The Perfect Is The Enemy Of The Good

Voltaire once said "Le Mieux est l'ennemi du bien."  Which translates roughly into "The perfect is the enemy of the good."

I, not being a writer of Voltaire's prolific stature, have often expressed this sentiment in my own way: "Anything worth doing is worth doing poorly."  Which usually attracts some puzzled looks from my colleagues...

Yeah, Frenchy probably said it more eloquently than I ever did, but the sentiment is the same:  Don't get so wrapped up in doing something perfectly that you ultimately don't do *anything*. 

This concept first hit me a few years back, when I was watching the old reality show "Project Greenlight".  The show, if anyone remembers, was a reality show on HBO I think about making an amateur film funded by Matt Damon and whatever his buddy's name is (see, I could be "perfect" and look it up, but it's not really that relevant and so I'm satisfied calling him "What's his face").  The movie starred a then-unknown Shia LaBeouf, who has since gone on to star in an annoyingly large number of blockbusters.  But I digress.

During the filming of the movie, the director was having a hard time getting a shot just right, and kept doing it over and over again.  The producer finally came over and said "You know what? It's FINE. We're not making Casablanca here."

That resonated with me.  Not everything has to be perfect to be good enough.

I get afflicted with this attitude myself, from time to time, even these days.  For example:  I was having a problem with shin splints on the treadmill a couple months back, so wasn't doing the cardio my trainer had prescribed me.  She was frustrated, and finally said "So do 15 minutes instead of 30, if that's all you can do.  It's still better than nothing." (I've since switched to the elliptical trainer, and don't get shin splints there. Thanks for your concern.)  That's a perfect example of letting the perfect be the enemy of the good.  It was a case where it was better to do a thing poorly, than to not make the effort at all.

How is this relevant to information security?  Well, take a look at some of the standards out there.  ISO 17799, for instance, has mechanisms in place to identify controls that are not fully mature, but you frequently get points for doing *something* to satisfy the control objective and acknowledging that there's work left to be done in that area.  As long as you have a plan in place to continuously improve, you're going to be able to satisfy many control objectives with a solution that is imperfect, but "good enough".  Just demonstrate that you've assessed the risk of that imperfect control, and have chosen to either accept the risk, or have a plan in place to improve it at some point in the future.  Obviously some controls are absolute, and you don't have that kind of wiggle room, but a great many are flexible, given a demonstrably mature risk assessment process.

Maybe your current logging solution has some gaps in its feature set, and doesn't satisfy non-repudiation requirements.  Does that mean it's useless?  Certainly not.  And if you can't afford to purchase a logging solution that has non-repudiation protections, does that mean you shouldn't deploy a solution you can afford that has 50% of what you need?

I can list example after example of companies that choose to deploy no solution, because they can't yet afford to deploy the "perfect" solution.  This often is in direct conflict with what is good for the organization.  Even a 10% solution is improving your security posture in some meaningful way, in the vast majority of cases. 

In these times of tight budgets and reduced staff, we may all have to put aside our dreams of "the perfect", and be satisfied with the "good enough".

Who knew Voltaire was such a visionary on information security, way back in the 18th century?

posted @ Sunday, February 08, 2009 2:38 AM

Comments on this entry:

# re: The Perfect Is The Enemy Of The Good
by Michael Janke at 3/14/2009 3:31 PM

I generally agree with this philosophy, subject to the caveat that things which are partially implemented and just barely good enough are rarely re-implemented or improved upon. Time/budget/managers rarely permit raising a 10% solution up to 90%.

In other words, the 10% solution might still be there 5 years from now. In some cases that is still better than nothing.