Security’s Dilemma – Damned if you do, Damned if you don’t

(Last Updated On: November 14, 2007)

The Security Trap for everyone in the profession …

  • If you do your security job well … your management asks “What are you doing, and why am I spending all this money on security?”
  • If you do not do your security job well … management asks “Why didn’t you do something to keep this from happening!?”

This is the big security dilemma we face in the industry. If people do the right thing, protect their networks, and fight against the cyber-criminal economy, then the natural consequence will be a safe Internet experience with no business impact. After a time, management does not see a business reason to keep some of their most experienced, flexible, and dynamic engineers working solely on Security. The result – resources reassigned away from Security.

While many security pundits are talking about the increasing threat, many of my peers – the top SP Security talent in the industry – are getting pulled away from full-time security work. Their management feels no pain. They don’t see the DOS attacks, customer complaints, SLA violations, or a help desk being hammered with complaints. Does that mean the security problems are going away? No. The empirical evidence still shows that the security issues on the Global Internet are increasing, fueling a dynamic and healthy cyber-criminal economy.

What we are seeing is the cyber-criminals learning a new principle – Stay below the Pain Threshold. The Pain Threshold is the point at which an SP or Law Enforcement would pay attention. If you are below the pain threshold – where you do not impact an SP’s business – then the SP’s Executive Management does not care to act on the threat. If you are below the pain threshold – where you do not have a lot of people calling the police – then Law Enforcement and Elected Officials do not care to act. The Pain Threshold is a matter of QOS, Resource Management, and picking targets which will not trigger action.

The consequence of this new principle is interesting. It means that organized crime knows that if they stay below the threshold, resources get pulled from tracking and stopping them to be pushed to other projects and programs which are more critical to an SP’s business. It demonstrates a higher strategic thinking in the global cyber-crime war.