This is a good take on something I’ve been advocating for a long time. Wearing both the security and network manager hats as I do it’s useful to remember the concept of the C-I-A triangle from your CISSP exam. The A stands for “availability”, something a lot of security professionals forget about. To many see “confidentiality” and “integrity” as far more important. It kind of reminds me of the three branches of the US government. “Availability” is the Supreme Court of security.
The three make more of a Venn diagram, really. The sweet spot is where all are in balance is what we should strive for as security professionals.
Putting my network manager hat on, the triangle is more about performance, resilience, and value. I don’t use cost as a metric for a variety of reasons, which will make for an interesting post on it’s own. Yet again, where the three overlap is the sweet spot for network availability.
The most fascinating aspect to these in my organization is the fact that the argument for both security and network are basically the same – what do you, the customer, want to pay for insurance that your location will stay up and running through most critical events?
Interestingly, it just occurs to me that in both areas simplicity is critical to success. I’ve seen severely over-engineered network setups meant to provide redundancy only to have the actual outcome assure that the network is more vulnerable to outage. The same happens with security. Labyrinthine machinations usually keep people from doing their work and dives users to find ways around.
What do you think about resiliency and simplicity as the aspirational end-game of security and networking?