OPINION: Why Perfection is the Enemy of Progress in Cybersecurity

By Muhammad Chbib [ Join Cybersecurity Insiders ]

By Muhammad ChbibCEO of Autobahn Security

Is your organization suffering from cybersecurity paralysis? Many businesses are in cybersecurity panic-mode due to the steady stream of alarming news that ‘nobody is safe’ from hackers. While it’s true that all businesses are technically ‘hackable’, it’s important to see the bigger picture – cybercriminals tend to focus their efforts primarily on high-yield targets. That means striving for cybersecurity perfection is unnecessary for most companies.

In fact, perfection is the enemy of progress in cybersecurity. Striving to be ‘perfectly secure’ is ultimately an unrealistic and unachievable goal that comes at a massive detriment to innovation and productivity. Rather than aiming for perfection, businesses should take a pragmatic approach to making themselves less vulnerable — and focus their efforts only on the risks that matter most to the hacker. Taking a measured, strategic approach to cybersecurity will have the most impact where it counts, and this approach will also protect a business’s capacity for innovation and productivity.

Most companies don’t get hacked, most of the time

Hackers are rational and will pick the easiest targets in terms of snatching cash or stealing information. For example, unless a new website generates a certain amount of revenue, there’s no urgent need to keep it ‘perfectly secure’, because hackers are most likely not interested in small, unprofitable targets.

Using benchmarking to ensure a business remains above the industry average for ‘hackability’ helps decrease the likelihood of an attack. Companies can set milestones in the lifecycle of new apps and products they’re developing to reveal the correct time to introduce robust cybersecurity measures. This can help businesses prioritise their cybersecurity efforts and make the most impact where it counts.

Balancing ‘healthy paranoia’ with innovation

Security is not the most important part of a business – a statement which may come as a shock from me, a security practitioner. Yes, cybersecurity threats are rising, and a solid security strategy should be implemented in every organisation, however it’s vital that overzealous cybersecurity practices don’t threaten the ability of companies to innovate, take risks and embrace new technology. Unfortunately, this is something I see happening every day. 

CSOs, CISOs and IT leaders today are pulled in multiple directions within organisations, often expected to juggle overwhelming volumes of information and make rapid decisions to ensure all vulnerabilities are addressed. Many are overwhelmed enough to leave the workforce entirely, but others are simply fighting the growing number of security threats with ‘healthy paranoia’ and being extra forceful with their input. This approach is using a sledgehammer to crack a nut: a disproportionate reaction that can have unintended negative impacts on other parts of a business. 

Going overboard with security can stifle the unique cultural elements that propel companies to global success, which is ironic since business leaders investing in cybersecurity are doing so with the best interests of their company in mind. But tunnel vision security doesn’t care about innovation; it’s only interested in preventing total disaster. As a result, striving for security above everything else often means taking fewer chances on new ideas, or losing the appetite and capacity for innovation. It can create a demoralised workforce with lower productivity, and it can make companies fearful of taking potentially worthwhile risks – all of which are detrimental to a company’s future and broader market opportunities. 

The good news is that there’s no need for businesses to panic when faced with a huge volume of cyber-threats, because in most cases – and for most businesses – the risks are very low. Security experts see threats everywhere, but this needs to be compensated for by regularly stepping back and regaining a sense of perspective on which risks are real now, and which may become real in the future but don’t require immediate attention. However — that’s easier said than done! Luckily, there are tools out there to help you assess risk and get advance warning of your biggest threats.

By thinking rationally (and from a hacker’s perspective) about which risks will result in actual harm, and which are purely theoretical, businesses can find a more balanced perspective on cybersecurity which can empower them to pursue opportunities and innovate as normal — without unnecessary fear. A healthy dose of paranoia is always a good thing, but practising moderation and reason (instead of perfectionism) is the most sensible, sustainable way to establish strong cybersecurity foundations. 


No posts to display