One of the best things any computer security professional can do to further their career is to recognize that most people don’t really care that much about computer security. Few popular products sell because of security. Security absolutely doesn’t matter in most cases — until, of course, when it matters very much during a big hacking event. Most companies and their customers are very happy with the absolute least amount of security that has minimal impact on them. That’s just our computer security life. You must learn to operate within the confines of that social agreement.

Case in point: One of my most popular talks has been “The 12 Ways to Hack 2FA”. I’ve given the talk dozens of times. The key lessons are that multi-factor authentication (MFA) is good, but any MFA solution can be hacked. To that end, the current version of my talk now covers 18 ways to hack an MFA solution.

After every talk, at least one MFA vendor comes up to me to explain how their great solution fixes all those problems. Within a few minutes, I show them how five or seven of the attack types would easily work against their product. They usually go limping home.

Some vendors don’t give up. They come back to me with improved, five-factor (if there is such a thing) versions that do get rid of most of the attack channels. I’ve even come across a few that are really, really secure (but still not unhackable). They still walk away with a frown when I tell them that it’s unlikely that anyone will buy, much less use their product.

No customer is going to want to use an authentication solution that involves more than a few factors of authentication. Most want to do the very least to provide assurance to themselves with the least amount of “friction” for the customer.
Companies know that anything that gets in the way of a customer using their product as seamlessly as possible is making them hemorrhage customers in a very real way.

Let me give you an example.

Credit card crime is on the increase and we don’t care

In the U.S., it was big news when all the U.S. credit cards were finally updated to “chip & PIN” (officially known as EMV cards), which we were all told would make our credit cards significantly harder to hack. They have for some types of credit card fraud.

Here’s the big kicker. Chip & PIN credit cards are meant to be used with both the chip and the PIN at the same time. At nearly every location you use them, all you are required to provide is the chip (and that’s only if the merchant isn’t telling you that you can’t use the chip at all). Without typing in your PIN, anyone can still use your credit card. If you drop the card or someone steals it, they can use it just like you use it. If it’s used anywhere but where your physical presence is needed, the chip doesn’t play a role at all.

Europe and other places where chip & PIN cards have been in use for over a decade longer than in the U.S. require you to use both at the same time. That’s real security and has led to a huge reduction in credit card crime. U.S. merchants were pretty sure all those pesky PINs would do is frustrate customers.

Less security an acceptable trade-off if it keeps customers happy

They are right. Customers who forget their PINs are going to get frustrated, and possibly move on to non-PIN-requiring credit card solutions. So, America’s credit card vendors decided to not require the PIN, accepting far less security as a trade-off for not pissing off customers.

It worked. Very few people are complaining. The surprising part is that, as expected, overall credit card fraud actually rose.
In-store purchases, requiring physical presence, dropped from $3.6 billion in 2015 to an estimated $1.8 billion in 2018, according to FT Partners Research, because chipped cards are harder to steal and replicate. Overall credit card fraud, involving non-physical presences, increased from $3.1 billion to $6.4 billion in the same time period.

I’m not saying that any of us are happy about credit card fraud. The vendors and merchants who have to eat the fraud costs certainly aren’t happy. The customer, even if all damage is immediately reversed, isn’t happy. Everyone wants to decrease fraud, but no one is absolutely hating the current way it is working.

No one, besides a few computer security people, is even noticing the lack of the PIN to complain. The people who care the most about computer security are always going to be in the minority, no matter what else the headlines may occasionally say.

The real role of security

The world is full of security theater and failed security. Credit cards aren’t nearly as secure as most people think. The TSA doesn’t stop all guns and weapons from getting onto planes (although there hasn’t been a successful terrorist attack since they were in charge). Police don’t stop most crimes. Banks are still robbed. Computers are still hacked. Ransomware still holds people’s data hostage. Phishing still works.

The world will never have to be crime-free. It just has to be at an acceptable level, where we stop most of the crime and aren’t inconvenienced too much most of the time.

Computer security professionals need to understand their role in the large world to become more valuable to their organization. Computer security is but one part of the puzzle. Businesses need to compete, survive and lower costs.
They do need to put down computer crime and fraud, but not to such an extent that the protection outweighs the benefits.

The fine line is to recognize the “right” amount of security in the right places to significantly minimize potential losses due to security crime, and do it in such a way that it does not handicap the business too significantly.

Computer security is important, but it isn’t considered alone. Otherwise, you could just make all computers standalone without connection to a network or the internet and get a very secure computer. Very few organizations, outside of the top-secret government and military types, would accept those conditions. The rest of us have to find the right balance of computer security and business objectives. The best computer security professionals know this and work hard to achieve the right balance.