Ian Grigg seems to have kicked off a micro-trend with “The most magical question of all — why are so many bright people fooling themselves about the science in information security?.” Gunnar Peterson followed up with “Most Important Security Question: Cui Bono?” Both of these are really good questions, but I’m going to take issue with Gunnar’s claim. Who benefits is a great analytic tool to bring to the table, but it’s not the most important. The most important question isn’t even “Are you getting the outcomes you want?” or even “Are your controls producing the outcomes you want?”
I really like both of those questions, but I don’t think they quite capture the position of best. They’re better than many, which is an important step forward. But we can still do better. Security isn’t something people want in and of itself. It’s a property that you want for things. In the same way that people don’t go and buy a usability product, they don’t really want to buy security products. They might buy a reliability product (like a fail over system, or a high availability storage system), but they’re buying it to enable something else. And even as we work on our speciality, and even as I think it’s important, it’s part of the business, and so my proposal for today’s most important question in to ask security is:
How’s that working out for you?
It’s sad how often that brings smart folks in security to a dead stop. We can and should do better, and I think that “How’s that working out for you” helps us get better outcomes faster than “qui bono.”
And I’m optimistic that someone will say that question isn’t working very well for them, and offer up something better.