Security is too often seen as an inhibitor of our ambitions — ambitions to fluidly develop innovative, efficient and pleasant products for users.
Particularly in large complex organisations, the purpose and practice of security can become isolated from the organisation’s core mission to meet user needs as pleasantly and cost effectively as possible.
Instead security becomes a law unto itself, possessing power and decision making beyond question.
This is dangerous. There must never be any function which is beyond challenge and beyond justification. That way lies a black hole sucking in money and crippling innovation with no explanation.
Users Do Need Safe Services
Users want services they can trust are safe. They don’t want unsafe services. Losing users means you’re not realising value, and a loss of trust can mean very final consequences for your organisation.
So you do need security to offer safe services — but you need to get it right.
Compliance Is Not Risk Management
Look at the following list of imaginary compliance security “things to do”:
Now ask yourself three questions:
- Which of the above is too much (or too little) security?
- If you had to reduce costs by 20%, which would you remove?
- Should I be using that new whizz-bang security tool everyone is raving about?
These are good questions you should always be asking. But you can’t answer them. And this is the fundamental problem with security by compliance. Unordered lists of “security things to do” don’t allow you to do genuine risk management.
Back To Basics
Lets go back to fundamentals because too many people, particularly security tool enthusiasts, don’t understand security as part of a wider picture.
- What you’re trying to protect is the valuable currency of your service to users — information — its integrity, confidentiality and its availability to users as part of a service.
- There are sources of threat to that information — some of them are people with malintent, some are environmental and accidental.
- But not all of these threat sources will have an interest in compromising your information, and even if they do, they might not have the capability.
So we need to first understand the value of the information we might want to protect. Only then can we paint a picture of the impact of failed security. And only then can we start to justify proportionate “security things to do” to mitigate the risks.
Of course, you can’t mitigate every risk, spending endless money on security, and driving users away through terrible user experience.
So the organisation must accept a level of left-over risk. You can’t pretend this will be zero. Understanding and acknowledging these risks in plain English would be the biggest first improvement for many enterprises.
Don’t pretend you can operate without risk.
Two Dimensional Security
Let’s do better than the simplistic set of “security things to do” by drawing connections between threat sources, methods of compromise, and attempts to mitigate these.
Immediately this map is vastly more useful:
- You’ve made things visible and easy to question — a good thing compared to the Byzantine and impenetrable security guides typical of enterprises.
- You can see which threat sources are in scope — perhaps you’ve missed some out, or perhaps you included too many. Maybe you don’t need to include alien ninja-cyber-warriors from Mars?
- You make explicit which methods of compromise you are thinking about. Again, perhaps you left some out, or perhaps you attributed more capability to a threat source than they actually have.
- You are transparent about which risks you will attempt to mitigate, and how. The proportionality of your measures is clearly open for all to test.
- You expose risks with multiple mitigations. These might be wasteful duplication, or intentional if you can explain why a single control isn’t sufficient.
This approach brings your rationale and decisions into the open for anyone to test and challenge.
Genuine Risk Management
A traceable security model allows genuine informed risk management.
You can see the impact of deciding not to implement some measures. You can see the impact of no longer worrying about some threat sources. You can justify the costs and impact on user experience of security. You can see and explain the left-over risks in plain English, and accept them in an informed way.
Too many enterprises can’t explain their security practices. They do what they’ve always done, or what everyone else is doing, or whatever is currently fashionable.
Don’t Forget Your People
Enterprises grow to mistrust their own people. They displace trust from people to process.
If you recruit for responsible people, you don’t need to implement cumbersome, expensive, and ultimately debilitating security — to prevent access to some websites, for example. Instead trust users, and verify behaviour, keeping out of their way. Don’t let a minority spoil it for the majority — trust people and deal with the isolated incidents.
People are your most efficient security tool. Only implement technical measures where it is not reasonable for an individual to deal with the risks on their own.
Trust people and verify behaviour.
User Experience Is Critical
Historically, user experience has not been amongst the factors weighed in security calculations. This is a disastrously narrow view of security.
The reality is this — in the face of bad user experience, users will find alternative ways of getting things done — like water finds cracks. That might be your competitors’ services. Or it might be to use convenient, but insufficiently secure services — “hotmail”, “dropbox”, “paper printouts”, “memory sticks”.
Bad user experience damages overall security.
It is shocking that so many enterprise risk assessments are still blind to this.
Security measures requiring an interaction with the user should be seen as an undesirable interruption, and as such, their necessity vigorously tested and justified. Good service designers will make security as invisible to users as possible.
The best security is invisible security.
The basic elements of security are in constant flux, and sometimes disruptively so.
Over time threat sources themselves change, their methods change — sometimes drastically and market innovation improves the cost and effectiveness of mitigations.
Even an organisation’s appetite for the amount of risk it wants to operate at can change.
This means waterfall fire-and-forget approaches to security are doomed from the outset to fail — fail by not constantly refining the footprint of security, but also fail by not keeping up with inevitable emerging risks.
It is plain — you have to continuously iterate your security. This is not a problem for organisations that are accustomed to agile iterative development of services for users. For those not, the difficulty of iterating security is too often insurmountable.
Fire-and-Forget Security is Failed Security
The right security mindset is not about fetishising compliance, seeking out every hypothetical monster hidden in shadows, or making mountains of molehill risks. It is not about a command and obey culture. It is not about being tougher than the next guy.
All that is easy, and actually pretty dumb.
Instead it is about asking “why?”, “how?” and “how far?” — and insisting on plain English answers.
And that’s more effort, and requires actually thinking about security.