What is good enough security?
Finding appropriate levels of security.
- Good enough is good enough.
- Good enough always beats perfect.
- The really hard part is determining what is good enough.
— Ravi Sandhu
Although true, it is trite to speak these days about the importance of security to an organization. Even famously news-unaware members of the general populace are aware that their data has probably been compromised at their bank, an online retailer, a dating site, or, as 21 million people discovered, the Office of Personnel Management. They know that hackers and hacktivists consistently thumb their noses at authority and deliver a sharp stick to the eye of multinational corporations and nation-state-level players.
Many people are aware that foreign governments are attacking power utility infrastructures, other governments, and overseas corporations, and are (questionably) being blamed for attacks on movie studios.
Awareness is not enough
On the surface, this widespread awareness has not translated into any detectable improvement to the security posture of the average organization. The reasons vary, but it largely comes down to the fact that there is no single group to whom the responsibility of security falls. The solution requires a sophisticated, iterative dance of executives, managers, software security experts, developers, testers, and operations teams. Without understanding this, there is going to be little progress. Unfortunately, very few organizations understand that security is not someone else’s problem but, to some extent, everyone’s problem.
Everybody wants security (whatever that means to them), but nobody wants to pay for it. Budgets are already strained by the failure of the software industry to deliver quality software on time and under budget. Now, the increased attention on security adds significant new costs and tasks to teams that probably lack the skills to perform them. Organizations’ defeated response is often to quietly ignore the problem and hope for the best. Even if they are attacked, it appears to many that the consequence of paying the fines, apologizing to their customers and then joining the ranks of the Breached is a cheaper, easier option.
Security is not something you decide to have (or purchase). It is something you work for. Continuously. It is a multi-step process involving the stakeholders I mentioned above. It will often require a rearrangement of responsibilities to align both the protective and productive parts of the company to work together. It requires embarking on a voyage of discovery to determine why someone might attack you. How might they attack you? Which attacks should you address first? Then what? How do you gain confidence in your solutions to these attacks? How do you learn to detect and respond to future, unanticipated attacks? It is easy to imagine that the costs associated with answering these questions and providing relevant solutions would be astronomical. But do they have to be?
Finding “good enough”
The answer can be explored by revisiting the old fairy tale of Goldilocks and the Three Bears. We imagine an information security expert with valuable skills looking at three companies as potential employers.
The first organization does not take security seriously. It is not a priority and is not likely to become one. They understand that they should care more, but their budgets are being slashed and they think they are unlikely to be targeted any time soon. Our security pro sees that this company doesn’t understand the threats it faces and therefore clearly has no plans to thwart them. The question is not if they will be attacked, but rather, when. The consequences of such an oblivious approach are likely to be devastating, if not fatal, to the company and she wants nothing to do with them. Without organizational support, she determines that she cannot be successful there.
The second company is hyper-paranoid and has the stated goal of protecting against all possible attacks. Security is their priority at the expense of everything else. They tell her that they demand a perfectly secure environment. This is as unsatisfactory a position as the first one. There is no such thing as a perfectly secure environment. It is a quixotic goal destined to consume all available resources. Even just a “highly secure” system can be unusable for many clients. Prioritizing security over features and usability is rarely going to prove a winning strategy. Despite the very avid support from above (and commensurate budget), she determines that the expectations are unrealistic and the company may not be around for long.
Finally, her prospects are buoyed by the third company. They explain the risks they face and how they prioritize their responses accordingly. They stay on top of developments in their threat models but also balance their time with usability and feature enhancements. This requires a coherent and collaborative organizational structure. It takes time and effort, but in the end they are merely addressing additional requirements that the various stakeholders need to understand, schedule, support, and test. She decides that she has a good chance of being successful here by collaborating with the development teams to produce high-quality, secure and useful software.
The three organizational responses can be categorized as:
- Not enough
- More than enough
- Good enough
Walking the tightrope
Fairy tales are intended to be simplifications of existential, psychological or moral quandaries to highlight the appropriate solution. In this case, the answer is balance—a correct, but perhaps useless, distillation of the problem. In order to strike a balance, an organization still has to have a framework for evaluating risk and to use that as the basis of their decision-making. This requires people who can evaluate potential threats, identify potential vulnerabilities and translate these compound potentialities into impacts to the business. From there, it is possible to evaluate security choices against other business activities as part of a software development process.
We are seeing shareholders begin to hold business executives accountable for security failures. This will help organizations like our first example (not enough) prioritize security higher. Market forces will take care of the second type of organization (more than enough); a security focus that starves out value-added features or makes a system painful to use will not survive.
Becoming the third type of organization (good enough) is not a given, however. It takes a commitment, an investment, and an awareness of a wide variety of potential threats to find a suitable balance.
“Good enough” is not something that can be defined outside of the context of a particular entity. It demands a level of engagement throughout to determine what it means. It is certainly possible to get clues as to what it means by comparing yourself to similar types of organizations (the Building Security in Maturity Model (BSIMM) is useful for such comparisons), but these will still only be guidelines. Your specific threats, business impacts and prioritized remedies are going to be unique and therefore must be understood.
Security has never been more critical as new threats and technologies meet the worlds of cloud computing, microservices, big data, bring your own device (BYOD) initiatives, and the complexity of government-mandated regulatory compliance. Simply existing in this space puts an organization in danger even as it learns what those risks are. This self-awareness is a necessary but insufficient response. Technologists must have sufficient training in software and network security. They must produce flexible solutions that respond to rapidly changing security challenges. Project and technical managers must expand the activities of the teams to address these requirements with an agility that matches the volatility we face. The testing and operations teams must assume new responsibilities for validating and enforcing policies. The executives must make decisions about where to spend resources. For any of this to work, incentives must be aligned.
“Good enough” in security is not easy and it changes all of the time. Fortunately, we have begun to understand what it can mean and how it can be achieved. It’s up to you to learn what this means specifically in your world.