Blog post

Enable the Business? Sometimes Security Must Say “NO”…

By Anton Chuvakin | June 24, 2015 | 0 Comments


Business: Saying NO is not an option. Security must enable the business! What is the next best option, apart from your current position of “NO, do NOT do this!!!”?

Security: There are no good options here; we did the analysis several times, consultants and Gartner GTP analysts confirmed our findings.

Business: Remember that bit about “enabling the digital business”?!! You cannot say “no” – you must deliver us the next best option to enable us.

Security: Well … you can try doing X or Y, with additional safeguards of Z and U implemented.

Business: OK, that’s better! What are the known consequences of using this approach that you are suggesting?

Security: A huge meteor swarm hits Earth, everybody dies.

Business: Uh…OK. Business has the right to accept the risks, right?! Risk accepted.


BOOM!!! Everybody dies.

5,000 years pass by…

An alien spaceship finds the now-defunct Earth, lands, and alien archeologists – in a bout of deeply alien curiosity – decide to figure out “what killed Earth?”


They find a record of the above conversation on a miraculously survived tablet device and an argument starts between the aliens: who killed everybody on Earth, SECURITY or BUSINESS?

So, who do you think did? Essentially, there are two camps of … ahem… aliens arguing:

  1. Security is at fault – they did not communicate the risks well enough, or…
  2. Business [government agency] is at fault – they were stupidly negligent and didn’t listen to clear and precise communication, backed up by facts and external experts.

Which one sounds closer to the truth, if there is such a thing here?

Of course, this is not a blog post about the OPM breach. It is a parable about the fine line we have to tread in our daily jobs. As a security technologist you may be asked to do the impossible. While I think optimism is a great belief system, sometimes the impossible is not just very difficult… it is actually frigging’ IMPOSSIBLE. And so-called “next best option” is that you all friggin’ die!

For example:

  • An enterprise-grade “APT-ready” SOC at $0 … no good options!
  • An in-house run SIEM with no personnel dedicated to it … no good options!
  • Patch as fast as possible – with no automation and fragile legacy systems … no good options!
  • Processing super-secret data on an employee-owned PC on public wifi … no good options!

Conclusion: sometimes, “NO” is the right answer! Well, that and digging a deep enough bunker or moving to a space station before the meteor swarm hits!

Select blog posts tagged “philosophical”:

Comments are closed