Shostack + Friends Blog Archive


"It's so Confidential, even we don't know the number"

I’m just wondering how often any of you encounter this phenomenon. The dialog goes like this:

You: “We’d like to define a metric for overall security and risk, and then publish it to stakeholders and business partners…”

Executive: “Wait right there! No way! That’s too confidential!”

You: “Excuse me? Confidential? You mean you already know what the number is, and revealing it will seriously harm your business?”

Executive: “No, we don’t know the number.  It’s so confidential, that even we don’t know what it is.”

Of course, the conversation never goes exactly like this, but I hope you get the drift. The executive asserts the importance and critical nature of an overall metric for security and risk, then uses that very importance as an excuse not to even try to estimate it in the first place.

I’m going to coin a label for this: “meta-taboo”. The topic itself is not taboo, but any discussion about how to actually get there or deal with the topic is taboo. (Another example: a humorous label for a design document from my early days in engineering: “Burn before reading.”)

Of course, this is a sign of an unresolved inner conflict in the executive, or more likely a blind spot in the social psychology where we bury our collective fears, our collective fictions, and our quid pro quos.

The Cone of Silence from the "Get Smart" TV program. It was so effective that it prevented all communication!

Anyone else encounter this?
