The security the organization needs

Published by
Daniel Alano
Chief Information Security Office (CISCO)

Situation

Information security has been a highly relevant topic in our country for some time now. This is largely due to the growing number of leaks and cyberattacks that have successfully targeted various companies, government agencies, and public institutions. A simple Google search reveals an abundance of news stories, suggesting that many are still not fully prepared to face today’s cybersecurity challenges.

These recent incidents not only create chaos, but also force organizations to undergo drastic changes. There’s no greater motivator for improving security than a successful—and especially public—attack. It’s a bit like that neighbor who suddenly installs bars on their windows even though they never had them before.

It’s also worth noting that security roles—the professionals responsible for protecting organizations from cybercriminals—have certain peculiarities that make them particularly challenging positions within the business context.

Security controls

Implementing security controls, by definition, involves change—and change is rarely frictionless, especially when it affects day-to-day operations. Security measures in particular often meet resistance, making those responsible for enforcing them some of the least popular figures in an organization, as they tend to go against the ease and convenience people are used to. It’s similar to construction: years ago, workers might have operated without helmets—certainly more comfortable—but today, allowing that would be unthinkable.

Sometimes, the balance tips too far in the other direction, and the business ends up working for security rather than the other way around. The organization’s core purpose—whatever that may be—gets lost. It’s important to remember that security must support the achievement of organizational goals. After all, without the business, there’s nothing to protect. We can’t ban people from walking in public just because traffic accidents are a risk; instead, we build traffic lights to help people move safely toward their destinations.

Proportionality

If security is meant to serve the business, but its approach is unrealistic, then it’s not really useful either. As with any aspect of life, proportionality is key—in this case, proportional to risk. Ideally, it would be great to have the latest technologies and the most robust procedures in place. However, the level of risk may not justify the time and financial investment required to implement those controls. We might think that a reinforced steel door would be great for our home—and sure, it would—but that doesn’t mean it’s practical or makes sense in most situations.

The business. The business. The business always comes first. In many cases, if the cost of a security initiative is lower than the potential risk, then it may seem viable to implement it. That’s a valid approach—as long as all associated costs are taken into account: financial, operational, organizational, maintenance-related, and more. As one might guess, all those elements that make up the total cost are also part of the business—and you can’t afford to impact them without a solid reason.

Organizational culture

Someone once said that if you don’t adapt to the organizational culture, it will consume you. While this phrase is usually about individuals adapting, we can all recall a new initiative or department within an organization that failed—either because it was too ambitious or it simply didn’t fit in.

Cybersecurity must adapt as well—otherwise, it will be swallowed by the culture. It’s a mutual agreement, but security must adapt more. Success in protection lies in this adaptability: instead of resisting how things work, security should accompany and enable change.

We need to change how security is perceived within organizations. When done right, it isn’t a burden—it’s a support. Rather than blocking the path, it should be the guardrail that keeps us from going off the edge. For the business and in service of the business, the right kind of security doesn’t create discomfort—it provides peace of mind.