NCSAM 2011 – Post 21 – Failure is always an option
For my last post for National Cyber Security Awareness Month, I’d like to expound on an important maxim for security.
Failure is always an option – and sometimes the best
If you can’t handle a customer’s credit card in a secure fashion, you shouldn’t be handling the customer’s credit card.
If a process is too slow when you add the necessary security, the process was always too slow, and cannot yet be done effectively by modern computers (or the computers you’re using).
If you enable a new convenience feature, and the rate of security failures increases as a result, the feature is more of a convenience to the hackers than to the users, and it should be removed or revisited.
Accept your own failures and deal with them
Sometimes there’s nothing to do but to say “Oops, that didn’t work”. Find something else that does.
If you’re writing software code, expect to encounter failing conditions – disk full, network unresponsive, keyboard stuck, database corrupt, power outage – all these are far more common than software developers anticipate.
Failure is not the exception, it is a part of life in an uncertain universe.
Handle other people’s failures gracefully
Other people will fail you.
This is not always their intent, nor is it necessarily something that they will recognise. Do not punish unintentional failure as if it were an intentional insult. Educate where possible; redirect otherwise.
Where failure is intentional, be firm and decisive. Do not allow deliberate failure to continue unhindered.
Failure is always a necessary part of innovation
Innovation is doing that which has never been done before.
As a result, no one knows how to do it correctly. You will fail, a lot. If you are always right, it is because you are doing something that you already know.
Because failure is ubiquitous, look for it everywhere
Part of being a security expert is the ability to see where people, process and technology are likely to fail, and how someone might take advantage of that, or cause you disadvantage.
Turn “I can’t imagine how that might fail” into “I can see seven different ways this could screw up, and I’ve got plans for eight of them”.
And yes, I failed to finish writing this in National Cyber Security Awareness Month.