The security community is well trained at selecting which controls mitigate which risk. Unfortunately, that is only part of the equation; where we often fail is in determining the cost or impact of those controls. By impact I'm not just talking about the $$$ to purchase a solution, but the cost to maintain those controls, the impact of lost productivity or employee time, and even the damage to your culture (ever wonder why people hate the security team?). Believe it or not, organizations do not exist to be secure; they exist to get something done. As such, perfect security is not our goal; good enough is our goal. And good enough means not just risk mitigation, but taking impact into account. Here are two recent examples I ran into where our community gets "Good Enough" wrong.
- Password Expiration: We recently published a blog on why it's time to kill password expiration. Every time someone argued for password expiration, they focused only on risk mitigation: "But in situation X it is possible for password expiration to stop an attack!" Unfortunately, these same people failed to also take into account the impact to the organization: the lost man hours, the growing resentment against security, etc. Trust me, the cost is very high. The hardest part of our job is often not deciding which controls to use, but deciding which controls not to use. The problem is that too few security professionals include cost/impact in their risk management process. As Bruce Schneier has been telling us for years, security is compromise; we tend to forget that.
- Password Managers: Security professionals also forget that there is no perfect solution. Password managers are a great example. Are password managers perfect? No. Can they be a single point of failure? Yes. However, are they better than simply telling millions of people around the world to use really complex passwords that must be unique for every account and then never write them down? Absolutely.
Ultimately what makes security so hard is defining "Good Enough", which is different for every organization. Every organization has different goals, requirements and tolerance for risk. However, we have to stop focusing on "Absolute or best security" and focus on "good enough", and we can't achieve that unless we take into account both risk mitigation AND impact.
PS: Shout out to Marcus Ranum, who first beat this wisdom into my head over beers many, many years ago. I'm simply repurposing his wisdom for others, as I still find myself running into this.