The light switch is on or it’s off.
The stereo is on or it’s not.
My child is screaming or he’s not.
Our assets are secure or they are insecure.
On the surface, it appears to be an easy call – are you vulnerable, have you been breached, is data being exfiltrated? Most organizations, most of the time, are likely to fall into the insecure column. The information security team is responsible for creating a secure environment, protecting the data, and communicating back to their executives that security has been achieved.
But a light switch isn’t kind of on. Unless you’ve done something silly like install a Z-Wave dimmer so you can find the perfect amount of illumination for every time and mood through a mobile app…but generally speaking, a switch, a stereo, or anything else defined as binary doesn’t have grey areas.
Security, however, has grey areas. Big, fat grey areas. Are you secure if attackers haven’t found your vulnerabilities? Are you secure if YOU haven’t found your vulnerabilities? Are you secure if data is unusable once extracted due to encryption? Are you secure if you’re compliant? (Just making sure you were still reading)
Security is not binary.
Risk teams have accepted this. Fraud teams have accepted this. Loss Prevention teams have accepted this.
Yet absolutes still get used when discussing information security. “How can we secure this?” vs. “How can we make this more secure?” “When will the new environment be secured?” “We will be secure once we implement the new, shiny controls framework.” They get used because it’s easy. Actually measuring how secure you are is relatively hard.
As security professionals, we need to set the expectation that doing a good job of security means understanding our risks and using the tools at our disposal to reduce them to a pre-established level. That means adopting good methods of measuring our security that include every member of the organization who can help or hinder it, and reporting regularly on how our efforts have reduced the chance of security incidents, so the organization gains an understanding of the true task at hand. As we get better at providing this explanation, it will help dispel the expectation that we can make everything perfectly secure and allow us to manage the business of security appropriately.