Information Security is Inversely Proportional to Revenue Generation
Posted by John Verry on Fri, Oct 02, 2009 @ 11:20 AM
A colleague of mine recently forwarded the following list of “security maxims” compiled by the Argonne National Labs. Highly recommended if you need a quick smile or two.
We have a maxim here that I was surprised was not on the list: “The information security posture of a system is often inversely proportional to the revenue it generates,” or alternatively, “The information security posture of a system is often inversely proportional to its business criticality.” At first blush that may sound crazy, but if you think about it, it makes a tremendous amount of sense.
Companies are often afraid that a fix or upgrade will cause a problem, so the more critical the system is, the more likely it is that we will hold off “for a bit”. The next patch cycle we hold off a bit again, and so on, until eventually the situation is hopeless.
Consider the following examples from assessment projects we have performed:
- An online application that processes $8B a year in transactions and was running on a seven-year-old codebase and servers. Virtually the only change made in seven years was the deployment of an IPS in front of the application to protect it from web application attacks.
- A “media” company that derives billions in revenue from a system that depends on PDP-11, OS/2, and DOS. They scour eBay for old 286 machines with clock speeds below 12 MHz because the code gets “flaky” on faster processors.
What to do if you recognize yourself in this blog?
Well-contemplated compensating controls can help you make the best out of a bad situation.