When considering security in your organization, how do you reconcile the competition between the desire for perfection and the need for "good enough?"
In a previous article, The meaning of good enough, I offered a couple of examples of how the term "good enough" might be used in a discussion of security. My purpose was to explain how the term "good enough" is not, in and of itself, good enough to make a clear statement. The speaker's intent in using the term "good enough" must be further explained for it to have any relevant meaning.
The subject of how the term "good enough" might be used bears further discussion, however. Toward that end, I offer two clever platitudes often used to make a point in discussions of development philosophy and methodology.
"Perfect" is the enemy of "good enough"
As far as I'm aware, the oldest formulation of this statement comes from Voltaire, who said, "The perfect is the enemy of the good." In some contexts, it suggests that if you set out to make something perfect, and will settle for nothing less, you will never finish it at all. As a result, the desire for perfection may lead you to fail to produce anything of value.
In some respects, this is the philosophy conveyed by a common open source development motto, as stated by Linux kernel creator Linus Torvalds: "Release early, release often." The idea is that, the moment you have something complete and effective enough to solve someone's problem and spark interest in it, you should make it available to others. This will attract people who want to contribute to it, and help make it better, rather than letting it stagnate because you're afraid to make something public before it's "perfect." It encourages peer review, more thorough stress testing, and more helpful contributions from the user base, all of which should (if handled reasonably well) add up to faster, better improvement than could be achieved in isolation.
Some, such as Paul Buchheit, even take this concept so far as to say that "good enough is the enemy of at all," suggesting that requiring something to be "good enough" might induce one to never produce anything of value at all. This is really just a new way of saying the same thing, though, as an attempt to shake people loose from too high a standard of "good enough" -- a standard that may be approaching Voltaire's unapproachable "perfect" again.
In a security context, "perfect" is not only the enemy of "good enough" because it may result in never improving security at all, but also because too much focus on the technical aspects of security may lead one to neglect the social aspects. For instance, requiring too strong a password, and requiring passwords to be changed monthly, leads to users having to write down their passwords on sticky notes and keep them in their desk drawers, under their keyboards, or even stuck to the edges of their monitors -- an obvious security no-no. The solution to a security problem must be socially effective as well as technically effective, and sometimes achieving that requires a balancing act.
"Good enough" is the enemy of "perfect"
This is not as commonly quoted a concept as the idea that "perfect" is the enemy of "good enough," but it is just as important. Just as striving for, and requiring, perfection can lead to never producing anything that is good enough, so too can something that is "good enough" stop people from striving for perfection. Because it is a striving for perfection that often produces the greatest advances, that striving is important, and should be encouraged and nurtured.
While we need to be willing to choose "good enough" from time to time in order to get anything done, we should never really be satisfied with it, because something can always be done better -- and, given some reasonable time and effort, it should be done better. This is even more important in the realm of security than in most other contexts, because as long as your systems remain secure there will be malicious security crackers working on penetrating the security measures you have in place. As their efforts force advancement toward perfection, so too must yours if you wish to continue to be adequately protected against them.
Having something "good enough" can induce lethargy of a sort, and discourage ongoing improvement. In some contexts, this approach may itself be "good enough," such as when you are working on behalf of a market-dominating corporation that can afford to rest on its laurels, only putting significant effort into security when it becomes necessary to play catch-up and try to undo the damage to marketability caused by a recent spate of security breaches.
In others, however, it is most vehemently not good enough, as in the case of a small company whose survival depends upon keeping its database of customer information private and secure. In that context, you must proactively work to improve security as a constant, consistent part of your business plan. Solely reactive security under those circumstances is a recipe for disaster.
Is it good enough for now?
The moral of the story is a simple one: employ a philosophy of "good enough for now," where you don't let the desire for perfection keep you from using what's good enough, but you don't let the existence of "good enough" prevent you from always improving things in search of perfection. Security, after all, is more a process than a goal, and more a journey than a destination; it is more a practice than a product. Security is never "done," in other words.