Is Poor Security Worse Than No Security?

As Lead Systems Engineer (EMEA) at Tripwire, I’ve had the pleasure of sitting down with and talking to many prospective customers about their security needs. I always ask about their existing digital capabilities during our talks. When I do, I usually get the following response: “We have lots of different tools, but these solutions are either misconfigured or not used often.”

I can’t tell you how many times a prospective customer has told me something along these lines. After hearing it over and over again, I couldn’t help but wonder: is no security possibly better than a state of poor security where you falsely believe that you are in fact adequately protected by existing tools that might be misconfigured or rarely used? Is this false sense of security worse than no security, in other words?

As I see it, there are two sides to the argument. On the one hand, it’s better to have something than to have nothing. When something goes wrong, you’ll, therefore, have forensic evidence of where it went wrong and what you can use to try and mitigate it the next time it happens.

On the other hand, the damage is already done at that point. The company’s sensitive data is compromised. Its intellectual property exposed. Its reputation tarnished. There’s nothing that can be done to spare the organization from the consequences of the already successful security incident besides saying “We’ll do better next time” and implementing changes that will hopefully help you keep your word.

But propping up a system with more technology that won’t be frequently used or correctly configured does not make for a meaningful post-data breach security upgrade. More than that, it’s not smart from a financial standpoint. Your organization can’t afford to keep throwing thousands if not millions of dollars (Read more...)