You’ve probably heard the analogy that security is like having brakes on an automobile. Brakes allow the driver to go faster, have more control and go where they want to go safely. While brakes are an inhibitor, they actually allow the driver to reach their destination in a safe, yet quick manner.
Imagine driving without them. You’d be a nervous wreck. (Okay, maybe not you, but most of us would be.) You’d go really slow; be afraid of changing directions; and feel stressed. Think: the only way to stop is to crash into something.
In the paragraphs above, replace brakes with security (meaning security controls and processes) and driver with your organization’s name. Isn’t the concept the same? Security allows the user (driver) to reach their goal (destination) in a safe, yet quick manner. If you (security professionals) and your customers (users) are doing it right, security should allow the business to go faster, have control, and reach their goals safely without crashing.
The security team should be a stress reducer, not an inducer. Stress (in the negative connotation) comes when we feel out of control. Shouldnâ€™t it be securityâ€™s job to introduce control and offer solutions for reducing risks and thereby reducing stress?
In recent years, the security group has gotten the bad reputation for being (a) a barrier to business, (b) an overhead without a quantifiable ROI, and (c) the hammer when thereâ€™s a breach or policy is not followed. In other words, they increased the stress for our organization. They werenâ€™t being â€œgood brakes.â€ This caused the organization to try to bypass security to get things done. (Donâ€™t you try to avoid those things that cause you negative stress?)
Instead, we, the people in security need to be stress reducers. We need to be the brakes for our organization. However, thereâ€™s one difference: brakes are not normally seen, only felt; the security team needs to be both seen and felt. You do that by implementing proper controls and risk management processes.
Security should collaborate with the business in identifying and assessing the risks and then implementing the proper controls to ensure the risk is appropriately mitigated for the business. (No more security for security sake.) This puts the business in control guided by security and reduces negative stress for everyone.
Security professionals: Next time you implementation a new technology, process or policy, ask yourself, â€œAm I being a â€˜good brakeâ€™ or am I really adding negative stress?â€ Youâ€™d be surprised at how much better you will be received if you reduce your customerâ€™s stress. Next week weâ€™ll cover key steps you can take to become a security stress reducer.
By working together and helping each other, we all become stronger.