May 9, 2023 By George Platsis 4 min read

Emphatically, no, it isn’t. But now that we have your attention, is that even the right question? Probably not. Your security can never truly be “too good”; conversely, neither can it be “too poor,” though it is possible to have “bad” security (more on that in a moment). If security is addressed in binary modes, there is a good chance the apparatus has been designed in isolation from other functions and processes.

If you have a problem with your security, it’s not that it’s “too good”. Rather, the issue likely lies with your risk management plan. Therefore, the “right” question is: Is your security apparatus aligned with your operational needs, risk tolerances and business resources?

“Remember that time when…?”

Almost every person reading this article has run into an information security technical challenge. The challenge could have come during onboarding and setting up accounts, such as an authentication step failing. Or it may have come during a device switch where some management system prevented new hardware from accessing resources.

There is always a reason — usually a good one — for a security hiccup, but that hiccup takes valuable time from other business needs. Sometimes, luck intervenes and a quick call to the help desk resolves it. Other times, your device ends up bricked and it is workaround-city until the new kit arrives.

We all have a story. And if you are in the information and cybersecurity spaces, the reasoning behind the security measures causing the issues can be easy to defend. But CISOs and other security and information officers have different interests from other users who just want to get their jobs done — jobs that are probably not security-related.

The necessity of risk management

Information and security officers have a simple mandate: secure the organization’s information and technology assets. But successfully delivering on their mandate is contingent on understanding operational and business driver requirements. And because business delivery has changed so much over the last 10 to 15 years, virtually all aspects of an organization’s business are integrated into, or dependent on, technology.

Need a retail payment processed? It’s likely going through an app. Need to access a document? It’s probably sitting with a cloud service provider. Need to analyze some data? There’s a good chance artificial intelligence is part of the process.

Do not forget, all of those functions happen over the internet: just another third-party service in the mix. If you are not asking, “Can we operate without an internet connection?” you are missing the boat in your planning. And if the answer is no, you had better be sure to have up-to-date and tested business continuity and disaster recovery plans.

The ability to do anything offline is now so limited that information security leaders need to continually ask, “What operational impact are the security measures causing?” Three buckets to consider:

  • Security measures cause irregular inconveniences to users. This is a good place to be.
  • Security measures cause regular annoyance to users. Not the best, but not the worst.
  • Security measures result in constant prohibitions. Here, users cannot successfully complete their work. An organization in this situation is not doing well.

An organization in the last bucket is likely suffering from business and security functions not talking to each other, or if they are, they are not understanding each other. Moreover, it’s likely that risk assessments are being done in silos, or worse, that those risks are not well understood.

Mandatory requirement: The risk acceptance process

Assume for a moment the organization has understood its risks and completed informative assessments. Leadership has well-defined risk tolerances, and the organization even has a very security-minded culture and workforce. Could an organization still trip up? Yes, if it does not have a formalized risk acceptance (or exception or exemption) process.

Consider this scenario for a moment: an organization makes a risk management decision that all traffic must pass through a VPN, prohibiting all other device connections. On the surface, this appears reasonable, but it also means an active internet connection is required. Now, imagine this same organization has a comparatively small business unit that often does work in remote areas where internet connections are not stable or unavailable.

Do you see the problem looming?

This is a scenario where the risk acceptance process is vital to operations. Business and security leaders need to come to an arrangement and document the risks, management, outcomes and recovery steps from potential fallout.

In this scenario, users could receive “remote only” devices with different configurations, such as restricted or segmented access when they do go online, limiting the potential blast radius if something goes wrong. This is a technology workaround.

Or perhaps the risks are too great and a process workaround is used. For example, users are expected to use manual tools while unable to connect and then transfer their work product when online. If this is the route to take, business leaders need to build in the operational lag this scenario could cause. All the more reason to encourage buy-in from everyday users.

Avoiding the road to “bad” security

We began with the question of whether your security could be “too good”. Chances are, you will never run into that situation. But you can certainly run into a “bad” security situation, likely as a result of mismatched operational and security needs. You can avoid this situation through sound risk management practices, but more importantly, by working with businesses and operations to learn their needs.
