the delicate dance of availability

Quick article over at InformationWeek where there are two points that caught my eye (that part where my pet peeves lounge).

The study queried more than 200 security professionals about their organization’s ability to detect and deal with advanced, persistent threats.

I’d like to hear why Random Corp ABC needs to worry about APT. I can tell you why Boeing or Google or PayPal may care about APT, but some nebulous, possibly SMB-sized, company shouldn’t by default be caring about APT. That makes this question useless.

Interestingly, when it comes to responding to security incidents, what respondents fear most of all isn’t intellectual property theft, corporate brand implosion, or recovery costs, but downtime. Indeed, 93% of respondents said that network or system outages were their primary post-incident concern, and 92% said they feared excessively long cleanup times.

It’ll make a smart security geek wince, but it’s true. That A in CIA (Availability) may mean the least to security, but it means the most to organizations. Down systems are very obviously and clearly resulting in lost productivity or customer frustration and loss. Disclosure of C or I (or other security incidents) are not usually so obvious and in-your-face.

Should we fear downtime the most? I guess it doesn’t matter, since the business is going to force us to fear downtime the most, in many cases. Which is doubly fun because not only should you avoid downtime caused by attackers (read: sec incidents), but also downtime caused by implementing security controls or security tools disrupting things. It’s often like threading a tiny needle with fluffy yarn!