“Good Enough” Security

Two guys are walking in the woods and they come upon a big bear. The bear sees them as food and creeps toward them. The first guy starts to slowly tip-toe away, but the second guy takes off his hiking boots and pulls out his running shoes. The first guy says, “You can’t outrun that bear!” The second guy says, “I don’t have to outrun the bear, I just have to outrun you!”
This illustration is often used to show that you don’t have to have perfect security. True, perfect security is an illusion. But what does it matter if my security is better than my neighbor’s?
Let’s think of two common types of attacks. One is the network worm. It doesn’t care whose network it’s on. It doesn’t know whether my network is more secure or less secure than my neighbor’s. If I am vulnerable to the threat, I am hosed.
In another type of attack, I may be specifically targeted. Again, the attacker doesn’t care about my relative security. He is specifically after me.
This isn’t like home security, where a burglar will move on to the unattended home. Companies need to take steps to secure their network based on their business impact analysis. The only time being “faster than the bear” will help is when you are trying to prove due diligence.