May 9, 2023 By George Platsis 4 min read

Emphatically, no, it isn’t. But now that we have your attention, is that even the right question? Probably not. Your security can never truly be “too good”; conversely, neither can it be “too poor,” though it is possible to have “bad” security (more on that in a moment). If security is addressed in binary modes, there is a good chance the apparatus has been designed in isolation from other functions and processes.

If you have a problem with your security, it’s not that it’s “too good”. Rather, the issue likely lies with your risk management plan. Therefore, the “right” question is: Is your security apparatus aligned with your operational needs, risk tolerances and business resources?

“Remember that time when…?”

Almost every person reading this article has run into an information security technical challenge. The challenge could have come during onboarding and setting up accounts, such as an authentication step failing. Or it may have come during a device switch where some management system prevented new hardware from accessing resources.

There is always a reason — usually a good one — for a security hiccup, but that hiccup takes valuable time from other business needs. Sometimes, luck intervenes and a quick call to the help desk resolves it. Other times, your device ends up bricked and it is workaround-city until the new kit arrives.

We all have a story. And if you are in the information and cybersecurity spaces, the reasoning behind the security measures causing the issues can be easy to defend. But CISOs and other security and information officers have different interests from other users who just want to get their jobs done — jobs that are probably not security-related.

The necessity of risk management

Information and security officers have a simple mandate: secure the organization’s information and technology assets. But successfully delivering on their mandate is contingent on understanding operational and business driver requirements. And because business delivery has changed so much over the last 10 to 15 years, virtually all aspects of an organization’s business are integrated into, or dependent on, technology.

Need a retail payment processed? It’s likely going through an app. Need to access a document? It’s probably sitting with a cloud service provider. Need to analyze some data? There’s a good chance artificial intelligence is part of the process.

Do not forget, all of those functions happen over the internet: just another third-party service in the mix. If you are not asking, “Can we operate without an internet connection?” you are missing the boat in your planning. And if the answer is no, you better be sure to have some up-to-date and tested business continuity and disaster recovery plans.

The ability to do anything offline now is so increasingly low that information security leaders need to continually ask, “What operational impact are the security measures causing?” Three buckets to consider:

  • Security measures cause irregular inconveniences to users. This is a good place to be.
  • Security measures cause regular annoyance to users. Not the best, but not the worst.
  • Security measures result in constant prohibitions. Here, users cannot successfully complete their work. An organization in this situation is not doing well.

An organization in the last bucket is likely suffering from business and security functions not talking to each other, or if they are, they are not understanding each other. Moreover, it’s likely that risk assessments are being done in silos, or worse, that those risks are not well understood.

Mandatory requirement: The risk acceptance process

Assume for a moment the organization has understood its risks and completed informative assessments. Leadership has well-defined risk tolerances and the organization even has a very security-minded culture and workforce. Could an organization still trip up? Yes, if they do not have a formalized risk acceptance (or exception or exemption) process.

Consider this scenario for a moment: an organization makes a risk management decision that all traffic must pass through a VPN, prohibiting all other device connections. On the surface, this appears reasonable, but it also means an active internet connection is required. Now, imagine this same organization has a comparatively small business unit that often does work in remote areas where internet connections are not stable or unavailable.

Do you see the problem looming?

This is a scenario where the risk acceptance process is vital to operations. Business and security leaders need to come to an arrangement and document the risks, management, outcomes and recovery steps from potential fallout.

In this scenario, users could receive “remote only” devices with different configurations, such as restricted or segmented access when they do go online, limiting the potential blast radius if something goes wrong. This is a technology workaround.

Or perhaps the risks are too great and a process workaround is used. For example, users are expected to use manual tools while unable to connect and then transfer their work product when online. If this is the route to take, business leaders need to build in the operational lag this scenario could cause. All the more reason to encourage buy-in from everyday users.

Avoiding the road to “bad” security

We began with the question of whether your security could be “too good”. Chances are, you will never run into that situation. But you can certainly run into a “bad” security situation, likely as a result of mismatched operational and security needs. You can avoid this situation through sound risk management practices, but more importantly, by working with businesses and operations to learn their needs.

More from Risk Management

Water facilities warned to improve cybersecurity

3 min read - United States water facilities, which include 150,000 public water systems, have become an increasingly high-risk target for cyber criminals in recent years. This rising threat has demanded more attention and policies focused on improving cybersecurity.Water and wastewater systems are one of the 16 critical infrastructures in the U.S. The definition for inclusion in this category is that the industry must be so crucial to the United States that “the incapacity or destruction of such systems and assets would have a…

Working in the security clearance world: How security clearances impact jobs

2 min read - We recently published an article about the importance of security clearances for roles across various sectors, particularly those associated with national security and defense.But obtaining a clearance is only part of the journey. Maintaining and potentially expanding your clearance over time requires continued diligence and adherence to stringent guidelines.This brief explainer discusses the duration of security clearances, the recurring processes involved in maintaining them and possibilities for expansion, as well as the economic benefits of these credentialed positions.Duration of security…

Remote access risks on the rise with CVE-2024-1708 and CVE-2024-1709

4 min read - On February 19, ConnectWise reported two vulnerabilities in its ScreenConnect product, CVE-2024-1708 and 1709. The first is an authentication bypass vulnerability, and the second is a path traversal vulnerability. Both made it possible for attackers to bypass authentication processes and execute remote code.While ConnectWise initially reported that the vulnerabilities had proof-of-concept but hadn’t been spotted in the wild, reports from customers quickly made it clear that hackers were actively exploring both flaws. As a result, the company created patches for…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today