May 9, 2023 By George Platsis 4 min read

Emphatically, no, it isn’t. But now that we have your attention, is that even the right question? Probably not. Your security can never truly be “too good”; conversely, neither can it be “too poor,” though it is possible to have “bad” security (more on that in a moment). If security is addressed in binary modes, there is a good chance the apparatus has been designed in isolation from other functions and processes.

If you have a problem with your security, it’s not that it’s “too good”. Rather, the issue likely lies with your risk management plan. Therefore, the “right” question is: Is your security apparatus aligned with your operational needs, risk tolerances and business resources?

“Remember that time when…?”

Almost every person reading this article has run into an information security technical challenge. The challenge could have come during onboarding and setting up accounts, such as an authentication step failing. Or it may have come during a device switch where some management system prevented new hardware from accessing resources.

There is always a reason — usually a good one — for a security hiccup, but that hiccup takes valuable time from other business needs. Sometimes, luck intervenes and a quick call to the help desk resolves it. Other times, your device ends up bricked and it is workaround-city until the new kit arrives.

We all have a story. And if you are in the information and cybersecurity spaces, the reasoning behind the security measures causing the issues can be easy to defend. But CISOs and other security and information officers have different interests from other users who just want to get their jobs done — jobs that are probably not security-related.

The necessity of risk management

Information and security officers have a simple mandate: secure the organization’s information and technology assets. But successfully delivering on their mandate is contingent on understanding operational and business driver requirements. And because business delivery has changed so much over the last 10 to 15 years, virtually all aspects of an organization’s business are integrated into, or dependent on, technology.

Need a retail payment processed? It’s likely going through an app. Need to access a document? It’s probably sitting with a cloud service provider. Need to analyze some data? There’s a good chance artificial intelligence is part of the process.

Do not forget, all of those functions happen over the internet: just another third-party service in the mix. If you are not asking, “Can we operate without an internet connection?” you are missing the boat in your planning. And if the answer is no, you better be sure to have some up-to-date and tested business continuity and disaster recovery plans.

The ability to do anything offline now is so increasingly low that information security leaders need to continually ask, “What operational impact are the security measures causing?” Three buckets to consider:

  • Security measures cause irregular inconveniences to users. This is a good place to be.
  • Security measures cause regular annoyance to users. Not the best, but not the worst.
  • Security measures result in constant prohibitions. Here, users cannot successfully complete their work. An organization in this situation is not doing well.

An organization in the last bucket is likely suffering from business and security functions not talking to each other, or if they are, they are not understanding each other. Moreover, it’s likely that risk assessments are being done in silos, or worse, that those risks are not well understood.

Mandatory requirement: The risk acceptance process

Assume for a moment the organization has understood its risks and completed informative assessments. Leadership has well-defined risk tolerances and the organization even has a very security-minded culture and workforce. Could an organization still trip up? Yes, if they do not have a formalized risk acceptance (or exception or exemption) process.

Consider this scenario for a moment: an organization makes a risk management decision that all traffic must pass through a VPN, prohibiting all other device connections. On the surface, this appears reasonable, but it also means an active internet connection is required. Now, imagine this same organization has a comparatively small business unit that often does work in remote areas where internet connections are not stable or unavailable.

Do you see the problem looming?

This is a scenario where the risk acceptance process is vital to operations. Business and security leaders need to come to an arrangement and document the risks, management, outcomes and recovery steps from potential fallout.

In this scenario, users could receive “remote only” devices with different configurations, such as restricted or segmented access when they do go online, limiting the potential blast radius if something goes wrong. This is a technology workaround.

Or perhaps the risks are too great and a process workaround is used. For example, users are expected to use manual tools while unable to connect and then transfer their work product when online. If this is the route to take, business leaders need to build in the operational lag this scenario could cause. All the more reason to encourage buy-in from everyday users.

Avoiding the road to “bad” security

We began with the question of whether your security could be “too good”. Chances are, you will never run into that situation. But you can certainly run into a “bad” security situation, likely as a result of mismatched operational and security needs. You can avoid this situation through sound risk management practices, but more importantly, by working with businesses and operations to learn their needs.

More from Risk Management

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

How I got started: Ransomware negotiator

4 min read - Specialized roles in cybersecurity are proliferating, which isn’t surprising given the evolving threat landscape and the devastating impact of ransomware on many businesses.Among these roles, ransomware negotiators are becoming more and more crucial. These negotiators operate on the front lines of cyber defense, engaging directly with cyber criminals to mitigate the impact of ransomware attacks on organizations.Ransomware negotiators possess a unique blend of technical expertise, psychological insight and negotiation skills that allow them to navigate the high-stakes environment of ransomware…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today