Gartner Blog Network


Enable the Business? Sometimes Security Must Say “NO”…

by Anton Chuvakin  |  June 24, 2015  |  1 Comment

Business: Saying NO is not an option. Security must enable the business! What is the next best option, apart from your current position of “NO, do NOT do this!!!”?

Security: There are no good options here; we did the analysis several times, consultants and Gartner GTP analysts confirmed our findings.

Business: Remember that bit about “enabling the digital business”?!! You cannot say “no” – you must deliver us the next best option to enable us.

Security: Well … you can try doing X or Y, with additional safeguards of Z and U implemented.

Business: OK, that’s better! What are the known consequences of using this approach that you are suggesting?

Security: A huge meteor swarm hits Earth, everybody dies.

Business: Uh…OK. Business has the right to accept the risks, right?! Risk accepted.

0-meteor-hits

BOOM!!! Everybody dies.

5,000 years pass by…

An alien spaceship finds the now-defunct Earth, lands, and alien archeologists – in a bout of deeply alien curiosity – decide to figure out “what killed Earth?”

1-ufo-lands

They find a record of the above conversation on a miraculously survived tablet device and an argument starts between the aliens: who killed everybody on Earth, SECURITY or BUSINESS?

So, who do you think did? Essentially, there are two camps of … ahem… aliens arguing:

  1. Security is at fault – they did not communicate the risks well enough, or…
  2. Business [government agency] is at fault – they were stupidly negligent and didn’t listen to clear and precise communication, backed up by facts and external experts.

Which one sounds closer to the truth, if there is such a thing here?

Of course, this is not a blog post about the OPM breach. It is a parable about the fine line we have to tread in our daily jobs. As a security technologist you may be asked to do the impossible. While I think optimism is a great belief system, sometimes the impossible is not just very difficult… it is actually frigging’ IMPOSSIBLE. And so-called “next best option” is that you all friggin’ die!

For example:

  • An enterprise-grade “APT-ready” SOC at $0 … no good options!
  • An in-house run SIEM with no personnel dedicated to it … no good options!
  • Patch as fast as possible – with no automation and fragile legacy systems … no good options!
  • Processing super-secret data on an employee-owned PC on public wifi … no good options!

Conclusion: sometimes, “NO” is the right answer! Well, that and digging a deep enough bunker or moving to a space station before the meteor swarm hits!

Select blog posts tagged “philosophical”:

Category: philosophy  security  

Tags: security  

Anton Chuvakin
Research VP
5+ years with Gartner
16 years IT industry

Anton Chuvakin is a research VP at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio


Thoughts on Enable the Business? Sometimes Security Must Say “NO”…


  1. […] Enable the Business? Sometimes Security Must Say “NO”… […]



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.