July 7

Being a good brake – Security as a stress reducer

You’ve probably heard the analogy that security is like having brakes on an automobile. Brakes allow the driver to go faster, have more control and go where they want to go safely. While brakes are an inhibitor, they actually allow the driver to reach their destination in a safe, yet quick manner.
Imagine driving without them. You’d be a nervous wreck. (Okay, maybe not you, but most of us would be.) You’d go really slow; be afraid of changing directions; and feel stressed. Think: the only way to stop is to crash into something.

In the paragraphs above, replace brakes with security (meaning security controls and processes) and driver with your organization’s name. Isn’t the concept the same? Security allows the user (driver) to reach their goal (destination) in a safe, yet quick manner. If you (security professionals) and your customers (users) are doing it right, security should allow the business to go faster, have control, and reach their goals safely without crashing.

The security team should be a stress reducer, not an inducer. Stress (in the negative connotation) comes when we feel out of control. Shouldn’t it be security’s job to introduce control and offer solutions for reducing risks and thereby reducing stress?

In recent years, the security group has gotten a bad reputation for being (a) a barrier to business, (b) an overhead without a quantifiable ROI, and (c) the hammer when there’s a breach or policy is not followed. In other words, they increased the stress for our organization. They weren’t being “good brakes.” This caused the organization to try to bypass security to get things done. (Don’t you try to avoid those things that cause you negative stress?)
Instead, we, the people in security, need to be stress reducers. We need to be the brakes for our organization. However, there’s one difference: brakes are not normally seen, only felt; the security team needs to be both seen and felt. You do that by implementing proper controls and risk management processes.

Security should collaborate with the business in identifying and assessing the risks and then implementing the proper controls to ensure the risk is appropriately mitigated for the business. (No more security for security’s sake.) This puts the business in control, guided by security, and reduces negative stress for everyone.

Security professionals: Next time you implement a new technology, process or policy, ask yourself, “Am I being a ‘good brake’ or am I really adding negative stress?” You’d be surprised at how much better you will be received if you reduce your customer’s stress. Next week we’ll cover key steps you can take to become a security stress reducer.

By working together and helping each other, we all become stronger.



  1. It’s hard to combine those two. Reduce stress and also leaving your system behind with the sufficient security. The reason for this is that users do need to abide by the policies and guidelines provided. Now you could design your policies with the users in mind, but that’s not really a good idea. What you could do is design your policies and then ask the everyday users if they feel the “rules” outlined would “stress” them in their everyday work. Then you will have to evaluate the suggested changes to your policy and define either to accept the changes or maybe find a common ground with the users. (You say: “change your password every week” and users say “Change our password every 3 weeks”) Well, then you need to evaluate the risk associated with changing passwords every 3 weeks.

    I really feel that IT security people and the end-users should combine forces, and most of all, the security professional should educate the users to understand why they need to have a policy. This way users feel they are a part of the security process, which is #1 in order to get them to comply and feel no stress when they have to follow a policy.
