What does “Security is our top priority” really mean?
The blog questions the validity of "Security Is Our Top Priority" in organizations, advocating for a balanced approach to security without neglecting user experience. It suggests a scoring mechanism for risk assessment.
The blog post discusses the concept of "Security Is Our Top Priority" in organizations, questioning its validity and practical implications. The author highlights the limitless nature of security efforts and the trade-off with user experience. They criticize hollow marketing claims and advocate for a balanced approach to security without neglecting other aspects. The post delves into the complexity of prioritizing security measures, suggesting a scoring mechanism to assess risks and determine necessary controls. The author emphasizes the need for honesty in companies' security statements and proposes a more realistic alternative to claiming security as the top priority. Overall, the blog encourages a mature and thoughtful approach to security, acknowledging its importance while avoiding extreme positions that could hinder overall effectiveness.
Related
Why I Attack
Nicholas Carlini, a computer science professor, focuses on attacking systems due to a passion for solving puzzles. He categorizes vulnerabilities as patchable or unpatchable, stresses responsible disclosure, and highlights the importance of going public to prevent future exploitation.
Security is not part of most people's jobs
Chris Siebenmann discusses the lack of security priority in workplaces, where job performance overshadows security adherence. Rewards for job skills often neglect security, hindering its importance and feedback mechanisms in organizations.
Managers have no human rights
The blog post critiques the unequal human rights treatment between managers and individual contributors, emphasizing challenges like competition and unrealistic expectations. It discusses dysfunction in organizations and parallels between high-ranking contributors and managers.
Six Dumbest Ideas in Computer Security
In computer security, common misconceptions like "Default Permit," "Enumerating Badness," and "Penetrate and Patch" hinder effective protection. Emphasizing a "Default Deny" policy and proactive security design is crucial.
Lennart Poettering: Fitting Everything Together
The blog post explores integrating systemd components for Linux OS development, emphasizing hermetic /usr/ design, image-based OS with security features, self-updating systems, and community-driven desktop OS with advanced security measures.
I've spent time in the classified world. Security can be obtained, but costs are high. At the aerospace company, we estimated for bid purposes that running a project at SECRET doubled the cost. Running at levels above that became even more expensive, and much slower. You have to partition things, so that only the really critical stuff gets the most expensive protection. It's common to have a project where the project is mostly unclassified, many things are SECRET, and a very few things are at higher levels.
The military views security as time-limited. When and where the attack will start is highly classified until the attack is underway. After that, there is no secret. New weapons systems eventually get used or cancelled, after which they're less secret. The intelligence community wants to protect info forever, though.
The credit card services get this. The CVV is required to have a higher level of protection than credit card numbers or names and addresses. Banks understand separation of functions and mutual mistrust. Most computer security work doesn't think this way.
I was at one company where the PM blurted out (paraphrasing, but very close) "Enough of security talk. We will put out some nice wording on our website stating that security is our top priority and our product is perfectly secure. And that's that. We will not spend a single penny beyond that on making it so-called secure."
So, that's often what companies mean when they say "security is our top priority".
(The referred PM has since had a long career at a fruit-shaped FAANG, presumably making products secure. I hope they have grown up a bit.)
Tbh as a consumer I'd rather a company not just give self-appraisals of security in the form of overt marketing lines but let pen tests, post-mortem analyses and such speak to their robustness/lessons they've learned. Marketing is virtually always that security is top notch regardless of realities so it's hard not to be skeptical of ordinary spiels.
It's like third-party VPN services. It's all well and good to market security but when they get breached/raided/etc and it turns out they don't hold up to the claims then it just increases one's cynicism. At least those like Mullvad from everything I've seen match their statements (no affiliation, nor do I even use it, just useful for this example).
Ed Catmull of Pixar once brought up in a talk, referring to cliched lines like "Story is the most important thing" despite various productions' output being mediocre in that regard, that once an important idea can be encapsulated in a concise statement, the statement per se can be used without fear of changing behavior. Could be said for a lot of marketing.
It is certainly true that security needs can sometimes get in the way of better UX although there is plenty of security that users never encounter. It is also true that the UX of many security designs is awful. However, it is not true to say that security requirements are opposed to good UX.
You can absolutely create good UX with good security, but it will require more effort. Improving your UX doesn't normally hurt security. In fact, having better UX can help security. Conversely, improving your security does not inevitably hurt your UX (although it certainly can if you don't give it sufficient consideration).
The more sensitive data I need to store, the more I need to think about security as well (and the more expensive it gets).
If it's obvious that the service doesn't have much worth hacking for, it's already a better starting point than if I know it's going to be a hack attraction.
Thanks for that quote :)
Does it sound like this? If a restaurant says that "our food is our top priority", I don't think anyone would think that means they're not going to lease a premises, buy chairs/tables, hire waiters etc.
To me, the very fact that you say something is your "_top_ priority" implies that you have other priorities.
It feels like the author is responding instead to the premise "security is our only priority".
https://i.pinimg.com/originals/71/2c/a5/712ca583647508a50606...
https://www.youtube.com/watch?v=Km8XxRCuCho
(I don't fully agree with the message though. It's not just the user of the process that is responsible for their safety. It's mostly the designers of the process.)
I must be Dr Contrary tonight but this strikes me as bullshit.
SSH is more convenient than telnet. Passkeys are more convenient than passwords. TouchID and FaceID are more convenient than passwords.
In general, security is an afterthought that is inconvenient to developers to add back. But in the digital world I haven’t seen many examples of security being less convenient than the alternative.
(I am writing this from an airport and definitely do not assert that this applies to the built environment.)