Balancing, estimation, & trade-offs
As with most anything in life, security is about balancing risk, estimating outcomes, and making trade-offs. For example:
- ALLOW vs. DENY
- vulnerability & exposure vs. resources & opportunity
- FUD vs. impact x likelihood = risk
- preventative vs. reactive vs. detective controls
- paranoia vs. trust
- people vs. process vs. technology
- freeform vs. structured
- secure / hardened vs. usable / accessible
- unskilled "script kiddie" vs. skilled adversary
- delivering results now vs. delivering more-secure results later
Success is sometimes dependent on navigating those trade-offs across the security stack (or whatever view/framework/reality you prefer to apply). The rest of the time, we may have just got lucky.