Thought-Terminating Cliches and Infosec

Posted August 17th, 2010

Reference: Thought-Terminating Cliches. They’re such ugly things, they’re all over the security industry, and they need to die, mostly because they are so obvious that we have to get rid of them before we can introduce any new ideas.

I’m just starting a collection; feel free to add more:

  • Compliant doesn’t mean secure.
  • You can always go above the minimum baseline.
  • You don’t know what you don’t know.
  • Security is a journey, not a destination.
  • We all know that $Foo is dying/dead/failing/stillborn.
  • There is no silver bullet.
  • It’s security, it’s supposed to be hard.

Posted in Rants | 7 Comments »

7 Responses

  1.  Andy Willingham Says:

    Industry Standards
    Best Practices
    Defense in depth
    Fear, Uncertainty, Doubt (FUD)

  2.  Christophe Pradier Says:

    I’m sceptical about it… Sure, these are clichés.

    I think it would be better not to point to them as clichés but rather as bad formulations of good ideas.

    For instance, “compliant doesn’t mean secure” is the typical sentence you’ll hear from someone who doesn’t want to speak more about a subject. That is, indeed, a thought-terminating cliché. Yet, you can’t say that it’s wrong…

    For this particular point, I would rather say that compliance is one specific part of security. I would define security as Confidentiality, Integrity, Availability and Compliance (to legal and internal constraints). Less thought-terminating, it lets you see that you’d better run parallel processes for these different parts, with different audits, criteria, people, etc.

    “Security is a journey, not a destination.” So true, but I would rather say that security is not a static asset, it’s a constant re-evaluation of security needs, more than everything else.

    “There is no silver bullet.” That’s a word you could hear from a conscious CISO. I would however rather say that the review and enhancement of existing IT services (ITIL sense) and security measures is of more value than the implementation of ever-newer “security products”.

    As for the list itself, I would happily add the item “You can’t reach 100% security.” or “There is no 0% risk.”

  3.  Mike Says:

    “Data wants to be free”

  5.  Christophe Pradier Says:

    Oh, and of course “multiple security layers” as an excuse to the fact you don’t actually control the endpoints…

  6.  LonerVamp Says:

    “You can’t patch stupid.”

    Amen. I’d pull some of those items out though and put them into a list of “fundamental laws” that really don’t ever need to be said because they’re so obvious, but they do formulate the bedrock of our approaches (kinda like scientific laws and simple statements make the foundation of more complex assertions).

    “Compliant doesn’t mean secure.”
    “You don’t know what you don’t know.”
    “Security is a journey, not a destination.”
    “There is no silver bullet.”
    “It’s security, it’s supposed to be hard.”

    These are cliche only because too many people still bandy them about like new insights. Or, like you say, as thought-terminating cliches and you just want to slap someone for leaning on them too much.

  7.  Prenston Gale Says:

    Let’s not forget –

    “What gets measured gets improved.”

    “It’s security for security’s sake.”
