Jurassic Plaque: The U-Curve of Security
Modernizing Authentication — What It Takes to Transform Secure Access
... R. Buckminster Fuller
The organizations that enforce the strictest corporate security are often the ones that are the least secure. With the exception of organizations whose very mission is security (say, the Coast Guard, intelligence agencies, banks or body shops that rent uniformed personnel as their mission), the more resources an outfit throws at security, generally the less likely it is they are getting any bottom-line value for it.
Unless you have an unlimited budget, every dollar spent on securing assets is a dollar subtracted from something productiveat best, dollars spent on successful security are resources you could have spent on R&D or marketing or customer service or dividends that are now lost to you forever.
Sometimes the complexity of an initiative that requires extremely secure systems makes it nearly impossible to succeed, even for a skilled organization with unlimited resources and a skilled SI. A recent example that serves as a perfect warning is the $104+ million bloodbath the FBI suffered in its Trilogy project, a perfectly straightforward case file management and sharing system so larded with the need for absolute security that essential parts of it won't ever be deployed.
If the FBIwith a mission that everyone recognizes as vital and with supplied resources to matchcan't get to the finish line, I suggest it's not going to be any easier for anyone with a less vital mission.
Subtraction by Addition
This doesn't mean you should try to lead your group into a zero-security zone. It just means that as you add technology and processes and procedures, the ability of predators to exploit your structures is a U-curve, an upside-down bell curve. When you're adding from zero, the first steps you take will decrease vulnerability the most. Incrementally adding more stringent procedures, updating porous system software, buying new locks to add to existing locks will improve protectionto a moment where people and systems can cope with the complexity.
You can asymptotically approach total security, but at some point, you get subtraction by addition and every new attempt merely weakens the stability of the system. Complexity overcomes your efforts, and every new endeavor merely weakens your protection.
The example you already know is mandating long, complex passwords that have no internal consecutive characters that have meaning. The organizations that force upon their users 10-character nonsense strings that blend numbers and both capitalized and lowercase letters and that change every month or so are the shops that have people writing down their passwords and sticking the keys to entry in a convenient location.
But that's merely the tip of the iceberg.
Next Page: Systemic failures.