Wednesday, March 20, 2013

What Is “Success” In Security?

There is one unequivocal certainty in the world of security: there is no such thing as absolute security (a strategy or system that fully protects everything against everything, all the time). Given sufficient resources, motivation and opportunity, any security strategy or system can eventually be breached.
So…since we know that even the best security may be breached, how do we measure success?
For purposes of this commentary, we have to re-define some terms that are usually pretty straightforward – “success” and “failure.”
Let’s begin with “failure.” In the world of security we can have occasional “failures” (independent, isolated incidents in which the security plan was not fully effective) without having “FAILURE” (a complete and continuing collapse of protection caused by an ineffective security strategy).
The same holds true for “success.” We can have recurring “successes” (periods during which protection efforts are adequate and sufficient to meet the security needs of the moment), even while accepting that we can never achieve “SUCCESS” (a continuous state in which everything is adequately and sufficiently protected against everything).
When assessing whether security has been a “success” or a “failure” under these definitions, we must add one more component to the mix: “legal defensibility” (a security strategy that includes the elements a reasonable person would employ to provide reasonable security at a particular place and time, under a given set of circumstances). This concept raises a further conundrum: security efforts that are occasionally “successful” may still not be legally defensible, because the strategy behind them may not withstand legal scrutiny when an incident does occur.
So, back to the original question: what is success in security? The answer is really not that difficult. Success in security is the existence of a strategy that protects most things most of the time, and that will withstand the legal and forensic analysis that follows the challenges arising from short-lived “failures.”
As always we should hope for the best, but we must plan for the worst.