Sometimes it takes the absurd to realize common sense has left the building.
I saw this today while wandering the halls of the office and had to take a picture.
Here is an example of a security control, which cost money to purchase, time to store, manage, and implement, and causes users a delay of access for a resource which is likely not desirable by imminent threats. It runs the risk of permanent denial of the asset if the key is lost and a temporary lack of immediate access as the key-holder is not readily known. The most important aspect of this situation is the overall cost of the security control is more than the value of what it is protecting. Security gone awry.
I am no expert on the street value of these toroidal entertainment objects or if there is a rash of hula-hoop theft in the office, but I suspect neither is real or meaningful enough to warrant padlocking in a secure building with vetted employees. The office is full of expensive equipment, Intellectual Property, and other valuable sundries which would seem to be more likely targets for appropriation. Yet, someone decided to go out of their way to secure these with a padlock.
Can we apply this bit of afternoon silliness to our world of information security? You bet. How often do we look at the cost and impact of security controls in relation to the value of what is being protected? It is easy to automatically lock everything up and think security has justly been instituted. But as this example shows, that is a disservice to the underpinning concepts and true value of security.
As practitioners and beneficiaries of security, we must effort rational decisions to insure we achieve the right balance. We should support the application of security where it is needed and challenge superfluous bureaucracy, spending, and unnecessary controls.
As painful as it may be, it is okay for security experts to conclude 'more security does not make sense or add any value here'. We donâ€™t always need to add more. Sometimes less security is the right answer.