As security threats continue to rise, it might seem odd to suggest we need less security.
Yet, offering people more of what they want and less of what they don’t — or don’t understand — is precisely how we improve our security posture.
Consider how the startup world embraces the idea of the minimum viable product and how medicine looks for minimum effective dose.
Try this with security and you might get burned.
Have you experienced the backlash when people find out you’re enforcing least privilege?
People bristle even as you explain they’ll have everything they need. Once they hear “least,” security becomes an inhibitor of their progress and another security barrier they need to contend with.
Calling it minimum privilege wouldn’t do much better.
We’re about to see it play out again in terms of zero trust. I get it, even President Joe Biden is talking about zero trust. That doesn’t mean it’ll play well when we work with our colleagues who want more trust, not less.
There is a simple explanation: the qualifiers negate something people want — trust, access, privilege.
Zig Ziglar once explained: “You can get anything in life you want, as long as you help enough other people in life get what they want.”
People want less security getting in their way — with more protection. They want the outcome of security with less obstruction.
Here’s how it worked for Jennifer (not her real name), a CISO at a power company when she worked with Ted (not his real name), the head of power distribution.
Tired of the constant asks from security coupled with the endless stream of “you can’t do that,” Ted built his own shadow IT group. This created more friction as it decreased trust and made the annual required audits more complex, time-consuming and expensive.
We arranged a meeting with Ted to explore how to work together better. After learning more about the challenges and stress of power distribution, we flipped the script by asking: “What if we reviewed the regulations and then came back with the absolute minimum amount of effort you needed to be compliant and in line with the company — and no more? Would this let you put your focus and budget where it needs to be?”
Ted loved it.
In the same meeting, he offered for his shadow IT team to join the security organization. Ted became a powerful ally for security.
This isn’t a one-off example. It shows that helping someone else get what they wanted allowed them to help us get what we wanted.
We offered the minimum viable security to reduce his burden, allowing us to improve protections. By reducing the friction, we also increased value and built trust.
This subtle, but important, shift in approach is the enormous opportunity security leaders and teams need right now.