Seth Godin's book Tribes makes many points that are worth noting, When re-reading the book, the following passage especially caught my attention.


The Easiest Thing

The easiest thing is to react.
The second easiest thing is to respond.
But the hardest thing is to initiate.
Reacting, as Zig Ziglar has said, is what your body does when you take the wrong kind of medicine. Reacting is what politicians do all the time. Reacting is intuitive and instinctive and usually dangerous. Managers react.
Responding is a much better alternative. You respond to external stimuli with thoughtful action. Organizations respond to competitive threats. Individuals respond to colleagues or to opportunities. Response is always better than reaction.
But both pale in comparison to initiative. Initiating is really and truly difficult, and that's what leaders do. They see something others are ignoring and they jump on it. They cause the events that others have to react to. They make change.

It is almost uncanny to see how well this passage applies to the daily work of an information security leader. The hardest part about our job is to initiate change. Change that will realign business processes with goals, and change that compels people to make decisions that expose our most valuable resource only at acceptable levels.

When our first line of efforts fail, and we may be confronted with a potential information compromise, the next line of efforts comes into play, and we respond to a situation at hand. That response should be premeditated, planned, and carefully executed. Things go wrong when people (sysadmins?) react, without seeing the full scope of what unintended side-effects their actions may have.

Initiate, respond, react.