Over the years I’ve heard various experts assert that “such and such is the enemy of security,” as in “complexity is the enemy of security.” They say it with such conviction that it seems to rule out any other enemy of security.
The problem is, I’ve seen different experts propose different enemies for security. In fact, there are three enemies of security that appear so frequently that I thought I’d do a little investigation to see if I could determine which one was the real enemy of security.
Here they are in no particular order:
Complexity. Bruce Schneier, one of the world’s foremost security experts, declared that “complexity is the enemy of security. As systems get more complex, they get less secure.”
And this makes perfect sense. We know systems are getting more and more complex and security is becoming more challenging because of that. So maybe complexity is the true enemy of security.
Change. But then I saw that ESG Global, an IT analyst and business strategy firm, stated “Let’s face it, IT is in a constant state of change and change is the enemy of security.”
Likewise, security vendor nCircle has a white paper called “Change is the Enemy of Security & Compliance” where they say “changes chip away at your security posture, causing your network to drift away from its most secure state.”
Change being the enemy of security makes a lot of sense. If you set up a system to be highly secure and nothing ever changed, you’d be right to expect that system to remain highly secure indefinitely. But once changes are introduced, then you can no longer rely on the security of your system.
So perhaps it’s change that’s the real enemy of security.
Convenience. This one is my favorite because I’ve often thought it: “convenience is the enemy of security.” That’s because I’ve lost track of the number of times I’ve explained to someone the extra steps good security requires only to have them reply, “Yeah, but that’s inconvenient.” I’ll then think to myself, “Yes, because security isn’t about convenience.” But I suppose that’s just my security wonkishness kicking in and I should be more sympathetic to the average user who just wants to get their job done.
Security almost always involves additional steps in even the most routine processes, which translates into more time and cost to get tasks done. The quest for convenience, time-saving, and cost-cutting usually works in opposition to security. And I’m not the only one to think so. In fact, an article titled “Why Convenience Is the Enemy of Security” appeared on PCWorld.com a few years ago.
So here we have three enemies of security, all of which coincidentally (?) start with “C”: Complexity, Change, and Convenience. They can’t all be the enemy of security, but I believe they are all legitimate foes to creating more secure solutions. As security practitioners, we regularly battle increasing complexity, unmitigated change, and the quest for convenience as we strive for better security.
So the answer is that there’s not just one enemy of security; there are at least three. And the next time you hear someone say “such-and-such” is the enemy of security, you can say: “don’t forget the other two.”
Photo credit: Michael Mol