Emphatically, no, it isn’t. But now that we have your attention, is that even the right question? Probably not. Your security can never truly be “too good”; conversely, neither can it be “too poor,” though it is possible to have “bad” security (more on that in a moment). If security is addressed in binary modes, there is a good chance the apparatus has been designed in isolation from other functions and processes.
If you have a problem with your security, it’s not that it’s “too good”. Rather, the issue likely lies with your risk management plan. Therefore, the “right” question is: Is your security apparatus aligned with your operational needs, risk tolerances and business resources?
“Remember that time when…?”
Almost every person reading this article has run into an information security technical challenge. The challenge could have come during onboarding and setting up accounts, such as an authentication step failing. Or it may have come during a device switch where some management system prevented new hardware from accessing resources.
There is always a reason — usually a good one — for a security hiccup, but that hiccup takes valuable time from other business needs. Sometimes, luck intervenes and a quick call to the help desk resolves it. Other times, your device ends up bricked and it is workaround-city until the new kit arrives.
We all have a story. And if you are in the information and cybersecurity spaces, the reasoning behind the security measures causing the issues can be easy to defend. But CISOs and other security and information officers have different interests from other users who just want to get their jobs done — jobs that are probably not security-related.
The necessity of risk management
Information and security officers have a simple mandate: secure the organization’s information and technology assets. But successfully delivering on their mandate is contingent on understanding operational and business driver requirements. And because business delivery has changed so much over the last 10 to 15 years, virtually all aspects of an organization’s business are integrated into, or dependent on, technology.
Need a retail payment processed? It’s likely going through an app. Need to access a document? It’s probably sitting with a cloud service provider. Need to analyze some data? There’s a good chance artificial intelligence is part of the process.
Do not forget, all of those functions happen over the internet: just another third-party service in the mix. If you are not asking, “Can we operate without an internet connection?” you are missing the boat in your planning. And if the answer is no, you better be sure to have some up-to-date and tested business continuity and disaster recovery plans.
The ability to do anything offline now is so increasingly low that information security leaders need to continually ask, “What operational impact are the security measures causing?” Three buckets to consider:
- Security measures cause irregular inconveniences to users. This is a good place to be.
- Security measures cause regular annoyance to users. Not the best, but not the worst.
- Security measures result in constant prohibitions. Here, users cannot successfully complete their work. An organization in this situation is not doing well.
An organization in the last bucket is likely suffering from business and security functions not talking to each other, or if they are, they are not understanding each other. Moreover, it’s likely that risk assessments are being done in silos, or worse, that those risks are not well understood.
Mandatory requirement: The risk acceptance process
Assume for a moment the organization has understood its risks and completed informative assessments. Leadership has well-defined risk tolerances and the organization even has a very security-minded culture and workforce. Could an organization still trip up? Yes, if they do not have a formalized risk acceptance (or exception or exemption) process.
Consider this scenario for a moment: an organization makes a risk management decision that all traffic must pass through a VPN, prohibiting all other device connections. On the surface, this appears reasonable, but it also means an active internet connection is required. Now, imagine this same organization has a comparatively small business unit that often does work in remote areas where internet connections are not stable or unavailable.
Do you see the problem looming?
This is a scenario where the risk acceptance process is vital to operations. Business and security leaders need to come to an arrangement and document the risks, management, outcomes and recovery steps from potential fallout.
In this scenario, users could receive “remote only” devices with different configurations, such as restricted or segmented access when they do go online, limiting the potential blast radius if something goes wrong. This is a technology workaround.
Or perhaps the risks are too great and a process workaround is used. For example, users are expected to use manual tools while unable to connect and then transfer their work product when online. If this is the route to take, business leaders need to build in the operational lag this scenario could cause. All the more reason to encourage buy-in from everyday users.
Avoiding the road to “bad” security
We began with the question of whether your security could be “too good”. Chances are, you will never run into that situation. But you can certainly run into a “bad” security situation, likely as a result of mismatched operational and security needs. You can avoid this situation through sound risk management practices, but more importantly, by working with businesses and operations to learn their needs.