Literal Security Measures
Security measures and policies that we adopt for their literal namesakes
To maintain good relationships with our friends and families, we are always careful when taking a decision that might hurt them: we make sure we don't take things literally, and we get context before we decide and act. I am just drawing a line around the security measures and policies that we put in place for their literal namesakes. Some examples of taking things literally are:

Policies that block developer freedom. Too many access restrictions, and unnecessary tools that do not improve the security posture, such as DLP. DLP security is like the image below: anyone can easily jump over and bypass DLP measures.

(Image: from Reddit)
Saying no when new things are not well understood or not yet mature. For example, blocking the use of AI in daily work. Whether the company allows it or not, developers will have a tendency to use it.
Having strong opinions. I have seen security testers and researchers hold strong beliefs because they formed those beliefs from an incident at a previous company and then generalised it. For example, "sales and marketing are prone to bad security." This is a strong security opinion about the folks working in those pillars. Anyone could come up with a literal security opinion. How would you prove that the opinion makes sense in the context? Should you wait for signals to confirm it and then put up defences, or invest before that?
Why is compliance a literal thing? Just having SOC 2 is baby security. I do not consider it a security measure; it should be there by default, as the bare minimum. Community-led benchmarks and frameworks such as OWASP and CSP, and government-led frameworks such as NIST, can help us bring in context-aware security measures.
Who knows security, vendors or customers? Customers expect the vendor to meet their security requirements, which might not make sense because their questionnaires are like hammers, and to a hammer everything looks like a nail. Customers expect all vendors, small and large, to have the same security posture, which does not make sense. But those customer requirements are one of the ways to drive your security programs.
What drives your security posture? Is it fear, or a well-planned program? If the requirements are prioritised only from regulations and customers, then the security posture is a literal security posture. Literally, it is meant for running the show, like security theatre. It will feel like these security measures are just running. Basically, be ready to say sorry and put up defences after mishaps, like Ivanti did.
Expecting security to be perfect is a literal take. A few incidents will happen. That does not mean the current security measures are not working.