Is 'Good Enough Security' Good Enough?

There's a name for security on a shoestring budget, where you're constrained by economic realities and so you delude yourself that the minimal steps you've taken are "good enough" to protect your organization against workaday threats. But the reality is, they're not good enough and you ain't protected.The phrase "good enough security" actually didn't originate as a derogatory designation. Rather, it was meant to denote a pragmatic approach to locking down your organization. (There's a 2003 paper in the journal IEEE Internet Computing entitled "Good-Enough Security: Toward a Pragmatic Business-Driven Discipline.")

Indeed, pragmatic is good. An organization can only implement so much security until it starts to impede its ability to actually do business. Add to this the fact that few (no?) security vendors can offer any meaningful metrics speaking to advances they've made in doing much beyond simply keeping pace with the rising tide of malware that's out there.

Then there's the well-known (and true) data point that the biggest threat to an organization's security isn't a hacker or virus. It's that disgruntled employee with a thumb drive or the careless one who left the laptop on the front seat of the car.

It's really a mess, isn't it? Even security pros tacitly acknowledge this. (The boldly honest ones will say it in public.) As I noted in an earlier post, security audits aren't the answer, because it's become widely accepted that all they do is train (in a Pavlovian sense) chief security officers to design their set-ups to pass audit, as opposed to being really and truly secure.

So what should you do? This is where we get into the gray area, and the realization that security is as much an art as a science. For argument's sake, let's say that there are three points on the implementation spectrum: no security, good enough security, and extreme security.

If you go with the first option, you're either an idiot or the average home PC user. But extreme security, as I've just noted, tends to impede one's main business objective (i.e., making money).

Which brings us back to where we started: "Good enough" security may not be good enough, but it's pretty much where most of us are stuck. So I guess my big question is, does it have to be this way, and, if so, why? What's your take? Let me know, by leaving a comment below or e-mailing me directly at [email protected].

Like this blog? Subscribe to its RSS feed, here.

For a mobile experience, follow my daily observations on Twitter.

Check out my tech videos on this YouTube channel.