Hacker News

To be fair, sometimes the security team is wrong or being over-protective. There has to be a balance because it's too easy to think of "what if", Mission Impossible style, scenarios that have no bearing on the real world.



You're absolutely right. I have two main job functions:

1. Instead of saying "no", saying "not that way, but let's figure this out together".

2. Evaluating risk and modeling threats: "this is who we're protecting ourselves from, and here's what happens if we fail." If a bored teenager on their couch hacked our website, it would be embarrassing because someone without a lot of resources would be able to make changes to our display system, even if no real harm was done. If North Korea hacked our user database, it would suck and be bad for our users, but in practice not too many people are going to get angry at us for being attacked by a hostile nation's government as long as we were doing the right things.

(Note: that's grossly simplified, and it's not like we're "heh we don't protect against nation states".)


The more I'm online the less I feel like there's ever such a thing as over protective.


There's such a thing. You can get asymptotically close to "perfect security", but it really is a risk evaluation game. Is it worth it to spend $20,000 to run a pen test and make sure we're not grossly vulnerable to attack? Sure! Is it worth spending $50B to develop our own hardened OS, hosted inside our data bunker with airgapped servers running on custom CPUs? Probably not. The challenge becomes how to identify when you're as good as you reasonably can be given the threats you realistically face on a budget that doesn't resemble a small country's GDP.


Of course there's always a scenario that could be malapropos; yet most of the time we're not comparing $20k to a figure that has a larger GDP than many countries. I always get a kick out of people on the internet who take what I say and blow it way out of proportion to try to win an argument against me that I never made in the first place.

Anyway, I agree with your last sentence; at what point is something "good enough". Lately I feel like the "good enough" in a significant amount of corporations isn't acceptable. I'm in healthcare and the absolute lack of security in my day to day is absolutely amazing.


I think you're reading stuff into my reply that I didn't intend. I didn't want to argue with you. I read your post as though you were asking a question, and I answered it.

I agree with you on that last bit. While it's important to have your compliance ducks in a row, a lot of shops seem to feel like "we've checked all the audit checkboxes so we're secure now!" No. All that stuff is nice, but having a documented process for deciding who gets root on your database servers is not the same as actually securing your database servers.



