A few fundamental security definitions are in order at this point:
- Perfect Security: doesn’t exist except possibly in Geek mythology; like a flying unixorn.
- Latest and Greatest Security: this is the latest hype that our favorite security vendors have cranked out for us; you don’t need to understand exactly what it does and what it doesn’t do because, anyway, you don’t know what assets you actually have and what they are worth, dead or alive.
- Good-enough Security: this separates the men from the boys. You really shouldn’t try this at home unless you understand security. It requires you to know what assets you have (at least the top ten of them), how much they’re worth and to whom, which risks to those assets your security tools and processes actually address, and how much risk is left over after those tools and processes are in place.
- WYSIWYG Security: this is “What You See Is What You Get” security; it’s the budget you get for building defenses to protect your organization’s assets, namely whatever is left over after funds and resources have been allocated to everything else your C-level executives can think of. It is usually considered to be enough for Perfect Security until something bad happens, in which case the CIO and CISO are fired.