
Infosec Management Tip: There Is No Absolutely Secure Action

August 30, 2012


It is impossible to say whether any given action is risky or not when viewed in isolation. Everything we do has a potentially positive or negative consequence, depending on the context. In other words, adding a firewall to your network may reduce or increase risk: it may block unwanted traffic, or it may introduce a new device with its own attack surface and a rule set that nobody maintains, and you can't tell which without more information. But most people, and I can't blame them for this, want things to be instant and easy. "Just tell me the right way to do something" is the common sentiment. So if somebody comes along, for example a vendor or a consultant, and feeds that desire, they'll get a lot of attention. But there's a lot more subtlety to security and risk reduction.

Fortunately, a growing number of people are realizing that there is no single right or wrong way to do things. Over the last couple of years there has been a backlash against so-called best practices. Best for whom? The security organization? The company's budget? The vendors who talk most about them? And if I can't actually put this guidance into practice without hundreds of hours of work, are the guidelines themselves even effective at helping me reduce risk?

And who comes up with this conventional wisdom anyway? Is there a group that just sits around and thinks up the absolute best way to do things? Most so-called best practices are simply what most people do, whether it works or not. To get a guideline that is a best practice for anyone and everyone, it has to be so watered down that it is meaningless. Then, when you try to actually implement it, there are more ways to get it wrong than right.

To circle back to the original point: everything you do could be a double-edged sword. You have to think carefully and make good decisions about what is right and wrong in your circumstances. For more on that train of thought, see the tip on Principles and Decision Making.

This is part of a series of short tips for Information Security Managers, where Stratigos Security will provide you with some of the benefits of our experience working with others like you. If you like what you read, come back for more!