Business: Saying NO is not an option. Security must enable the business. What is the next best option, apart from your current position of “NO, do NOT do this”?
Security: There are no good options here; we did the analysis several times, consultants and Gartner GTP analysts confirmed our findings.
Business: Remember that bit about “enabling the digital business”? You cannot say “no” – you must deliver us the next best option to enable us.
Security: Well, you can try doing X or Y, with additional safeguards of Z and U implemented.
Business: OK, that’s better. What are the known consequences of using this approach that you are suggesting?
Security: A huge meteor swarm hits Earth, everybody dies.
Business: Uh, OK. Business has the right to accept the risks, right? Risk accepted.
BOOM. Everybody dies. Then, 5000 years pass by.
An alien spaceship finds the now-defunct Earth, lands, and alien archeologists - in a bout of deeply alien curiosity - decide to figure out “what killed Earth?”
They find a record of the above conversation on a miraculously survived tablet device and an argument starts between the aliens: who killed everybody on Earth, SECURITY or BUSINESS?
So, who do you think did? Essentially, there are two camps of, ahem, aliens arguing:
- Security is at fault – they did not communicate the risks well enough, or
- Business [government agency] is at fault - they were stupidly negligent and didn’t listen to clear and precise communication, backed up by facts and external experts.
Which one sounds closer to the truth, if there is such a thing here?
Of course, this is not a post about the OPM breach. It is a parable about the fine line we have to tread in our daily jobs. As a security technologist you may be asked to do the impossible.
While I think optimism is a great belief system, sometimes the impossible is not just very difficult; it is actually frigging’ IMPOSSIBLE. And so-called “next best option” is that you all friggin’ die.
- An enterprise-grade “APT-ready” SOC at $0 - no good options
- An in-house run SIEM with no personnel dedicated to it - no good options
- Patch as fast as possible – with no automation and fragile legacy systems - no good options
- Processing super-secret data on an employee-owned PC on public wifi - no good options
Conclusion: Sometimes, “NO” is the right answer! Well, that and digging a deep enough bunker or moving to a space station before the meteor swarm hits.
By Anton Chuvakin - Research Analyst, Gartner