It seems that this year has been dominated by negativity: we have focused on months of bugs, slammed colleagues and users (note: this term needs to end) and even tried to prove through science (!) that people do not understand risk. In fact, many in our industry seem quick to point out that everything is wrong, nothing works and we cannot win (whatever that means).

As I have traveled around the country, hosted some informal gatherings and met with friends and clients, I’ve been struck by how people, in general, look and act. Most of the people I have met in security seem down, rushed, angry and lacking hope.

Are we doomed to an industry filled with negativity?

Open Culture recently ran a story about the (in)famous Stanford Prison Experiment. Reading it reminded me of the first day of my new job after college. My first boss sat me down and told me, “Don’t F*** up, because if you do, the whole world will crush you. If you do a good job, no one will notice, and that’s okay.” In my experience, those words have sometimes been accurate (more than I care to admit). His words stay with me, often in the context of watching how many people in technology are treated, and how they choose to treat others.

Practicing Security Today is like the Famous Stanford Prison Experiment

The Stanford prison experiment was a psychological study of the human response to captivity, in particular to the real world circumstances of prison life and the effects of imposed social roles on behaviour. It was conducted in 1971 by a team of researchers led by Philip Zimbardo of Stanford University. Undergraduate volunteers played the roles of guards and prisoners living in a mock prison that was constructed in the basement of the Stanford psychology building.
— Wikipedia entry

In the experiment, the behaviors of both the guards and the prisoners escalated quickly as each took on characteristics of their role — to the point where the experiment was ended early.

You can learn more here:

The Official Website:
interesting overview:

So, are we the prisoners, or the guards? Short answer: yes.

As “protecting information” has grown in importance, many in the field of security suddenly find themselves in a new and somewhat awkward situation: the shifting demands of the role require them to influence, and sometimes to enforce. After years of receiving “abuse”, they find themselves in positions of relative power, sometimes without guidance. With memories of prior treatment, we take a reactive and negative approach to those around us. Perhaps some of our colleagues “assume the position” too much and get a bit carried away?

Some act like the guards. Some act like prisoners. And some started as prisoners only to become guards.

Regardless, this is a situation we cannot accept. Period.

Now, let me be clear – with all the plight in the world today, I’m not suggesting that we, collectively, take our practice of security to the extremes of the prison experiment. I’m not suggesting a direct comparison. I just happened to review an article on the topic a few weeks back and it has stuck with me that our practice of security might be allowing people to embellish their roles.

Reboot the Security Industry

The single most common (and mocked) approach to fix a non-responsive computer is to reboot.

The security industry needs a reboot. We have to flush from memory the bad blood and old experiences and get started with a clean(er) slate. We need a fresh start (or at least a fresh approach).

We tried negative, restrictive approaches that divided people and explained why things wouldn’t work. We said no. No, no, no!

It’s time to stop alienating people. We cannot do this alone. We need help. And while it’s nice to opine about a growing workforce, the real opportunity lies in changing the approach. Security is important, but it need not be punitive. It’s not only possible, but necessary to change the way we practice security to connect with people, demonstrate business value and rely on the art and science of effective communication.

On a recent flight home, I watched the inflight presentation of A Night At the Museum. An entertaining way to pass the time, I was drawn to the story — especially the ending. The main character realized success only after abandoning a process of restriction and segregation to focus on a path of inclusion. Easy to dismiss as another “Hollywood ending,” the box-office success of the movie is due to the underlying strength of the story. People want to be included, and celebrate inclusion.

Stories are natural. They help us make sense of the world around us. We use them to learn, to teach, to reach understanding.

Perfect ending or not, we need more stories.

After the reboot: a new direction

After the reboot, it’s time to cast a new vision. I see a way to practice security mindful of the past, but focused on the present, with a focus on basics, connecting with people, demonstrating business value, and practicing effective communication to share, and to learn. Technology has a role, but it’s time to build dialogues and foster inclusion.

We have to foster a sense of trust among each other and those we serve. We have to reintroduce the concept of accountability, create a culture that embraces and expects personal responsibility.

We each play a part.

I’m going to keep focusing on better ways to engage, empower and enable people; to make it easier to realize and demonstrate value; to help others liberate their stories through a practice of effective communication.

What about you?

About the Author Michael Santarcangelo

The founder of Security Catalyst, Michael develops exceptional leaders and powerful communicators with the security mindset for success.
