Sunday, April 3, 2016

Security is really about Risk vs Reward

Every now and then the conversation erupts about what is security really? There's the old saying that the only secure computer is one that's off (or fill in your favorite quote here, there are hundreds). But the thing is, security isn't the binary concept: you can be secure, or insecure. That's not how anything works. Everything is a sliding scale, you are never secure, you are never insecure. You're somewhere in the middle. Rather than bumble around about your risk though, you need to understand what's going on and plan for the risk.

So this brings us to the idea of risk and reward. Rather than just thinking about security, you have to think about how everything fits together. It doesn't matter if your infrastructure is super secure if nobody can do their jobs. As we've all seen over and over, if security gets in the way, security loses. Every. Single. Time.

I think about this a lot, and I've come up with a graph that I think can explain this nicely.

Don't think in the context of secure or insecure. Think in the context of how much risk do I have? Once you understand what your risks are, you can decide if the level of risk you're taking on can be justified by what the result of that risk will be. This of course holds true for nearly all decisions, not just security, but we'll just focus on security.

The above graph puts things into 4 groups. If you have a high level of risk with minimal reward (the Why box), you're making a bad decision. Anything you have in that "Why" box probably needs to go away ASAP, you will regret it someday.

Additionally, if your sustaining operations are of high risk, you're probably doing something wrong. Risk is hard and drains an organization, you should be conducting your day to day operations in a manner than poses a low risk as the day to day is generally not where the high reward is.

The place you want to be is in the "Innovation" or "No Brainer" boxes. Accepting a high level of risk isn't always a bad thing, assuming that risk comes with significant rewards. You can imagine a situation where you are deploying a new and untested technology, but the benefits to conducting business could change everything, or perhaps using a new, untested vendor for the first time.

We have to be careful with risk. Risk can be crippling if you don't understand and manage it. It can also destroy everything you've done if you let it get out of hand. Many of us find ourselves in situations where all risk is seen as bad. Risk isn't always bad, risk is never zero. It's up to everyone to determine what their acceptable level of risk is. Never forget though, that sometimes we need to bump up our level of risk to get to the next level of reward. Just make sure you can bring that risk back under control once you start seeing the outcomes.

What do you think? Let me know: @joshbressers