Security Paralysis

Fear is our body's response to a perceived threat. Deeply ingrained in our survival instincts, fundamental to our human nature, it's designed to protect us from harm by prompting a response: fight, flight, or, as in the case of this topic, freeze. While each of these reactions has its evolutionary purpose, in the realm of security, the freeze response is problematic.

Nowadays, you'll be hard-pressed to find practitioners or executives who openly oppose the implementation of security controls. People generally agree on the need to address an issue or risk, but the method or its impact becomes a point of contention. Without an in-depth evaluation of the control and a clear understanding of the risk being mitigated, this disagreement can spiral into security paralysis, where the control simply doesn't get implemented.

I often witness this phenomenon as an organization matures its security program. Take the commonly accepted practice of ensuring elevated privileges aren't used for day-to-day operations, or the introduction of multi-factor authentication and hardware tokens. These are widely accepted as best practices. Yet, almost without fail, there's resistance. You'll hear, "Developers can't work without root!" or "Hardware tokens are hard and expensive!" or maybe just "That's too much work." People nod and shrug, and the effort just fades. The controls remain unimplemented, risks unevaluated, and informed decisions are left unmade. This is security paralysis.

Interestingly, the concerns raised might indeed have merit. The worry that the controls could impede business operations may be realistic. In certain situations, the proposed control might even be more problematic than the risk it's meant to address. However, without a formal risk evaluation and a comprehensive grasp of the control's implications, no substantial decision is made. In this indecisiveness, not only is the organization left vulnerable, but it also lacks any rationale for its security decisions, or lack thereof.

In the end, decisions, right or wrong, need to be made. A formal evaluation of both the risk and its proposed control will help an organization make the best choice with the information at hand, and a documented, intentional decision is always easier to defend than a choice left unmade out of fear.