For three decades now, I have had a feeling that our constant (business) pursuit of efficiency was going to turn around and bite us at some point. (In the press of other events and research, I haven't been able to study it as thoroughly as I would have liked to.)
Well, now, Bruce Schneier (it would be Bruce, wouldn't it?) has pointed out that the COVID-19 pandemic has amply demonstrated that efficiency is bad for security.
Initially, and specifically, efficiency eliminates redundancy, and efficiency is therefore at odds with business continuity planning. (As we tend to say in security, a redundant backup is not redundant when you need it.) Our pursuit of efficiency, and our elimination of margins in pursuit of immediate profits, has created extremely brittle systems and supply chains. It has taken a global crisis to point out the danger. Unfortunately, it has put us, globally, in a business situation facing massive debt, which will take at least a decade (at best) to climb out of, and which a great many businesses will not survive.
It is possible that the failure of so many enterprises will force business management and economics to re-evaluate our devotion to efficiency and unrestrained capitalism as the only guiding principle for business. One can hope, but I do rather fear the old adage that history teaches us that history teaches us nothing.
Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413
This message may or may not be governed by the terms of http://www.noticebored.com/html/cisspforumfaq.html#Friday or https://blogs.securiteam.com/index.php/archives/1468
We have recognized these problems for decades. Remember 20 years ago, when Mac and *-ix proponents were begging their enterprise deciders-in-chief to embrace not only redundancy, but diverse redundancy. They were making the case that the all-Micro$oft environments pushed for the sake of financial and service support efficiencies pretty much guaranteed total disaster when the crunchy outer shell of a network was broken by a single example of M$-specific malware.
Even though my account is dead, a) I'm still getting subscriptions, and b) "reply-via-email" still seems to work.
So, if any of you lot want to go into "CISSP questions," and, every few days, post *any*thing (even just, "hey, how about another CISSP question?"), it seems I'll get it, and can reply to it with another question posting.
("Reply-via-email" only works once per posting, and is unreliable about a third of the time, so, if you want more CISSP questions, somebody will have to keep posting there on a semi-regular basis.)