Infosec is Not Like Boots
Spend some time on Reddit - which you probably shouldn’t - or read the original Terry Pratchett - which you should - and you’ll probably come across the Sam Vimes “boots” theory of Socioeconomic Unfairness.
“The reason that the rich were so rich, Vimes reasoned, was because they managed to spend less money.
Take boots, for example. He earned thirty-eight dollars a month plus allowances. A really good pair of leather boots cost fifty dollars. But an affordable pair of boots, which were sort of OK for a season or two and then leaked like hell when the cardboard gave out, cost about ten dollars. Those were the kind of boots Vimes always bought, and wore until the soles were so thin that he could tell where he was in Ankh-Morpork on a foggy night by the feel of the cobbles.
But the thing was that good boots lasted for years and years. A man who could afford fifty dollars had a pair of boots that’d still be keeping his feet dry in ten years’ time, while the poor man who could only afford cheap boots would have spent a hundred dollars on boots in the same time and would still have wet feet.”
That’s the theory, and its biggest issue is that I’m not sure it’s empirically true. The cheapest pair of shoes I’ve ever bought, £12 trainers, lasted maybe six months, and they were used daily across all terrains. I also have one very expensive pair of boots (£240, so twenty times that). So they need to last twenty times as long, ten years, and whilst I suspect they can, it’s only because I baby them. At that price you would too. And I’ll bet there’s much less durable footwear available for the same price.
So what’s that got to do with infosec?
Well, there’s no doubt that infosec is ultimately a cost, and costs for business are ultimately (checks notes PHB-style…) bad. A cheap infosec solution (or none at all, if that’s viable) makes sense unless your boots wear out, and even then you’ve got no proof the expensive boots wouldn’t have worn through just as fast. Cheap is definitely cheap; expensive is only sometimes good.
Premium bootmakers climb out of this hole with “heritage” (see, Coke’s brand consultants are right about brand value). Infosec companies will find it difficult to point to a few centuries of hand-crafted YARA rules. But even given time, unless you exercise a lot of control over your customers (like, erm, Apple), breaches will happen and you’ll look bad.
So: bad news for boutique companies. Apple has a point: security is an infrastructure feature.