security really can stifle business initiatives

(Sometimes I do some thinking on my walk to my car for lunch; sadly, the time when I usually don’t have anything upon which to take notes…)
Since I openly contrasted my latest two jobs earlier, I was thinking about their differences. My previous job preferred to get things done, and think about security later. My current job has a few people who prefer to wave security around as a business barrier.
But perhaps that is just something security will very often be. Something tacked on only after it is known that something will work. Why stifle a business or initiative with security when you don’t even yet know if the business or initiative is even viable?
I think this is why developers and programming instructors have such a hard time with security in applications. Functionality is the key component. If it has security but is too late to save the business, what good is it? If it can be delivered on time and let the company flourish, but with less security, is that not better?
But how far do you go with security or insecurity? Therein is the art of risk (which I truly think is an art, and more difficult than anyone really expects). Do you kill a business by paralyzing it with security paranoia and control? Do you let it run rampant with zero security and not even any locks on the doors? Do you do just enough to satisfy negligence? Do you fling up stop signs or just directional cones?
Like every discussion on security, there are exceptions, there are varying levels and tolerances between technologies, companies, managers, and so on. Not only do we not have a silver bullet device to provide security (and never will), but we also don’t have silver bullet methodologies or even approaches that can cover all those differences. Therein also lies friction between finance/auditors, management, and IT/security. It can be artful, subjective, which flies in the face of objective approaches…
One thing we do need, as security practitioners, is the constant harping of media about security issues, whether accurate or not. Too often security is only focused upon after an incident or after some insightful awareness presented to management in dreams of angels and fire…but at least media can help keep the minds that be where they ought be.