Friday, November 21

Two Kinds of Security Threats

Rich Mogull said it succinctly (a few weeks ago). There are two kinds of threats...
  1. Noisy threats that break things people care about.
  2. Quiet threats everyone besides security geeks ignore, because it doesn’t screw up their ability to get their job done or browse ESPN during lunch.
I noticed it too, but hadn't thought to call it out like this. I feel like the distinction between noisy and quiet will become a common part of my vocabulary. It explains why some people just don't care about very high-risk threats that are fairly likely to occur, yet they'll dump their piggy banks to cover threats that don't seem to carry all that much risk. Apparently, it's all about ESPN.

It also helps explain why some people throw money at compliance in a way that just quiets it down, without really providing the best risk mitigation or value.

