Security 404 – Balancing Compromise

The test of a first-rate intelligence is the ability to hold two opposed ideas in the mind at the same time and still retain the ability to function. F. Scott Fitzgerald

While I can't speak to first-rate intelligence I feel like this quote perfectly describes my role in information security. I do not hold a high-level position, but still, when it comes to influence in business, information security is a topic where even a lowly analyst is given unparalleled access and opportunity.

Because technology is central to most business functions, any threat to that technology directly impacts the bottom line. This threat cycle is well known by now. At this point most organizations have methods to determine risk and to threat model certain business decisions. This is part of my job and the basis for this post.

Everyone likes a direct answer to a question. Everyone loves to be able to say, “This is how we need to do this”, or “That is how this is done”. It's even better to be able to back it up, like “Based on NIST SP.... we would need to do it like this”, or, “we're held to HIPAA, so we treat this information like so”. Not every organization is held to these types of regulatory standards, though, and when they aren't, the decisions made and the conversations had become more and more of a compromise between business and security objectives.

Being able to successfully strike a balance between these two objectives is difficult. It requires leaving egos at the door, and realizing that true compromise is the line in between, where each side feels like they have lost a little. As basic security practices become more mainstream, these harder conversations do too. It's not difficult to convince a business to fix a high-level critical vulnerability, but getting individuals on board for limiting certain types of data sharing seems to be an uphill battle.

Of course this isn't always the case. There are “security conscious” organizations that drive security objectives like nails into the coffin of business strategies, effectively ignoring anything potentially going against their views of perceived risk.

On the other end there are businesses that show off security audits and personnel like baubles, while never really intending to let any security-based decisions affect the organizational culture.

It doesn't take first-rate intelligence to see that any extreme method is incorrect, and that balance is the correct approach. This leads to my personal InfoSec motto:

Information Security is simple. People are hard.

I'm biased toward this motto, being a bit shy and introverted. It still seems to be the case, though. Regardless of their needs for compliance, their directives for cooperation (or even sometimes their own desires), sometimes people just suck.

Even though the above is true, people sometimes have a point. A business can't thrive if it's being bogged down by security controls, and could eventually be choked out by them. So... how to balance?

Balance itself is something I think is usually seen as a static thing. I believe, though, that it is fluid. Balance can be achieved by a static setup at a certain point in time (like balancing on one leg), but not indefinitely. Over time you could get tired, pushed over, hit by lightning, etc. Time throws off balance. So, if you're trying to keep your balance you have to keep shifting and keep stabilizing; the moments when you are actually balanced might be considered short compared to the time you spend keeping yourself balanced.

So should balance between security and business objectives be the goal? Sure, I think the term “balance” is OK, so long as the concept of balance is not one of stagnation, but one of ongoing evaluation and growth. This is not new and falls in line with the concept of compliance audits that range over a period of time (SOC Type 2 audits are like this).

There might need to be a mind-shift in negotiations between security and business objectives where compromises are being sought. Something may be considered a mid-level security risk but desired by the business; so, as long as there would not be any immediate due diligence concerns, a balance might be to agree to proceed with the business's wishes for now, with a re-evaluation after a set period of time to determine whether the mid-level risk is the same, greater, or less.

This is flow, this is an open mindset where time is the balancing factor.