Security practitioners are often faced with a conundrum: do you do the "right thing"– by which we mean lock everything down – or do you "enable the business" and let everyone run rampant? The answer is neither, and we can look at 250 years of American excellence for the real answer.
Ben Franklin famously said, "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." This quote is often misused, as people ignore the modifier a little temporary on Safety, and read this as "liberty is more important than safety."
That couldn't be farther from a plain reading of Franklin's sage advice, nor from practical advice we can use today. Franklin clearly values both Liberty and Safety in this context (or he wouldn't call people out as becoming undeserving of it); his concern is for the tradeoff of essential Liberties against temporary Safety. But how does that apply to cybersecurity?
Cybersecurity practices can easily be viewed on two axes. On one axis, you have the cost to the business. Measured not in dollars, business cost is instead qualitatively measured in impact: how much agility have you removed from the business? The essential liberty in the context of a business is the ability to adapt and innovate, and the more that security practices impede a business's lifeblood, the more costly they are.
On the second axis is the long-term utility of the security practices. Practices that don't produce long term risk reduction, architectural safety, or simplification are, ultimately, temporary, especially if they have to be continuously repeated. The goal of cybersecurity practitioners should be to minimize the temporary nature of a practice while also minimizing its impact on the essential innovation of the business.
Pivoting from passwords to a more secure authentication scheme? Permanent security, and one that, while it will have some minor impact on the business (hardcoded passwords are, sadly, the fastest way to ship!), is a good tradeoff to keep companies innovating. Cybersecurity awareness training, like most phishing simulations? They spend a lot of employee time, and don't have demonstrable long term positive gains.
Pick your tradeoffs wisely.
