Some things are obvious to those who work in security but genuinely surprising to everyone else. This is one of them.
How technology complexity changed the security picture
The environment security professionals operate in today looks nothing like it did ten years ago. Where once we ran virtual machines on-premises, we now use cloud instances. Where once we used OS images to ensure consistent builds and control baselines, we now use infrastructure as code and containers. And the organisations those systems serve are also changing, with technology estates growing in size and complexity as businesses evolve.
That growth rarely reverses. New systems get added, old ones continue running, networks expand, firewall rules accumulate, and VPNs and cloud links get added on top. Software complexity grows with it: more patching, more configuration management, a broader attack surface to monitor and manage.
Why perfect security is impossible
The classic image of security is a castle. High walls, solid gates, a wide moat. The enemy is always outside. Trusted people are always inside. The stronger the attacker, the higher you build the walls.
In cybersecurity, that model does not hold.
Castles are built from stone. Technology defences are built from bits and bytes whose state is constantly changing. Configurations are updated. Software is patched. And attackers can subvert bits and bytes too. They can also subvert the people operating the defences through phishing and social engineering.
Add to that the ever-growing size and complexity of what you are defending, combined with the business need to move data in and out of those systems continuously. The idea of 100% security simply does not survive contact with this reality.
If that is what you are aiming for, you are directing resources towards an impossible target.
Aiming for adequate security instead
The right goal is adequate security. Adequate means protecting the business from enough risk without going beyond what the situation calls for. What counts as enough will vary significantly between a nuclear power station and an e-commerce business.
Reaching that bar requires knowledge about your own systems and business. What risks does the business face if a particular system is compromised? What could an attacker gain by targeting your organisation? Some systems are of very little interest to an attacker. Others carry major consequences if they are successfully attacked.
You also need to understand your weak spots. For systems that do carry significant consequences, where are their vulnerabilities? Are they correctly configured? Hosted on a secure network? Protected by authentication?
The common thread is risk. What is the likelihood of something going wrong, and what would the impact be? Answering that question requires knowing what attackers are targeting, what they could gain, what the business consequences would be, and where your security gaps are.
Security is not about perfection. In a world of growing complexity and overextended security teams, perfect is most definitely the enemy of the good.

Jonny founded Threatplane in 2017. With a background in offensive security, he has spent 15+ years helping organisations across defence, financial services, healthcare, and manufacturing understand and manage their technology risks.