This is not meant to be a rant; I’m looking for advice. I’m a security operator focused on cloud product infrastructure, but I believe this is a general question.
I commonly run into a problem where someone describes some esoteric/overcomplex threat scenario, and any answer short of complete mitigation is treated like we’re not doing our jobs. Most often this is customers’ security teams who have no incentive to accept any risk, or internal leaders who think about security in black and white. I’m looking for the words to use when I want to roll my eyes and focus my work on real problems.
A couple of examples:
From an exec: “What are we doing to prevent large scale denial of service against our site? What if one of our competitors wants to take us offline, and hires one of those DDoS-as-a-Service things?”
I want to say that the economics of that don’t make sense (for our particular business), that the risk is so close to zero that it’s not even worth the time we’re spending discussing it, but this doesn’t satisfy because I can’t prove it and I only have my instinct to back it up.
From a customer: “How do I know one of your (approved) engineers isn’t accessing the product database and pulling out my data?”
Yes, we do have a small number of privileged reliability engineers who can access the databases, because we’re a 30 person company and sometimes our legacy database has schema errors. Your “data” consists of email addresses and your org structure. Why is this a deal breaker?
How have you addressed this problem? I know our industry has a lot of CYA but there has to be some reasonable way to navigate the conversation. Thank you!