Everyone wants information security to be easy. Wouldn't it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don't try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.
Common Sense
I think the key to fortune cookie advice is 'common sense' in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.
Here is my Fortune Cookie advice for June:
A perfect security program does not make your environment invincible! Making it so would be astronomically expensive. The 'perfect' security program achieves the optimal balance of spending, loss prevented, and acceptable losses (residual loss): you keep spending only while the next dollar of controls prevents more than a dollar of expected loss, and you accept the residual loss that remains beyond that point.
Now if I can just figure out how to stuff these little cookies...
Am I contributing to the problem of oversimplifying security? Or am I reaching out to those who might not have the inordinate amount of time necessary to understand the complexities and nuances of our industry? You decide, and feel free to share your knowledge-nuggets.
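To make the "optimal balance" in the June cookie concrete, here is a small worked model. It is an added example, not code or a formula from the original post. The loss curve is my assumption: expected annual loss with no controls is L0, and each additional dollar of control spend reduces it with diminishing returns, expected_loss(s) = L0 * exp(-s / K). Total cost is spend plus residual expected loss, and the "perfect" program is the spend that minimises total cost, not the spend that drives loss to zero. The dollar figures are constructed for illustration.

```python
"""Added worked example: finding the 'optimal' security spend.

Assumed (not the author's) loss model: expected_loss(s) = L0 * exp(-s / K),
i.e. diminishing returns on control spend. Total cost = spend + residual
expected loss; the optimum minimises total cost.
"""
import math

L0 = 1_000_000.0   # expected annual loss with zero controls (constructed figure)
K = 200_000.0      # effectiveness scale: each K dollars cuts loss by a factor of e (assumption)


def expected_loss(spend: float, l0: float = L0, k: float = K) -> float:
    """Residual expected loss after spending `spend` on controls."""
    return l0 * math.exp(-spend / k)


def total_cost(spend: float, l0: float = L0, k: float = K) -> float:
    """What the organisation actually pays: controls plus the losses they do not prevent."""
    return spend + expected_loss(spend, l0, k)


def optimal_spend(l0: float = L0, k: float = K) -> float:
    """Closed-form optimum for the assumed model.

    d/ds [s + l0*exp(-s/k)] = 1 - (l0/k)*exp(-s/k) = 0  =>  s* = k * ln(l0/k).
    If l0 <= k, the very first dollar of controls prevents less than a dollar
    of loss, so the optimal spend is zero (accept the loss).
    """
    if l0 <= k:
        return 0.0
    return k * math.log(l0 / k)


def optimal_spend_numeric(l0: float = L0, k: float = K, step: float = 1000.0) -> float:
    """Brute-force search over spend levels, to reach the same answer without calculus."""
    best_s, best_c = 0.0, total_cost(0.0, l0, k)
    s = 0.0
    while s <= l0:
        c = total_cost(s, l0, k)
        if c < best_c:
            best_s, best_c = s, c
        s += step
    return best_s


def rosi(spend: float, l0: float = L0, k: float = K) -> float:
    """Return on security investment: (loss prevented - spend) / spend."""
    prevented = l0 - expected_loss(spend, l0, k)
    return (prevented - spend) / spend


if __name__ == "__main__":
    s_star = optimal_spend()
    print(f"optimal spend       : ${s_star:,.0f}")
    print(f"residual loss       : ${expected_loss(s_star):,.0f}")
    print(f"total cost at optimum: ${total_cost(s_star):,.0f}")
    print(f"ROSI at optimum     : {rosi(s_star):.2f}")
    for s in (0.0, 100_000.0, s_star, 600_000.0, 1_000_000.0):
        print(f"spend {s:>12,.0f}  residual {expected_loss(s):>12,.0f}  total {total_cost(s):>12,.0f}")
```

With the constructed figures the optimum lands at about $322k of spend with about $200k of residual loss; pushing spend to $1M still leaves a few thousand dollars of expected loss while the total cost is roughly double the optimum. That is the cookie's point in numbers: invincibility is not on the curve, and past the optimum every dollar spent prevents less than a dollar of loss.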
Fortune Cookie Security Advice - May 2008
Tags: security, roi, value, rosi, information_security, optimal_security, model, risk, matthew_rosenquist, rosenquist
I think there's also an element of performance impact, and general ease of use/administration.
Securing your world needs to be easy. It can't be multiple programs with thousands of configurations or no one will bother (or only the most nerdy of system administrators ;-)). It also can't impact performance substantially.
I won't trade off the ability to get my work done for an extra gram of security. For example, many virus shield programs are complete resource hogs. I get rid of them. I'm smart about my browsing and I don't open emails that come from unknown sources. I run a web-based virus scan every month and so far have never found a single virus on my system after trying this "pilot" for 6 months of not having a daily scanner running.
Simple, easy to configure, catches MOST things. Plus smart computing. That's really the most important aspect - smart computing. Be aware of where you are on the internet and what you are interacting with.