Business: Saying NO is not an option. Security must enable the business! What is the next best option, apart from your current position of “NO, do NOT do this!!!”?
Business: Remember that bit about “enabling the digital business”?!! You cannot say “no” – you must deliver us the next best option to enable us.
Security: Well … you can try doing X or Y, with additional safeguards of Z and U implemented.
Business: OK, that’s better! What are the known consequences of using this approach that you are suggesting?
Security: A huge meteor swarm hits Earth, everybody dies.
Business: Uh…OK. Business has the right to accept the risks, right?! Risk accepted.
BOOM!!! Everybody dies.
5,000 years pass by…
An alien spaceship finds the now-defunct Earth, lands, and alien archeologists – in a bout of deeply alien curiosity – decide to figure out “what killed Earth?”
They find a record of the above conversation on a miraculously survived tablet device and an argument starts between the aliens: who killed everybody on Earth, SECURITY or BUSINESS?
So, who do you think did? Essentially, there are two camps of … ahem… aliens arguing:
- Security is at fault – they did not communicate the risks well enough, or…
- Business [government agency] is at fault – they were stupidly negligent and didn’t listen to clear and precise communication, backed up by facts and external experts.
Which one sounds closer to the truth, if there is such a thing here?
Of course, this is not a blog post about the OPM breach. It is a parable about the fine line we have to tread in our daily jobs. As a security technologist you may be asked to do the impossible. While I think optimism is a great belief system, sometimes the impossible is not just very difficult… it is actually frigging’ IMPOSSIBLE. And so-called “next best option” is that you all friggin’ die!
- An enterprise-grade “APT-ready” SOC at $0 … no good options!
- An in-house run SIEM with no personnel dedicated to it … no good options!
- Patch as fast as possible – with no automation and fragile legacy systems … no good options!
- Processing super-secret data on an employee-owned PC on public wifi … no good options!
Conclusion: sometimes, “NO” is the right answer! Well, that and digging a deep enough bunker or moving to a space station before the meteor swarm hits!
Select blog posts tagged “philosophical”: