The Struggle of "Good Enough" in Information Security

Dall-E 3 Generated Image: CISO climbing up a hill of boulders

After decades in the trenches of I.T. and Information Security, I grapple with a concept that goes against everything I've learned and believed in throughout my career: the notion of "good enough" security. When I started in this industry, our mantra was simple: you fix it until it's fixed. Period. Whether it was a glitchy computer, a faulty motherboard, or a bad CAT5 cable, we would not rest until we had found the root cause and implemented a solid solution. "Good enough" was not in our vocabulary. We were problem solvers and perfectionists, always striving for the best possible outcome.

This mindset served us well. It pushed us to be thorough, to understand systems inside and out, and to take pride in our work, ensuring everything ran smoothly and securely.

Fast-forward to today, and the landscape has dramatically changed. The rapid pace of digital transformation, the ever-expanding attack surface, and the increasing sophistication of threats bring many security challenges. At the same time, organizations continue to grapple with competing priorities:

  • Maintaining legacy systems while adopting cutting-edge technologies

  • Navigating complex regulatory environments

  • Managing costs in an uncertain economic climate

  • Addressing talent shortages in cybersecurity

Senior security professionals often find themselves caught between a rock and a hard place in this high-pressure environment. Not only are they tasked with protecting increasingly complex ecosystems with limited resources, but budget constraints often mean choosing between critical initiatives. Every security decision must be weighed against its impact on business agility and the bottom line. Moreover, the traditional security mindset of "prevent at all costs" is being challenged. With the realization that breaches are almost inevitable, there's a shift towards resilience and rapid response. It means making tough calls about where to allocate resources – prevention, detection, or response.

Also, as you move higher up the security and technology ranks, you are made aware, whether directly or indirectly, that "good enough" is the new gold standard. Unfortunately, this idea of "good enough" often feels like we are compromising quality and neglecting potential threats. It's a constant balancing act between baseline security practices and the practical realities of running a business.


Example Scenario: Legacy System Vulnerability

Consider a large financial institution that relies on a legacy mainframe system for its core banking operations. The InfoSec team identifies a critical vulnerability in this system that could allow unauthorized access to sensitive customer data. They propose a comprehensive system upgrade to address this vulnerability, estimating it would take three months to remediate.

The InfoSec team's risk assessment highlights:

  1. There is a high likelihood of exploitation within the next 12 months

  2. The potential for significant data breaches affecting millions of customers

  3. Regulatory non-compliance risks and potential fines

  4. Reputational damage if exploited

However, when the findings are presented to business leadership, they accept the risk and treat the fix as optional. Their reasoning includes:

  1. The system has been running without incident for 20 years

  2. The upgrade would require significant downtime, disrupting operations

  3. The cost is seen as too high for a "theoretical" risk

  4. They believe existing network security measures provide adequate protection

  5. The business is planning to replace the entire system in 18-24 months

Despite the InfoSec team's strong recommendations and detailed risk analysis, the business decides the current state is "good enough." They opt to document the risk in their risk register and continue operations as usual, effectively removing the security team's ability to address the vulnerability directly. This decision leaves the InfoSec team in a difficult position:

  • They are aware of a significant vulnerability but are unable to mitigate it

  • They must continue to monitor and report on a known risk they can't address

  • They need to find alternative ways to enhance security around the vulnerable system without directly fixing it

  • They have to adjust their security strategy to account for this accepted risk


This scenario highlights the struggle with "good enough" in Information Security. InfoSec teams, trained to identify and mitigate risks, must now operate in an environment where a known, significant risk is deemed acceptable by the business. While understanding that perfect security is unattainable and some level of risk is acceptable, it can be challenging to go against your instinct.

I get it. As security professionals, especially at strategic levels like that of a CISO (Chief Information Security Officer), we primarily advise on security matters. However, the final decision on accepting or mitigating risks lies with the executive leadership, such as the CEO, CFO, and Executive Board. This shared responsibility is crucial to understanding and navigating the "good enough" mindset in information security.

But knowing this doesn't make it easier to accept that we can't always fix what's broken.

Modern Business and Information Security: Risk Management, Not Risk Elimination

Sometimes, "doing the right thing" can mean doing nothing at all: formally accepting the risk and documenting it rather than treating it (in risk-management terms this is acceptance, not avoidance; avoidance means stopping the activity that carries the risk). Security has become all about risk management, not risk elimination. This shift makes sense from a business perspective.

  • Resources are finite

  • Perfect security is an illusion

  • The threat landscape is ever-changing

  • Business operations need to continue

But for those who have built careers on fixing things correctly, it can often feel like a compromise of our core values.

From Internal Struggle to Shifting Your Perspective: The Need for Continuous Adaptation

It's a constant internal debate. The ambitious part of me, the part that is constantly pushing for excellence, pushes back against the idea of settling for just good enough. It feels like giving up, like admitting defeat before we have even started.

But the seasoned professional in me understands the realities of modern business and information & cyber security, that perfect security is unattainable, and that chasing it can lead to paralysis or ignoring real, manageable risks.

So, where does this leave us? How do we reconcile our drive for excellence with the practical realities of business?

  1. Ruthless Prioritization: If we can't do everything, we need to be smart about what we tackle. Focus on the highest-impact areas and do those well.

  2. Focus on education: Our role increasingly involves educating business leaders about risks and potential impacts. The better they understand, the more likely they are to make informed decisions. However, this approach assumes a receptive audience. In reality, we often face stakeholders who are resistant to learning or understanding how security risks impact the business or who may be intentionally avoiding understanding to maintain plausible deniability. Recognizing this challenge is crucial – we must adapt our communication strategies for those who may be actively disinterested or even hostile to security discussions.

  3. Embrace continuous improvement: "Good enough" doesn't mean static. We can continue to push for ongoing enhancements within the constraints we're given.

  4. Continue measuring and communicating value: Show the business the value of security investments. They're more likely to support further initiatives when they see the ROI. If after consistent effort, leadership remains unresponsive or dismissive of security concerns, recognize that the responsibility ultimately lies with them. At this point, your best option may be to document your recommendations, ensure your concerns are logged in the risk register, and consider pivoting your career elsewhere. Remember, "you can lead a horse to water, but you can't make it drink" – and you shouldn't stake your professional fulfillment trying. 
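Ruthless prioritization is easier to defend when the ranking is written down. The block below is an added example, not code from the article, that ranks candidate remediations by expected loss avoided per dollar using the annualized loss expectancy model (ALE = single loss expectancy × annual rate of occurrence), with a time horizon so that a system slated for replacement is scored only for the months it will still be in service. Every figure in it (losses, incident rates, costs, the 18-month horizon for the mainframe) is constructed for illustration, and the names `Risk`, `prioritize` and `CONSTRUCTED_OPTIONS` are this example's own.

```python
"""Added example: rank security remediations by expected loss avoided per dollar.

Model: ALE = SLE x ARO (single loss expectancy times annual rate of occurrence).
Expected loss over the remaining horizon is ALE scaled by the months left; a fix
removes mitigation_factor of that loss only from the month it lands. All inputs
below are constructed for illustration and are not from the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str              # several options may treat the same underlying risk
    name: str
    sle: float                # single loss expectancy, dollars (constructed)
    aro: float                # expected incidents per year (constructed)
    fix_cost: float           # cost of this remediation option, dollars (constructed)
    fix_months: float         # months until the option is effective
    horizon_months: float     # months the risk remains (e.g. until the system is retired)
    mitigation_factor: float  # fraction of ALE removed once in place (1.0 = fully fixed)


def annualized_loss_expectancy(r: Risk) -> float:
    return r.sle * r.aro


def expected_loss(r: Risk, fixed: bool) -> float:
    """Expected loss in dollars from now until the horizon, with or without the fix."""
    ale = annualized_loss_expectancy(r)
    if not fixed:
        return ale * r.horizon_months / 12
    exposed = min(r.fix_months, r.horizon_months)          # months still unmitigated
    protected = max(r.horizon_months - r.fix_months, 0.0)  # months with the fix in place
    return ale * (exposed + protected * (1.0 - r.mitigation_factor)) / 12


def loss_avoided(r: Risk) -> float:
    return expected_loss(r, fixed=False) - expected_loss(r, fixed=True)


def prioritize(options, budget):
    """Greedy ranking by loss avoided per dollar.

    Funds options in ratio order while they fit the remaining budget, avoid more
    loss than they cost, and no other option for the same risk_id is already
    funded. Returns (funded, deferred) as lists of option names; the deferred
    list is what the business is implicitly accepting.
    """
    ranked = sorted(options, key=lambda r: loss_avoided(r) / r.fix_cost, reverse=True)
    funded, deferred, covered, remaining = [], [], set(), budget
    for r in ranked:
        worth_it = loss_avoided(r) > r.fix_cost
        if worth_it and r.fix_cost <= remaining and r.risk_id not in covered:
            funded.append(r.name)
            covered.add(r.risk_id)
            remaining -= r.fix_cost
        else:
            deferred.append(r.name)
    return funded, deferred


# Constructed portfolio. The two "mainframe" rows are alternative treatments of
# the article's scenario: the full upgrade versus compensating controls, with an
# assumed 18-month horizon because the system is slated for replacement.
CONSTRUCTED_OPTIONS = [
    Risk("mainframe", "legacy mainframe upgrade", sle=5_000_000, aro=0.5,
         fix_cost=2_000_000, fix_months=3, horizon_months=18, mitigation_factor=1.0),
    Risk("mainframe", "segmentation and monitoring around the mainframe", sle=5_000_000,
         aro=0.5, fix_cost=250_000, fix_months=1, horizon_months=18, mitigation_factor=0.6),
    Risk("admin-access", "phishing-resistant MFA for privileged accounts", sle=1_000_000,
         aro=1.0, fix_cost=150_000, fix_months=2, horizon_months=24, mitigation_factor=0.8),
    Risk("wiki", "rewrite of the internal wiki platform", sle=50_000, aro=0.2,
         fix_cost=300_000, fix_months=4, horizon_months=24, mitigation_factor=1.0),
]


if __name__ == "__main__":
    for r in CONSTRUCTED_OPTIONS:
        print(f"{r.name:50s} ALE={annualized_loss_expectancy(r):>12,.0f} "
              f"avoided={loss_avoided(r):>12,.0f} per-dollar={loss_avoided(r) / r.fix_cost:6.2f}")
    funded, deferred = prioritize(CONSTRUCTED_OPTIONS, budget=1_000_000)
    print("fund:", funded)
    print("defer (accepted risk):", deferred)
```

Two things in this model are worth carrying into a real conversation with leadership. First, the horizon argument ("we replace it in 18-24 months") is not a reason to ignore a risk; it is just a number that shortens the window, and the expected loss over that window is still computable. Second, ranking by loss avoided per dollar favours cheap compensating controls over an expensive full fix for the same risk, which is exactly the position the scenario's InfoSec team ends up in; when the decision is a single big-ticket item, compare absolute loss avoided against cost as well, since the greedy ratio alone can defer a fix that is still worth paying for.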

Conclusion

The shift to "good enough" security isn't easy for those who have built their careers on excellence and thoroughness. While this shift can challenge our professional identities and core values, it can also be an opportunity for growth, pushing us to think more strategically and align more closely with business objectives.

We may not always get to fix everything to perfection, but we can still make a significant impact. By adapting, and by approaching problems with a growth mindset, we can protect our organizations effectively, even if the path looks different than we once imagined. The key is never to let "good enough" become an excuse for complacency. After all, isn't solving challenging problems what drew many of us to this field in the first place?


References: 
  • (ISC)² Official Blog, "Information Security vs. Cybersecurity": "Cybersecurity is a subset of information security that deals with protecting an organization's internet-connected systems from potential cyberattacks. On the other hand, information security is a broader term that relates to protecting all information assets, whether in hard copy or digital form." https://www.isc2.org/Resources/Blog/Information-Security-vs-Cybersecurity. These terms are often used interchangeably, especially as more information becomes digital.

  • You Can Lead a Horse to Water, But You Can’t Make It Drink - https://dailystoic.com/remember-you-can-lead-a-horse-to-water-but-you-cant-make-it-drink/




