Like ‘Good Enough’ Parenting
Is ‘good enough’ security a viable option? Much has been written about ‘good enough’ parenting, the idea that it’s not possible to be perfect but we can be good enough and provide a stable, secure and loving home. This in turn allows our children to flourish and grow and become useful members of society. Lately we’ve seen articles about ‘good enough’ security. Is it a valid comparison? Is it a reasonable approach? What is good enough when lives and property are at stake? And what is the main idea underlying good enough security?
First, good enough isn’t a general standard but rather a relative term that depends on the setting. It depends whether it’s a building, a campus or even a city. ‘Good enough’ for a local convenience store would be very different from good enough for the White House or an airport. In security, more readily than in parenting, we can specify our priorities and, in some cases, these are dictated to us by regulatory requirements. Meet the regulations, it’s good enough. Sometimes that is the case. Sometimes not. It depends on the case and the company’s priorities.
Great Security Chiefs
Great security chiefs are those that really understand the business they are in – not the security business, but rather the business of their company. They are working for the corporate goals and culture, and the direction in which the business wants to grow and develop. With these parameters, you as security chief, can actually measure what you need and why you need it. You can determine the cost of risk by understanding the cost of the potential breach.
This level of professionalism requires real involvement in the business so that as the security leader, you have the knowledge needed to align your security priorities with the business priorities. In doing so, you can do your research and offer your company the products that fill the gaps you have identified and also prepare for the future needs.
Evaluating Viable Options for Improving Security
Now it starts to get interesting. With this knowledge and with your security expertise, you can present optional technologies, configurations and parameters. How these would work with your current system? What are the associated costs and any redundancies – and why those redundancies might be relevant. You can point out the limitations of the current system and those of the augmented system. Ultimately you can propose the solution that you recommend. And you can explain why it is good enough, given the company’s priorities, goals and even budget limitations.
Good enough also means that you aren’t turning your offices into Fort Knox or a prison. Every system can be made impenetrable but sometimes redundancies aren’t just beyond budget constraints. Perhaps they just are too much when compared with your company’s needs. By now considering the details when you explain why your proposed system is good enough, you gain credibility for yourself. You inspire confidence from your colleagues. In the end, good enough might be exactly the option that you and your company need.