When having a discussion about digital security, it is important to keep a few things in mind: perspectives, assumptions, and definitions. In short, we need to get on the same page so that we can discuss properly, sort of like normalizing fractions so that you can compare them directly. Is 13/15ths greater than 41/45ths?
When it comes to security solutions, I increasingly find two different perspectives related to scale. In fact, I’m sure I have these sides as well. And no, I don’t have good names for these sides; microscopic and macroscopic didn’t seem to quite fit.
First, I have a side that looks only at what my finite organization needs in terms of security. What works for me may not work for others. These solutions only need to scale as far as I need for my org. They may even scale poorly to the cybersphere. For example, I like to use arpwatch on my local networks to spot rogue devices. This works for me, but may not work for a 10,000-node infrastructure. Another example would be my personal decision to use a seatbelt when driving.
Second, I have a side that I would show more often if I worked for an ISP, or some less finite organization looking for absolute or universal utility. These solutions need to scale only so far as…well…everyone and every system. An example might be trying to solve a universal cyber identity issue, or a protocol issue (DNSSEC), or a global security standard. Or the entire existence of seatbelts in cars.
Both of those sides can often be at odds, and each has good reasons. It is important to make sure the participants in a discussion match their perspectives and scopes. It is also important to be consistent with our own application of these perspectives to our goals and projects.