The best is the enemy of the good
I saw this aphorism on a manager’s whiteboard once.
I guess it was an attempt to guide himself or his engineers away from gold-plating the system they were working on. But I didn’t ask for and he didn’t offer an explanation.
However, if you were determined to develop the best systems possible, then I guess it could have been pretty demotivating to see that.
I came across a good example of this today, in the IT field. I am a (non-IT) consultant working with a local authority with a poor reputation. I am working to implement a project in this authority which has been operated successfully by many other councils. Part of it requires the transmission of personal data between the council’s IT system and a partner organisation’s system. This is the rub. The council’s IT managers are determined that the data transfer should take place using Secure http://FTP. However they are banging their heads against the technical aspects of this, to the extent that it is jeopardising the whole project. The partner organisation we are working with already has data transfer in place with 10 other local authorities. So somewhat in desperation I asked them how other councils did it. The answer was by ordinary (non-secure) http://FTP. They acknowledged that Secure FTP was best, and some of the other councils were moving towards this, but in the meantime, in the interests of having a workable arrangement, they use ordinary http://FTP. My council, however, will not consider this. They are petrified that personal data might be intercepted, and the council castigated in the press (as many government agencies have been recently).
So only the best will do, but the “best” currently appears unachievable and the “good” that our project could achieve may be lost. The best is the enemy of the good! I agree that this runs counter to the current vogue for “pursuing excellence”, and might be considered demotivating, but it is also pretty demotivating to see the realisable good sacrificed to the unachievable best.
I’m pretty pragmatic so, like you, I would probably recommend that the council bit the bullet and implemented the less secure model until such time as they understood how to implement the secure model - assuming this approach complies with data protection standards.
I suspect that given the current high-profile for data protection that these standards will become stricter in this area and this may force everyone to upgrade to more secure transmission mechanisms but it seems a shame that the council’s customers lose out in the meantime.
However, I am not a security specialist and would need to know more about the risk of data interception in order to make a fuller judgement.