Gunnar Peterson channels Hunter S. Thompson with a great little essay on “security.” I’d take this further and replace the person in the essay with “organization.” The same will hold true.
There are two points to make if one wants to reduce the possible weight of this essay on “security” as we usually talk about it in infosec worlds. Disclaimer: I’m being devil’s advocate here, but I really do like the essay and in general agree with it.
First, persons can’t avoid all risk, i.e. sit in a rut. Even if you’re sitting in your rut, your identity may be stolen, your system trojaned, or your organization may be experiencing an attack of some measure. Thompson’s security in the essay is more akin to an on or off situation, whereas information security today can’t really be off. (Unless you have no assets and no data and no systems…). Hunter’s position is that of either reaching out and grabbing for improvement (risk), or sitting back and doing nothing (no risk).
Second, and this is really silly and minor, but not every entity needs to strive for more. I may be upsetting economic science or business paradigms by saying it, but I don’t believe every entity needs to always be improving. If I run a business that makes $500K a year for myself, I might be happily satisfied with that, no? This tackles Hunter’s points in the last paragraph about defining happiness, really. Maybe an organization is just fine achieving a comfortable level of security by not pushing the technological envelope any more than they have already. Some may see this as a rut, but maybe they see it as having reached their goal?