There is one unequivocal certainty in the world of security: There is no such thing as absolute security (defined as some strategy or system that will fully protect everything against everything all the time) – given sufficient resources, motivation and opportunity, any/every security strategy and system can eventually be breached.
So…since we know that even the best security may be
breached, how do we measure success?
For purposes of this commentary, we have to re-define some
terms that are usually pretty straightforward – “success” and “failure.”
Let’s begin with “failure.”
In the world of security, we can have occasional “failures”
(independent, isolated incidents in which the security plan was not fully
effective), without having “FAILURE” (a complete and continuing collapse of
protection due to an ineffective security strategy).
The same holds true for “success.” We can have recurring “successes” (times during which protection
efforts are adequate and sufficient to meet extant security needs), even while
realizing that we can never achieve “SUCCESS” (the continuous state of
everything being adequately and sufficiently protected against everything).
When trying to assess whether security has been a “success”
or a “failure” based on these definitions, we must also add another component
to the mix: "legal defensibility" (a security strategy that includes the elements
that a reasonable person would utilize to provide reasonable security at a
particular place and time under a given set of circumstances). The addition of this concept raises another
interesting conundrum: Even when
security efforts are occasionally “successful,” they may not be "legally
defensible" (because the security strategy may not withstand legal scrutiny when
an incident occurs).
So back to the original question: What is success in
security? The answer is really not
that difficult: Success in security is
the existence of a strategy which protects most things most of the time; and
which will endure legal/forensic analysis during challenges which result from
short-lived “failures.”
As always we should hope for the best, but we must plan for the worst.