Last night I attended a vendor presentation about cloud-based risk and the threat from nation state attacks. Unfortunately, due to a busy schedule and a difficult journey, I arrived just as the final presentation moved to its Q&A stage. Listening to a Q&A session when I had no idea what the content of the presentation had been was actually quite an interesting experience, unfortunately not for all the best reasons. A section of the audience immediately dived into the detail and tried to find fault with the solutions that had evidently been outlined. They poked and prodded the presenter until she admitted that no solution was 100% and, yes, there were ways to mount a successful attack even with her recommendations in place. At that point, the questioners sat back in their seats, triumphant – they had won. There seemed little interest in continuing the conversation to figure out ways to minimize the remaining risk, and their body language suggested that they had mentally discounted everything that had been said.
I was a little disappointed by this. Some S&R pros seem to treat information security as an academic exercise, a challenge where the best argument wins and security is a mere footnote. These folk are often also the ones who overreact to very complex, and very unlikely, technical threat scenarios while overlooking behaviors and processes that may be fundamentally flawed. They appear unhappy with any security solution that isn’t perfect. I had hoped that we all recognized that good security was not about hitting a home-run; it’s much more about applying the 80/20 rule over and over again, iteratively reducing the risk to the organization.
Some firms are having difficulties filling security positions and I can understand why this sort of theoretical approach to risk management could be a limiting factor – above all else, security must be practical or it will be circumvented. As S&R professionals, we should have the word “pragmatism” associated with everything we touch.