What is perfect security? Does it mean that there can be no break-ins, no stolen credentials, no lost data? Is that a good goal?
One of the first things we discuss in Learning Tree Course 468, System and Network Security Introduction, is the set of goals for organizational security. A colleague once said his company’s goal was to be “very secure”. He wasn’t sure what he or they meant, but it at least involved something close to perfect security. Most security professionals with whom I’ve spoken don’t believe that perfect security is achievable or even desirable.
To illustrate that last point somewhat graphically, imagine a company whose data is so important that it will go to great lengths to ensure employees don’t divulge it. It monitors the office phones, scans email, and even checks backpacks and briefcases when people exit. But when a security guard mentioned that people could tape flash drives to their chests, the company got so paranoid that it decided to do a physical pat-down search on every employee with access to sensitive data when he or she left the office each day.
That’s extreme, of course, but the idea is that “perfect security” may not be desirable because it may require, among other things, onerous measures. And a small flash drive could be hidden where a pat-down would be very unlikely to find it. The company could have used airport-style body scanners to find the device; that would have been more expensive and possibly less intrusive. Or it could have just used metal detectors and been a tiny bit less secure and far more employee-friendly.
There are ways around virtually any scheme to secure data. At some point there is a financial trade-off: spending more money to protect something than it is worth is not a good solution. The law of diminishing returns comes into play in cybersecurity. So before looking at how to protect an asset, we need to assess its value and the risk to that asset.
Assessing value generally involves more than just computing the replacement cost. If someone were to access an organization’s data, they could release it to the public, create a competing product, or otherwise diminish the organization’s value. Even public entities have a “value” in that sense. So the assessment of value needs to be done carefully. It needs to take into account at least the cost of theft, modification, or destruction of the data.
Likewise, assessing risk is a major task. There are risk management specialists who are trained to analyze risks and the likelihood of specific threats. Many of those analysts are not well versed in cybersecurity, so it is important to use one who is.
Rather than trying to be “completely secure” or “really secure” or buying the latest shiny security gadget, look at the value of your assets and at the associated risks. Please use the comment section below to share any enlightening risk assessment stories you can.