Due Care vs Due Diligence

After a few discussions this week, one information security governance topic that comes up often and creates confusion (especially for those learning about governance) is due care vs due diligence.

TL;DR: Due care is the thought put into securing your environment by creating the policies and procedures that protect it. Due diligence is the ongoing effort you put into making sure those policies and procedures are actually enforced and followed.

To be clear, these terms are not limited to information security. Anyone who has sat through countless compliance meetings with government regulatory bodies like the Securities and Exchange Commission, or with health care governing bodies, knows that they get floated around a lot in the compliance field. We just happen to be focusing on their relationship to security.

These terms can be difficult to grasp because people sometimes explain them in ways that are confusing. You’ll hear that one is thought and the other is action, or that one is feeling and the other is effort. That can still come out fuzzy in the wash, so let’s look at the terms themselves. To do that, we first have to look at what they both relate to: protection.

The ultimate mission is protection. Depending on your industry, what you’re protecting may differ, but ultimately you’re trying to make sure that the thing you’re protecting receives the protection it deserves. So let’s look at the terms now…

They both begin with “due”. You may have heard the phrase ‘giving something its due’. Basically, that means you’re affording that item what it deserves. In this instance, if our goal is the protection of people, systems and data, we need to make sure that in both cases we’re giving them the amount of protection they deserve. So now we look at the words that differ: “care” vs “diligence”.

If you care about something, it matters to you. That means you put thought into how you treat it and, ultimately, how you “care” for it. If you care about your child, you establish rules and guidelines for that child. You set boundaries for them because you want to protect them (even from themselves). If you care about the clients, personnel, data and systems you’re endeavoring to protect, then you take the time to think about and create policies that protect them from harm, abuse, unauthorized access, accidental damage, destruction, and so on. That’s the basis of “due care”: at a management/oversight level, taking the time to think about and create meaningful, useful policy for the protection of your environment.

Here’s the thing, though: care doesn’t do you much good without follow-through. If you set boundaries, rules and guidelines for your child and never enforce them, what good have you done? That’s the purpose of diligence. Due diligence is the execution of due care: the sustained effort of verifying that policies and procedures are actually followed, through review, auditing and enforcement. When you exercise due care by enabling logging on a sensitive system, what good is it if no one is diligent about reviewing those logs? Diligence is what makes the initial care you put in valuable.

The interesting thing about these terms, to me, is how distinct yet interdependent they are. Due care is useless without the diligence that makes it worthwhile. But due diligence means nothing if you haven’t taken the time to establish appropriate policy for protecting what matters to you. You can diligently push a rock up a hill all day, but what good is that? These two concepts go hand in hand in establishing and sustaining a strong security framework.
