Slogans such as this one distort policy discussions, planning and implementation on a variety of issues.
The issue here is cybersecurity but it could be sexual harassment, rape, terrorist acts (other than the first two), fraud, hunger, suicide, etc.
Take it as a given that there are no, repeat no, "no sparrow shall fall" systems.
Sorry to disappoint you but even with unlimited resources, which no project has, that’s not possible.
Every discussion of cybersecurity, or of any other policy issue, MUST address how much security (or risk reduction, if you prefer) can be obtained for N resources.
More likely than not you will always want more security than you have the resources to obtain, but acknowledging that up front enables you to prepare for what happens when security fails.
Which it is going to do. No ifs, ands or buts, all security systems fail. Some more often than others but they all fail.
I don’t consider Roswell to be a counter-example. The information, such as does exist, isn’t important enough for the effort required to obtain it. Some secrets remain secrets out of disinterest.
Once failure is recognized as not only an option but a certainty, designers don't have to waste time on plausible deniability or on accepting responsibility for every breach. Congress allocated $N resources, and for $N resources you get the rot-13 cipher level of security.
As opposed to the VA routine where Congress allocates $N resources to the VA but expects $N3 care for veterans. Why is anyone surprised the VA provided $N level of care and created mechanisms to deny $N3 care?
Of course, cheating and lying aren't the best options for dealing with a shortfall in funding, but that mirrors the behavior of the VA's funders, so it isn't surprising either.
Be up front with clients and say:
- Yes, failure is not only an option, it’s going to happen.
- Anyone who says differently hopes you manage by bumper stickers.
- Evaluate what $N resources can buy you against risk R.
- Plan your response to failure (as opposed to the post-failure blame game).
Such an approach will make you a novelty among consultants/contractors.