Page 196 - Cyber Defense eMagazine March 2024
jettisoned in favor of a new model that flips the paradigm, acknowledging that the pace of business
shouldn’t be slowed, but that cybersecurity must be sped up!
Removing Barriers
Traditional cybersecurity thinking creates a heavily guarded road with speed bumps, stop lights, and
guarded checkpoints to protect organizations from risk. Every new initiative or innovative project must
run this gauntlet to expose potential threats and ferret out uncertainty, inevitably leading to significant
delays. This "security first mentality" is fraught with bad friction and inadvertently creates a culture of
inhibition where the fear of potential threats overshadows the potential benefits of innovation. As
businesses today need to be agile and innovative to stay competitive, this model is increasingly
untenable.
Now imagine pulling those barriers off the road, turning them 90 degrees, and lining them up as guardrails
to clearly mark the approved path. Expressed as a vision: transform 42nd Street in Manhattan into the
Autobahn. Expressed in ASCII: Turn these | | | | into these = = = =. Unlike the bad friction of roadblocks
and barriers, guardrails don’t aim to stop movement but to guide it safely and efficiently forward. This
approach encourages a culture of security mindfulness where everyone understands the importance of
cybersecurity, is equipped to make decisions that balance innovation with risk, and is aligned with the
business's goals.
Building Guidelines and Guardrails
The essence of exchanging bad friction for good friction lies in transitioning from strict barriers and
controls to less prescriptive and restrictive guidelines and guardrails. Instead of requiring every decision
to go through a central security team for approval, organizations adopt a thoughtful, balanced framework
of decision-making. These guidelines and guardrails provide teams with the boundaries within which
they can operate safely. They are designed to be broad enough to allow for innovation and agility but
narrow enough to protect against significant risks.
For instance, a guideline might dictate that any new software development must undergo a security
review before being deployed, but it leaves the choice of technology and implementation strategy up to
the individual teams. A guardrail may monitor for software deployed with known vulnerabilities that
exceed risk appetite. This approach not only speeds up the development process but also empowers
teams to take ownership of their security practices.
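As an added illustration, not from the article, this is what the guardrail described above can look like in code: an automated risk-appetite gate evaluated against a constructed vulnerability report for deployed services, which lets in-appetite work pass without review and only intervenes when agreed boundaries are crossed. The thresholds, service names and CVE-style identifiers are all assumed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RiskAppetite:
    """Boundaries the business has agreed to; teams may choose anything inside them."""
    max_cvss: float = 7.0               # findings scored at or above this are out of appetite
    grace_days: int = 30                # fixable out-of-appetite findings may stay deployed this long
    block_known_exploited: bool = True  # exploited-in-the-wild findings get no grace period

@dataclass(frozen=True)
class Finding:
    """One known vulnerability reported against a deployed component (constructed data)."""
    component: str
    cve_id: str           # placeholder identifier, not a real CVE
    cvss: float
    known_exploited: bool
    fix_available: bool
    age_days: int         # how long the finding has been present in production

RANK = {"allow": 0, "warn": 1, "block": 2}

def classify(f, appetite):
    """Judge a single finding against the appetite; return (verdict, reason-or-None)."""
    if f.cvss < appetite.max_cvss:
        return "allow", None  # inside appetite: the guardrail stays silent
    if f.known_exploited and appetite.block_known_exploited:
        return "block", f"{f.component}: {f.cve_id} is known exploited (CVSS {f.cvss})"
    if f.fix_available and f.age_days > appetite.grace_days:
        return "block", f"{f.component}: {f.cve_id} fixable for {f.age_days}d, grace is {appetite.grace_days}d"
    return "warn", f"{f.component}: {f.cve_id} (CVSS {f.cvss}) exceeds appetite, remediation owed"

def evaluate(findings, appetite=RiskAppetite()):
    """Aggregate a deployment's findings into the most severe verdict plus the reasons behind it."""
    verdict, reasons = "allow", []
    for f in findings:
        v, reason = classify(f, appetite)
        if RANK[v] > RANK[verdict]:
            verdict = v
        if reason:
            reasons.append(reason)
    return verdict, reasons

# Constructed scan output for two deployed services (placeholder CVE-style IDs).
SAMPLE_DEPLOYMENT = [
    Finding("payments-api", "CVE-0000-0001", 5.3, False, True, 90),  # inside appetite, ignored
    Finding("payments-api", "CVE-0000-0002", 8.1, False, True, 12),  # out of appetite, within grace
    Finding("auth-gateway", "CVE-0000-0003", 9.8, True, True, 2),    # known exploited, blocked
]

if __name__ == "__main__":
    verdict, reasons = evaluate(SAMPLE_DEPLOYMENT)
    print(verdict, *reasons, sep="\n  ")
```

Tightening `RiskAppetite` (for example a shorter `grace_days`) moves findings from "warn" to "block" without any team needing to queue for a central review.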
Fostering Security Awareness
The shift towards good friction is not just about changing policies but about fostering a culture of security
awareness. It requires educating all members of the organization about the importance of cybersecurity
and how they can contribute to it. When employees understand the rationale behind the guidelines and
see how they enable rather than restrict their work, they are more likely to embrace them.