As a security professional today, is it better to see the world in black and white and have a firm view on what is needed to be secure, or is it better to take a risk-based approach, explain the trade-offs and allow someone else, say the business, to make the decision?
To generalize, I would say current thinking is that the latter is a far superior view. The former represents the world view before we became enlightened security professionals who, rather than saying "No", worked with the business and IT to find an amicable solution. The security equivalent of getting to yes.
Now, while this is a great interview answer, impressive in a PowerPoint deck or in a speech by the CISO, does it really work well in practice? More importantly, does it provide the best long-term security posture for the organization and even society?
My experience is that this enlightened approach runs into some major issues, the key ones being:
- The hardest thing in business, and in projects in particular, tends to be making decisions. There is rarely enough information and even less certainty, so people are very nervous about sticking their neck out and making a decision. However, with deadline pressures and people like developers or outsource partners needing those decisions, they need to be made. So while you may want to discuss the relative risks of sending URLs in emails and whether it would result in a material increase in phishing versus the loss of usability, the project just needs a decision.
- The difficulty of quantifying security risks, and their subjectivity, also amplifies this problem. I have talked at length in previous posts about this: there is currently no way to objectively calculate the risk of a decision like the one above, and even less chance there will be a simple risk appetite score you can compare against to say "sure, we can accept that risk" or "no, you can't".
- The business is paying you for your expertise. In virtually all other areas an SME is asked a question and a clear answer is returned. Not "well... it depends...". Strong, clear and confident positions are respected and gain influence, not wishy-washy risk-based answers. This is why something as arbitrary and as non-specific to the situation as the Company Policy or the Regulation is still brilliant. It is difficult to challenge and unequivocally black and white. Congratulations, you are now needed for your ability to press Control-F on a document.
- Providing the options and describing the risks simply moves the responsibility away from the security professional to the business or IT person. Potentially this is correct, if that person actually should be accountable for such a decision. Regardless, it is rare that they will appreciate putting their neck on the line!
It is also interesting to consider the outcomes this approach yields. Why do so many major new systems developed today still use a username and password? Why is two-factor authentication not the norm rather than the exception? Why are federated access and data loss prevention not baked in? Why is message security spurned in favour of transport security? Because it is difficult to justify the incremental decrease in residual risk from these measures when faced with the cost, time and added complexity they bring, for example for developers who already know how to implement a username and password. Would it not be better to simply take the more secure view and confidently state it is required because our Policy or Regulation requires it? This is of course until they go to the person above you, who will provide the "risk-based view".