Aug 6, 2011

Seven deadly mistakes security geeks make before they get to be wise

Alternate Title: No no no!!  Purgatory sucks!!

Now that we have a sense of how we might look to our friends across the table, let's recap some common mistakes that we may have already made before we really dive into making choices and strategies to manage risks.  Knowing our mistakes gives us another level of awareness that we'll need when we negotiate.  Knowing your weaknesses is as important in negotiation as knowing your strengths.

We've all heard of the 7 deadly sins.  I thought this might be a great analogy to explain some of the most serious scenarios and mistakes that the novice security practitioner could fall into.

"The 7 Deadly Sins, also known as the Capital Vices or Cardinal Sins, is a classification of objectionable vices that have been used ... to educate and instruct followers concerning fallen humanity's tendency to sin."  (Wikipedia 1)  This makes it an excellent analogy to instruct you about mistakes to avoid and to help you recognize any that you have made already.

Let's see what kind of trouble we security, audit and risk managers might make in their career.

  • Wrath - Did you ever have one of those days where you find someone who is blatant in their distaste for security and for their role in protecting the company's data?  How does that feel?  Makes you angry, right?  Save it for your friends over a beer.  In all likelihood they will do the same.  At best this will help you both realize that you share the same feelings, so you both keep pressing on.  At least it will get you out of the moment without getting into trouble, so you survive to strive another day.
  • Greed - Knowing when to call or fold is the key to negotiation.  When you're asking somebody to do something and there are really 10 separate things that you need them to do, don't throw all 10 at them.  Most managers only give their people 10-20 objectives, and your stuff is only one of them.  So don't go for the whole goal out of the gate.  Prioritize, use the SMAART rules and lay the foundation for winning (not whining) down the road.
  • Sloth - Maybe it's just me, but there is only one person who I let walk faster than me at work, and that's the IT VP.  If I walk too slow, I walk around thinking I could have done more, and I have serious doubts when the auditors come knocking.  And we all know they look for nervousness so they know where to dig.  Of course you don't want to walk too fast either.  That's the path to the dark side too.
  • Pride - The tough part about being a cost center is that every win feels big.  And it is important to celebrate that.  Just celebrate with the team that got you there.  You would never have made it to the finish line without them.
  • Lust - Now this is a tough analogy to make.  Hmmm...let's see.  For me this is about time management.  We all know what the "sexy" stuff is, right?  Never forget that you still have to mow the lawn, take out the trash and wash the dishes.  If you know what I mean...
  • Envy - You can't walk around saying that you have to address every new risk with every new tool that comes out.  There will always be new tools.  There will always be new risks.  Don't get jealous because your friends have risks bad enough to need those new tools.  You'll get there some day... ;-)
  • Gluttony - Oh my...what can we say here.  It's not like we get a lot of anything besides trouble, so what could we be guilty of over-consuming?  How about people's time?  When people have to listen to you because their boss is saying "Security is important!", remember that they still have a lot more to do to feed their kids too.  Plan well, consume modestly, appreciate greatly.
I hope you now see why these are example "sins" of our practice.   Let's ponder the penalties so you can see why this is relevant.   Forgive the heavy quoting but I figured the meaning would be clear without further comment.   Just remember that I'm using this as an analogy to describe the reasons why you want to avoid the deadly sins of the security and audit profession.

'The Catholic Church divides sin into two categories: venial sins, in which guilt is relatively minor, and the more severe mortal sins. Theologically, a mortal sin is believed to destroy the life of grace within the person and thus creates the threat of eternal damnation. Mortal sin, by attacking the vital principle within us - that is, charity - necessitates a new initiative of God's mercy and a conversion of heart...'[1]  (Making mistakes damages the peace (grace) we may have felt before we made the mistake and puts us on a slope that we'll have to struggle to climb to return to that peace.)

'The Deadly Sins do not belong to an additional category of sin. ...A "deadly sin" can be either venial or mortal, depending on the situation; but they are called "capital" because they engender other sins, other vices.'[2]  (Wikipedia 1)  (The sins above are deadly but may not mean our demise.  However, they can easily grow into bad habits/vices that cause our demise, so we have to be careful due to the compounding nature of mistakes.)

'...a mortal sin is a wrongful act that, unless forgiven and fully absolved, condemns a person to Hell after death. These sins are considered "mortal" because they constitute a rupture in a person's link to God's saving grace: the person's soul becomes "dead", not merely weakened.'  (Wikipedia 2)  (The mistakes that are most damaging can lead to the end of our career because our "trusted adviser" status is destroyed.)

'...a venial sin (meaning "forgivable" sin) is a lesser sin that does not result in a complete separation from God and eternal damnation in Hell. A venial sin involves a "partial loss of grace" from God.'  (We can address these mistakes carefully and promptly to avoid the loss of our reputation or our career.)

'A venial sin meets at least one of the following criteria:
1. It does not concern a "grave matter",
2. It is not committed with full knowledge, or
3. It is not committed with both deliberate and complete consent.

As the above criteria are the three criteria for mortal sin stated negatively, a sin which met none of these extenuating conditions would necessarily be considered mortal.'  (We will make mistakes early in our career, so don't get locked up trying to avoid every mistake.)

'Each venial sin that one commits adds to the penance that one must do. Penance left undone during life converts to punishment in purgatory.'  (Wikipedia 3)  (Again, we will have to work to fix our early mistakes, and if we don't, we'll remember every one after our career is over.)

So there we go.  All the elements of a classic moral story.  What not to do and why not to do it.

Best of luck today and may all your risk management sins turn out to be Venial leaving room for Penance to keep your career on track to more wisdom and success.

UPDATED: Some folks said the end sort of drifted into a religious presentation.  Hopefully the clarification ahead of the quotes and the parenthetical bits will lead the confused through the vision of the threats to avoid, perhaps a little like Dante's allegory used Virgil to help people avoid the wrong path.
