Risks come in many forms. Going too fast, being reckless, taking chances, etc. are easy-to-recognize warning signs. But what about the other end of the spectrum? Is going too slow ever bad? I say yes, especially when it unnecessarily impedes productivity, innovation, and operational logistics, and intentionally creates frustration for users.
Recently, an Indiana state trooper, Sgt. Stephen Wheeles (@ISPVersailles), pulled over a slow driver in the fast lane. Well, we have all been frustrated with situations on the road where people are in the fast lane but going slower than the flow of traffic, which is why I love this story!
In accordance with a new state law that requires vehicles in the fast lane to move over if cars behind them are moving faster, Officer Wheeles (such a perfect name) stopped a car for this violation as about 20 cars were stuck behind this slow vehicle. He has instantly become a sensation on Twitter!
The lesson here goes beyond finding justice for every time I am on the freeway and find myself behind someone who doesn’t understand the concept of a ‘passing’ lane, as it does apply to cybersecurity.
As security professionals, we are here to find an optimal balance of risk. Far too often I talk with 2 opposing groups in the industry: security and product teams. Security wants complete perfection with the elimination of all vulnerabilities (which is impossible, by the way), while product teams just want to be free to innovate and rapidly share with the world without the burden of security assurance and oversight. Okay, that personification might be a little exaggerated, but neither position is perfect.
The point is, what we all rationally want is to find that right middle ground. It is tough but doable, which is why a risk person is needed in the mix. Ultimately, we must find that optimal balance between security costs, residual risks, and end-user usability for any system. The security architects/engineers won’t inherently seek such a compromise and product developers won't pursue it independently. It takes a risk professional to bridge the gap, champion the cause, and show how the middle ground is best.
In the end, being too slow or inefficient can unnecessarily inhibit innovation that provides great benefits. I am not advocating ignoring critical risks, but rather understanding the big picture. Far too often we are preoccupied with what ‘could’ happen and not realistic about what ‘will’ happen. Just because there is a chance that a meteor could come spiraling from the sky and crush you does not mean we should be looking into deploying meteor shields! (Yes, by the way, I was once in a risk meeting where that exact topic was discussed before I shut it down. I will save that for another blog.)
Managing risk is about understanding the threats, as well as the likelihood of vulnerability exploitation, and potential impacts. We must all move forward in the best way possible realizing the ramifications of our decisions, both pro and con.
...and pulling over slow drivers in the fast lane is a GREAT start! Sgt. Wheeles is my hero for the week! Hey California legislature, time to pass a similar law and get the CHP to improve the flow of safe traffic across our highways.
Image Credit: Sgt. Stephen Wheeles / Twitter