July 13, 2006

Is good enough security, good enough? (Are we the good enough generation?)

Michael Farnum has a good post today (I will spare you all another picture of Michael, but you can see him on his blog) on the reality of UTM. The point Michael makes, and credits Chris Hoff for originally making, is that many people don't do what may be best in security; they do what is "good enough". Forget UTM: I am sorry to say that in just about all matters dealing with security (and everything else for that matter), with the exception sometimes of a few key verticals, good enough security is good enough.

This has been a hard lesson we have learned at StillSecure. My sales team and SEs are constantly talking to customers about why SNMP is an inferior way to achieve port-level access control versus 802.1x. You know what? Most security admins, especially in the .edu space, just don't care. They can have something without a lot of work and it is good enough. I have thought for a long time, what is the use of just checking for anti-virus and patch levels when you can check for so much more? The answer: it's good enough. On IPS, why would you just turn on a few rules and not do a better job of checking traffic? Easy, it's good enough. Here is another one: on vulnerability management, with so many vulnerabilities out there, why scan occasionally? Good enough, you got it.

My perhaps jaded experience is that our IT culture views security as something that has to be done good enough. Did I do enough to satisfy the regulatory issue (Farnum makes the point that this can actually hurt security)? Can I check off the check box by just doing it good enough? Then we wonder why ChoicePoint and VA style data losses can happen. We ooh and aah about the amount of losses reported due to security breaches every year. But we won't get off our butts (collectively) to do more than good enough. We will bitch and moan about big brother government making us do something about security, but face it, without them, would we even do the minimal things they ask of us? I know it is about managing risk, but all too often good enough is good enough when it comes to security.

PS - the more I think about it, I am not sure this is limited to just information security.  I think "good enough" pretty much sums up a classic view of America lately.  Why don't we have a better alternative energy policy?  Why don't we do a better job about poverty, education, health?  Maybe what we have is good enough.  Is good enough the real mantra of America today?  If the WW II generation was the greatest generation, are we the good enough generation?


disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure or anyone else.
