undefined | Better HN

0 pointsgonzo414y ago0 comments

Maybe it is enough. What sort of market do you work in? And what sort of real attack is coming your way.

An internet air-gap is probably enough for a vast majority of use cases.

There's lots of talk about engineering here along the lines of "good engineering is knowing how to make a bridge barely stand up", but in Security, especially IT sec there's often little discussion about real risk and impact. And striking a reasonable balance.

Places I've worked consider their product and information high security whilst embargoed (mostly financial). The IT security at these companies matched that posture. But people all drank together, shared everything over drinks and had terrible personal security.

I'm not a security skeptic at all, I just think that the simple stuff goes a long way and that it's somewhat unhelpful to compare regular IT use to CIA style IT use.

0 comments

NoPicklez4y ago

That's right, businesses should have security controls in place commensurate with the size and extent of its threats and vulnerabilities. It is not pragmatic for most organisations to spend enough money to implement the most protective security possible. Traditionally we call this determining your risk appetite.

Overall, my experience from auditing the cyber security of many organisations is that they're not actually taking a risk based approach. They're not identifying their IT & Cyber Security risks and they're not identifying their specific threats and vulnerabilities. This leads to many organisations make poor security decisions by implementing technology controls that either aren't mitigating any of their risks or isn't reducing their residual risk to a comfortable level.

j / k navigate · click thread line to collapse