalie trapped the ball and then kicked it all the way into our goal. This was clearly not a goal based on league rules, yet the opposing coach fought against the rule, stating “other refs have counted those.” In the end our coach gave in and allowed the goal to stand so as not to put the coach reffing in an awkward position.

Funny, when I was an auditor I used to hear this all the time. “The last auditor allowed us to do that.” My response always went something like “well, I am not the last auditor.” I know this excuse is used a lot, not just in games or audits. How many times in infosec have you heard the phrase “we haven’t had to do THAT before”? So the question becomes: is it wrong to enforce now?

We can’t and shouldn’t live by others’ judgments or mistakes. As information security professionals we have to do what is best for our organization. The basis for that is the policies and standards that have been put in place. Sure, there are times when we will accept risk because the business needs to operate, but each situation must be evaluated individually. Risk acceptance should be understood by all parties each time a risk is introduced. Accepting a risk once and then treating that acceptance as a standing exception only leads to risk aggregating above tolerable levels.

The coach on the opposing team was an adult and should have followed the rules. Instead he was more focused on winning. In the high-stakes business world, do we assume adults will make the right decisions? Running in a relaxed-controls environment only leads to loss events and audit findings. Being an impartial ref is tough, but that is what makes us professionals.