Even under the best of conditions, developing an information security programme that is both efficient and successful is a difficult task. Because new dangers, technologies, and laws are constantly arising, the landscape is always changing. As a result, it is easy for organisations to become overwhelmed by the sheer volume of advice and requirements about controls, frameworks, and technology. Consequently, there is too much work to be done, and not enough advice is provided regarding what measures are genuinely helpful in mitigating risk.

You may feel you have no choice but to attempt to utilise the highly descriptive idiom “boil the ocean” when you are in a difficult situation. So, to try an impossible task or project, or to make a task or project unduly tricky, is a phrase that is sometimes referred to as “boiling the ocean.” To put it more succinctly, “to try and do everything.”

This idiom may teach us an important lesson about security, and we should pay attention to it. The key to adequate protection is striking a balance between ideals and reality. Compiling a list of potential hazards and dangers to the organisation while concurrently ranking them in order of importance. Attempting to reduce risk while being aware that some degree of uncertainty must be accepted as inevitable in every endeavour. Developing a security programme notwithstanding the possibility that some of the people, processes, or technologies involved will be lacking or not functioning perfectly. Conducting security operations with the recognition that the surrounding conditions are seldom optimal. Finally, striking a balance between the requirements of commercial or operational activities and general security standards.

From my point of view and based on my experiences, trying to improve an organisation’s security posture by boiling the ocean is not possible. Trying to take that approach invariably exposes more significant risks for an organisation, as they cannot implement even the most fundamental controls. How can enterprises move away from security strategies based on “ocean-boiling” and towards more pragmatic security strategies?

Here are 8 signs you are trying to do too much:

1. The pursuit of perfection comes at the cost of the good. The 80/20 rule is one that I have a lot of respect for. It is often feasible to swiftly implement a solution that covers most of what we want, even if it doesn’t cover everything. However, suppose we wait for the answer to solve our problems perfectly. In that case, we can wait for quite some time (and we probably won’t be able to afford it).
2. Pointing out the issues with every solution. Throughout my career, I’ve had the opportunity to collaborate with many outstanding security professionals who appear to be able to find a solution to almost any challenge they confront. But unfortunately, I’ve also had the experience of working with some who always try to show how immensely clever they are by finding fault with every solution. The former helps organisations learn and mature of organisations, and the latter causes them to be unable to make a choice.
3. An inability to locate a way to go forward. Making any effort to advance any solution can seem like an endless succession of dead ends. This is a sign you may be overcomplicating the way ahead. A less complicated path may bring about more achievable outcomes. Apply the 80/20 rule and stop trying to be so clever.
4. Continually on the lookout for more information. It is simple to put off making a choice since you are focussed on gathering additional information. However, you will eventually reach a point where you must come to terms with the fact that you have had practically all the pertinent information for some time. Therefore, you just need to make a choice.
5. Always waiting for something. There will never be enough financial support, qualified employees, or time, to complete every possible task. So establish your priorities, focus on the first one, and then begin moving.
6. Being buried alive by noise. If you are inundated with alerts and notifications, you are already falling short in some way. Find a way to only get notified of the things that are important to you and fewer things that aren’t as important to you.
7. Inability to prioritise risk and let things go. Every threat appears to be of the utmost importance. However, we must make thoughtful decisions if our available resources are restricted. If we cannot do that, we risk not providing any solutions…
8. Draconian policies. Ocean boiling is to blame for most of the severe security measures I’ve encountered throughout my professional career. It is helpful to clearly understand which rules and procedures genuinely assist in boosting security and which ones only make ocean boilers feel better about themselves.

Any organisation that must guard sensitive or valuable information has the formidable challenge of maintaining adequate security. However, securing all that data can be intimidating in an ever-changing threat landscape. It’s easy to forget that even small changes can have a big effect. The best way to ensure your data is safe is to focus on the problems that pose the most significant threat but can be fixed with the least effort.