The Relativity of Wrong… in the security industry.
Randy Raw, my professional mentor (not that I pay him, but I look to him for guidance in my profession… although he probably deserves to be paid for putting up with me) sent me a link to an article by Isaac Asimov on the relativity of wrong.
Reading it got me thinking about how security people see the security industry and Asimov hits it out of the park with this quote:
The basic trouble, you see, is that people think that “right” and “wrong” are absolute; that everything that isn’t perfectly and completely right is totally and equally wrong.
We do this all time. If someone doesn’t have perfect security they have no security. Next time a major company is breached watch the articles and tweets flow about how lax their security is. No matter how they were attacked someone will put out the boiler plate article about how their security sucked.
Asimov closes with a line that I think is awesome:
What actually happens is that once scientists get hold of a good concept they gradually refine and extend it with greater and greater subtlety as their instruments of measurement improve. Theories are not so much wrong as incomplete.
I love a paraphrase to this quote and need to get it on a shirt….
Security is not so much wrong as it is incomplete.
In security we are always gradually refining all of our security theories and policies. If you look back at your companies security policies 2 years ago they weren’t wrong they were just incomplete.