
Management & Strategy

Life Between Absolutes – The Challenge of a Security Professional

Security has never been about being ‘secure’ or ‘insecure’; I think we as an industry of professionals can broadly agree on this. What we don’t seem to agree on, pretty much ever, is how to strike the balance of good enough security.

In what feels like a never-ending struggle, I bear witness to the results of this on a daily basis working on the provider side of the problem. Over-engineering solutions leads to resentment and distrust from the business side. Under-engineering leads to situations of blame and catastrophe. I don’t think either end is a good result.

So, where’s the middle?

That, my friends, is the billion-dollar question. The magic formula for figuring out what is “good enough” is nowhere to be found. In fact, what we’ve been seeing is the result of a lot of trial and error—and it’s not been good. And yet, I still hear of security professionals talking in absolutes. Phrases like “that project was not secure” or “doing this makes us insecure” and so on. Frankly, it’s time to face the music.

There is no “secure.” The minute you think you can reach that place, you’re already wrong. Worse, you’re doing yourself and your organization a disservice.

Strive for a defensible result. In other words, when things go wrong, and you’re faced with a bad day, make sure you can defend your strategy and approach in front of a court of law and public opinion. Do not only what the bare minimum calls for but what is necessary and proper. It’s that last word that will get you into trouble, I think.

Lawyers will tell you that “necessary and proper” is a legal term. It’s a way to protect yourself, your customers, your shareholders and executives. It’s doing things “just right.” It’s acknowledging that there will be mistakes and accounting for them. When you have a communications breakdown and someone misses a patch or makes an unauthorized change, it’s critical to know how fast you can catch it and what you do about it.

Friends, we live between the absolutes. It’s just like how you can do your best to protect your children, but eventually they have to go into the real world where there are things beyond your control—our jobs are to prepare the business to the best of our abilities. We should teach our constituents and leaders to defend themselves, provide developers with tools that allow them to be smart about writing code, and implement processes that finally and truly “build security in.”

Security doesn’t scale with humans. Never has, never will. The new paradigm you’re seeing over the last 5-7 years has been a slow drive towards security being less operational and more governance-focused. This is the only way I can see that we get beyond survival and into thriving. Everything else will end badly. Trust me, I’ve been there.

Now is as good a time as any for reinvention. Let’s get it right this time—maybe. Let’s start working towards a better state of security so that we can defend well, in a well-thought-out manner. Prevent what you reasonably and responsibly can. Detect and respond to the rest so you can restore critical business processes. Let’s drop this secure and not secure nonsense… it’s time to grow up.
