Security is a hot topic today, at least partially thanks to the Internet.  It’s not that the Internet is good or bad – it’s neither – but rather because of the connectivity that the Internet provides.  Just as the car made it possible for criminals to seek out targets farther away than horses could carry them, the Internet enables criminals to seek out victims around the globe at the speed of light.

Over the past 15 years we’ve all had to learn about new methods of crime and how to protect ourselves.  That takes time.  And whether you live in an upscale urban neighbourhood, out in the country, or in a dangerous inner-city neighbourhood, to Internet fraud artists you’re just another potential victim.  That fact helps make security a hot topic.

Unfortunately, security is also being used as an excuse, and I cringe whenever I hear the phrase, “It’s not secure.”  The problem is that we seldom talk about what security really means and we often misuse the word.  For example, we install a certificate on a web server and call it a “secure” server.  But is it?  The certificate protects traffic between the browser and the server; it says nothing about the application behind it.  An endless stream of vendors tell us that their products are “secure”.  Are they?

Part of the problem is that we’re not asking the right question: “Is it secure enough?”  There is no such thing as a secure building, a secure server or a secure application.  However, there are buildings, hardware, and software that provide high levels of security against specific threats. They are, in effect, secure enough for a specific purpose.

In some cases, when you’re told at work that something “is not secure”, what the person means is, “that’s not secure enough” or “that doesn’t meet our security requirements.”  But it might also mean, “we just don’t want to do it,” and unfortunately there’s a lot of that going on.

Security is a risk management discipline.  The goal of a security organization should be to help the business manage risk while embracing whatever technology the business needs to advance, compete, and thrive. We’re long past the day when simply saying “no” is an acceptable answer.

So next time you’re told that something “is not secure”, do us all a favour and ask questions.  What are the specific risks?  What can be done about them?  And next time a vendor tells you that their product is “secure”, “completely secure”, “absolutely secure” or other nonsense like that, call them on it.

Next week I’ll look at the topic of risk assessment and how we can determine risk levels and what to do about them.
