Success is a lack of failure, it’s not about meeting mission objectives

The Risk Management Framework puts in place procedures to eliminate as much risk as possible. From the perspective of the Framework, the only success that can be had is if a system does not fail or is not found to be insecure. Success is measured as “not failing.”

There are seemingly infinite ways for the Risk Management Framework to fail and only one way for it to succeed. Furthermore, that success is always in jeopardy. It can be proven in the past and the present, but never the future. Because of this approach, and because nothing can move forward without an ATO, mission outcomes are effectively seen as a lower priority than data integrity.

“At one time, I was explaining that the government would want something to fail closed and they were like, ‘What? Don’t they want their service to operate’?”

In the area of technical security, perfection is unattainable. Experienced security professionals expect and plan for scenarios in which they lose data or experience performance failures. Success is measured less in terms of completely avoiding incidents and more by how quickly and effectively incidents are remediated.

Experienced security professionals do not seek to prevent all risks. Even if all risks were known and could be mitigated, it is rarely practical to address all risk. Instead, experienced professionals evaluate risk and manage it proportional to the cost of failure. In theory, this is the value of the Risk Management Framework. In practice, this balance is rarely achieved.