
Life Between Absolutes – The Challenge of a Security Professional

Security has never been about being ‘secure’ or ‘insecure’; I think we as an industry of professionals can broadly agree on this. What we don’t seem to agree on, pretty much ever, is how to strike the balance of good enough security.

In what feels like a never-ending struggle, I bear witness to the results of this on a daily basis working on the provider side of the problem. Over-engineering solutions leads to resentment and distrust from the business side. Under-engineering leads to situations of blame and catastrophe. I don’t think either end is a good result.

So, where’s the middle?

That, my friends, is the billion-dollar question. The magic formula for figuring out what is “good enough” is nowhere to be found. In fact, what we’ve been seeing is the result of a lot of trial and error—and it’s not been good. And yet, I still hear of security professionals talking in absolutes. Phrases like “that project was not secure” or “doing this makes us insecure” and so on. Frankly, it’s time to face the music.

There is no “secure.” The minute you think you can reach that place, you’re already wrong. Worse, you’re doing yourself and your organization a disservice.

Strive for a defensible result. In other words, when things go wrong, and you’re faced with a bad day, make sure you can defend your strategy and approach in front of a court of law and public opinion. Do not only what the bare minimum calls for but what is necessary and proper. It’s that last word that will get you into trouble, I think.

Lawyers will tell you that “necessary and proper” is a legal term. It’s a way to protect yourself, your customers, your shareholders and executives. It’s doing things “just right.” It’s acknowledging that there will be mistakes and accounting for them. When you have a communications breakdown and someone misses a patch or makes an unauthorized change, it’s critical to know how fast you can catch it and what you do about it.

Friends, we live between the absolutes. It’s just like how you can do your best to protect your children, but eventually they have to go into the real world where there are things beyond your control—our jobs are to prepare the business to the best of our abilities. We should teach our constituents and leaders to defend themselves, provide developers with tools that allow them to be smart about writing code, and implement processes that finally and truly “build security in.”

Security doesn’t scale with humans. Never has, never will. The new paradigm you’re seeing over the last 5-7 years has been a slow drive towards security being less operational and more governance-focused. This is the only way I can see that we get beyond survival and into thriving. Everything else will end badly. Trust me, I’ve been there.

Now is as good a time as any for reinvention. Let’s get it right this time—maybe. Let’s start working towards a better state of security so that we can defend well, in a well-thought-out manner. Prevent what you reasonably and responsibly can. Detect and respond to the rest so you can restore critical business processes. Let’s drop this secure and not secure nonsense… it’s time to grow up.
