When it comes to security, the human quest for perfection can end up muddying our thinking. We act as if we don’t know that, on any given day, even the lowly Cubs can beat the mighty Yankees, and that a lucky hacker might be able to break into the most secure business system. We demand perfection, and we’re continually disappointed. And that makes it harder to think clearly and objectively about actually reducing our company’s security risks.
Guest author Nathaniel Borenstein is chief scientist at Mimecast.com and has contributed to numerous Internet RFCs relating to MIME as well as authoring three software patents on early work on Internet payments in the mid-1990s.
The quest for perfection obscures the tradeoffs inherent in risk reduction. It encourages businesses to scamper down rabbit holes trying to perfect security techniques rather than declaring them “good enough” and looking for the next low-hanging fruit.
If businesses want to achieve their security goals, step one is to choose goals that are achievable and realistic. With that philosophy, businesses can devise security policies driven by two achievable goals:
- It may sound cynical, but avoiding legal liability for security negligence is an excellent goal. Not only does it protect your business, but it generally requires your organization to take advantage of the best practices and policies that are widely agreed upon. Security quality standards and independent auditors are the best protection against being found negligent, and they put businesses at the same starting line as everyone else.
- Create a culture that pays attention to security, but doesn’t obsess about it. Everyone should understand what they can do to promote security, and then move forward bravely in the face of the unknown.
Of course, it’s common nowadays to say that “security is everyone’s business” but far less common to translate that idea into actionable “good enough” responsibilities for each employee. A few commonsense guidelines can help:
- Make realistic rules. If you’re not realistic, employees will tune you out. If you say “don’t ever do X,” but someone turns out to have a good reason to do X, they will take the rules less seriously. It’s far better to explain why an employee shouldn’t do X, list some alternatives, and give mitigating advice for the times when X is unavoidable. For example, when extremely complex password requirements result in passwords no one can memorize, they end up on post-its near the desk. Such a complex password policy should be accompanied by advice on how to manage an unmemorable password. (For example, “Keep it in your wallet, not on the wall.”)
- Actively engage everyone. Every employee is potentially the weakest link in a business’ security perimeter. They are less likely to slip if they have duties they are actively encouraged to pursue. It scarcely matters what their duty is; if they can be convinced to take it seriously, they will be more diligent about security in general.
- Delegate. If you’re not a security expert, you have no chance of making good decisions about policies and priorities. Find someone more knowledgable than you, trust them, empower them, and give them as many resources as you can. Additionally, newer, cloud-based solutions can give your business more control and visibility while taking advantage of the additional resources and expertise of the cloud provider.
- Regularly bring in fresh blood. No security expert is perfect, and everyone must work to stay current. Encourage the security team to participate in conferences, online forums and other events that will expand their horizons. If your team is very small, bring in consultants now and then – preferably not always the same ones – to shed light on their blind spots.
- Plan for failure. Since security is never perfect, yours may fail some day. You need to make sure that if it does, your PR, sales, legal and technical/disaster recovery teams know what to do and can act fast.
Just as modern medicine prolongs the life of incurable geriatrics at great expenses, too often modern security pursues an impossible goal of perfection while neglecting simpler organizational measures that can cost-effectively improve the odds. It’s time to stop thinking of security as a mathematical problem with a perfect solution, and instead to think of it as a shared responsibility, with everyone in your team knowing how to play a part.