An interesting discussion I had the other day raised the point:
What do we need for perfect security?
Defining "perfect" and "security" themselves is difficult, but let us simply state:
- Perfect = zero events that cause competitive harm
- Security = operational integrity of environment
(Note that this is not restricted to a specific type of system, but is directed towards the business concerns as a whole.)
Over the course of the dialogue we covered the use of standards to establish the governance and security architectures; we delved into the pizza box kitchen, and of course serious amounts of detection / prevention activity. Ultimately, though, we arrived at a higher level of abstraction that is far more important… at least initially.
Perfect Security is defined by what the business will permit to occur. How many breaches, of what severity (physical and in person), and by what individuals are acceptable? Understanding the risk tolerance for activity and operating at that level is far more crucial, as the entire security-compliance program follows from this level of acceptance.
Thus, as we enter the New Year and the security summits / executive committees come together… ask:
- What is our risk tolerance?
- What is the straw that will be unacceptable to the stakeholders, stockholders, and simply the community as a whole?
- Define the feeling of the event, detail the services that are being discussed, and equate possible outcomes.
The idea is not to have days of risk and threat discussions, but to determine the level of acceptance and allow the practitioners and SMEs in the business to execute. Similar to the hierarchy of documents – strategy should be defined via policy, and then the competency centers of excellence should be allowed to do what they love and are paid to do at the business.