
Security theory – security will break stuff


Security theory

It is funny how the job of IT administrators is to help users get to everything they need, while security administrators try to restrict the users’ access. Someone I know once told me, “You got access denied?! Good, the security is working!” At a basic level, this means that security administration at its core is fundamentally opposed to network administration; the two have conflicting goals. This creates the trade-off that we need to consider in this security theory post.

I think that technology should be transparent to users. In the end, users should be able to do their job and bring some money to the corporation that hired them.

Since end users are not IT people, the technology should also be easy to use and useful. This is sometimes called usability. In other words, the trade-off is between security and usability. Makes sense, right?! Keep reading, please.

You can make any technology more secure, but by doing so you will make it less usable. So how do we make it both more secure and more usable? This is where the third axis of the trade-off comes into play. Any good engineer is familiar with the principle of “Good, fast, and cheap. You get to pick only two.”

You can make something more secure and more usable, but it will cost more in terms of money, time and human resources. This is why security costs a lot of money nowadays.

Returning to the security theory argument (security will break stuff), many organizations, especially small ones, will not invest in or care much about security. Maybe they think they are too small to worry about attacks or security. Those are the first to get attacked!

Medium-sized and some big organizations that do not deal with money (unlike banks) or with secure government projects will, most of the time, not consider strong security measures until they get hit by an attacker. They take security for granted. Sadly, most of those organizations invest money in how to serve customers and in preparing the infrastructure for that, while ignoring the security side of their network. One day they get attacked somewhere, wake up shocked, and immediately start considering security. By then it has already cost them a lot (and it may cost them their reputation as well).

I believe that any organization nowadays should start with security in mind, by applying the Secure Enough principle. They should invest in a minimum amount of security as a starting point and build up from there. After that, they should invest in hiring a security administration team to keep an eye on their network, gradually implement a security baseline, and follow up with security audits. Finally, a complete threat modeling exercise for their network can help them move in the right direction. It is not a bad idea to take advice from an external body to evaluate where they stand in terms of security and network protection.

Going back to the initial question in our security theory: does security break stuff?! I guess that depends on the business. If you are a bank, then lowering usability to increase security is something you should do. On the other hand, investing more in terms of money and resources will give you both security and usability. Always ask yourself this question: “What will I lose if I get attacked? Will I lose my reputation in the market? And what will happen if all my published services get shut down because of a DoS attack?” If you do not like the answers, then start working on security more seriously.

About The Author

Ammar Hasayen

Ammar is a digital transformer, cloud architect, public speaker and blogger. He is considered a trusted advisor with the ability to quickly navigate complex multi-cultural organizations and continuously improve and motivate cross-functional teams to achieve higher productivity, collaboration, revenue gain and cross-group knowledge sharing. His contributions to the tech community helped him get awarded the Microsoft Most Valuable Professional. Ammar appears at many global conferences, and he has many publications about digital transformation and next-generation technologies.
