Cybersecurity in a vacuum with spherical frictionless OS is awesome but in a real production environment things get fuzzy. To give you an idea, the fuzziness is so severe that there’s a whole line of work called 2nd line security which was invented almost entirely to deal with the most important and devastating problem plaguing the industry: how to have the MBA pukes in “the business” understand why security isnt just some dick-waving excercise by nerds with a hard-on for *tightly* closed port ranges, while at the same time explaning to the dick-waving nerds that we run a business and that’s what pays for their fancy toys and consulting hours.

IT security is a constant balancing act between these two polar opposites. Want to air-gap a system to prevent cyber-attacks? Here’s a shopping list of processes that are currently being done through APIs and whatnot but will now have to be entered manually through a dedicated workstation. Need to put your server in the DMZ because reasons? Have this nice risk assessment of how long it’s going to take until some russian pwns your little box, and what you’re going to lose; please sign off on the risk.

It’s a never-ending dance to try and figure out the correct security posture, based on your risk appetite, your actual threat profile, and how much Flak your are willing to catch from your production teams and possibly your management (protip: get *them* on board first, preferably through a dark ritual of blood and flesh), as well as the eternal sinews of war (money). Once you got that figured out, you stick to it. And if they’re not happy they can suck on it till they fucking chew it with their sphincter because there isnt a single point in the scale that will make most of them or any of them happy, and the whole point of the exercise is to have an agreement on where the security stance will be so that you have a plan to follow and something to show when the shit hits the fan and people start pointing fingers: “See, we knew that there were risks, they were estimated to be so and so, and we agreed that they would be accepted/mitigated/transfered so that we can remain competitive and grow our business, and our auditors thought it was cool. Blow me.”

And sometimes that involves leaving the billing system accessible from the internet, because someone fucked up and missed out on the process of mapping out critical system dependencies and leaving a glaring hole in their Incident response and business continuity scenarios. Oh we havent talked about that yet? I could write another paragraph on that but id rather just tell you to check that your fcking backups are kosher over-write proof because in the end that’s your lifeline.