Can you have too much security? How to be in the "Goldilocks" zone

By Sourya Biswas, Technical Director, NCC Group

As cyber security consultants, we typically help clients determine where their cyber security gaps lie and how to bridge them. This can include detecting issues with respect to best practices and recommending solutions, as well as understanding current level of cyber security maturity and guiding towards a desired target state. To that effect, we solve the problem of too little security. In this blog, however, I want to discuss the opposite point of view – the problem of too much security, or rather, what is often perceived as too much security

Even as children, we have been warned about the perils of “too much of a good thing”, especially in the context of candy and bellyaches. But is this applicable for security as well? I will explore this question from both personal (non-work) and official (work) points of view.

In our personal lives, we secure ourselves in our homes – we lock the main doors, shut the windows, activate alarm systems, etc. We don’t, however, lock each and every door inside our houses unless specifically required, such as for privacy. Not only will doing so be overkill, it will also be inconvenient for the residents. Even though the proverb says “Every man’s home is his castle” we don’t secure our homes like the castles of old. We don’t have moats, outer and inner walls, and watchtowers; usually, the standard ADT system is enough. As is obvious, we have already decided in our personal lives that there’s such a thing as too much security.

Let’s explore this topic in the work environment via a couple of use cases. If the Security team mandates a 16-character password, there’s a high probability either of the following will happen: 1) users will start writing down their passwords on paper, lest they forget or 2) they will start using easily re-callable sequences like “1234…” or “abcde…”. The first makes the passwords easily discoverable and the second, easily guessable. Here you can see how “too much security” actually led to “too little security”.

The second use case involves the use of security monitoring products. With myriad choices available, some companies go in for multiple products in the mistaken belief of implementing defense in depth. However, they fail to put in the proper mechanisms or appropriate resources to consume the results and act on them, resulting in existing processes being overwhelmed by the proliferation of monitoring data. In such a situation, using one or two products well could have been more helpful, but instead, “too much security” again led to “too little security”.

The third use case, also work-related, discusses the use of encryption. With new breaches hitting the headlines on a regular basis, it’s not surprising that companies will want to encrypt their data. Encryption is a mathematical function that requires computer processing power; ergo, there’s an additional workload involved. Double that when you include decrypting the encrypted data. Add to that the extra information being transmitted when encrypting data in transit, and it is obvious how encryption can affect system and network performance. If a company decides to encrypt all its data without classifying them differently and choosing what to encrypt, business is likely to be adversely impacted. The way I see it, there are two problems here – firstly, organizations have too much data, not all relevant, and secondly, all that data is considered critical to business, when that’s definitely not the case. There’s a strong parallel to the common idiom, “If everything’s a priority, nothing is.”

The above use cases illustrate why security decisions should be driven by business needs, specifically to reduce risk to an acceptable level. This decision depends on applicable threats, current vulnerabilities and controls in place, likelihood of a threat exploiting a vulnerability to realize a risk, and impact if the risk is realized and the cost of additional controls. Costs pertain not only to dollars but the user experience as well. Too much security, and you end up setting controls that are too stringent and the people in your organization will have trouble completing basic business tasks. Too little, and the controls will be too lax to address relevant threats.

Drawing from the fairy tale about Goldilocks and the Three Bears where a particular bowl of porridge is neither too hot or too cold but “just right”, the Goldilocks Zone refers to the habitable zone around a star where the temperature is just right for liquid water to exist on a planet. With respect to our current discussion, companies need to be in their individual Goldilocks Zones where security is concerned.

However, finding your own Goldilocks Zone is not easy. You would be best served by contracting an outside expert who can offer impartial advice on what you should protect, how much you should protect, and how you should protect your assets. 

By Sourya Biswas