
A few years back, I knew a guy who had a mole on his forehead, which started to grow and change shape.  As a survivor of melanoma, I know this is not a good thing.

Some friends and I urged him to go to the doctor to have it looked at, but he refused.  “I don’t want to go to the doctor – it might be cancer.”

Sounds ridiculous, doesn’t it?  But that argument is similar to what I hear from information security professionals all the time.

They don’t want to confirm the issues they already know they have (through vulnerability scans, pen tests, security assessments, configuration audits, etc.) because they know doing so will likely turn up a list of things they don’t want to deal with.

One of the big inhibitors is resource limitations – time, money, people, tools.  I get it – we all have constraints. To me, this is why risk-based security is so important.

By integrating elements of risk ranking, business-oriented value mapping, and objective prioritization, you can stack rank the problems you’d like to solve and apply your resources against the biggest or most impactful items first.

Another problem is the fact that you can’t “un-know” something once you know it, and you might have to report it to your boss, a regulator, your board, etc.  Doesn’t this sound a lot like what the guy with the mole used to say?

Remember, just because you know about an issue doesn’t mean you have to do anything about it.  The choice of how, when, and where to act is yours — but pretending a problem doesn’t exist doesn’t help anyone.

  • philA

    Plausible deniability can no longer be a defensible approach to security.

    Organizations need to have a basic understanding of their security maturity and need to demonstrate due care or else suffer the consequences. Until more organizations are penalized for negligence, this attitude will persist.

    • @ThatDwayne

      I agree, Phil – that's the only way people will feel the appropriate sense of urgency. The Wyndham lawsuit got the conversation going, but we're not done with this yet.

  • Is this bringing us back around to discussing a standard of care for infosec, Phil? What's the worst an organization can perform and still be considered compliant or diligent? If we look at the very best organizations, how close do we have to come to their performance? Is this a moving target because of the pace at which technology changes? Lots to discuss here, but you are correct for sure in saying that having your head in the sand is no longer a viable excuse…