General Security Concepts

Learn to secure an organization by carefully introducing security measures.

Maintain an organization’s security posture

Each security decision should address at least one of the concepts in this section. If it doesn’t, challenge its value. Implementing a new control means making a change to the production environment. Any change runs the risk of breaking something that was working before or even increasing the attack surface. Changes shouldn’t be taken lightly. Any change should maintain, if not improve, an organization’s security posture. Therefore, if we decide to implement a security control, the net benefit of that change should be mapped back to a core security concept.

Security theater

Security theater means implementing a security control only to be able to say that one has been implemented, without actually improving security. Since changes like this don’t make the organization any safer, we want to avoid them.

An increase in an organization’s complexity

Changes also run the risk of increasing an organization’s complexity. There’s a general rule that the more complex something is, the greater the chance that something will go wrong. In a security context, complexity increases the likelihood of vulnerabilities and bugs being exploited. In addition to their contribution to security, proposed changes should also be evaluated for complexity. Changes that increase complexity should be considered carefully because they can adversely impact the organization’s overall security.
