Well, even though I think at the end of your comment you went a bit out of the way, I get your point and I agree to a certain extent.
You cannot reduce the risks to 0 - that's a matter of fact and I would never claim you could.
I tend to say it's a question of cost/gain. If the cost the attacker has to pay (work/investment/...) is higher than the possible gain (data/funds/...), you are on a good track for your company's security.
I'm btw not working for an ISP, rather for something you would see as a smaller-sized IT company. Therefore I also have certain points where I in theory could go a lot harder on security, but I don't because it's not feasible.
Another thing, especially in that regard, that I find important is trying to educate your users; at least we work on that. We don't just enforce hard rules on them, but we also try to make sure they understand why we have these rules and mechanisms in place - not to annoy them but to protect them.
Finally, that's my favorite point of your article: "force users to use lots of passwords".
Well, our business has to undergo regular audits by partners which are, let's say, rather meticulous when it comes to the security of our systems. These enforce certain things on us that we then have to enforce on our users, even if we don't think it's good.
So yeah, now you can blame me for enforcing something on our users, but keep in mind - it was also enforced on me - I even discussed certain things with these partners, trying to explain to them why some measures sound cool on paper but in reality are just impractical - not that anyone would care. So we implement it.
Therefore, the next time you argue that some security measure is just a CISO that doesn't really care about its users, maybe keep in mind that some things are forced upon us even though we don't like and don't support them.
I can see why you would take "online service provider" to mean an ISP, but I meant it to include SaaS and apps like WhatsApp, Google, etc. as well.
>Therefore, the next time you argue that some security measure is just a CISO that doesn't really care about its users
Oh, I didn't mean to imply that; there's no doubt that IT admins who over-implement security policies care in general. The critique is not about motives, rather about efficiency. I don't argue that they don't care or even that they are wildly inefficient, just that they are suboptimal on this specific point by going overboard.