CISO Concerns: Security vs. Usability, Affordability

Thursday, October 25, 2012

Rafal Los


Recently in New York city we hosted a CISO-level event where we discussed various issues experienced during the life of an enterprise security program.  CISOs brought up various topics from budgeting to being overwhelmed with constantly evolving threats - but one in particular caught my attention.

One of our Fortune 100 CISOs from the technology sector brought up the issue of "security versus".  What he was talking about is when security clashes with usability and affordability.  It may seem like something we've all talked about at one point or another, but these two are critical things that often stand in the way of 'great' security and force us to figure out what we're comfortable with being "good enough".

It's sure as daylight that a poorly thought-out security strategy will clash with usability, and be unaffordable - but why is that?

Security vs. Usability

Security is one of those things where the old-school way of doing things required us security professionals to make things difficult.  We found ourselves asking the user to do new and difficult things in order to achieve 'better security'.  Think about how difficult it was to exchange secure email "back in the day" ...heck think about how difficult it is to use PGP today!  Even security professionals complain about the usability of some of the things meant to keep us safe.  The problem with all these usability challenges is that they are counter-productive to adoption of security controls.  If you want someone to encrypt their email you have to either make it completely transparent to them, or make it so simple they don't have to think about it much to do it.

Usually we can get the end-user (whether this is an enterprise user, or a home user, or whom ever) to agree to a minimal amount of discomfort and inconvenience if it's in the name of security.  I'll bring up the seat belt thing again here, since we InfoSec people are notorious for mis-using the example.  Look at how simple a seat belt is to use in your car, or in an airplane.  They even drill it into your head every time you sit down to take a flight, how to buckle, unbuckle, etc ... it's absolutely super-duper easy.  Same with your automobile seat belt ... you're not being asked to strap into a 5-point safety harness (although that would probably be a lot safer) because most people would simply bypass it - too difficult, too much of a hassle.

That magic word - "hassle" - is what makes security so difficult.  Truly good strategic security programs and principles aren't so much a "hassle", while the things that we prescribe that fail are the more complex, difficult things.

As a perfect illustration of this, take software security.  It was relatively easy in the program I put in place at my previous Fortune 100 employer to get a end-of-SDLC "security scan" put in place... aside from the cost.  Once the developers were done security stepped in to 'scan the app' ...which involved the development organization minimally.  We all can agree this isn't the most effective way to do software security, but it's easy to implement because it inconveniences the developer the least.  Once we started talking static analysis tools the first thing that was on every developer's evaluation criteria list is "Is it easy to use?"  I can't blame the developers, or anyone else for wanting 'simple' and 'usable' security.  If security means 10 passwords of varying complexity just to get to the point where I can function in the morning at the office, I'm going to write them down and make sure they're simple to find... I'm just trying to get my work done, as are all the users out there.

Usability is critical and it must be balanced against the risk level (security).  It takes time, consulting the user (again, no matter who that may be) and trial and error before we've found a good balance between being secure and usable - but today's CISO is struggling with this.  A note to us vendors... if your products aren't usable they'll probably fail or at very best gain begrudging adoption... neither of those are good.

Security vs. Affordability

Affordability is unfortunately a foreign dimension to many security professionals, even today.  Hearing stories of security analysts proposing security solutions that were entire orders of magnitude larger than the asset's net value brings me back to the fundamental misunderstanding of risk many of us still have.  To hear a CISO talk about this problem, it just reminds me that there is a lot of work yet to be done in InfoSec before we've raised the bar sufficiently.

What's interesting about the security vs. affordability discussion is that it really entirely hinges on the question "How much risk can you afford to take out?"  Earlier in my career I always thought I needed to push the envelope on how much I could spend (or propose to spend) on every security related thing before someone told me no.  These days I realize that was approaching it completely wrong - because that way simply doesn't make sense.

Every dollar spent needs to have some risk-reducing value, and understanding where we run into that law of diminishing returns - that's critical.  There is always a point where spending double the current investment won't but move the needle slightly, and the sooner we all come to grips with this, the better.  Finding the 'tipping point' (pun intended) is critical to understanding how much is rational spend, versus when we're just throwing money into a bottomless hole.

Like in the movie "The Money Pit" sometimes you're just throwing money away.  This is all, of course, predicated on the fact that we as a collective of professionals understand risk properly.  It's not about the "OMG hax0rz!" from reading the news every day and trying to mitigate the threat to the last hacked company's about what matters to your way of doing business.

Can you afford a strategic security program?  I think the answer is largely "yes" but there are caveats.  You can afford a strategic security program that decreases your risk level to ...something less than it is today, hopefully.  You can't (and no one can) afford one that removes risk entirely.  I hope that makes sense.  Rather than approaching it from the perspective of how much money we have to spend, let's perhaps look at what level of risk we're comfortable with, what it takes to get there and then ask what we can do with the available financial means to get us as close to that as possible.


In the end, security only works if it's usable and affordable.  We determine that through trial and error, and experience.

I won't argue that usability trumps security, but I will argue that security that's unaffordable is worthless.  Finding a healthy balance between usability, affordability and risk tolerance ("security level") separates the good security professional and leader, from those just "doing security".

I'll keep writing up some of the lessons learned from last week over the next few weeks. Good luck out there.

As always, you're encouraged to leave your thoughts here in the comments section, but please do leave your Twitter handle so I and others can respond to you...and if you'd like to discuss on Twitter, please use the hashtag #SecBiz.

Cross-posted from Following the White Rabbit

Possibly Related Articles:
Enterprise Security
Information Security
Enterprise Security Budgets Security Strategies CISO
Post Rating I Like this!
Marc Quibell Seamless email encryption would be to negotiate B2B TLS encryption, at least make it negotiable. You check a box on your email servers. It's that simple and no one even notices.
Rafal Los @Marc - Another fine suggestion! thanks!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.