
Is There Such a Thing as Good Enough Data Security?

If you’ve followed SSWUG.org for any time at all, you probably know I tend to incorporate security issues like encryption, protection, access controls, all of that – as often as I can. Heck, I’ve been known to make things up just to make sure it’s included in a discussion. To me, it’s that critical.

But I was talking with a small group of people about this and the topic came up and was sort of summarized by the statement “wait, we’ve done x, y and z – when is it good enough?”

I had to stop and think about it a little, frankly. I mean, to me, the initial answer, and I think what I may have muttered to myself is, “you’ll never be done with it.” I feel like it just never stops deserving the attention. Data privacy and security, control, all of that. I have never really felt like the whole project of doing what’s needed was “done.”

But in the real world, rather than the strict conversational world where everyone has unlimited budgets and time to spend on every project, is there a point when you’re done?

I have to say I don’t think so. Sure, I think you can take your foot off the gas a little and sort of go with what you have every now and then, but the threats and ingenuity of those trying to gain access to your information keep getting better. And I think too that certain technologies start to give you more “coasting” time – things like encrypted storage, ubiquitous SSL and always-encrypted technologies. These all help immensely at establishing a higher barrier to entry.

I do feel, though, that nearly every time it seems we have a handle on the threats and opportunities for information to be accessed, new things come along. Not in a paranoid way, but in a real-world way. From socially engineered “hacks” and access to network segments that are shared but shouldn’t be, to insider access, all of those and so many others morph on such a regular basis.

So, in sort of answering my own question, I don’t think we’re done-done. But I do think there are pause points, and triage points where the pendulum swings back and forth on the time required. The people that I’ve seen stung the worst are the ones that implement decent protection, then never look back. They never make sure things haven’t out-evolved their protections.

Don’t let that be you. At the same time, if you feel like indeed security can be “enough” – chime in below in the comments. I’d love to hear your thoughts.