July 19, 2021

Last Updated on March 16, 2023

What’s the most prevalent—and thus the most harmful—misconception about cybersecurity? It’s the idea that we can potentially be “100% secure.” This just isn’t possible, and believing in “true security” undermines making good decisions that balance risk with the value of taking the risk.

Dr. Eric Cole, well-known author and Founder/CEO of Secure Anchor Consulting, makes this point on a recent episode of The Virtual CISO Podcast. Hosting the show is John Verry, Pivot Point Security CISO and Managing Partner.

Balancing functionality and risk

“What I always tell folks is 100% security only exists with zero functionality,” Eric reframes.

For a system to be “100% secure,” it needs to be disconnected and isolated from all networks and other systems, and reside in a highly secured physical environment. But then… it’s probably not super useful.

“It’s just like the law of gravity,” Eric continues. “Whether you acknowledge it or not, the law of gravity is there and will impact you. The law of cybersecurity, whether you want to acknowledge it or not, is anytime you add functionality, you’re decreasing security. Anytime you’re adding functionality, you’re increasing risk.”

Are you asking the right questions?

“There are always exposures,” explains Eric. “The trick is the balance. Now the problem is, most people only ask one question when they’re making a decision: What’s the value and benefit? If there’s a value or benefit, they’re going to do it.”

The problem, of course, is that people don’t ask the second question: What’s the risk? You need that information to make an educated decision.

Eric uses the example of Alexa, a system with significant security and privacy vulnerabilities: “People will always say, ‘Eric, is Alexa secure?’ I say, ‘Let’s look at the data. Here’s the value and benefit. Here’s the weakness and exposure. Is the value and benefit worth the weakness? If the value is worth the risk or exposure, then do it. If it’s not, then don’t do it.’”

What’s Next?

If you’re concerned about cyber risk for yourself or your company, don’t miss this illuminating podcast episode with Dr. Eric Cole.

To hear this episode all the way through, subscribe to The Virtual CISO Podcast on Apple Podcasts, Spotify, or our website.
