May 31, 2007

The Illusion of Security?

Ed and I watched the film "Pan's Labyrinth" last night. If you haven't seen it, it's worth the rent. A child is taken by her mother to live with a cruel and sadistic Captain who is in charge of "controlling" a rural village in Franco's Spain. The child's mother is extremely sick and the Captain is not a step-parent capable of providing any comfort to the frightened child.

Upon arrival, the girl encounters a large flying bug. Seen through her eyes the bug is a "fairy" that leads her, and the viewer, to wonderful places. Throughout the film the images of the fairy's world are intercut with very real images of the threat that the Captain's military force brings to the village and that the rebels in the woods around the military encampment bring to the soldiers. Watching the movie, the viewer doesn't know if the fairy's world is real (at least within the construct of the film's world) or simply in the girl's imagination.

Don't want to give away the ending, but suffice it to say that one of the messages of the film is that in some ways, it doesn't matter whether her safe world was a real retreat or a fantastical illusion. The fairy story brought comfort to the girl, and that is what mattered most.

It made me think about whether or not it matters if the security controls we put into place are essentially illusory, as long as they bring us some level of comfort. Take, for example, the fuss and hubbub going on about eDiscovery. If an organization followed due process and still lost or destroyed key information, will that be considered negligence punishable by law, or normal spoliation?

What about connecting to the Internet? In general, we feel better with a firewall in place and anti-malware on our hosts - but do these make us more secure? The rise in botnets, infected machines' cycles being sold off to the highest bidder, and phishing indicate that current solutions are not up to the task of protection.

HIPAA addresses protection of critical health information, but from news reports it appears incidents of loss are on the rise. And while PCI is supposed to provide comfort that our credit card information is being protected, incidents such as the recent one at TJX tell us otherwise.

While none of the regulations or technical measures mentioned above guarantee us on-line safety, there is no denying that we are, without a doubt, doing business on-line.

Perhaps we're all a bit like that child in "Pan's Labyrinth" - clinging to fairy stories of security because it's easier than facing the truth. And, if it gets us through the day, perhaps that isn't so bad. Business has to go on; is it a terrible thing that we tell ourselves security stories to ensure that it does?

Posted by Diana at 09:18 AM