Rethinking what it means to win in security

Are we winning at security right now?

Before you answer (too late, right?), take a moment to consider what it means to win. Less trick question and more a candid exploration of our collective mindset in security.

We remain flooded with headlines and conference talks that decry our losses and offer approaches for us to win. The constant negativity poisons our mindsetto the point where we question if security even matters, if we matter.

To be certain, security matters. Increasingly, security matters. That means you matter. The key is understanding what success for security leaders actually is.

Security isn’t a sprint?

Sometimes I’ll show a slide during talks that simply explains, “Security is not a sprint.” 

After some nods, someone usually utters, “That’s right. It’s a marathon.” They are often surprised when I advance a slide to suggest, “Security isn’t a marathon, either.”

Here’s the reality: Security is not an absolute, zero-sum game.

In fact, maybe we need to stop thinking about security in terms of contests—military and other. It’s not a game. It’s not a war, either. Admittedly, security is an elusive concept that is both condition and feeling. It’s why I offered that security is an “infinite game.”

In an infinite game, the measure of success is whether you—and the people around you—are better today than yesterday.

What does it mean to win in security?

Still want an answer, right?

Consider how it works in retail. A reality of selling goods is “shrinkage.” That’s a fancy way of explaining that goods get lost and stolen. The mindset requires the understanding that a situation where nothing is lost, broken or stolen is simply unreasonable, which causes us to consider what a reasonable amount of loss is.

It turns out the percentage is quite small. It used to be 4 percent or less (often based on sales). Then it dropped to 2 percent, and people celebrated. Recently, global shrinkage was reduced even further—and it caused much celebration.

The key lesson here is that while what is considered reasonable has changed over time, it is not zero. Embedded in this shift is the economy of improvement: Each reduction in shrinkage needs to cost less to obtain than the savings it generates. After all, it doesn’t make sense to spend $100 to protect $1. Coupling the cost of improvement with measured reduction in overall impact to the business is a reasonable way to understand success.

What is reasonable in security?

Generally, reasonable security means reducing risk to tolerable levels.

Naturally, the details are in the nuance. And while we continue to struggle with regulations and compliance, the legal concept of reasonable security is important to embrace. At a high level, could you testify in court that your efforts were reasonable? Would someone else in a similar situation (industry, company, etc.) make similar decisions?

Like retail shrinkage, what is reasonable for security shifts over time. While that might feel frustrating in a search for definite answers, it gives us the ability to shift and grow in a way that is best for our organizations.

Maybe winning is avoiding risk catnip

A few years ago, I suggested that chasing after risks simply because they existed, because we could, was playing with "risk catnip." Sometimes the struggle of security is the awareness of all the possible ways things can go wrong. It creates a lot of stress coupled with a strong desire to "do something." In hindsight, it leads to a lot of time playing with risk catnip.

A better approach is working with the organization to reduce the business impact to tolerable levels. In other words, winning and reasonable security might actually mean working with the business to reduce the risk to what is tolerable. Tolerable risk is more than zero risk.

If you partner with the business to manage your risk in a reasonable way, you might just be winning after all.

This Article was originally posted for CSO Online (US) on July 6th 2017