If you ask most people what springs to mind when they think of “security,” many would say “friction.” Friction slows us down, gets in the way of what we want to do, and prevents us from acting as quickly as we’d like.

To be honest, there’s some truth to this. However, friction is also critical for an organization to function at its best. As a wise philosopher once said, “Many of the truths we cling to depend greatly on our own point of view.”

How Security Fuels Performance Without Slowing You Down

Some people believe that security practices are merely a hindrance to progress. While there’s some truth to this, it misses the bigger picture. Just as we think that offense fuels defense, we believe that security can fuel performance when used in the right way.

Security is all about finding the right level of friction by balancing performance against acceptable risk levels. Think of your company as a Formula 1 race car: a high-speed, high-performance machine designed to reduce as much friction as possible and perform at its maximum potential for the duration of the race.

I can already hear you thinking, “Hold on, CISO. You just said it yourself: Formula 1 cars are designed to reduce friction as much as possible. So, if we’re supposed to think of our business like a Formula 1 car, shouldn’t we minimize friction too? That means all your security ‘stuff’ is just slowing us down, right?”

This is a common misconception: I didn’t say eliminate friction entirely. Rather, our goal is to reduce the amount of friction as much as possible without sacrificing an acceptable level of safety (or security in this case, since we’re talking about your business).

Reducing Friction Without Eliminating It

Formula 1 tires differ from the ones our personal cars use because they don’t have treads. Instead, they are essentially flat surfaces.

You might think this is another argument against friction. Specifically, you might be thinking, “Well, CISO, there it is again: Treads provide traction, but race cars use flat-surfaced tires to avoid the friction those treads create.” The problem with that assumption is that it’s completely wrong.

Formula 1 cars use flat-surfaced tires because they offer the maximum surface area for their specific use case, allowing for optimal contact with the racetrack. This provides just the right amount of friction needed for peak performance.

All cars that travel on land need some level of friction. The tires must create a frictional grip against the road surface to propel the vehicle forward, rather than spinning in place, as happens when your car gets stuck in snow, ice, or a wet patch of leaves.

Sacrifice too much friction, and your wheels spin in place. Sacrifice too little friction, and you increase the risk of spinning out of control, costing yourself a chance at victory. Even worse, you could end up crashing your car and destroying it.

The front wings on a Formula 1 car are adjustable and fine-tuned to generate just the right amount of downforce, creating the ideal friction-to-speed ratio. The goal is to minimize drag, reducing the friction the air exerts on the car as it moves through it.

If the wings are over-adjusted, there’s too much downforce, creating excessive friction. If they’re under-adjusted, the car may lift like a plane, reducing friction too much and preventing the vehicle from performing at maximum efficiency.

Applying These Lessons to Your Organization

The true art of creating a successful security program within your organization lies in designing the perfect friction ratio.

Finding the right balance allows your team to operate at maximum speed and performance. Meanwhile, it minimizes the risk of losing control, veering off course, or, worse, crashing out of the race entirely.

Getting it right means applying just enough friction to slow down an attempted attack and prevent a risk from becoming a reality.

The Big Question: What’s the Acceptable Ratio?

We must ask ourselves how much time and effort we are willing to put into designing and planning to find the perfect level of friction.

You can’t rely on the skill of one person to win a team race in the same way that you can’t rely on a single department to achieve success across your entire business. This means security should be a joint effort that requires collaboration between your SOC teams, IT teams, sales, marketing, and finance.

For every business process, all we’re really doing is finding an acceptable balance of friction. If risk suddenly increases, we may need more friction in our business processes.

It should always be considered a careful balancing act — or, you could say, an art form — that requires continuous monitoring and regular reassessment.