J.S. Bach's sublime "Fugue in C-sharp minor," from Book One of Das Wohltemperierte Klavier (BWV 849), was published in 1722. It has five voices and three subjects, so it is a triple fugue. Let's take a look at what Bach and his excellent work can teach us about building a rock-solid information security program.

1. Keep it simple

The slow and stately four-note subject is simple but pregnant with possibility. Through each iteration and each addition of a new component, the piece becomes a lovely, dense mesh of darkness and light. Ultimately, the thrilling climax can send emotional waves through your body, leaving you weeping, emotionally drained and forever changed. Each element is simple in itself, but when combined, an extraordinarily complex web of sound is created.

If your perimeter firewall has 5000 rules, you're probably doing something wrong, especially if you are a relatively small organization. Likewise, if your policy documents are incomprehensible to the average end user, there is a problem. The IT staff of one organization I was assessing claimed their policy was secret, and when I finally got hold of it, it turned out it wasn't a policy at all; it was simply a copy of a federal agency's policy framework written in govspeak. There was nothing there that would communicate performance and behavioral expectations to management, end users or the IT staff.

Printed music, a score, is simply a set of instructions for a performer. It's not music until a performer brings it to life. Bach's scores provide the minimal amount of information required to do just that, and they leave a great deal of the interpretation to the performer (assuming good taste and common sense, of course).

Your information security plans and documents are similar; they're just documents until you bring them to life and put them into practice. In many enterprises, these documents exist only on a shelf and are never used. Dust off those documents if you have them and make sure they have been implemented, followed and enforced. If you don't have the documents, you had better get to work. Follow Bach's lead and keep it all as simple as possible. Don't count on common sense, though.

2. Layers

Bach chose a five-layer framework for this fugue. How many layers does your security program have? Comprehensive policy, procedures, guidelines, technical controls, administrative controls, physical controls, awareness and training are all part of the mix.

The common mistake I have seen in audits is that organizations often depend on only one layer: technical controls. Many security programs, probably in the majority of enterprises, consist of a firewall and some antivirus software, but policy, procedures, guidelines and training are often non-existent. If you depend on technical controls alone, your score is 80-90% incomplete.

3. Resilience

Musicians learn resilience, often the hard way, as soon as they begin doing recitals. The only way to be prepared for anything is to over-practice and over-rehearse so that no matter what happens, your fingers keep going even if your brain shuts down. You have a great amount of time to prepare, but only one chance to get it right when it actually counts.

Practicing and planning for the inevitable information disaster is the only way to survive it. If you've done this well, you can keep performing without anyone but an expert noticing the glitch. If you do it badly, the show is interrupted and you may never get a second chance.

4. Continuous improvement

A good music teacher shows you how to practice using mindfulness rather than rote repetition. Each iteration should be made better than the last by analyzing every aspect of what you're doing. Walter Gieseking wrote about this sort of approach in his book, and he might be considered music's version of W. Edwards Deming.

What sort of program for continuous improvement do you have in place? It doesn't happen by itself unless you had a great teacher, coach or mentor. Great performers analyze every aspect of every performance and do a root cause analysis so they don't make the same mistakes again. Well-run organizations and great managers do the same, but the majority keeps making the same mistakes over and over again. Public humiliation in front of colleagues and coworkers doesn't often seem to be a motivating factor in the business world, but it definitely is in the world of musical performance.

5. Listen

Listen to the voice of your network and your end users, and pay attention to logs and metrics. Too many IT directors are tone-deaf to the voices of their customers, and I have seen many organizations that pay no attention to security logs and metrics at all. They can't distinguish between the sound of a perfectly tuned network and an out-of-tune one. Don't be that patronizing, know-it-all ass of a CIO; listen to everything and everyone.

If you are unfamiliar with Bach's C-sharp minor masterwork, you can listen to Hélène Grimaud's performance, in which the fugue begins at about 3:15. For a different approach, Sir András Schiff's version begins at about 2:40. There is no accounting for taste, and everyone has their favorite.

If you are fascinated by the music and want to learn more, my favorite recording of the entire set is Angela Hewitt's, which is part of my car mix for long trips. If you are new to Bach, it can be a life-changing experience.

If you want to improve your information security program, there are numerous resources from which to choose. ISO/IEC 27000, NIST, and COBIT 5 for Information Security all provide great starting points. Which is your favorite?
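Point 5 above says to listen to your logs and metrics and to learn the difference between a network that is in tune and one that is not. The following is an added example, not code from the original post: it builds a constructed sshd-style log (the hostnames, usernames and addresses are made up), counts failed logins per hour, and flags any hour whose count is far above the baseline formed by the other hours. Each hour is compared against a baseline that excludes itself, so a single loud hour cannot inflate its own threshold and hide. The `floor` parameter is an assumption chosen for this sample; a real baseline would be built from weeks of data rather than six hours.

```python
"""Added example: spotting an out-of-tune hour in authentication logs."""
import re
from collections import Counter
from statistics import mean, pstdev

# One sshd "Failed password" line; everything after the source address is ignored.
FAILED_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<hour>\d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def build_sample_log():
    """Constructed sample log (not real data): five quiet hours and one burst."""
    spec = [  # (hour, failed logins in that hour, source address) -- all made up
        ("00", 2, "198.51.100.4"),
        ("01", 1, "198.51.100.4"),
        ("02", 3, "192.0.2.9"),
        ("03", 2, "198.51.100.4"),
        ("04", 30, "203.0.113.7"),  # the out-of-tune hour
        ("05", 2, "192.0.2.9"),
    ]
    lines = []
    for hour, n, ip in spec:
        for i in range(n):
            lines.append(
                f"Mar 10 {hour}:{i % 60:02d}:15 bastion sshd[{1200 + i}]: "
                f"Failed password for invalid user admin from {ip} port {50000 + i} ssh2"
            )
        # A normal successful login each hour, so the parser has non-matching lines to skip.
        lines.append(
            f"Mar 10 {hour}:59:01 bastion sshd[1999]: "
            f"Accepted publickey for ops from 192.0.2.50 port 40001 ssh2"
        )
    return "\n".join(lines)


def failures_per_hour(log_text):
    """Count failed logins per hour, keyed like 'Mar 10 04h'."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            counts[f"{m['month']} {m['day']} {m['hour']}h"] += 1
    return counts


def out_of_tune_hours(counts, z=3.0, floor=5):
    """Return (hour, count) pairs that stand z standard deviations above the other hours.

    The baseline for each hour is computed from every *other* hour (leave-one-out),
    so an outlier does not widen its own threshold. `floor` suppresses alerts on
    tiny absolute counts, which matters when the quiet hours are nearly identical.
    """
    hours = sorted(counts)
    flagged = []
    for hour in hours:
        others = [counts[h] for h in hours if h != hour]
        if len(others) < 2:
            continue  # not enough history to form a baseline
        mu, sigma = mean(others), pstdev(others)
        if counts[hour] > floor and counts[hour] > mu + z * sigma:
            flagged.append((hour, counts[hour]))
    return flagged


def dominant_source(log_text, hour_key):
    """For a flagged hour, return the (address, count) that produced the most failures."""
    by_ip = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m and f"{m['month']} {m['day']} {m['hour']}h" == hour_key:
            by_ip[m["ip"]] += 1
    return by_ip.most_common(1)[0] if by_ip else None


if __name__ == "__main__":
    log = build_sample_log()
    counts = failures_per_hour(log)
    for hour, count in out_of_tune_hours(counts):
        ip, n = dominant_source(log, hour)
        print(f"{hour}: {count} failed logins, {n} of them from {ip}")
```

Hours with no failures at all never appear in the counter, so a fuller version would seed every observed hour with zero before computing the baseline; otherwise a quiet period is silently dropped from the comparison, which is exactly the kind of blind spot the "listen" point warns about.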