Security, Fear, Fatigue, and Absolution
Fear, Fatigue, and Absolution drive our security landscape today. Security professionals drive budgets and behavior through an archaic management practice. Tools and tactics won’t fix a cultural problem. Cultures need to change.
The fear of attack is valid.
There is no end to this asymmetrical warfare. From state actors to bedroom hackers, everyone is under attack. Tools are created, used, and abused by anyone who has the time and resources, or time to kill. The world of vendor control was broken by open source. Open source lowered the cost of doing business. The black market embraced open source with open arms, creating a new arms race. All this while companies march in straight lines with one arm tied behind their backs in the name of stability and release schedules.
Attacks don’t stop at a lobby; they persist in our bedrooms. Technology gives the world another dimension. The information helps us grow, provide safety for our children, react in a disaster, resolve a crisis, or provide us with peace of mind while taking a stroll in a park at night — a fundamental change from work-life balance to balanced working life. The universe is in our pocket, spreading our lives across the globe.
Fatigue takes no vacation
The benefits of technology outweigh the risks of technology. Maps are always updated, supplies can be ordered in a moment, family members can be located in less than three clicks, work from home is possible around the globe, and your favorite shows, movies, and music are always present. So, we ignore the risks of pervasive computing in our daily life. It is omnipresent in the cameras, point-of-sale card readers, monitoring software, marketing services, automation, and cell phone computers, and we know there is no escape. So the fatigue builds.
Struggling with this new reality at home, we compound the fear and fatigue with business tools. Surveillance, real or imaginary, by an employer has become the new normal. Almost always misapplied, poorly communicated, and sometimes draconian, the struggle is real. Policies forced on workers and exempted for management make for a savory mix of contempt and resentment. Faced with a never-ending and changing barrage of systems, people resign themselves to the inevitable breach that will punish them, one way or another.
Absolution is the unspoken sin
We absolve ourselves of the risk by downplaying the value of our lives. Companies absolve themselves by recklessly tracking employees. Markets absolve themselves with assurances and insurance. Cost-benefit analysis wins over rigor in almost all budget discussions. The bottom line is that we resign ourselves to accepting that a breach will happen and validate that we are doing everything possible to stay out of the headlines.
Absolution shields a company and the security teams, while front line employees are often the fall guys for a breach. It all boils down to culture — understanding who and what is essential while leaving the rest to function as efficiently as possible. Tone down the internal rhetoric of punishment that drives most security policies today. If we all assume it’s a matter of time before an asset is compromised, why compromise our best assets? Our staff.
Culture is the cure
Stop the fear; we’re all in this together. Learning from companies that have created security cultures is valuable, but making sense of yours is vital. Understand what you are trying to protect instead of applying blanket controls. Define what is important and enable learning to inspire motivation in everyone. Stop using words like make, force, and control. Eliminate punishments for mistakes.
Create value with positive game mechanics and group participation. Reduce the policy-driven systems that prevent logical work from getting done. Increase positive incentives to align the workforce. Allow the workforce to define what’s essential and give them the tools to secure them.
Create a top-to-bottom security model. Don’t silo security operations. Physical, digital, personal, and corporate security should have clear ownership. Apply tools with strategy and care, measured for success and revised when required. Safety should be in motion, not static. There is no magic bullet, no one-and-done.
Most of all, stop the politics and processes of fear. Enlist everyone in securing the assets that matter most — starting with your colleagues.