In the world of cybersecurity, not all measures are created equal. Many security controls implemented by organizations today are, in fact, useless - wasting valuable resources and potentially making systems less secure. This article explores how to identify useless security controls and why they pose a significant problem for the industry.
The Chimps in the Cage Analogy
Imagine a group of chimps in a cage with a ladder. Whenever one of them climbs the ladder, a researcher sprays the whole group with cold water. The chimps learn to stay off the ladder. Over time, new chimps are introduced and old ones removed. Eventually, none of the original chimps remain, and the spraying has long since stopped, yet they all still avoid the ladder. This illustrates how useless practices can become ingrained without anyone understanding why.
Spotting Useless Security Controls
How can you tell if a security control is likely useless? Here are some key signs:
- The justification is vague, like "to improve security" or "for compliance"
- Those implementing it can't clearly explain the reasoning
- The rationale can't be summarized in 2-3 sentences for someone with basic technical knowledge
Useful controls typically have clear, concise explanations. For example:
"Encryption in transit prevents eavesdropping on network traffic between endpoints."
"Private S3 buckets prevent accidental public exposure of sensitive data."
While security can be complex, the core purpose of controls should be easily articulated.
The Harm Caused by Useless Controls
Useless security measures are more than just ineffective - they actively damage cybersecurity efforts:
- They waste limited resources (budget, personnel, time)
- They use up the finite "security goodwill" of employees and users
- They propagate across the industry via compliance frameworks and vendor questionnaires
- They get embedded in contracts, becoming difficult to eliminate
This leads to security teams spending significant effort on low-value activities instead of addressing real risks.
Moving Forward
To combat this issue:
- Always understand and be able to articulate why you're implementing a control
- Question vague justifications from security teams or vendors
- Evaluate existing controls and eliminate those without clear value
- Push back on useless requirements in compliance frameworks and contracts
By focusing on controls with demonstrable security benefits, the industry can better utilize its limited resources to tackle genuine cybersecurity challenges.