Essential Truths in Information Security: Better is worse than good enough
The essential truth that dictates most of my working day is: better is worse than good enough. I first became aware of this phrase back in my college days, when one of my professors used it often, usually in the context of some form of process modeling or data modeling exercise.
The real value of this phrase lies in understanding what you need and what you do not need. Implementing unnecessary controls is bad: trying to become better is worse than accepting a situation that is already good enough.
Making that determination is very hard. As security professionals we are intimately familiar with the concept of layered security, which revolves around the idea that more controls are generally better than fewer controls.
I disagree with that to a certain extent: controls should only be applied when the risk of a successful exploitation is large enough, and when the cost of that exploitation warrants the investment.
Of course, maintaining a minimal set of controls is generally advisable, but for every new layer of defense that is added after that, the question must be asked: is it really necessary? Will adding a control, including all the cost associated with it (hardware, software licenses, training, maintenance, staff, etc.), really improve the overall level of security? Or is better worse than good enough?
However, when the determination is made that the current situation is not yet good enough and a new control will be added, another essential truth must be respected: execute with precision and excellence.