by Simon Biles
I have, occasionally in the past, mentored people in (on?) Information Security – once for money (this is not a revenue stream that I’ve mastered by any stretch of the imagination!), but more often than not, informally and infrequently. What there is in common with most people who are keen, but still a bit wet behind the ears, is an idealistic world view where Information Security, as a totality, can be obtained. It sometimes seems a bit like kicking a puppy to have to break it to people that, irregardless of how long, how much money and how much technology you throw at something, it will still have vulnerabilities and risks. Even the proverbial “unplug it, stick it in a safe and throw away the key” is still vulnerable. I’ve seen “Oceans 11” – I know what can happen to a safe.
The reality is what we do for a living is to make security “good enough” – we are risk managers, risk mitigators, risk avoidance and risk acceptance professionals. We know what can happen, and then we decide if spending £x on it is worth it. Where we go wrong, inevitably, is that we sometimes have absolutely no idea about the value of the asset that we are protecting. How can you determine if a countermeasure or control is appropriate if you don’t know this figure? The real problem is that very often the business has no real idea either.
One of the most cited “losses” by us is “reputation damage” – but we say it with the same sort of suck in through the teeth used by plumbers when looking at a blocked drain – “I dunno exactly how much darlin’ but it’s gonna be pricey …” – we really haven’t got a scooby-doo.1 How can you assess the potential impact on reputation? A lot of the actual impact comes down to how it is handled after the fact. Bad examples are easy to come by – think Sony & Toyota – good ones a lot less so – so few in fact, that I can’t think of one …
The bottom line is that although no-one can predict it – however it isn’t the job of the InfoSec consultant to do it (ok, going armed with examples of similar size companies/sectors/etc. harms no-one…) – it is down to the business side to know the value of their data, reputation, availability etc. Only when this information is forthcoming can a management decision be made that a £25k firewall is worth protecting a £1million value asset, where as a £10k firewall to protect a £9k asset is a bad move. And this is where the “good enough” comes into play.
Good enough is the perfect balance point where the person who holds the purse strings sees the value in spending x to protect y. Good enough requires negotiation, compromise and understanding – but it is, at the end of the day, what is best for everyone.
So, next time you are specifying a security solution, consider not “Is this the best level of protection I can get?” or “Is this in line with industry best practice?” or even “I really want one of those” but rather “Is it good enough for the task in hand?” If it is then you are most likely to get your budget, and the respect of the business. Which, in the long run, means you may well get what you want !
About the Author Si Biles ( @si_biles ) is a consultant for Thinking Security in deepest darkest Oxfordshire, ‘cos he’s a CLAS consultant he spends quite a lot of time doing things for the Government, outside of that he has a particular interest in network security, vulnerability analysis, penetration testing and incident response & forensics. You can read more of his blogging on his own site and occasionally other places such as : Josetteorama